s4:ldap_server: don't call ldb_req_mark_untrusted() on the privileged ldapi socket
authorStefan Metzmacher <metze@samba.org>
Wed, 1 Dec 2010 11:18:21 +0000 (12:18 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 13 Dec 2010 14:32:04 +0000 (15:32 +0100)
metze

source4/ldap_server/ldap_backend.c
source4/ldap_server/ldap_server.c
source4/ldap_server/ldap_server.h

index 01d0376b8263c8c8da3aaa2101b554ad38e1675d..f3c9b01b7e75a351cca057472eff157393d08491 100644 (file)
@@ -321,7 +321,9 @@ static int ldapsrv_add_with_controls(struct ldapsrv_call *call,
                return ret;
        }
 
-       ldb_req_mark_untrusted(req);
+       if (!call->conn->is_privileged) {
+               ldb_req_mark_untrusted(req);
+       }
 
        LDB_REQ_SET_LOCATION(req);
 
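Review bot: The same three-line `if (!call->conn->is_privileged)` guard is pasted into all five request builders (add, mod, del, rename and search, here and in the four hunks below), and none of them has a comment explaining why a privileged connection is exempt. Because this guard decides whether ldb treats the request as untrusted, it would be safer in one static helper with the rationale documented once, so that a request path added later cannot silently omit or invert the check. Each enclosing function starts and ends outside its hunk, so any other code path that builds an ldb request could not be checked from here.

```c
/*
 * Every connection except the privileged ldapi socket has its
 * requests marked untrusted before they are handed to ldb.
 */
static void ldapsrv_req_mark_trust(struct ldapsrv_call *call,
				   struct ldb_request *req)
{
	if (!call->conn->is_privileged) {
		ldb_req_mark_untrusted(req);
	}
}

/* … unchanged: request construction in ldapsrv_add_with_controls … */
	ldapsrv_req_mark_trust(call, req);

	LDB_REQ_SET_LOCATION(req);
```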
@@ -372,7 +374,9 @@ static int ldapsrv_mod_with_controls(struct ldapsrv_call *call,
                return ret;
        }
 
-       ldb_req_mark_untrusted(req);
+       if (!call->conn->is_privileged) {
+               ldb_req_mark_untrusted(req);
+       }
 
        LDB_REQ_SET_LOCATION(req);
 
@@ -416,7 +420,9 @@ static int ldapsrv_del_with_controls(struct ldapsrv_call *call,
                return ret;
        }
 
-       ldb_req_mark_untrusted(req);
+       if (!call->conn->is_privileged) {
+               ldb_req_mark_untrusted(req);
+       }
 
        LDB_REQ_SET_LOCATION(req);
 
@@ -461,7 +467,9 @@ static int ldapsrv_rename_with_controls(struct ldapsrv_call *call,
                return ret;
        }
 
-       ldb_req_mark_untrusted(req);
+       if (!call->conn->is_privileged) {
+               ldb_req_mark_untrusted(req);
+       }
 
        LDB_REQ_SET_LOCATION(req);
 
@@ -600,7 +608,9 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 
        ldb_set_timeout(samdb, lreq, req->timelimit);
 
-       ldb_req_mark_untrusted(lreq);
+       if (!call->conn->is_privileged) {
+               ldb_req_mark_untrusted(lreq);
+       }
 
        LDB_REQ_SET_LOCATION(lreq);
 
index db775c9a1239c0fea5ecefa06334e7e114c8179f..21030ba318571bf865cd1300b9c59a31b6b937a8 100644 (file)
@@ -261,7 +261,8 @@ static void ldapsrv_accept_tls_done(struct tevent_req *subreq);
   for reading from that socket
 */
 static void ldapsrv_accept(struct stream_connection *c,
-                          struct auth_session_info *session_info)
+                          struct auth_session_info *session_info,
+                          bool is_privileged)
 {
        struct ldapsrv_service *ldapsrv_service = 
                talloc_get_type(c->private_data, struct ldapsrv_service);
@@ -279,6 +280,7 @@ static void ldapsrv_accept(struct stream_connection *c,
                stream_terminate_connection(c, "ldapsrv_accept: out of memory");
                return;
        }
+       conn->is_privileged = is_privileged;
 
        conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send queue");
        if (conn->sockets.send_queue == NULL) {
@@ -758,7 +760,7 @@ static void ldapsrv_accept_nonpriv(struct stream_connection *c)
                                            "session info");
                return;
        }
-       ldapsrv_accept(c, session_info);
+       ldapsrv_accept(c, session_info, false);
 }
 
 static const struct stream_server_ops ldap_stream_nonpriv_ops = {
@@ -786,7 +788,7 @@ static void ldapsrv_accept_priv(struct stream_connection *c)
                                            "session info");
                return;
        }
-       ldapsrv_accept(c, session_info);
+       ldapsrv_accept(c, session_info, true);
 }
 
 static const struct stream_server_ops ldap_stream_priv_ops = {
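Review bot: The literal `true` passed to `ldapsrv_accept()` here is now the only thing that exempts a connection's requests from the untrusted mark, and nothing at the call site says so. Whatever checks ldb applies to untrusted requests are skipped for anyone who can connect to this socket, so access to the socket itself becomes the effective boundary; that is presumably enforced by filesystem permissions where the listener is created, which is outside this hunk. A comment above the call would record the dependency, e.g. `/* privileged ldapi: requests are not marked untrusted, so access is limited only by who can open the socket */`. ldapsrv_accept_priv begins outside the hunk.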
index 4d5cae49fc74fc36c996a959fbe089e2dff722fd..6f8b433a1cdabbbcef74b9538f452fe65b17796a 100644 (file)
@@ -41,6 +41,7 @@ struct ldapsrv_connection {
        } sockets;
 
        bool global_catalog;
+       bool is_privileged;
 
        struct {
                int initial_timeout;
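Review bot: `is_privileged` is added to `struct ldapsrv_connection` without a comment, although it is the flag that decides whether requests on the connection are marked untrusted. I would document it at the declaration, e.g. `/* set once in ldapsrv_accept(); true only for the privileged ldapi socket, whose requests skip ldb_req_mark_untrusted() */`, and state that it must not change after accept. The struct continues outside the hunk.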