dssync keytab: when not in single object replication mode, use object dn list as...
authorMichael Adam <obnox@samba.org>
Thu, 31 Jul 2008 20:53:41 +0000 (22:53 +0200)
committerMichael Adam <obnox@samba.org>
Fri, 1 Aug 2008 14:07:58 +0000 (16:07 +0200)
I.e. only the passwords and keys of those objects whose dns are provided
are written to the keytab file. Others are skipped.

Michael
(This used to be commit a013f926ae5aadf64e02ef9254306e32aea79e80)

source3/libnet/libnet_dssync_keytab.c

index d74ee3dbdb0a8791b471a70eaff140645a56dafd..2558e1d8019fb728ae6d0769d1a934e4c9dc7df7 100644 (file)
@@ -554,6 +554,24 @@ static NTSTATUS parse_object(TALLOC_CTX *mem_ctx,
        return status;
 }
 
+static bool dn_is_in_object_list(struct dssync_context *ctx,
+                                const char *dn)
+{
+       uint32_t count;
+
+       if (ctx->object_count == 0) {
+               return true;
+       }
+
+       for (count = 0; count < ctx->object_count; count++) {
+               if (strequal(ctx->object_dns[count], dn)) {
+                       return true;
+               }
+       }
+
+       return false;
+}
+
 /****************************************************************
 ****************************************************************/
 
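Review bot: `dn_is_in_object_list()` returns true for every DN when `ctx->object_count == 0`, so an empty list means "no filter" and every replicated object's keys are written; nothing in the helper states that fail-open default. Because this predicate decides which accounts' secrets land in the keytab, I would add a comment above it, e.g. `/* An empty object_dns list means no filter: every object passes. */`. The match is a plain `strequal()` on the DN strings, so a DN given in an equivalent but differently spelled form (spacing, escaping) would presumably be skipped; the same comment should say that the list entries must match the server's DN string form. `ctx` is only read here and could be declared `const struct dssync_context *ctx`.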
@@ -567,6 +585,16 @@ static NTSTATUS keytab_process_objects(struct dssync_context *ctx,
                (struct libnet_keytab_context *)ctx->private_data;
 
        for (; cur; cur = cur->next_object) {
+               /*
+                * When not in single object replication mode,
+                * the object_dn list is used as a positive write filter.
+                */
+               if (!ctx->single_object_replication &&
+                   !dn_is_in_object_list(ctx, cur->object.identifier->dn))
+               {
+                       continue;
+               }
+
                status = parse_object(mem_ctx, keytab_ctx, cur);
                if (!NT_STATUS_IS_OK(status)) {
                        goto out;
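Review bot: The new filter dereferences `cur->object.identifier->dn` at the top of the loop without checking `identifier`, and this data comes from the replication peer. Whether `parse_object()` already relies on it being non-NULL is not visible in this hunk, so either guard it here with `if (cur->object.identifier == NULL) { continue; }` or confirm the invariant where the objects are received. Objects that fail the filter are also dropped silently, so a mistyped DN yields a keytab that is missing keys with no indication. A low-level debug line before the `continue`, e.g. `DEBUG(10, ("skipping %s: not in object dn list\n", cur->object.identifier->dn));`, would make that diagnosable. The body of `keytab_process_objects()` starts and ends outside the hunk.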