s4-ldbmodules: Modified rootdce to deny anonymous access depending on dSHeuristics
authorNadezhda Ivanova <nivanova@samba.org>
Thu, 12 Aug 2010 06:56:21 +0000 (09:56 +0300)
committerNadezhda Ivanova <nivanova@samba.org>
Thu, 12 Aug 2010 07:27:20 +0000 (10:27 +0300)
Any request other than a base search on the rootDSE is denied with an operations error.

source4/dsdb/samdb/ldb_modules/rootdse.c

index 3e5a94673f72bda2048766847569190687fcfaae..4ad68799409fdcff8d97677110adc79290af485c 100644 (file)
@@ -494,12 +494,22 @@ static int rootdse_search(struct ldb_module *module, struct ldb_request *req)
        struct ldb_context *ldb;
        struct rootdse_context *ac;
        struct ldb_request *down_req;
+       bool block_anonymous;
        int ret;
 
        ldb = ldb_module_get_ctx(module);
 
        /* see if its for the rootDSE - only a base search on the "" DN qualifies */
        if (!(req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base))) {
+               struct auth_session_info *session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
+               if (session_info && security_token_is_anonymous(session_info->security_token)) {
+                       block_anonymous = dsdb_block_anonymous_ops(module, req);
+                       if (block_anonymous && !ldb_dn_is_special(req->op.search.base)) {
+                               /*      DEBUG(0, ("REq %s", ldb_dn_get_linearized(req->op.search.base))); */
+                               return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
+                                                "This request is not allowed to an anonymous connection.");
+                       }
+               }
                /* Otherwise, pass down to the rest of the stack */
                return ldb_next_request(module, req);
        }
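Review bot: The commented-out `DEBUG(0, ...)` line inside the new anonymous-access branch is dead code and should be dropped rather than committed. The two conditions that let a request through are also worth documenting, since they decide the policy: a missing `sessionInfo` opaque bypasses the check entirely, and `ldb_dn_is_special()` exempts special DNs even for anonymous callers; presumably the first is the internal-connection case, but the hunk does not show it. A comment such as `/* No sessionInfo opaque: treated as an internal connection, so the anonymous check does not apply — TODO confirm */` above the `if (session_info && ...)` line, plus one naming why special DNs are exempt, would make the intent reviewable. `rootdse_search` starts and ends outside this hunk.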
@@ -626,9 +636,9 @@ static int rootdse_init(struct ldb_module *module)
 
           Then stuff these values into an opaque
        */
-       ret = ldb_search(ldb, mem_ctx, &res,
+       ret = dsdb_module_search(module, mem_ctx, &res,
                         ldb_get_default_basedn(ldb),
-                        LDB_SCOPE_BASE, attrs, NULL);
+                                LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE,NULL);
        if (ret == LDB_SUCCESS && res->count == 1) {
                int domain_behaviour_version
                        = ldb_msg_find_attr_as_int(res->msgs[0],
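Review bot: The new `dsdb_module_search` call drops the space after the comma in `DSDB_FLAG_NEXT_MODULE,NULL` and its continuation line is no longer aligned with the opening parenthesis, which breaks the style of the surrounding calls; `LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE, NULL);` aligned under `module,` would match. The same spacing appears in the hunks at the partitions search and the `dsServiceName` search below, and the untouched `ldb_search` on the `""` DN picked up the same `ds_attrs,NULL` form without any functional change. `rootdse_init` starts and ends outside this hunk.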
@@ -648,9 +658,9 @@ static int rootdse_init(struct ldb_module *module)
                }
        }
 
-       ret = ldb_search(ldb, mem_ctx, &res,
+       ret = dsdb_module_search(module, mem_ctx, &res,
                         samdb_partitions_dn(ldb, mem_ctx),
-                        LDB_SCOPE_BASE, attrs, NULL);
+                                LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE,NULL);
        if (ret == LDB_SUCCESS && res->count == 1) {
                int forest_behaviour_version
                        = ldb_msg_find_attr_as_int(res->msgs[0],
@@ -672,14 +682,14 @@ static int rootdse_init(struct ldb_module *module)
 
        ret = ldb_search(ldb, mem_ctx, &res,
                         ldb_dn_new(mem_ctx, ldb, ""),
-                        LDB_SCOPE_BASE, ds_attrs, NULL);
+                                LDB_SCOPE_BASE, ds_attrs,NULL);
        if (ret == LDB_SUCCESS && res->count == 1) {
                struct ldb_dn *ds_dn
                        = ldb_msg_find_attr_as_dn(ldb, mem_ctx, res->msgs[0],
                                                  "dsServiceName");
                if (ds_dn) {
-                       ret = ldb_search(ldb, mem_ctx, &res, ds_dn,
-                                        LDB_SCOPE_BASE, attrs, NULL);
+                       ret = dsdb_module_search(module, mem_ctx, &res, ds_dn,
+                                                LDB_SCOPE_BASE, attrs, DSDB_FLAG_NEXT_MODULE,NULL);
                        if (ret == LDB_SUCCESS && res->count == 1) {
                                int domain_controller_behaviour_version
                                        = ldb_msg_find_attr_as_int(res->msgs[0],
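Review bot: The base search on the `""` DN is the one call in `rootdse_init` left as `ldb_search` while the neighbouring searches were switched to `dsdb_module_search` with `DSDB_FLAG_NEXT_MODULE`, and nothing in the hunk says whether that is deliberate. If it is (the `""` base search reads the rootDSE itself, so it presumably has to enter at the top of the stack rather than below this module), a one-line comment such as `/* rootDSE lookup: must go through the full stack, not dsdb_module_search */` would stop the next cleanup from converting it. The only change to that call here is whitespace, so the behaviour is unchanged either way. `rootdse_init` starts and ends outside this hunk.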