4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 * Component: ldb ACL Read module
26 * Description: Module that performs authorisation access checks on read requests
27 * Only DACL checks implemented at this point
29 * Author: Nadezhda Ivanova
33 #include "ldb_module.h"
34 #include "auth/auth.h"
35 #include "libcli/security/security.h"
36 #include "dsdb/samdb/samdb.h"
37 #include "librpc/gen_ndr/ndr_security.h"
38 #include "param/param.h"
39 #include "dsdb/samdb/ldb_modules/util.h"
42 struct aclread_context {
43 struct ldb_module *module;
44 struct ldb_request *req;
45 const char * const *attrs;
46 const struct dsdb_schema *schema;
49 struct aclread_private {
53 static int aclread_callback(struct ldb_request *req, struct ldb_reply *ares)
55 struct ldb_context *ldb;
56 struct aclread_context *ac;
57 struct ldb_result *acl_res;
58 struct ldb_message_element *parent;
59 static const char *acl_attrs[] = {
60 "nTSecurityDescriptor",
66 struct security_descriptor *sd;
67 struct dom_sid *sid = NULL;
69 ac = talloc_get_type(req->context, struct aclread_context);
70 ldb = ldb_module_get_ctx(ac->module);
72 return ldb_module_done(ac->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR );
74 if (ares->error != LDB_SUCCESS) {
75 return ldb_module_done(ac->req, ares->controls,
76 ares->response, ares->error);
78 tmp_ctx = talloc_new(ac);
81 ret = dsdb_module_search_dn(ac->module, tmp_ctx, &acl_res, ares->message->dn,
83 DSDB_FLAG_NEXT_MODULE |
84 DSDB_SEARCH_SHOW_DELETED);
85 if (ret != LDB_SUCCESS) {
88 ret = dsdb_get_sd_from_ldb_message(ldb, tmp_ctx, acl_res->msgs[0], &sd);
89 if (ret != LDB_SUCCESS) {
90 DEBUG(10, ("acl_read: cannot get descriptor\n"));
91 ret = LDB_ERR_OPERATIONS_ERROR;
94 sid = samdb_result_dom_sid(tmp_ctx, acl_res->msgs[0], "objectSid");
95 /* get the parent guid */
96 parent = ldb_msg_find_element(acl_res->msgs[0], "parentGUID");
98 /* the object has a parent, so we have to check for visibility */
99 struct GUID parent_guid = samdb_result_guid(acl_res->msgs[0], "parentGUID");
100 ret = dsdb_module_check_access_on_guid(ac->module,
105 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
106 talloc_free(tmp_ctx);
108 } else if (ret != LDB_SUCCESS) {
112 /* for every element in the message check RP */
114 while (i < ares->message->num_elements) {
116 const struct dsdb_attribute *attr;
117 p = strchr(ares->message->elements[i].name, ';');
119 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
120 ares->message->elements[i].name);
122 new_attr = talloc_strndup(tmp_ctx,
123 ares->message->elements[i].name,
124 (size_t)(p -ares->message->elements[i].name));
127 ret = LDB_ERR_OPERATIONS_ERROR;
130 attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
132 talloc_free(new_attr);
136 DEBUG(2, ("acl_read: cannot find attribute %s in schema\n",
137 ares->message->elements[i].name));
138 ret = LDB_ERR_OPERATIONS_ERROR;
141 /* nTSecurityDescriptor is a special case */
142 if (ldb_attr_cmp("nTSecurityDescriptor",
143 ares->message->elements[i].name) == 0) {
144 ret = acl_check_access_on_attribute(ac->module,
148 SEC_FLAG_SYSTEM_SECURITY,
151 ret = acl_check_access_on_attribute(ac->module,
158 if (ret == LDB_SUCCESS) {
160 } else if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
161 /* do not return this entry if attribute is
162 part of the search filter */
163 if (dsdb_attr_in_parse_tree(ac->req->op.search.tree,
164 ares->message->elements[i].name)) {
165 talloc_free(tmp_ctx);
168 ldb_msg_remove_attr(ares->message, ares->message->elements[i].name);
173 talloc_free(tmp_ctx);
174 return ldb_module_send_entry(ac->req, ares->message, ares->controls);
175 case LDB_REPLY_REFERRAL:
176 return ldb_module_send_referral(ac->req, ares->referral);
178 return ldb_module_done(ac->req, ares->controls,
179 ares->response, LDB_SUCCESS);
184 talloc_free(tmp_ctx);
185 return ldb_module_done(ac->req, NULL, NULL, ret);
189 static int aclread_search(struct ldb_module *module, struct ldb_request *req)
191 struct ldb_context *ldb;
193 bool block_anonymous;
194 struct aclread_context *ac;
195 struct ldb_request *down_req;
196 struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
197 struct ldb_control *apply_access = ldb_request_get_control(req, DSDB_CONTROL_SEARCH_APPLY_ACCESS);
198 struct auth_session_info *session_info;
199 struct ldb_result *res;
200 struct ldb_message_element *parent;
201 struct aclread_private *p;
202 static const char *acl_attrs[] = {
206 ldb = ldb_module_get_ctx(module);
207 p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
208 if (apply_access != NULL) {
209 apply_access->critical = 0;
211 /* skip access checks if we are system or system control is supplied
212 * or this is not LDAP server request */
213 if (!p || !p->enabled ||
214 dsdb_module_am_system(module)
215 || as_system || !apply_access) {
216 return ldb_next_request(module, req);
218 /* no checks on special dn */
219 if (ldb_dn_is_special(req->op.search.base)) {
220 return ldb_next_request(module, req);
222 /* allow all access to rootDSE */
223 if (req->op.search.scope == LDB_SCOPE_BASE && ldb_dn_is_null(req->op.search.base)) {
224 return ldb_next_request(module, req);
227 session_info = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
228 if (session_info && security_token_is_anonymous(session_info->security_token)) {
229 block_anonymous = dsdb_block_anonymous_ops(module, req);
230 if (block_anonymous) {
231 return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
232 "This request is not allowed to an anonymous connection.");
236 /* check accessibility of base */
237 if (!ldb_dn_is_null(req->op.search.base)) {
238 ret = dsdb_module_search_dn(module, req, &res, req->op.search.base,
240 DSDB_FLAG_NEXT_MODULE |
241 DSDB_SEARCH_SHOW_DELETED);
242 if (ret != LDB_SUCCESS) {
243 return ldb_error(ldb, ret,
244 "acl_read: Error retrieving SD for base.");
247 parent = ldb_msg_find_element(res->msgs[0], "parentGUID");
249 /* the object has a parent, so we have to check for visibility */
250 struct GUID parent_guid = samdb_result_guid(res->msgs[0], "parentGUID");
251 ret = dsdb_module_check_access_on_guid(module,
256 if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
257 return ldb_module_done(req, NULL, NULL, LDB_ERR_NO_SUCH_OBJECT);
258 } else if (ret != LDB_SUCCESS) {
259 return ldb_module_done(req, NULL, NULL, ret);
263 ac = talloc_zero(req, struct aclread_context);
269 ac->schema = dsdb_get_schema(ldb, req);
271 return ldb_operr(ldb);
274 ret = ldb_build_search_req_ex(&down_req,
277 req->op.search.scope,
279 req->op.search.attrs,
281 ac, aclread_callback,
284 if (ret != LDB_SUCCESS) {
285 return LDB_ERR_OPERATIONS_ERROR;
288 return ldb_next_request(module, down_req);
291 static int aclread_init(struct ldb_module *module)
293 struct ldb_context *ldb = ldb_module_get_ctx(module);
294 struct aclread_private *p = talloc_zero(module, struct aclread_private);
296 return ldb_module_oom(module);
298 p->enabled = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"), NULL, "acl", "search", false);
299 ldb_module_set_private(module, p);
300 return ldb_next_init(module);
303 _PUBLIC_ const struct ldb_module_ops ldb_aclread_module_ops = {
305 .search = aclread_search,
306 .init_context = aclread_init