ret = dsdb_module_search_dn(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE|DSDB_FLAG_TRUSTED, NULL);
if (ret != LDB_SUCCESS) {
goto done;
}
ret = dsdb_module_search_dn(module, tmp_ctx,
&acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_DELETED);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
+ DSDB_SEARCH_SHOW_DELETED, req);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
&netbios_res, partitions_dn,
LDB_SCOPE_ONELEVEL,
netbios_attrs,
- DSDB_FLAG_NEXT_MODULE,
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED,
+ req,
"(ncName=%s)",
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
guid = class_schemaid_guid_by_lDAPDisplayName(schema,
(char *)oc_el->values[oc_el->num_values-1].data);
- ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, parent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
return ret;
}
struct security_descriptor *sd;
struct dom_sid *sid = NULL;
struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
- bool userPassword = dsdb_user_password_support(module, req);
+ bool userPassword = dsdb_user_password_support(module, req, req);
TALLOC_CTX *tmp_ctx = talloc_new(req);
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
if (ret != LDB_SUCCESS) {
goto fail;
ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
if (ret != LDB_SUCCESS) {
- DEBUG(10, ("acl_modify: cannot get descriptor\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error retrieving security descriptor.");
}
/* Theoretically we pass the check if the object has no sd */
if (!sd) {
guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
if (!guid) {
- DEBUG(10, ("acl_modify: cannot get guid\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error retrieving object class GUID.");
}
sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree\n"));
- goto fail;
+ talloc_free(tmp_ctx);
+ return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+ "acl_modify: Error adding new node in object tree.");
}
for (i=0; i < req->op.mod.message->num_elements; i++){
const struct dsdb_attribute *attr;
attr = dsdb_attribute_by_lDAPDisplayName(schema,
- req->op.mod.message->elements[i].name);
+ req->op.mod.message->elements[i].name);
if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
status = sec_access_check_ds(sd, acl_user_token(module),
/* First check if we have delete object right */
ret = dsdb_module_check_access_on_dn(module, req, req->op.del.dn,
- SEC_STD_DELETE, NULL);
+ SEC_STD_DELETE, NULL, req);
if (ret == LDB_SUCCESS) {
return ldb_next_request(module, req);
}
/* Nope, we don't have delete object. Lets check if we have delete
* child on the parent */
ret = dsdb_module_check_access_on_dn(module, req, parent,
- SEC_ADS_DELETE_CHILD, NULL);
+ SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
return ret;
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
req->op.rename.olddn, acl_attrs,
- DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_RECYCLED);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED |
+ DSDB_SEARCH_SHOW_RECYCLED, req);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl: failed to find object %s\n",
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
- ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid);
+ ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
talloc_free(tmp_ctx);
return ldb_next_request(module, req);
}
/* what about delete child on the current parent */
- ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL);
+ ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
talloc_free(tmp_ctx);
|| ac->sDRightsEffective) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE);
+ DSDB_FLAG_NEXT_MODULE | DSDB_FLAG_TRUSTED, req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
- ac->userPassword = dsdb_user_password_support(module, ac);
+ ac->userPassword = dsdb_user_password_support(module, ac, req);
ac->schema = dsdb_get_schema(ldb, ac);
/* replace any attributes in the parse tree that are private,