diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 97 |
1 files changed, 33 insertions, 64 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index 30f99440eb..05d153a9fb 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -82,9 +82,6 @@ struct samldb_ctx { struct ldb_dn *user_dn; struct ldb_dn *old_prim_group_dn, *new_prim_group_dn; - /* generic counter - used in "samldb_member_check" */ - unsigned int cnt; - /* all the async steps necessary to complete the operation */ struct samldb_step *steps; struct samldb_step *curstep; @@ -1470,83 +1467,55 @@ static int samldb_prim_group_change(struct samldb_ctx *ac) } -static int samldb_member_check_1(struct samldb_ctx *ac) +static int samldb_member_check(struct samldb_ctx *ac) { struct ldb_context *ldb; struct ldb_message_element *el; + struct ldb_dn *member_dn, *group_dn; + uint32_t prim_group_rid; + struct dom_sid *sid; + const char * const * no_attrs = { NULL }; + struct ldb_message **res; + unsigned int i; ldb = ldb_module_get_ctx(ac->module); el = ldb_msg_find_element(ac->msg, "member"); - - ac->user_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[ac->cnt]); - if (!ldb_dn_validate(ac->user_dn)) - return LDB_ERR_OPERATIONS_ERROR; - ac->prim_group_rid = 0; - - return samldb_next_step(ac); -} - -static int samldb_member_check_2(struct samldb_ctx *ac) -{ - struct ldb_context *ldb; - - ldb = ldb_module_get_ctx(ac->module); - - ac->sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), - ac->prim_group_rid); - if (ac->sid == NULL) - return LDB_ERR_OPERATIONS_ERROR; - ac->res_dn = NULL; - - return samldb_next_step(ac); -} - -static int samldb_member_check_3(struct samldb_ctx *ac) -{ - if (ldb_dn_compare(ac->res_dn, ac->msg->dn) == 0) - return LDB_ERR_ENTRY_ALREADY_EXISTS; - - ++(ac->cnt); - - return samldb_next_step(ac); -} - -static int samldb_member_check_4(struct samldb_ctx *ac) -{ - return ldb_next_request(ac->module, ac->req); -} - -static int samldb_member_check(struct samldb_ctx *ac) -{ - struct ldb_message_element *el; - int i, ret; - - el = ldb_msg_find_element(ac->msg, "member"); - ac->cnt = 0; for (i = 0; i < el->num_values; i++) { /* Denies to add "member"s to groups which are primary ones * for them */ - ret = samldb_add_step(ac, samldb_member_check_1); - if (ret != LDB_SUCCESS) return ret; + member_dn = ldb_dn_from_ldb_val(ac, ldb, &el->values[i]); + if (!ldb_dn_validate(member_dn)) { + return LDB_ERR_OPERATIONS_ERROR; + } - ret = samldb_add_step(ac, samldb_user_dn_to_prim_group_rid); - if (ret != LDB_SUCCESS) return ret; + prim_group_rid = samdb_search_uint(ldb, ac, (uint32_t) -1, + member_dn, "primaryGroupID", + NULL); + if (prim_group_rid == (uint32_t) -1) { + /* the member hasn't to be a user account -> therefore + * no check needed in this case. */ + continue; + } - ret = samldb_add_step(ac, samldb_member_check_2); - if (ret != LDB_SUCCESS) return ret; + sid = dom_sid_add_rid(ac, samdb_domain_sid(ldb), + prim_group_rid); + if (sid == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } - ret = samldb_add_step(ac, samldb_dn_from_sid); - if (ret != LDB_SUCCESS) return ret; + group_dn = samdb_search_dn(ldb, ac, NULL, "(objectSID=%s)", + dom_sid_string(ac, sid)); + if (group_dn == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } - ret = samldb_add_step(ac, samldb_member_check_3); - if (ret != LDB_SUCCESS) return ret; + if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) { + return LDB_ERR_ENTRY_ALREADY_EXISTS; + } } - ret = samldb_add_step(ac, samldb_member_check_4); - if (ret != LDB_SUCCESS) return ret; - - return samldb_first_step(ac); + return ldb_next_request(ac->module, ac->req); } |