From d6fde2d4c24d7fb5e040ccb00476f689a4472eff Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Wed, 26 Oct 2011 09:47:35 +0200
Subject: LDB/s4 - deny the "(dn=...)" syntax on search filters when in AD mode

Achieve this by introducing a "disallowDNFilter" flag.

Reviewed-by: Andrew Bartlett
Signed-off-by: Andrew Bartlett
---
 lib/ldb/ldb_tdb/ldb_cache.c | 10 ++++++++--
 lib/ldb/ldb_tdb/ldb_index.c |  9 +++++++++
 lib/ldb/ldb_tdb/ldb_tdb.h   |  2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'lib/ldb/ldb_tdb')

diff --git a/lib/ldb/ldb_tdb/ldb_cache.c b/lib/ldb/ldb_tdb/ldb_cache.c
index 0b93021884..6467af1d00 100644
--- a/lib/ldb/ldb_tdb/ldb_cache.c
+++ b/lib/ldb/ldb_tdb/ldb_cache.c
@@ -346,11 +346,17 @@ int ltdb_cache_load(struct ldb_module *module)
 		goto failed;
 	}
 
-	/* set flag for checking base DN on searches */
+	/* set flags if they do exist */
 	if (r == LDB_SUCCESS) {
-		ltdb->check_base = ldb_msg_find_attr_as_bool(options, LTDB_CHECK_BASE, false);
+		ltdb->check_base = ldb_msg_find_attr_as_bool(options,
+							     LTDB_CHECK_BASE,
+							     false);
+		ltdb->disallow_dn_filter = ldb_msg_find_attr_as_bool(options,
+								     LTDB_DISALLOW_DN_FILTER,
+								     false);
 	} else {
 		ltdb->check_base = false;
+		ltdb->disallow_dn_filter = false;
 	}
 
 	talloc_free(ltdb->cache->indexlist);
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index 24cc93feb9..a3848eddb2 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
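Review bot: The replacement comment `/* set flags if they do exist */` no longer says which flags are read or where they come from, so a reader of ltdb_cache_load has to look up the option names elsewhere; `/* read the optional search flags (checkBaseOnSearch, disallowDNFilter) from the options message; both default to false when absent */` would carry that. The `else` branch resets `disallow_dn_filter` together with `check_base`, which keeps the two consistent when the options message could not be read. ltdb_cache_load begins and ends outside the hunk.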
@@ -510,6 +510,15 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
 			      const struct ldb_message *index_list,
 			      struct dn_list *list)
 {
+	struct ltdb_private *ltdb = talloc_get_type(ldb_module_get_private(module),
+						    struct ltdb_private);
+	if (ltdb->disallow_dn_filter &&
+	    (ldb_attr_cmp(tree->u.equality.attr, "dn") == 0)) {
+		/* in AD mode we do not support "(dn=...)" search filters */
+		list->dn = NULL;
+		list->count = 0;
+		return LDB_SUCCESS;
+	}
 	if (ldb_attr_dn(tree->u.equality.attr) == 0) {
 		list->dn = talloc_array(list, struct ldb_val, 1);
 		if (list->dn == NULL) {
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.h b/lib/ldb/ldb_tdb/ldb_tdb.h
index 29856bf827..3b87b56bfd 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.h
+++ b/lib/ldb/ldb_tdb/ldb_tdb.h
@@ -26,6 +26,7 @@ struct ltdb_private {
 	int in_transaction;
 
 	bool check_base;
+	bool disallow_dn_filter;
 	struct ltdb_idxptr *idxptr;
 	bool prepared_commit;
 	int read_lock_count;
@@ -62,6 +63,7 @@ struct ltdb_context {
 /* special attribute types */
 #define LTDB_SEQUENCE_NUMBER "sequenceNumber"
 #define LTDB_CHECK_BASE "checkBaseOnSearch"
+#define LTDB_DISALLOW_DN_FILTER "disallowDNFilter"
 #define LTDB_MOD_TIMESTAMP "whenChanged"
 #define LTDB_OBJECTCLASS "objectClass"
 
-- cgit
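Review bot: `ltdb` is dereferenced in the new `if` without a NULL check, and talloc_get_type() returns NULL when the private pointer's talloc type name does not match, so a mis-registered module private would crash here; `talloc_get_type_abort(ldb_module_get_private(module), struct ltdb_private)` fails loudly at the cast instead. The denial also returns LDB_SUCCESS with an empty list rather than an error, so a caller sees "no entries" and cannot distinguish a rejected filter from a genuine miss; if that is the intended AD-style answer, the comment should say so, e.g. `/* in AD mode "(dn=...)" is not a searchable attribute: answer "no match" rather than an error */`. Note that the check matches only `dn`, while ldb_attr_dn() on the following line also accepts `distinguishedName`, which therefore remains usable in filters — presumably intended, since AD exposes distinguishedName as a real attribute. Whether the unindexed full-scan path applies the same rule is not visible from this hunk. ltdb_index_dn_leaf continues beyond the hunk.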