summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c80
-rw-r--r--source4/dsdb/schema/schema.h1
-rw-r--r--source4/dsdb/schema/schema_init.c8
-rw-r--r--source4/setup/provision_users_modify.ldif4
4 files changed, 83 insertions, 10 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 1ce23d365a..ed95d8112d 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -107,13 +107,15 @@ struct kludge_acl_context {
enum user_is user_type;
bool allowedAttributes;
bool allowedAttributesEffective;
+ bool allowedChildClasses;
+ bool allowedChildClassesEffective;
const char **attrs;
};
/* read all objectClasses */
static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
- const char *attrName)
+ const char *attrName)
{
struct ldb_message_element *oc_el;
struct ldb_message_element *allowedAttributes;
@@ -129,12 +131,13 @@ static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_mess
we alter the element array in ldb_msg_add_empty() */
oc_el = ldb_msg_find_element(msg, "objectClass");
- for (i=0; i < oc_el->num_values; i++) {
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
if (!class) {
/* We don't know this class? what is going on? */
continue;
}
+
for (j=0; class->mayContain && class->mayContain[j]; j++) {
ldb_msg_add_string(msg, attrName, class->mayContain[j]);
}
@@ -169,6 +172,57 @@ static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_mess
return 0;
}
+/* read all objectClasses */
+
+static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
+ const char *attrName)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *class;
+ int i, j, ret;
+ ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* To ensure that oc_el is valid, we must look for it after
+ we alter the element array in ldb_msg_add_empty() */
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
+ if (!class) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
+ }
+ }
+
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+
+ return 0;
+
+}
/* find all attributes allowed by all these objectClasses */
@@ -194,6 +248,13 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
if (ret != LDB_SUCCESS) {
return ret;
+
+ }
+ }
+ if (ac->allowedChildClasses) {
+ ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
}
@@ -208,6 +269,12 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
return ret;
}
}
+ if (ac->allowedChildClassesEffective) {
+ ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
break;
default:
/* remove password attributes */
@@ -217,7 +284,8 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
}
}
- if ((ac->allowedAttributes || ac->allowedAttributesEffective) &&
+ if ((ac->allowedAttributes || ac->allowedAttributesEffective
+ || ac->allowedChildClasses || ac->allowedChildClassesEffective) &&
(!ldb_attr_in_list(ac->attrs, "objectClass") &&
!ldb_attr_in_list(ac->attrs, "*"))) {
ldb_msg_remove_attr(ares->message, "objectClass");
@@ -267,7 +335,11 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
- if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+ ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
+
+ ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
+
+ if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
down_req->op.search.attrs
= ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
}
diff --git a/source4/dsdb/schema/schema.h b/source4/dsdb/schema/schema.h
index ca1ebb0388..dd50eae684 100644
--- a/source4/dsdb/schema/schema.h
+++ b/source4/dsdb/schema/schema.h
@@ -111,6 +111,7 @@ struct dsdb_class {
const char **possSuperiors;
const char **mustContain;
const char **mayContain;
+ const char **possibleInferiors;
const char *defaultSecurityDescriptor;
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index fbc4ff0727..ce7645c454 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -492,16 +492,18 @@ WERROR dsdb_class_from_ldb(const struct dsdb_schema *schema,
GET_STRING_LDB(msg, "subClassOf", mem_ctx, obj, subClassOf, True);
obj->systemAuxiliaryClass = NULL;
- obj->systemPossSuperiors = NULL;
obj->auxiliaryClass = NULL;
- obj->possSuperiors = NULL;
GET_STRING_LIST_LDB(msg, "systemMustContain", mem_ctx, obj, systemMustContain, False);
GET_STRING_LIST_LDB(msg, "systemMayContain", mem_ctx, obj, systemMayContain, False);
GET_STRING_LIST_LDB(msg, "mustContain", mem_ctx, obj, mustContain, False);
GET_STRING_LIST_LDB(msg, "mayContain", mem_ctx, obj, mayContain, False);
+ GET_STRING_LIST_LDB(msg, "systemPossSuperiors", mem_ctx, obj, systemPossSuperiors, False);
+ GET_STRING_LIST_LDB(msg, "possSuperiors", mem_ctx, obj, possSuperiors, False);
+ GET_STRING_LIST_LDB(msg, "possibleInferiors", mem_ctx, obj, possibleInferiors, False);
+
GET_STRING_LDB(msg, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
GET_UINT32_LDB(msg, "schemaFlagsEx", obj, schemaFlagsEx);
@@ -832,6 +834,8 @@ WERROR dsdb_class_from_drsuapi(struct dsdb_schema *schema,
obj->mustContain = NULL;
obj->mayContain = NULL;
+ obj->possibleInferiors = NULL;
+
GET_STRING_DS(schema, r, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
GET_UINT32_DS(schema, r, "schemaFlagsEx", obj, schemaFlagsEx);
diff --git a/source4/setup/provision_users_modify.ldif b/source4/setup/provision_users_modify.ldif
index 04ff57368e..5fbfebfd46 100644
--- a/source4/setup/provision_users_modify.ldif
+++ b/source4/setup/provision_users_modify.ldif
@@ -17,7 +17,3 @@ objectCategory: CN=Container,${SCHEMADN}
-
replace: isCriticalSystemObject
isCriticalSystemObject: TRUE
--
-replace: allowedChildClassesEffective
-allowedChildClassesEffective: user
-allowedChildClassesEffective: group