struct auth_session_info *session_info
= (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
if(!session_info) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
ret = dsdb_module_search_dn(module, mem_ctx, &acl_res, dn,
- acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_DELETED);
if (ret != LDB_SUCCESS) {
DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
return ret;
}
- return dsdb_check_access_on_dn_internal(acl_res,
+ return dsdb_check_access_on_dn_internal(ldb, acl_res,
mem_ctx,
session_info->security_token,
dn,
struct ldb_context *ldb;
struct acl_private *data;
int ret, i;
- TALLOC_CTX *mem_ctx = talloc_new(module);
+ TALLOC_CTX *mem_ctx;
static const char *attrs[] = { "passwordAttribute", NULL };
struct ldb_result *res;
struct ldb_message *msg;
if (ret != LDB_SUCCESS) {
ldb_debug(ldb, LDB_DEBUG_ERROR,
"acl_module_init: Unable to register control with rootdse!\n");
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
data = talloc(module, struct acl_private);
if (data == NULL) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
data->password_attrs = NULL;
NULL, "acl", "perform", false);
ldb_module_set_private(module, data);
+ mem_ctx = talloc_new(module);
if (!mem_ctx) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
ret = dsdb_module_search_dn(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
- attrs, 0);
+ attrs,
+ DSDB_FLAG_NEXT_MODULE);
if (ret != LDB_SUCCESS) {
goto done;
}
data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
if (!data->password_attrs) {
talloc_free(mem_ctx);
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
for (i=0; i < password_attributes->num_values; i++) {
data->password_attrs[i] = (const char *)password_attributes->values[i].data;
else {
ret = LDB_SUCCESS;
}
+ talloc_free(tmp_ctx);
return ret;
fail:
- return LDB_ERR_OPERATIONS_ERROR;
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb_module_get_ctx(module));
}
static int acl_check_access_on_class(struct ldb_module *module,
}
return ret;
fail:
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb_module_get_ctx(module));
}
static int acl_allowedAttributes(struct ldb_module *module,
mem_ctx = talloc_new(msg);
if (!mem_ctx) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
oc_el = ldb_msg_find_element(sd_msg, "objectClass");
return LDB_SUCCESS;
}
- ret = dsdb_get_sd_from_ldb_message(mem_ctx, sd_msg, &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), mem_ctx, sd_msg, &sd);
if (ret != LDB_SUCCESS) {
return ret;
const struct dsdb_attribute *attr = dsdb_attribute_by_lDAPDisplayName(schema,
attr_list[i]);
if (!attr) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
/* remove constructed attributes */
if (attr->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED
struct ldb_message_element *oc_el;
struct ldb_message_element *allowedClasses;
const struct dsdb_class *sclass;
- int i, j, ret;
+ unsigned int i, j;
+ int ret;
/* If we don't have a schema yet, we can't do anything... */
if (schema == NULL) {
struct ldb_control *as_system = ldb_request_get_control(ac->req,
LDB_CONTROL_AS_SYSTEM_OID);
struct dom_sid *sid = NULL;
- int i, j, ret;
+ unsigned int i, j;
+ int ret;
if (as_system != NULL) {
as_system->critical = 0;
ldb_msg_remove_attr(msg, "allowedChildClassesEffective");
oc_el = ldb_msg_find_element(sd_msg, "objectClass");
- ret = dsdb_get_sd_from_ldb_message(msg, sd_msg, &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd);
if (ret != LDB_SUCCESS) {
return ret;
}
}
else {
/* Get the security descriptor from the message */
- ret = dsdb_get_sd_from_ldb_message(msg, sd_msg, &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module), msg, sd_msg, &sd);
if (ret != LDB_SUCCESS) {
return ret;
}
schema = dsdb_get_schema(ldb, req);
if (!schema) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
return ldb_next_request(module, req);
}
+/* checks for validated writes */
+static int acl_check_extended_right(TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct security_token *token,
+ const char *ext_right,
+ uint32_t right_type,
+ struct dom_sid *sid)
+{
+ struct GUID right;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+
+ GUID_from_string(ext_right, &right);
+
+ if (!insert_in_object_tree(tmp_ctx, &right, right_type,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_ext_right: cannot add to object tree\n"));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ status = sec_access_check_ds(sd, token,
+ right_type,
+ &access_granted,
+ root,
+ sid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+}
+
+
+/* ckecks if modifications are allowed on "Member" attribute */
+static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
+ struct ldb_module *module,
+ struct ldb_request *req,
+ struct security_descriptor *sd,
+ struct dom_sid *sid,
+ const struct GUID *oc_guid,
+ const struct dsdb_attribute *attr)
+{
+ int ret;
+ unsigned int i;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ struct ldb_dn *user_dn;
+ struct ldb_message_element *member_el;
+ /* if we have wp, we can do whatever we like */
+ if (acl_check_access_on_attribute(module,
+ mem_ctx,
+ sd,
+ sid,
+ SEC_ADS_WRITE_PROP,
+ attr) == LDB_SUCCESS) {
+ return LDB_SUCCESS;
+ }
+ /* if we are adding/deleting ourselves, check for self membership */
+ ret = dsdb_find_dn_by_sid(ldb, mem_ctx, acl_user_token(module)->user_sid, &user_dn);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ member_el = ldb_msg_find_element(req->op.mod.message, "member");
+ if (!member_el) {
+ return ldb_operr(ldb);
+ }
+ /* user can only remove oneself */
+ if (member_el->num_values == 0) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ for (i = 0; i < member_el->num_values; i++) {
+ if (strcasecmp((const char *)member_el->values[i].data,
+ ldb_dn_get_extended_linearized(mem_ctx, user_dn, 1)) != 0) {
+ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ }
+ }
+ ret = acl_check_extended_right(mem_ctx, sd, acl_user_token(module),
+ GUID_DRS_SELF_MEMBERSHIP,
+ SEC_ADS_SELF_WRITE,
+ sid);
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ dsdb_acl_debug(sd, acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
+ }
+ return ret;
+}
+
+static int acl_check_password_rights(TALLOC_CTX *mem_ctx,
+ struct ldb_module *module,
+ struct ldb_request *req,
+ struct security_descriptor *sd,
+ struct dom_sid *sid,
+ const struct GUID *oc_guid)
+{
+ int ret = LDB_SUCCESS;
+ unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
+ struct ldb_message_element *el;
+ struct ldb_message *msg;
+ const char *passwordAttrs[] = { "userPassword", "unicodePwd",
+ "clearTextPassword", NULL }, **l;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+
+ msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ if (msg == NULL) {
+ return ldb_module_oom(module);
+ }
+ for (l = passwordAttrs; *l != NULL; l++) {
+ while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
+ if (el->flags == LDB_FLAG_MOD_DELETE) {
+ ++del_attr_cnt;
+ }
+ if (el->flags == LDB_FLAG_MOD_ADD) {
+ ++add_attr_cnt;
+ }
+ if (el->flags == LDB_FLAG_MOD_REPLACE) {
+ ++rep_attr_cnt;
+ }
+ ldb_msg_remove_element(msg, el);
+ }
+ }
+ /* a single delete will be handled by password hash
+ later in the stack, so we let it though here */
+ if (del_attr_cnt > 0 && add_attr_cnt == 0) {
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+ }
+ if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_FORCE_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
+ }
+ else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ GUID_DRS_USER_CHANGE_PASSWORD,
+ SEC_ADS_CONTROL_ACCESS,
+ sid);
+ /* Very strange, but we get constraint violation in this case */
+ if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ }
+ if (ret != LDB_SUCCESS) {
+ dsdb_acl_debug(sd, acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
+ }
+ talloc_free(tmp_ctx);
+ return ret;
+}
+
static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
int ret;
struct ldb_context *ldb = ldb_module_get_ctx(module);
const struct dsdb_schema *schema;
unsigned int i;
- bool modify_sd = false;
const struct GUID *guid;
uint32_t access_granted;
struct object_tree *root = NULL;
if (ldb_dn_is_special(req->op.mod.message->dn)) {
return ldb_next_request(module, req);
}
- ret = dsdb_module_search_dn(module, req, &acl_res, req->op.mod.message->dn,
- acl_attrs, 0);
+ ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE);
if (ret != LDB_SUCCESS) {
- return ret;
+ goto fail;
}
- schema = dsdb_get_schema(ldb, acl_res);
+ schema = dsdb_get_schema(ldb, tmp_ctx);
if (!schema) {
- talloc_free(acl_res);
- return LDB_ERR_OPERATIONS_ERROR;
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
}
- ret = dsdb_get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
DEBUG(10, ("acl_modify: cannot get descriptor\n"));
- return ret;
+ goto fail;
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
- return LDB_SUCCESS;
+ goto success;
}
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
}
for (i=0; i < req->op.mod.message->num_elements; i++){
const struct dsdb_attribute *attr;
- /* clearTextPassword is not in schema */
- if (strcmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
- attr = dsdb_attribute_by_lDAPDisplayName(schema, "unicodePwd");
- } else {
- attr = dsdb_attribute_by_lDAPDisplayName(schema,
+ attr = dsdb_attribute_by_lDAPDisplayName(schema,
req->op.mod.message->elements[i].name);
+
+ if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
+ status = sec_access_check_ds(sd, acl_user_token(module),
+ SEC_STD_WRITE_DAC,
+ &access_granted,
+ NULL,
+ sid);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Object %s has no write dacl access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn)));
+ dsdb_acl_debug(sd,
+ acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ goto fail;
+ }
+ }
+ else if (ldb_attr_cmp("member", req->op.mod.message->elements[i].name) == 0) {
+ ret = acl_check_self_membership(tmp_ctx,
+ module,
+ req,
+ sd,
+ sid,
+ guid,
+ attr);
+ if (ret != LDB_SUCCESS) {
+ goto fail;
+ }
}
- if (strcmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
- modify_sd = true;
+ else if (ldb_attr_cmp("dBCSPwd", req->op.mod.message->elements[i].name) == 0) {
+ /* this one is not affected by any rights, we should let it through
+ so that passwords_hash returns the correct error */
+ continue;
+ }
+ else if (ldb_attr_cmp("unicodePwd", req->op.mod.message->elements[i].name) == 0 ||
+ ldb_attr_cmp("userPassword", req->op.mod.message->elements[i].name) == 0 ||
+ ldb_attr_cmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
+ ret = acl_check_password_rights(tmp_ctx,
+ module,
+ req,
+ sd,
+ sid,
+ guid);
+ if (ret != LDB_SUCCESS) {
+ goto fail;
+ }
} else {
+ /* This basic attribute existence check with the right errorcode
+ * is needed since this module is the first one which requests
+ * schema attribute informations.
+ * The complete attribute checking is done in the
+ * "objectclass_attrs" module behind this one.
+ */
if (!attr) {
- DEBUG(10, ("acl_modify: cannot find attribute %s\n",
- req->op.mod.message->elements[i].name));
+ ldb_asprintf_errstring(ldb, "acl_modify: attribute '%s' on entry '%s' was not found in the schema!",
+ req->op.mod.message->elements[i].name,
+ ldb_dn_get_linearized(req->op.mod.message->dn));
+ ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
+ ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
+ ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
}
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s nas no write property access\n",
+ DEBUG(10, ("Object %s has no write property access\n",
ldb_dn_get_linearized(req->op.mod.message->dn)));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
true,
10);
- talloc_free(tmp_ctx);
- return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
- }
- }
- if (modify_sd) {
- status = sec_access_check_ds(sd, acl_user_token(module),
- SEC_STD_WRITE_DAC,
- &access_granted,
- NULL,
- sid);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s nas no write dacl access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
- dsdb_acl_debug(sd,
- acl_user_token(module),
- req->op.mod.message->dn,
- true,
- 10);
- talloc_free(tmp_ctx);
- return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ goto fail;
}
}
+success:
talloc_free(tmp_ctx);
return ldb_next_request(module, req);
fail:
talloc_free(tmp_ctx);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ret;
}
/* similar to the modify for the time being.
ldb = ldb_module_get_ctx(module);
ret = dsdb_module_search_dn(module, req, &acl_res, req->op.rename.olddn,
- acl_attrs, DSDB_SEARCH_SHOW_DELETED);
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_DELETED);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
schema = dsdb_get_schema(ldb, acl_res);
if (!schema) {
talloc_free(acl_res);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
};
guid = attribute_schemaid_guid_by_lDAPDisplayName(schema,
"name");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
};
rdn_name = ldb_dn_get_rdn_name(req->op.rename.olddn);
if (rdn_name == NULL) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
guid = attribute_schemaid_guid_by_lDAPDisplayName(schema,
rdn_name);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
};
- ret = dsdb_get_sd_from_ldb_message(req, acl_res->msgs[0], &sd);
+ ret = dsdb_get_sd_from_ldb_message(ldb, req, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_operr(ldb);
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s nas no wp on name\n",
+ DEBUG(10, ("Object %s has no wp on name\n",
ldb_dn_get_linearized(req->op.rename.olddn)));
dsdb_acl_debug(sd,
acl_user_token(module),
|| ac->allowedAttributesEffective
|| ac->sDRightsEffective) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
- acl_attrs, 0);
+ acl_attrs,
+ DSDB_FLAG_NEXT_MODULE);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
ac = talloc_zero(req, struct acl_context);
if (ac == NULL) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
+ return ldb_oom(ldb);
}
data = talloc_get_type(ldb_module_get_private(module), struct acl_private);