4 Copyright (C) Nadezhda Ivanova 2010
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 * Description: utility functions for access checking on objects
25 * Authors: Nadezhda Ivanova
30 #include "ldb_module.h"
31 #include "ldb_errors.h"
32 #include "libcli/security/security.h"
33 #include "librpc/gen_ndr/ndr_security.h"
34 #include "libcli/ldap/ldap_ndr.h"
35 #include "param/param.h"
36 #include "auth/auth.h"
37 #include "dsdb/samdb/samdb.h"
39 void dsdb_acl_debug(struct security_descriptor *sd,
40 struct security_token *token,
46 DEBUG(level, ("Access on %s denied", ldb_dn_get_linearized(dn)));
48 DEBUG(level, ("Access on %s granted", ldb_dn_get_linearized(dn)));
51 DEBUG(level,("Security context: %s\n",
52 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_token,"", token)));
53 DEBUG(level,("Security descriptor: %s\n",
54 ndr_print_struct_string(0,(ndr_print_fn_t)ndr_print_security_descriptor,"", sd)));
57 int dsdb_get_sd_from_ldb_message(struct ldb_context *ldb,
59 struct ldb_message *acl_res,
60 struct security_descriptor **sd)
62 struct ldb_message_element *sd_element;
63 enum ndr_err_code ndr_err;
65 sd_element = ldb_msg_find_element(acl_res, "nTSecurityDescriptor");
70 *sd = talloc(mem_ctx, struct security_descriptor);
74 ndr_err = ndr_pull_struct_blob(&sd_element->values[0], *sd, *sd,
75 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
77 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
78 return ldb_operr(ldb);
84 int dsdb_check_access_on_dn_internal(struct ldb_context *ldb,
85 struct ldb_result *acl_res,
87 struct security_token *token,
90 const struct GUID *guid)
92 struct security_descriptor *sd = NULL;
93 struct dom_sid *sid = NULL;
94 struct object_tree *root = NULL;
95 struct object_tree *new_node = NULL;
97 uint32_t access_granted;
100 ret = dsdb_get_sd_from_ldb_message(ldb, mem_ctx, acl_res->msgs[0], &sd);
101 if (ret != LDB_SUCCESS) {
102 return ldb_operr(ldb);
104 /* Theoretically we pass the check if the object has no sd */
108 sid = samdb_result_dom_sid(mem_ctx, acl_res->msgs[0], "objectSid");
110 if (!insert_in_object_tree(mem_ctx, guid, access, &root, &new_node)) {
111 return ldb_operr(ldb);
114 status = sec_access_check_ds(sd, token,
119 if (!NT_STATUS_IS_OK(status)) {
125 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
130 /* performs an access check from outside the module stack
131 * given the dn of the object to be checked, the required access
132 * guid is either the guid of the extended right, or NULL
135 int dsdb_check_access_on_dn(struct ldb_context *ldb,
139 const struct GUID *guid)
142 struct ldb_result *acl_res;
143 static const char *acl_attrs[] = {
144 "nTSecurityDescriptor",
149 struct auth_session_info *session_info
150 = (struct auth_session_info *)ldb_get_opaque(ldb, "sessionInfo");
152 return ldb_operr(ldb);
155 ret = ldb_search(ldb, mem_ctx, &acl_res, dn, LDB_SCOPE_BASE, acl_attrs, NULL);
156 if (ret != LDB_SUCCESS) {
157 DEBUG(10,("access_check: failed to find object %s\n", ldb_dn_get_linearized(dn)));
161 return dsdb_check_access_on_dn_internal(ldb, acl_res,
163 session_info->security_token,