From 10c6f3f71a4fe3e36e2a0476dc0077187371fafb Mon Sep 17 00:00:00 2001
From: Nadezhda Ivanova
Date: Mon, 21 Sep 2009 17:27:50 -0700
Subject: Initial Implementation of the DS objects access checks. Currently disabled. The search will be greatly modified, also the object tree stuff will be simplified.
---
 source4/dsdb/samdb/ldb_modules/kludge_acl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'source4/dsdb/samdb/ldb_modules/kludge_acl.c')
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 15db491171..34f848de8a 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -35,6 +35,7 @@
 #include "auth/auth.h"
 #include "libcli/security/security.h"
 #include "dsdb/samdb/samdb.h"
+#include "param/param.h"
 /* Kludge ACL rules:
 *
@@ -46,6 +47,7 @@
 struct kludge_private_data {
 const char **password_attrs;
+ bool acl_perform;
 };
 static enum security_user_level what_is_user(struct ldb_module *module)
@@ -325,6 +327,9 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 data = talloc_get_type(ldb_module_get_private(module), struct kludge_private_data);
+ if (data && data->acl_perform)
+ return ldb_next_request(module, req);
+
 ac->module = module;
 ac->req = req;
 ac->user_type = what_is_user(module);
@@ -397,6 +402,12 @@ static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);
 enum security_user_level user_type = what_is_user(module);
+ struct kludge_private_data *data = talloc_get_type(ldb_module_get_private(module),
+ struct kludge_private_data);
+
+ if (data->acl_perform)
+ return ldb_next_request(module, req);
+
 switch (user_type) {
 case SECURITY_SYSTEM:
 case SECURITY_ADMINISTRATOR:
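Review bot: In kludge_acl_search the added `if (data && data->acl_perform) return ldb_next_request(module, req);` bypasses this module's entire search handling, so whatever filtering it builds around `password_attrs` presumably stops running once `acl:perform` is set. Nothing visible in this file checks that a later module in the stack actually enforces access, so enabling the option without that module loaded would likely fail open. I would state the dependency right above the check, for example `/* acl:perform: access control is delegated to the next ACL module; it must be loaded */`. The check also sits after the point where `ac` appears to be set up (outside the hunk); placing it before that allocation would avoid creating a context that is never used.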
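Review bot: kludge_acl_change dereferences `data->acl_perform` with no NULL check, while the same test in kludge_acl_search is written `data && data->acl_perform`. `talloc_get_type()` yields NULL when the private pointer is unset or has a different talloc type, so this path should read `if (data && data->acl_perform)` too. The early return also skips the `switch (user_type)` that follows, so with the option on, modifications are no longer gated by user level in this module and rely entirely on the next one; a short comment saying that would help the next reader. The function body continues outside the hunk.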
@@ -459,6 +470,8 @@ static int kludge_acl_init(struct ldb_module *module)
 }
 data->password_attrs = NULL;
+ data->acl_perform = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+ NULL, "acl", "perform", false);
 ldb_module_set_private(module, data);
 if (!mem_ctx) {
-- cgit
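Review bot: In kludge_acl_init the value of `ldb_get_opaque(ldb, "loadparm")` goes straight into `lp_parm_bool()` as an untyped `void *`, and it may be NULL if no loadparm context was registered on this ldb; whether `lp_parm_bool()` tolerates that is not visible here. Fetching it with `talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context)` and leaving `acl_perform` false when the result is NULL keeps the default on the enforcing side. The option name also reads inverted, since `acl_perform == true` makes kludge_acl skip its own checks, so the struct member deserves a comment such as `/* true: skip the kludge checks; a later ACL module is expected to enforce access */`. The function starts and ends outside the hunk.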