From 34f47a33dffa429c6f8bc58c4d8b27a1152ad259 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sun, 19 Sep 2010 16:11:57 -0700
Subject: s4-rootdse: mark registered controls as non-critical

this is needed for clients that may include unnecessary controls in requests and mark them as non-critical
---
 source4/dsdb/samdb/ldb_modules/rootdse.c | 37 ++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 2e7c97af38..b84621f9ee 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -492,6 +492,35 @@ static int rootdse_callback(struct ldb_request *req, struct ldb_reply *ares)
 return LDB_SUCCESS;
 }

+/*
+ mark our registered controls as non-critical in the request
+
+ This is needed as clients may mark controls as critical even if they
+ are not needed at all in a request. For example, the centrify client
+ sets the SD_FLAGS control as critical on ldap modify requests which
+ are setting the dNSHostName attribute on the machine account. That
+ request doesn't need SD_FLAGS at all, but centrify adds it on all
+ ldap requests.
+ */
+static void rootdse_mark_noncritical(struct ldb_module *module, struct ldb_control **controls)
+{
+ int i, j;
+ struct private_data *priv = talloc_get_type(ldb_module_get_private(module), struct private_data);
+
+ if (!controls) return;
+
+ for (i=0; controls[i]; i++) {
+ if (controls[i]->critical == 0) {
+ continue;
+ }
+ for (j=0; jnum_controls; j++) {
+ if (strcasecmp(priv->controls[j], controls[i]->oid) == 0) {
+ controls[i]->critical = 0;
+ }
+ }
+ }
+}
+
 static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb;
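Review bot: `rootdse_mark_noncritical` clears `critical` in place on the caller's `req->controls` for every registered OID, so a request carrying a registered control that no module ends up applying to that operation now proceeds with the control silently ignored instead of being rejected, which is the opposite of what a client asks for by marking it critical. That may be the accepted trade-off for the Centrify case described in the comment, but the comment should say so, e.g. `NOTE: criticality is no longer enforced for any registered control, on any operation`, and ideally the clearing would be limited to controls known to be harmless when ignored. Separately, `priv` comes from `talloc_get_type()`, which returns NULL on a type mismatch, and it is dereferenced in the inner loop (`priv->controls[j]`) without a check; `if (!controls || !priv) return;` would cover that, and a `break;` after `controls[i]->critical = 0;` ends the scan once the OID has matched. The inner loop condition appears garbled on this page (`jnum_controls`), so the bound itself could not be reviewed.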
@@ -499,6 +528,8 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
 struct ldb_request *down_req;
 int ret;

+ rootdse_mark_noncritical(module, req->controls);
+
 ldb = ldb_module_get_ctx(module);

 /* see if its for the rootDSE - only a base search on the "" DN qualifies */
@@ -963,6 +994,8 @@ static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);

+ rootdse_mark_noncritical(module, req->controls);
+
 /*
 If dn is not "" we should let it pass through
 */
@@ -1013,6 +1046,8 @@ static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);

+ rootdse_mark_noncritical(module, req->controls);
+
 /*
 If dn is not "" we should let it pass through
 */
@@ -1054,6 +1089,8 @@ static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
 {
 struct ldb_context *ldb = ldb_module_get_ctx(module);

+ rootdse_mark_noncritical(module, req->controls);
+
 /*
 If dn is not "" we should let it pass through
 */
-- cgit
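Review bot: The call is added by hand at the top of `rootdse_search`, `rootdse_add`, `rootdse_modify` and `rootdse_delete`, so any other operation this module handles (a rename or extended handler, if one is registered outside these hunks) would still pass the control down with `critical` set and behave differently from the four patched paths. In each handler the call also runs before the check for the `""` DN, so the flag is cleared for every request that passes through the module and not only rootDSE ones. That looks intended given the commit message, but a short comment at the call sites, such as `/* must run first: clears critical on controls we registered, for all DNs */`, would keep a later reorder from quietly changing it. All four function bodies continue outside the hunks.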