From 03f92508ef2ebb4e7790f612e3f833382c691051 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Thu, 28 Jul 2011 17:14:28 +1000 Subject: samba-tool: use ldb.binary_encode() on search expression elements this allows us to deal with search elements containing characters that must be escaped in LDAP Pair-Programmed-With: Andrew Bartlett Pair-Programmed-With: Amitay Isaacs --- source4/scripting/python/samba/join.py | 4 ++-- source4/scripting/python/samba/netcmd/delegation.py | 10 +++++----- source4/scripting/python/samba/netcmd/domain.py | 2 +- source4/scripting/python/samba/netcmd/drs.py | 5 +++-- source4/scripting/python/samba/netcmd/gpo.py | 6 +++--- source4/scripting/python/samba/netcmd/rodc.py | 2 +- source4/scripting/python/samba/netcmd/spn.py | 8 ++++---- source4/scripting/python/samba/netcmd/user.py | 4 ++-- source4/scripting/python/samba/samdb.py | 10 ++++++---- 9 files changed, 27 insertions(+), 24 deletions(-) (limited to 'source4') diff --git a/source4/scripting/python/samba/join.py b/source4/scripting/python/samba/join.py index b586e2cd5b..4495b527b9 100644 --- a/source4/scripting/python/samba/join.py +++ b/source4/scripting/python/samba/join.py @@ -147,7 +147,7 @@ class dc_join(object): # find the krbtgt link print("checking samaccountname") res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), - expression='samAccountName=%s' % ctx.samname, + expression='samAccountName=%s' % ldb.binary_encode(ctx.samname), attrs=["msDS-krbTgtLink"]) if res: ctx.del_noerror(res[0].dn, recursive=True) @@ -408,7 +408,7 @@ class dc_join(object): ctx.samdb.modify(m) print "Setting account password for %s" % ctx.samname - ctx.samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))" % ctx.samname, + ctx.samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))" % ldb.binary_encode(ctx.samname), ctx.acct_pass, force_change_at_next_login=False, username=ctx.samname) 
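Review bot: In the join.py hunk at `@@ -147`, the result of the now-escaped `samAccountName` search goes straight into `ctx.del_noerror(res[0].dn, recursive=True)`, with no object-class restriction in the filter and no check on the result count before the recursive delete. The password call in the `@@ -408` hunk already uses `(&(objectClass=user)(sAMAccountName=%s))`; the same shape here, `expression='(&(objectClass=user)(samAccountName=%s))' % ldb.binary_encode(ctx.samname)`, would keep the cleanup from removing an unrelated object type that happens to carry the name. samAccountName is presumably unique in the directory, so this is defence in depth rather than a known bug. The enclosing method starts and ends outside the hunk.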
diff --git a/source4/scripting/python/samba/netcmd/delegation.py b/source4/scripting/python/samba/netcmd/delegation.py index 1980203f9d..9aa8287785 100644 --- a/source4/scripting/python/samba/netcmd/delegation.py +++ b/source4/scripting/python/samba/netcmd/delegation.py @@ -72,7 +72,7 @@ class cmd_delegation_show(Command): # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) print "Searching for: %s" % (cleanedaccount) - res = sam.search(expression="sAMAccountName=%s" % cleanedaccount, + res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["userAccountControl", "msDS-AllowedToDelegateTo"]) if len(res) != 1: @@ -122,7 +122,7 @@ class cmd_delegation_for_any_service(Command): # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) - search_filter = "sAMAccountName=%s" % cleanedaccount + search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount) flag = dsdb.UF_TRUSTED_FOR_DELEGATION try: sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True) @@ -154,7 +154,7 @@ class cmd_delegation_for_any_protocol(Command): # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) - search_filter = "sAMAccountName=%s" % cleanedaccount + search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount) flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION try: sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True) @@ -178,7 +178,7 @@ class cmd_delegation_add_service(Command): # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) - res = sam.search(expression="sAMAccountName=%s" % cleanedaccount, + res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["msDS-AllowedToDelegateTo"]) if len(res) != 1: 
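Review bot: The expression `"sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)` is now written out five times in delegation.py (hunks at `@@ -72`, `-122`, `-154`, `-178` and `-211`), so correct escaping depends on every future call site remembering it. A single module-level helper would make the encoded form the only way to build the filter, e.g. `def _account_filter(name): return "sAMAccountName=%s" % ldb.binary_encode(name)`, with each command calling `_account_filter(cleanedaccount)`. spn.py repeats the same pattern for `samaccountname` and `servicePrincipalName` and could use an equivalent helper. A one-line comment on the helper should say that the name is matched literally, since characters such as `*` appear to be escaped by `binary_encode` and would no longer act as wildcards.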
@@ -211,7 +211,7 @@ class cmd_delegation_del_service(Command): # to the correct domain (cleanedaccount, realm, domain) = _get_user_realm_domain(accountname) - res = sam.search(expression="sAMAccountName=%s" % cleanedaccount, + res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount), scope=ldb.SCOPE_SUBTREE, attrs=["msDS-AllowedToDelegateTo"]) if len(res) != 1: diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index 8dffbd2b56..50b5d80395 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -317,7 +317,7 @@ class cmd_domain_machinepassword(Command): secretsdb = Ldb(url=url, session_info=system_session(), credentials=creds, lp=lp) result = secretsdb.search(attrs=["secret"], - expression="(&(objectclass=primaryDomain)(samaccountname=%s))" % secret) + expression="(&(objectclass=primaryDomain)(samaccountname=%s))" % ldb.binary_encode(secret)) if len(result) != 1: raise CommandError("search returned %d records, expected 1" % len(result)) diff --git a/source4/scripting/python/samba/netcmd/drs.py b/source4/scripting/python/samba/netcmd/drs.py index f9b55f47b5..e9cd540603 100644 --- a/source4/scripting/python/samba/netcmd/drs.py +++ b/source4/scripting/python/samba/netcmd/drs.py @@ -287,8 +287,9 @@ class cmd_drs_replicate(Command): # we need to find the NTDS GUID of the source DC msg = self.samdb.search(base=self.samdb.get_config_basedn(), - expression="(&(objectCategory=server)(|(name=%s)(dNSHostName=%s)))" % (SOURCE_DC, - SOURCE_DC), + expression="(&(objectCategory=server)(|(name=%s)(dNSHostName=%s)))" % ( + ldb.binary_encode(SOURCE_DC), + ldb.binary_encode(SOURCE_DC)), attrs=[]) if len(msg) == 0: raise CommandError("Failed to find source DC %s" % SOURCE_DC) diff --git a/source4/scripting/python/samba/netcmd/gpo.py b/source4/scripting/python/samba/netcmd/gpo.py index 72c157d00a..e59b79dbc0 100644 
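Review bot: In the drs.py hunk at `@@ -287`, `ldb.binary_encode(SOURCE_DC)` is evaluated twice to fill the two placeholders; encoding once into a local reads better and keeps the two operands from drifting apart: `source_dc_enc = ldb.binary_encode(SOURCE_DC)` followed by `% (source_dc_enc, source_dc_enc)`. The same doubled call appears in gpo.py `cmd_list` (for `username`) and in the member loop of samdb.py. Separately, only `len(msg) == 0` is rejected after the search; because the filter ORs `name` and `dNSHostName`, more than one server object could in principle match, and whether the code after the hunk copes with that is not visible here.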
--- a/source4/scripting/python/samba/netcmd/gpo.py +++ b/source4/scripting/python/samba/netcmd/gpo.py @@ -131,10 +131,10 @@ def get_gpo_info(samdb, gpo=None, displayname=None, dn=None): search_scope = ldb.SCOPE_ONELEVEL if gpo is not None: - search_expr = "(&(objectClass=groupPolicyContainer)(name=%s))" % gpo + search_expr = "(&(objectClass=groupPolicyContainer)(name=%s))" % ldb.binary_encode(gpo) if displayname is not None: - search_expr = "(&(objectClass=groupPolicyContainer)(displayname=%s))" % displayname + search_expr = "(&(objectClass=groupPolicyContainer)(displayname=%s))" % ldb.binary_encode(displayname) if dn is not None: base_dn = dn @@ -253,7 +253,7 @@ class cmd_list(Command): try: msg = self.samdb.search(expression='(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User))' % - (username,username)) + (ldb.binary_encode(username),ldb.binary_encode(username))) user_dn = msg[0].dn except Exception, e: raise CommandError("Failed to find account %s" % username, e) diff --git a/source4/scripting/python/samba/netcmd/rodc.py b/source4/scripting/python/samba/netcmd/rodc.py index 411221e24f..75c326f950 100644 --- a/source4/scripting/python/samba/netcmd/rodc.py +++ b/source4/scripting/python/samba/netcmd/rodc.py @@ -52,7 +52,7 @@ class cmd_rodc_preload(Command): expression="objectclass=user", scope=ldb.SCOPE_BASE, attrs=[]) else: - res = samdb.search(expression="(&(samAccountName=%s)(objectclass=user))" % account, + res = samdb.search(expression="(&(samAccountName=%s)(objectclass=user))" % ldb.binary_encode(account), scope=ldb.SCOPE_SUBTREE, attrs=[]) if len(res) != 1: raise Exception("Failed to find account '%s'" % account) diff --git a/source4/scripting/python/samba/netcmd/spn.py b/source4/scripting/python/samba/netcmd/spn.py index e81cdce4f3..672f1401e9 100644 --- a/source4/scripting/python/samba/netcmd/spn.py +++ b/source4/scripting/python/samba/netcmd/spn.py 
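Review bot: In the gpo.py `cmd_list` hunk at `@@ -253`, `user_dn = msg[0].dn` takes the first hit without checking how many entries the search returned. The filter matches both `samAccountName=<name>` and `samAccountName=<name>$`, so a user and a machine account sharing a base name would both match and the command would silently pick one. An empty result only surfaces as an IndexError caught by the broad `except Exception`. Adding `if len(msg) != 1: raise CommandError("Failed to find a unique account %s" % username)` right after the search makes both cases explicit. The method body continues outside the hunk.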
@@ -69,7 +69,7 @@ class cmd_spn_list(Command): # to the correct domain (cleaneduser, realm, domain) = _get_user_realm_domain(user) print cleaneduser - res = sam.search(expression="samaccountname=%s" % cleaneduser, + res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) >0: @@ -102,7 +102,7 @@ class cmd_spn_add(Command): paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) - res = sam.search(expression="servicePrincipalName=%s" % name, + res = sam.search(expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE, ) if len(res) != 0 and not force: @@ -110,7 +110,7 @@ class cmd_spn_add(Command): " affected to another user" % name) (cleaneduser, realm, domain) = _get_user_realm_domain(user) - res = sam.search(expression="samaccountname=%s" % cleaneduser, + res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"]) if len(res) >0: @@ -151,7 +151,7 @@ class cmd_spn_delete(Command): paths = provision.provision_paths_from_lp(lp, lp.get("realm")) sam = SamDB(paths.samdb, session_info=system_session(), credentials=creds, lp=lp) - res = sam.search(expression="servicePrincipalName=%s" % name, + res = sam.search(expression="servicePrincipalName=%s" % ldb.binary_encode(name), scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName", "samAccountName"]) if len(res) >0: diff --git a/source4/scripting/python/samba/netcmd/user.py b/source4/scripting/python/samba/netcmd/user.py index e92276b093..88d93e3bea 100644 --- a/source4/scripting/python/samba/netcmd/user.py +++ b/source4/scripting/python/samba/netcmd/user.py 
@@ -142,7 +142,7 @@ class cmd_user_enable(Command): raise CommandError("Either the username or '--filter' must be specified!") if filter is None: - filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username) + filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username)) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp, fallback_machine=True) @@ -178,7 +178,7 @@ class cmd_user_setexpiry(Command): raise CommandError("Either the username or '--filter' must be specified!") if filter is None: - filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username) + filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username)) lp = sambaopts.get_loadparm() creds = credopts.get_credentials(lp) diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py index a7ed1d2c39..6f3953540a 100644 --- a/source4/scripting/python/samba/samdb.py +++ b/source4/scripting/python/samba/samdb.py @@ -189,7 +189,7 @@ pwdLastSet: 0 :param groupname: Name of the target group """ - groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn()) + groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn()) self.transaction_start() try: targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, @@ -214,7 +214,8 @@ pwdLastSet: 0 operation """ - groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn()) + groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % ( + ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn()) groupmembers = listofmembers.split(',') self.transaction_start() 
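Review bot: In the user.py hunks at `@@ -142` and `@@ -178`, only the filter built from `username` is escaped, while a value supplied through `--filter` is left untouched by the visible code, and nothing records that this is deliberate. A short comment above the `if filter is None:` line would document the distinction, e.g. `# --filter is a complete LDAP filter supplied by the caller and is used as-is; only a bare username is encoded`. The same comment applies to both `cmd_user_enable` and `cmd_user_setexpiry`, whose bodies continue outside the hunks.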
@@ -234,7 +235,8 @@ changetype: modify for member in groupmembers: targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE, - expression="(|(sAMAccountName=%s)(CN=%s))" % (member, member), attrs=[]) + expression="(|(sAMAccountName=%s)(CN=%s))" % ( + ldb.binary_encode(member), ldb.binary_encode(member)), attrs=[]) if len(targetmember) != 1: continue @@ -378,7 +380,7 @@ member: %s # Sets the password for it if setpassword: - self.setpassword("(samAccountName=%s)" % username, password, + self.setpassword("(samAccountName=%s)" % ldb.binary_encode(username), password, force_password_change_at_next_login_req) except Exception: self.transaction_cancel() -- cgit
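Review bot: In the samdb.py hunk at `@@ -234`, each `member` comes from `listofmembers.split(',')` (visible in the preceding hunk) and is encoded without being stripped. If `binary_encode` also escapes spaces, which I believe it does but cannot confirm from this page, an input such as `alice, bob` now searches for the literal name ` bob`, finds nothing, and is dropped by `if len(targetmember) != 1: continue` with no message. Stripping first with `member = member.strip()` at the top of the loop, and reporting skipped or ambiguous names instead of continuing silently, would make the outcome visible to the caller. The loop and its enclosing method extend beyond the hunk.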