summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules/acl.c
AgeCommit message (Collapse)AuthorFilesLines
2010-10-10dsdb/modules: Split up helpers a bit to prevent recursive dependencies.Jelmer Vernooij1-0/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
2010-10-03s4:dsdb - substitute the "show_deleted" with the "show_recycled" controlMatthias Dieter Wallnöfer1-1/+1
We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-26s4-dsdb: Moved some helper functions to a separate fileNadezhda Ivanova1-220/+0
We need these to be accessible to the aclread module as well.
2010-09-25s4-dsdb: added tagging of requests in dsdb modulesAndrew Tridgell1-0/+1
this allows you to call dsdb_req_chain_debug() in gdb or when writing debug code to see the request chain
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-1/+1
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-1/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:acl LDB module - support password changes over the ↵Matthias Dieter Wallnöfer1-1/+15
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set".
2010-08-17s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messagesAndrew Tridgell1-3/+3
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-04s4-dsdb: Removed kludge_acl as it is no longer necessaryNadezhda Ivanova1-0/+39
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-01s4:acl LDB module - remove the "forest DN" checkMatthias Dieter Wallnöfer1-6/+3
After some reading I've discovered that this isn't really true. The forest partition does exist on one or more DCs and is there the same as the default base DN (which is already checked by the module). And if we have other DCs which contain child domains then they never contain data of the forest domain beside the schema and the configuration partition (which are checked anyway) since a DC can always contain only one domain! Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01s4:acl LDB module - remove unused call "is_root_base_dn"Matthias Dieter Wallnöfer1-8/+0
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-1/+1
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-08s4:acl LDB module - password attributes - check also the "dBCSPwd" attributeMatthias Dieter Wallnöfer1-2/+2
It's also a possible password change/set attribute candidate.
2010-07-08s4:acl LDB module - move a "mem_ctx" creation to the place where it is ↵Matthias Dieter Wallnöfer1-1/+2
actually checked Memory allocations and their result checks should be as tight as possible.
2010-07-08s4-source4/dsdb/samdb/ldb_modules/acl.c Use DSDB_FLAG_NEXT_MODULE flagKamen Mazdrashki1-5/+12
2010-07-07s4-dsdb: use ldb_operr() in the dsdb codeAndrew Tridgell1-30/+25
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)" in places in the dsdb code where we don't already explicitly set an error string. This should make is much easier to track down dsdb module bugs that result in an operations error.
2010-07-05s4-dsdb: Implementation of User-Change-Password and User-Force-Password-ChangeNadezhda Ivanova1-79/+162
These CARs need to be checked on password change and password reset operations. Apparently the password attributes are not influenced by Write Property. Single detele operations and modifications of dBCSPwd are let through to the password_hash module. This is determined experimentally.
2010-06-29Fixed incorrect use of cn instead of lDAPDisplayNameNadezhda Ivanova1-2/+2
2010-06-28s4:acl LDB module - fix counter typeMatthias Dieter Wallnöfer1-1/+2
2010-06-28Implementation of self membership validated right.Nadezhda Ivanova1-1/+100
When this right is granted, the user can add or remove themselves from a group even if they dont have write property right.
2010-06-07s4:acl LDB module - LDB attribute names should be compared using ↵Matthias Dieter Wallnöfer1-2/+2
"ldb_attr_cmp" or "strcasecmp"
2010-06-07s4:acl LDB module - adaption for "objectclass_attrs" moduleMatthias Dieter Wallnöfer1-5/+15
Since the attribute schema checking code moved back we need to give here the "LDB_ERR_NO_SUCH_ATTRIBUTE" error.
2010-06-06s4:acl LDB module - fix counter types where appropriateMatthias Dieter Wallnöfer1-2/+4
2010-05-10s4:acl ldb module - fix typosMatthias Dieter Wallnöfer1-3/+3
2010-04-16s4:Replaced dsdb_get_dom_sid_from_ldb_message() with samdb_result_dom_sid()Nadezhda Ivanova1-24/+5
2010-04-13s4:acl/descriptor LDB module - distinguish between root and default basednMatthias Dieter Wallnöfer1-0/+6
The first is the forest base DN, the second the domain base DN. At the moment we assume that they are both the same but it hasn't to be so. Nadia, I would invite you to fix the outstanding parts regarding this (I added comments).
2010-03-16s4:dsdb/acl Reduce calls to dsdb_get_schema() and add memory contextAndrew Bartlett1-24/+46
dsdb_get_schema() isn't a very cheap call, due to the use of LDB opaque pointers. We need to call it less, and instead pass it as a parameter where possible. This also changes to the new API with a talloc context. Andrew Bartlett
2010-03-12Split the dsdb_access_check_on_dn.Nadezhda Ivanova1-5/+44
Split the dsdb_access_check_on_dn so it can be reused for checks from both within the module stack and outside it.
2010-03-12Fixed ACL module to use dsdb_module_* API.Nadezhda Ivanova1-9/+9
2010-03-12Moved access_check_on_dn from acl module as an utility.Nadezhda Ivanova1-156/+19
Made this an utility function so it can be used for access checking outside of the acl ldb module, such as checking validated writes and control access rights in other protocols (e. g drs)
2010-03-09Added a check for permissions to modify the RDN attribute on rename.Nadezhda Ivanova1-0/+12
Necessary because rdn module will be moved lower than acl in the stack.
2010-03-07s4:acl LDB module - change counter variable to "unsigned"Matthias Dieter Wallnöfer1-1/+1
2010-02-13s4-dsdb: use TYPESAFE_QSORT() in dsdb codeAndrew Tridgell1-9/+3
2010-02-04s4:mark the SYSTEM control always as non-criticalMatthias Dieter Wallnöfer1-0/+29
It is needed to not break the various LDAP backends. For reference look at bug #7040.
2010-01-08s4-dsdb: fixed const misuse in acl moduleAndrew Tridgell1-4/+4
2010-01-08s4-dsdb: use dsdb_module_am_system() in acl moduleAndrew Tridgell1-19/+11
2009-12-21Adapted acl module to skip checks if as_system control is provided.Nadezhda Ivanova1-7/+17
Signed-off-by: Andrew Tridgell <tridge@samba.org>
2009-12-18s4-dsdb: Add a check to prevent acl_modify from debuging a NULL messageBrendan Powers1-1/+5
Check to see if there were any messages passed to acl_modify before debugging the first one. I think I caused this by some malformed LDIF. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-12-17Fixed incorrect checking of PRINCIPAL_SELF permissions.Nadezhda Ivanova1-11/+86
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights to an account over itself.
2009-12-15Fixed a problem with duplicate values of allowedAttributesEffective.Nadezhda Ivanova1-1/+3
2009-12-10Implementation of sDRightsEffective, allowedAttributesEffective and ↵Nadezhda Ivanova1-40/+610
allowedChildClassesEffective. Behavior as documented in WSPP and tested. Needs optimisation though.
2009-11-15Fixed some major bugs in inheritance and access checks.Nadezhda Ivanova1-28/+53
Fixed sd creation not working on LDAP modify. Fixed incorrect replacement of CO and CG. Fixed incorrect access check on modify for SD modification. Fixed failing sec_descriptor test and enabled it. Fixed failing sd add test in ldap.python
2009-11-05Version 1.0 of the directory service acls module.Nadezhda Ivanova1-961/+344
At this point, support for checks on LDAP add, delete, rename and modify. Old kludge_acl is still there to handle the searches. This module is synchronous as the async version was impossible to debug, will be converted to async after some user testing.
2009-10-06s4:acl module - intendation fix and comment enhancementMatthias Dieter Wallnöfer1-1/+2
2009-09-21Initial Implementation of the DS objects access checks.Nadezhda Ivanova1-0/+1151
Currently disabled. The search will be greatly modified, also the object tree stuff will be simplified.