-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl.c | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/acl_util.c | 61 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/descriptor.c | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 1 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/schema.c | 120 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/util.c | 27 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/wscript_build | 16 |
7 files changed, 134 insertions, 93 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 149c6b105e..660b4df818 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -39,6 +39,7 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "param/param.h"
 #include "dsdb/samdb/ldb_modules/util.h"
+#include "dsdb/samdb/ldb_modules/schema.h"
 #include "lib/util/tsort.h"
 struct extended_access_check_attribute {
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 6c41602a82..1a84704079 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -178,67 +178,6 @@ fail:
 return ldb_operr(ldb_module_get_ctx(module));
 }
-int acl_check_access_on_class(struct ldb_module *module,
- const struct dsdb_schema *schema,
- TALLOC_CTX *mem_ctx,
- struct security_descriptor *sd,
- struct dom_sid *rp_sid,
- uint32_t access,
- const char *class_name)
-{
- int ret;
- NTSTATUS status;
- uint32_t access_granted;
- struct object_tree *root = NULL;
- struct object_tree *new_node = NULL;
- const struct GUID *guid;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
- struct security_token *token = acl_user_token(module);
- if (class_name) {
- guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
- if (!guid) {
- DEBUG(10, ("acl_search: cannot find class %s\n",
- class_name));
- goto fail;
- }
- if (!insert_in_object_tree(tmp_ctx,
- guid, access,
- &root, &new_node)) {
- DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
- goto fail;
- }
- }
- status = sec_access_check_ds(sd, token,
- access,
- &access_granted,
- root,
- rp_sid);
- if (!NT_STATUS_IS_OK(status)) {
- ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
- }
- else {
- ret = LDB_SUCCESS;
- }
- return ret;
-fail:
- return ldb_operr(ldb_module_get_ctx(module));
-}
-
-const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
- const struct dsdb_schema *schema,
- struct ldb_message *msg)
-{
- struct ldb_message_element *oc_el;
-
- oc_el = ldb_msg_find_element(msg, "objectClass");
- if (!oc_el) {
- return NULL;
- }
-
- return class_schemaid_guid_by_lDAPDisplayName(schema,
- (char *)oc_el->values[oc_el->num_values-1].data);
-}
-
 /* checks for validated writes */
 int acl_check_extended_right(TALLOC_CTX *mem_ctx,
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 959a7d8cd1..c94d6bdf0b 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -39,6 +39,7 @@
 #include "librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/ndr_security.h"
 #include "libcli/security/security.h"
+#include "dsdb/samdb/ldb_modules/schema.h"
 #include "auth/auth.h"
 #include "param/param.h"
 #include "util.h"
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index fa956269f4..940290bace 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -45,6 +45,7 @@
 #include "auth/auth.h"
 #include "param/param.h"
 #include "../libds/common/flags.h"
+#include "dsdb/samdb/ldb_modules/schema.h"
 #include "util.h"
 struct oc_context {
diff --git a/source4/dsdb/samdb/ldb_modules/schema.c b/source4/dsdb/samdb/ldb_modules/schema.c
new file mode 100644
index 0000000000..77bf9dc21e
--- /dev/null
+++ b/source4/dsdb/samdb/ldb_modules/schema.c
@@ -0,0 +1,120 @@
+/*
+ Unix SMB/CIFS implementation.
+ Samba utility functions
+
+ Copyright (C) Andrew Tridgell 2009
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "ldb.h"
+#include "ldb_module.h"
+#include "librpc/ndr/libndr.h"
+#include "dsdb/samdb/ldb_modules/util.h"
+#include "dsdb/samdb/samdb.h"
+#include "util.h"
+#include "libcli/security/security.h"
+#include "lib/ldb/include/ldb_private.h"
+
+const struct dsdb_class * get_last_structural_class(const struct dsdb_schema *schema,const struct ldb_message_element *element)
+{
+ const struct dsdb_class *last_class = NULL;
+ unsigned int i;
+
+ for (i = 0; i < element->num_values; i++){
+ const struct dsdb_class *tmp_class = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &element->values[i]);
+
+ if(tmp_class == NULL) {
+ continue;
+ }
+
+ if(tmp_class->objectClassCategory > 1) {
+ continue;
+ }
+
+ if (!last_class) {
+ last_class = tmp_class;
+ } else {
+ if (tmp_class->subClass_order > last_class->subClass_order)
+ last_class = tmp_class;
+ }
+ }
+
+ return last_class;
+}
+
+int acl_check_access_on_class(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct dom_sid *rp_sid,
+ uint32_t access,
+ const char *class_name)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t 
access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct GUID *guid;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ struct security_token *token = acl_user_token(module);
+ if (class_name) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(tmp_ctx,
+ guid, access,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+ goto fail;
+ }
+ }
+ status = sec_access_check_ds(sd, token,
+ access,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return ldb_operr(ldb_module_get_ctx(module));
+}
+
+const struct GUID *get_oc_guid_from_message(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ struct ldb_message *msg)
+{
+ struct ldb_message_element *oc_el;
+
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+ if (!oc_el) {
+ return NULL;
+ }
+
+ return class_schemaid_guid_by_lDAPDisplayName(schema,
+ (char *)oc_el->values[oc_el->num_values-1].data);
+}
+
+
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 569c967e95..d7bf807c24 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
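Review bot: `acl_check_access_on_class` creates `tmp_ctx = talloc_new(mem_ctx)` and never frees it on either the `return ret;` path or the `fail:` path, so every call leaves a child context (and the object tree built under it) hanging off `mem_ctx` until the caller frees that; add `talloc_free(tmp_ctx);` before `return ret;` and before the `return ldb_operr(...)` at `fail:`, and check `tmp_ctx` for NULL before passing it to `insert_in_object_tree`. `get_oc_guid_from_message` reads `oc_el->values[oc_el->num_values-1]` with no check on `num_values`; an objectClass element present with zero values wraps the unsigned index and reads out of bounds, so the guard should be `if (!oc_el || oc_el->num_values == 0) { return NULL; }`. The `(char *)...data` cast also relies on the ldb value being NUL-terminated, which is worth stating in a comment if ldb guarantees it. Both functions arrive here unchanged from acl_util.c, but this file is now where they live; the two `DEBUG` messages still prefix themselves with `acl_search:` although they are emitted from `acl_check_access_on_class`.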
@@ -484,33 +484,6 @@ int dsdb_module_del(struct ldb_module *module,
 return ret;
 }
-const struct dsdb_class * get_last_structural_class(const struct dsdb_schema *schema,const struct ldb_message_element *element)
-{
- const struct dsdb_class *last_class = NULL;
- unsigned int i;
-
- for (i = 0; i < element->num_values; i++){
- const struct dsdb_class *tmp_class = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &element->values[i]);
-
- if(tmp_class == NULL) {
- continue;
- }
-
- if(tmp_class->objectClassCategory > 1) {
- continue;
- }
-
- if (!last_class) {
- last_class = tmp_class;
- } else {
- if (tmp_class->subClass_order > last_class->subClass_order)
- last_class = tmp_class;
- }
- }
-
- return last_class;
-}
-
 /* check if a single valued link has multiple non-deleted values
diff --git a/source4/dsdb/samdb/ldb_modules/wscript_build b/source4/dsdb/samdb/ldb_modules/wscript_build
index 399105332a..03b138b2ac 100644
--- a/source4/dsdb/samdb/ldb_modules/wscript_build
+++ b/source4/dsdb/samdb/ldb_modules/wscript_build
@@ -3,7 +3,7 @@ bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPERS',
 source='util.c acl_util.c',
 autoproto='util_proto.h',
- deps='ldb LIBNDR SAMDB_SCHEMA'
+ deps='ldb LIBNDR SAMDB_COMMON'
 )
 bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPER_RIDALLOC',
@@ -12,6 +12,12 @@ bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPER_RIDALLOC',
 deps='MESSAGING',
 )
+bld.SAMBA_SUBSYSTEM('DSDB_MODULE_HELPER_SCHEMA',
+ source='schema.c',
+ autoproto='schema.h',
+ deps='SAMDB_SCHEMA'
+ )
+
 bld.SAMBA_MODULE('ldb_samba_dsdb',
 source='samba_dsdb.c',
 subsystem='ldb',
@@ -135,7 +141,7 @@ bld.SAMBA_MODULE('ldb_rootdse',
 subsystem='ldb',
 init_function='LDB_MODULE(rootdse)',
 internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
- deps='talloc LIBEVENTS SAMDB'
+ deps='talloc LIBEVENTS SAMDB MESSAGING'
 )
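Review bot: The new `DSDB_MODULE_HELPER_SCHEMA` subsystem declares `deps='SAMDB_SCHEMA'` only, while schema.c as added in this commit calls `acl_user_token`, `insert_in_object_tree` and `sec_access_check_ds`, symbols that the same code previously reached from acl_util.c through `DSDB_MODULE_HELPERS` and the consuming modules' `LIBSECURITY` dependency. Unless the build propagates those from each module that lists the helper, the subsystem should name its own providers, e.g. `deps='SAMDB_SCHEMA DSDB_MODULE_HELPERS LIBSECURITY'`, so that it links correctly on its own and the dependency graph documents who it relies on. The `ldb_rootdse` hunk adding `MESSAGING` looks unrelated to the schema-helper split and would be easier to trace as its own commit.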
@@ -226,7 +232,7 @@ bld.SAMBA_MODULE('ldb_objectclass',
 subsystem='ldb',
 init_function='LDB_MODULE(objectclass)',
 internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
- deps='talloc LIBEVENTS LIBSECURITY NDR_SECURITY SAMDB DSDB_MODULE_HELPERS LIBSAMBA-UTIL'
+ deps='talloc LIBEVENTS LIBSECURITY NDR_SECURITY SAMDB DSDB_MODULE_HELPERS LIBSAMBA-UTIL DSDB_MODULE_HELPER_SCHEMA'
 )
@@ -307,7 +313,7 @@ bld.SAMBA_MODULE('ldb_descriptor',
 subsystem='ldb',
 init_function='LDB_MODULE(descriptor)',
 internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
- deps='talloc LIBEVENTS LIBSECURITY NDR_SECURITY SAMDB DSDB_MODULE_HELPERS'
+ deps='talloc LIBEVENTS LIBSECURITY NDR_SECURITY SAMDB DSDB_MODULE_HELPERS DSDB_MODULE_HELPER_SCHEMA'
 )
@@ -325,7 +331,7 @@ bld.SAMBA_MODULE('ldb_acl',
 subsystem='ldb',
 init_function='LDB_MODULE(acl)',
 internal_module=not bld.CONFIG_SET('USING_SYSTEM_LDB'),
- deps='talloc LIBEVENTS LIBSECURITY SAMDB DSDB_MODULE_HELPERS'
+ deps='talloc LIBEVENTS LIBSECURITY SAMDB DSDB_MODULE_HELPERS DSDB_MODULE_HELPER_SCHEMA'
 ) |