From 9c170fce2632e76bda6bb9a644777c978785cff1 Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Fri, 11 May 2007 12:52:48 +0000 Subject: r22797: We are only interested in the DACL of the security descriptor, so search with the SD_FLAGS control. Guenther (This used to be commit 648df57e53ddabe74052e816b8eba95180736208)
---
 source3/include/ads.h | 1 + source3/include/ads_protos.h | 10 ++++++++ source3/libads/ldap.c | 54 ++++++++++++++++++++++++++++---------------- source3/libads/ldap_utils.c | 16 +++++++++++++ source3/libgpo/gpo_ldap.c | 11 +++++---- 5 files changed, 69 insertions(+), 23 deletions(-) (limited to 'source3')
diff --git a/source3/include/ads.h b/source3/include/ads.h
index 0e4df629a7..d72c82adb7 100644
--- a/source3/include/ads.h
+++ b/source3/include/ads.h
@@ -121,6 +121,7 @@ typedef void **ADS_MODLIST;
 #define ADS_PERMIT_MODIFY_OID "1.2.840.113556.1.4.1413"
 #define ADS_ASQ_OID "1.2.840.113556.1.4.1504"
 #define ADS_EXTENDED_DN_OID "1.2.840.113556.1.4.529"
+#define ADS_SD_FLAGS_OID "1.2.840.113556.1.4.801"
 /* ldap attribute oids (Services for Unix) */
 #define ADS_ATTR_SFU_UIDNUMBER_OID "1.2.840.113556.1.6.18.1.310"
diff --git a/source3/include/ads_protos.h b/source3/include/ads_protos.h
index 3e312408e4..2565e2ca9b 100644
--- a/source3/include/ads_protos.h
+++ b/source3/include/ads_protos.h
@@ -102,3 +102,13 @@ ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
 LDAPMessage *res,
 const char *gpo_dn,
 struct GROUP_POLICY_OBJECT *gpo);
+ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32 sd_flags,
+ const char *dn,
+ const char **attrs);
+ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32 sd_flags,
+ LDAPMessage **res);
+
+
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index af4347c147..ff416b0085 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
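Review bot: The two prototypes added to ads_protos.h carry no comment saying what `sd_flags` is or how the search behaves on a server that does not support the control, and the definitions in ldap.c (hunk at 810) and ldap_utils.c (hunk at 185) are equally undocumented. ldap.c already uses `/** ... */` blocks, so add one above each definition stating that `sd_flags` is the SECURITY_INFORMATION bitmask (e.g. DACL_SECURITY_INFORMATION, as gpo_ldap.c passes) carried in the SD_FLAGS control (ADS_SD_FLAGS_OID) that tells the server which parts of ntSecurityDescriptor to return. The comment should also say that the control is sent with `critical = True`, so on a server that does not implement it the search fails instead of silently returning a full descriptor — callers must be prepared for that error path.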
@@ -570,11 +570,11 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
 {
 int rc, i, version;
 char *utf8_expr, *utf8_path, **search_attrs;
- LDAPControl PagedResults, NoReferrals, ExtendedDn, *controls[4], **rcontrols;
+ LDAPControl PagedResults, NoReferrals, ExternalCtrl, *controls[4], **rcontrols;
 BerElement *cookie_be = NULL;
 struct berval *cookie_bv= NULL;
- BerElement *extdn_be = NULL;
- struct berval *extdn_bv= NULL;
+ BerElement *ext_be = NULL;
+ struct berval *ext_bv= NULL;
 TALLOC_CTX *ctx;
 ads_control *external_control = (ads_control *) args;
@@ -604,7 +604,6 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
 }
 }
- /* Paged results only available on ldap v3 or later */
 ldap_get_option(ads->ld, LDAP_OPT_PROTOCOL_VERSION, &version);
 if (version < LDAP_VERSION3) {
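Review bot: The removed comment `/* Paged results only available on ldap v3 or later */` was the only explanation of the `version < LDAP_VERSION3` check that the second hunk keeps, so the check is now unexplained. LDAP controls in general — paged results, the extended-DN control and the new SD_FLAGS control alike — are an LDAPv3 feature, so the comment is still accurate once generalised; restore it as `/* LDAP controls (paged results, extended DN, SD_FLAGS) need ldap v3 or later */`. The body of ads_do_paged_search_args continues outside both hunks.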
@@ -631,40 +630,42 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
 NoReferrals.ldctl_value.bv_len = 0;
 NoReferrals.ldctl_value.bv_val = CONST_DISCARD(char *, "");
- if (external_control && strequal(external_control->control, ADS_EXTENDED_DN_OID)) {
+ if (external_control &&
+ (strequal(external_control->control, ADS_EXTENDED_DN_OID) ||
+ strequal(external_control->control, ADS_SD_FLAGS_OID))) {
- ExtendedDn.ldctl_oid = CONST_DISCARD(char *, external_control->control);
- ExtendedDn.ldctl_iscritical = (char) external_control->critical;
+ ExternalCtrl.ldctl_oid = CONST_DISCARD(char *, external_control->control);
+ ExternalCtrl.ldctl_iscritical = (char) external_control->critical;
 /* win2k does not accept a ldctl_value beeing passed in */
 if (external_control->val != 0) {
- if ((extdn_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
+ if ((ext_be = ber_alloc_t(LBER_USE_DER)) == NULL ) {
 rc = LDAP_NO_MEMORY;
 goto done;
 }
- if ((ber_printf(extdn_be, "{i}", (ber_int_t) external_control->val)) == -1) {
+ if ((ber_printf(ext_be, "{i}", (ber_int_t) external_control->val)) == -1) {
 rc = LDAP_NO_MEMORY;
 goto done;
 }
- if ((ber_flatten(extdn_be, &extdn_bv)) == -1) {
+ if ((ber_flatten(ext_be, &extdn_bv)) == -1) {
 rc = LDAP_NO_MEMORY;
 goto done;
 }
- ExtendedDn.ldctl_value.bv_len = extdn_bv->bv_len;
- ExtendedDn.ldctl_value.bv_val = extdn_bv->bv_val;
+ ExternalCtrl.ldctl_value.bv_len = ext_bv->bv_len;
+ ExternalCtrl.ldctl_value.bv_val = ext_bv->bv_val;
 } else {
- ExtendedDn.ldctl_value.bv_len = 0;
- ExtendedDn.ldctl_value.bv_val = NULL;
+ ExternalCtrl.ldctl_value.bv_len = 0;
+ ExternalCtrl.ldctl_value.bv_val = NULL;
 }
 controls[0] = &NoReferrals;
 controls[1] = &PagedResults;
- controls[2] = &ExtendedDn;
+ controls[2] = &ExternalCtrl;
 controls[3] = NULL;
 } else {
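Review bot: `if ((ber_flatten(ext_be, &extdn_bv)) == -1) {` still passes the old identifier `extdn_bv`, although the declaration hunk at line 570 renames it to `ext_bv` and the two lines just below read `ext_bv->bv_len` / `ext_bv->bv_val`. With no `extdn_bv` left in scope the file should no longer compile; if some other declaration of that name happened to exist, `ext_bv` would stay NULL, the dereference below would crash whenever a control value is supplied, and the flattened berval would leak because the cleanup at `done:` (next hunk) frees only `ext_bv`. The line should read `if ((ber_flatten(ext_be, &ext_bv)) == -1) {`. The body of ads_do_paged_search_args continues outside the hunk.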
@@ -725,12 +726,12 @@ static ADS_STATUS ads_do_paged_search_args(ADS_STRUCT *ads,
 done:
 talloc_destroy(ctx);
- if (extdn_be) {
- ber_free(extdn_be, 1);
+ if (ext_be) {
+ ber_free(ext_be, 1);
 }
- if (extdn_bv) {
- ber_bvfree(extdn_bv);
+ if (ext_bv) {
+ ber_bvfree(ext_bv);
 }
 /* if/when we decide to utf8-encode attrs, take out this next line */
@@ -810,6 +811,21 @@ static ADS_STATUS ads_do_paged_search(ADS_STRUCT *ads, const char *bind_path,
 return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, NULL, res);
 }
+ADS_STATUS ads_do_search_all_sd_flags(ADS_STRUCT *ads, const char *bind_path,
+ int scope, const char *expr,
+ const char **attrs, uint32 sd_flags,
+ LDAPMessage **res)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_all_args(ads, bind_path, scope, expr, attrs, &args, res);
+}
+
+
 /**
 * Run a function on all results for a search. Uses ads_do_paged_search() and
 * runs the function as each page is returned, using ads_process_results()
diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c
index 383b652f97..6417e92e92 100644
--- a/source3/libads/ldap_utils.c
+++ b/source3/libads/ldap_utils.c
@@ -4,6 +4,7 @@ Some Helpful wrappers on LDAP Copyright (C) Andrew Tridgell 2001 + Copyright (C) Guenther Deschner 2006,2007 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
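Review bot: `ads_do_search_all_sd_flags` sets only `control`, `val` and `critical` on a stack `ads_control args` that is otherwise uninitialised; the struct's definition is not in the diff, so if it has further members they reach ads_do_search_all_args with indeterminate values. Add `ZERO_STRUCT(args);` before the three assignments, the way gpo_ldap.c clears its output with `ZERO_STRUCTP(gpo)`; the same applies to ads_search_retry_dn_sd_flags in the ldap_utils.c hunk at 185. Separately, the two added blank lines after the closing brace leave a double blank before the existing `/**` comment, where one is enough.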
@@ -185,6 +186,21 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind
 "(objectclass=*)", &args, attrs[0], strings, num_strings);
+}
+
+ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res,
+ uint32 sd_flags,
+ const char *dn,
+ const char **attrs)
+{
+ ads_control args;
+
+ args.control = ADS_SD_FLAGS_OID;
+ args.val = sd_flags;
+ args.critical = True;
+
+ return ads_do_search_retry_args(ads, dn, LDAP_SCOPE_BASE,
+ "(objectclass=*)", attrs, &args, res);
 }
 ADS_STATUS ads_search_retry_sid(ADS_STRUCT *ads, LDAPMessage **res,
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
index 112d2bb1f9..b19ef0cd7e 100644
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@@ -459,6 +459,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
 "gPCFunctionalityVersion", "gPCMachineExtensionNames", "gPCUserExtensionNames", "gPCWQLFilter", "name", "versionNumber", "ntSecurityDescriptor", NULL};
+ uint32 sd_flags = DACL_SECURITY_INFORMATION;
 ZERO_STRUCTP(gpo);
@@ -472,7 +473,9 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
 gpo_dn = gpo_dn + strlen("LDAP://");
 }
- status = ads_search_dn(ads, &res, gpo_dn, attrs);
+ status = ads_search_retry_dn_sd_flags(ads, &res,
+ sd_flags,
+ gpo_dn, attrs);
 } else if (display_name || guid_name) {
@@ -482,9 +485,9 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
 display_name ? display_name : guid_name);
 ADS_ERROR_HAVE_NO_MEMORY(filter);
- status = ads_do_search_all(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE, filter,
- attrs, &res);
+ status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter,
+ attrs, sd_flags, &res);
 }
 if (!ADS_ERR_OK(status)) {
-- 
cgit
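Review bot: `uint32 sd_flags = DACL_SECURITY_INFORMATION;` changes what the `ntSecurityDescriptor` attribute listed in `attrs` contains: with the SD_FLAGS control sent critical, the server should now return a descriptor carrying only the DACL, with owner, group and SACL absent, and nothing in ads_get_gpo says so. Whatever later parses that attribute into the GPO (outside these hunks) has to treat a missing owner or group as expected rather than as a malformed descriptor, so put that in a comment at the declaration: `/* request only the DACL; owner, group and SACL of ntSecurityDescriptor are not returned */`. Both search paths (`ads_search_retry_dn_sd_flags` at 472 and `ads_do_search_all_sd_flags` at 482) pass the same flags, so the two branches stay consistent. The rest of ads_get_gpo, including the code that consumes `res`, is outside the hunks.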