s4:rootdse Implement "tokenGroups" in the rootDSE
authorAndrew Bartlett <abartlet@samba.org>
Fri, 9 Apr 2010 07:22:35 +0000 (17:22 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 10 Apr 2010 11:41:02 +0000 (21:41 +1000)
This returns the currently connected user's full token.  This is very
useful for debugging, and should be used in ACL tests.

Andrew Bartlett

source4/dsdb/samdb/ldb_modules/rootdse.c

index 808552f3278ed73fc9e3bca830553ebce16a7868..e99fcaa5169e3d9407a2668557c629426ce4c9d3 100644 (file)
@@ -29,6 +29,7 @@
 #include "dsdb/samdb/ldb_modules/util.h"
 #include "libcli/security/security.h"
 #include "librpc/ndr/libndr.h"
+#include "auth/auth.h"
 
 struct private_data {
        unsigned int num_controls;
@@ -381,6 +382,23 @@ static int rootdse_add_dynamic(struct ldb_module *module, struct ldb_message *ms
                }
        }
 
+       if (do_attribute(attrs, "tokenGroups")) {
+               unsigned int i;
+               /* Obtain the user's session_info */
+               struct auth_session_info *session_info
+                       = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+               if (session_info && session_info->security_token) {
+                       /* The list of groups this user is in */
+                       for (i = 0; i < session_info->security_token->num_sids; i++) {
+                               if (samdb_msg_add_dom_sid(ldb, msg, msg,
+                                                         "tokenGroups",
+                                                         session_info->security_token->sids[i]) != 0) {
+                                       goto failed;
+                               }
+                       }
+               }
+       }
+
        /* TODO: lots more dynamic attributes should be added here */
 
        return LDB_SUCCESS;
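Review bot: In the new tokenGroups block, the `void *` returned by `ldb_get_opaque(ldb, "sessionInfo")` is cast straight to `struct auth_session_info *`, so whatever object is stored under that string key is dereferenced without a type check. A talloc-typed lookup would fail closed: `struct auth_session_info *session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info);`. The existing `session_info && session_info->security_token` test then also covers a mismatched object. Since the rootDSE is typically readable without authentication, I would also extend the comment to say something like `/* Only the SIDs of the caller's own token are returned; with no session_info or token the attribute is simply omitted */`. `rootdse_add_dynamic` starts before this hunk and the `failed` label is outside it, so the cleanup path taken on a `samdb_msg_add_dom_sid` error could not be checked here.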