From 3d0e36bc87bd23e3d1bff7468db2eb99531d8d87 Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Tue, 14 Sep 2010 10:51:14 +0300
Subject: s4-ldap: Added a control to apply the access checks on read via LDAP
---
 source4/dsdb/samdb/samdb.h | 3 +++
 source4/ldap_server/ldap_backend.c | 1 +
 source4/libcli/ldap/ldap_controls.c | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index a3d8f7952d..4a9edbae10 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -192,4 +192,7 @@ struct dsdb_fsmo_extended_op {
 struct GUID destination_dsa_guid;
 };
+/* applied access checks on LDAP reads */
+#define DSDB_CONTROL_SEARCH_APPLY_ACCESS "1.3.6.1.4.1.7165.4.3.15"
+
 #endif /* __SAMDB_H__ */
diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 6faaa30c2f..6a518e48a3 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -579,6 +579,7 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 }
 }
+ ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);
 ldb_set_timeout(samdb, lreq, req->timelimit);
 ldb_ret = ldb_request(samdb, lreq);
diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 5244975dfc..b8becb8955 100644
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
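Review bot: The comment on `DSDB_CONTROL_SEARCH_APPLY_ACCESS` in samdb.h does not say who attaches the control or that it is internal only, which is what a caller needs to know when deciding whether a search is access-checked. From the other two files in this commit, the LDAP server adds it to each search request and it has no network representation; something like `/* internal only: added by the LDAP server to a search so that read access checks are applied; no network representation */` would record that. It would also help to state what happens to searches that reach the database without the control, since read checks appear to be opt-in per request; that is inferred from this patch, not shown in it.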
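Review bot: The return value of `ldb_request_add_control()` is discarded in ldapsrv_SearchRequest, so if adding the control fails the search still reaches `ldb_request()` without DSDB_CONTROL_SEARCH_APPLY_ACCESS, and presumably without the read access checks it is meant to trigger. Because the control gates an authorization decision, a failure should stop the request: `ldb_ret = ldb_request_add_control(lreq, DSDB_CONTROL_SEARCH_APPLY_ACCESS, false, NULL);` followed by an `if (ldb_ret != LDB_SUCCESS)` that takes the function's existing error path for `ldb_ret`. The control is also added as non-critical (`false`), so a module stack that does not recognise it would ignore it silently; marking it critical would surface that case, provided the modules that consume it allow it. The function body starts and ends outside the hunk.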
@@ -1166,6 +1166,8 @@ static const struct ldap_control_handler ldap_known_controls[] = {
 { "1.3.6.1.4.1.7165.4.3.7", NULL, NULL },
 /* DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID is internal only, and has no network representation */
 { "1.3.6.1.4.1.7165.4.3.8", NULL, NULL },
+/* DSDB_CONTROL_SEARCH_APPLY_ACCESS is internal only, and has no network representation */
+ { "1.3.6.1.4.1.7165.4.3.15", NULL, NULL },
 /* DSDB_EXTENDED_REPLICATED_OBJECTS_OID is internal only, and has no network representation */
 { "1.3.6.1.4.1.7165.4.4.1", NULL, NULL },
 { DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference},
-- cgit
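Review bot: The new table entry repeats the OID as the literal `"1.3.6.1.4.1.7165.4.3.15"` although this commit defines `DSDB_CONTROL_SEARCH_APPLY_ACCESS` for it in samdb.h, so the two copies can drift apart unnoticed. The last entry in the hunk already uses a macro (`DSDB_OPENLDAP_DEREFERENCE_CONTROL`), so `{ DSDB_CONTROL_SEARCH_APPLY_ACCESS, NULL, NULL },` would fit if samdb.h can be included here; the neighbouring entries use literals, so this may be a deliberate layering choice. The comment could also say what the NULL decode and encode handlers mean for a client that sends this OID itself, since the control is meant to be set only by the server. ldap_known_controls[] continues outside the hunk.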