Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/common/util.c28
-rw-r--r--source4/dsdb/samdb/ldb_modules/extended_dn_out.c13
-rw-r--r--source4/dsdb/samdb/ldb_modules/util.c12
3 files changed, 41 insertions, 12 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 42619b9692..e4e55fc530 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -41,6 +41,7 @@
#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
/*
search the sam for the specified attributes in a specific domain, filter on
@@ -3752,3 +3753,30 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+ "ms-PKI-AccountCredentials",
+ "ms-PKI-RoamingTimeStamp",
+ "ms-FVE-KeyPackage",
+ "ms-FVE-RecoveryGuid",
+ "ms-FVE-RecoveryInformation",
+ "ms-FVE-RecoveryPassword",
+ "ms-FVE-VolumeGuid",
+ "ms-TPM-OwnerInformation",
+ NULL};
+/*
+ check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+ int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+ bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+ if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+ return true;
+ }
+ if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+ return true;
+ }
+ return false;
+}
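Review bot: The local `drs_write_replica` at the top of `dsdb_attr_in_rodc_fas` is true when `DRSUAPI_DRS_WRIT_REP` is NOT set, i.e. for a read-only replica, so its name states the opposite of its value; in a predicate that decides which attributes (credential- and recovery-key-bearing ones, going by the names in the list and the `SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL` mask) are withheld from a replication partner, an inverted-looking flag is the kind of thing a later edit silently flips. Suggest `bool is_read_only_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);` and updating the two `if` conditions accordingly. `rodc_fas_list` is also a writable, external-linkage global; unless another translation unit is meant to see it, declare it `static const char * const rodc_fas_list[] = {` so the table cannot be modified at runtime (and the `const char * const *` parameter of `is_attr_in_list` already accepts it). The header comment should spell out the contract, e.g. "Returns true if the attribute must be filtered from a replica that did not request a writable replica (RODC filtered attribute set): either the schema searchFlags mark it RODC-filtered/confidential, or its CN is in the fixed rodc_fas_list; always false for a writable replica."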
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
index f28ad8e12f..39af87091c 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_out.c
@@ -40,6 +40,7 @@
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/ndr/libndr.h"
#include "dsdb/samdb/samdb.h"
+#include "util.h"
struct extended_dn_out_private {
bool dereference;
@@ -47,18 +48,6 @@ struct extended_dn_out_private {
struct dsdb_openldap_dereference_control *dereference_control;
};
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
- unsigned int i;
-
- for (i = 0; attrs[i]; i++) {
- if (ldb_attr_cmp(attrs[i], attr) == 0)
- return true;
- }
-
- return false;
-}
-
static char **copy_attrs(void *mem_ctx, const char * const * attrs)
{
char **nattrs;
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 7913ac8049..18631c4350 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -826,3 +826,15 @@ int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
talloc_free(partitions_dn);
return LDB_SUCCESS;
}
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+ unsigned int i;
+
+ for (i = 0; attrs[i]; i++) {
+ if (ldb_attr_cmp(attrs[i], attr) == 0)
+ return true;
+ }
+
+ return false;
+}
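Review bot: `is_attr_in_list` is moved here verbatim and made external, but it gets no prefix and no contract comment, while the rest of this file uses `dsdb_`-prefixed names (`dsdb_recyclebin_enabled` at the hunk head); the loop dereferences `attrs` unconditionally, so a NULL array pointer would crash rather than return false. At minimum add a comment above the definition such as "Return true if attr matches an entry of the NULL-terminated array attrs (compared with ldb_attr_cmp); attrs must not be NULL." and, if the comparison is case-insensitive as ldb_attr_cmp's name suggests, say so. Consider renaming to `dsdb_attr_in_list` (or keeping it `static` in a header as an inline helper) now that it is part of the module's global namespace; the corresponding declaration in util.h is presumably part of this change but is outside the hunk.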