From d6fde2d4c24d7fb5e040ccb00476f689a4472eff Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Wed, 26 Oct 2011 09:47:35 +0200
Subject: LDB/s4 - deny the "(dn=...)" syntax on search filters when in AD mode

Achieve this by introducing a "disallowDNFilter" flag.

Reviewed-by: Andrew Bartlett
Signed-off-by: Andrew Bartlett
---
 lib/ldb/ldb_tdb/ldb_cache.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

(limited to 'lib/ldb/ldb_tdb/ldb_cache.c')

diff --git a/lib/ldb/ldb_tdb/ldb_cache.c b/lib/ldb/ldb_tdb/ldb_cache.c
index 0b93021884..6467af1d00 100644
--- a/lib/ldb/ldb_tdb/ldb_cache.c
+++ b/lib/ldb/ldb_tdb/ldb_cache.c
@@ -346,11 +346,17 @@ int ltdb_cache_load(struct ldb_module *module)
 goto failed;
 }

- /* set flag for checking base DN on searches */
+ /* set flags if they do exist */
 if (r == LDB_SUCCESS) {
- ltdb->check_base = ldb_msg_find_attr_as_bool(options, LTDB_CHECK_BASE, false);
+ ltdb->check_base = ldb_msg_find_attr_as_bool(options,
+ LTDB_CHECK_BASE,
+ false);
+ ltdb->disallow_dn_filter = ldb_msg_find_attr_as_bool(options,
+ LTDB_DISALLOW_DN_FILTER,
+ false);
 } else {
 ltdb->check_base = false;
+ ltdb->disallow_dn_filter = false;
 }

 talloc_free(ltdb->cache->indexlist);
-- cgit
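Review bot: `disallow_dn_filter` is fail-open in both branches of the `if (r == LDB_SUCCESS)` block: it is `false` when the attribute is missing from `options` and again in the `else` branch. The new comment `/* set flags if they do exist */` does not record this. Since the flag gates a restriction that AD mode relies on, I would replace the comment with `/* check_base and disallow_dn_filter are opt-in: both stay false unless the options record sets them */`. As far as I recall, `ldb_msg_find_attr_as_bool` also returns the default for a value that is neither TRUE nor FALSE, so a mistyped `LTDB_DISALLOW_DN_FILTER` value would silently leave "(dn=...)" filters allowed; confirm this, and consider logging when the attribute is present but unparsable. The body of `ltdb_cache_load` starts and ends outside this hunk, so which values of `r` reach the `else` branch cannot be checked from here.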