#include "librpc/gen_ndr/ndr_security.h"
#include "param/param.h"
#include "dsdb/samdb/ldb_modules/util.h"
-#include "dsdb/samdb/ldb_modules/schema.h"
#include "lib/util/tsort.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
struct acl_private {
bool acl_perform;
const char **password_attrs;
+ void *cached_schema_ptr;
+ uint64_t cached_schema_metadata_usn;
+ uint64_t cached_schema_loaded_usn;
+ const char **confidential_attrs;
};
struct acl_context {
struct ldb_module *module;
struct ldb_request *req;
bool am_system;
+ bool am_administrator;
+ bool modify_search;
+ bool constructed_attrs;
bool allowedAttributes;
bool allowedAttributesEffective;
bool allowedChildClasses;
return ldb_operr(ldb);
}
- data = talloc(module, struct acl_private);
+ data = talloc_zero(module, struct acl_private);
if (data == NULL) {
return ldb_oom(ldb);
}
- data->password_attrs = NULL;
data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
NULL, "acl", "perform", false);
ldb_module_set_private(module, data);
return LDB_SUCCESS;
}
+static int acl_check_access_on_class(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct security_token *token,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const char *class_name)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct GUID *guid;
+
+ if (class_name != NULL) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(mem_ctx,
+ guid, access_mask,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+ goto fail;
+ }
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return ldb_operr(ldb_module_get_ctx(module));
+}
+
static int acl_childClassesEffective(struct ldb_module *module,
const struct dsdb_schema *schema,
struct ldb_message *sd_msg,
schema,
msg,
sd,
+ acl_user_token(module),
sid,
SEC_ADS_CREATE_CHILD,
sclass->possibleInferiors[j]);
char *instanceName;
char *serviceType;
char *serviceName;
- const char *realm;
const char *forest_name = samdb_forest_name(ldb, mem_ctx);
const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
instanceName = principal->name.name_string.val[1];
serviceType = principal->name.name_string.val[0];
- realm = krb5_principal_get_realm(krb_ctx, principal);
if (principal->name.name_string.len == 3) {
serviceName = principal->name.name_string.val[2];
} else {
if (strlen(instanceName) == (strlen(samAccountName) - 1)
&& strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
goto success;
- } else if (strcasecmp(instanceName, dnsHostName) == 0) {
+ } else if (dnsHostName != NULL && strcasecmp(instanceName, dnsHostName) == 0) {
goto success;
} else if (is_dc) {
const char *guid_str;
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
- DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl: unable to find objectClass on %s\n",
+ ldb_dn_get_linearized(req->op.add.message->dn));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
return ret;
}
+static const struct GUID *get_oc_guid_from_message(const struct dsdb_schema *schema,
+ struct ldb_message *msg)
+{
+ struct ldb_message_element *oc_el;
+ const struct dsdb_class *object_class;
+
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+ if (!oc_el) {
+ return NULL;
+ }
+
+ object_class = dsdb_get_last_structural_class(schema, oc_el);
+ if (object_class == NULL) {
+ return NULL;
+ }
+
+ return &object_class->schemaIDGUID;
+}
+
+
static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
int ret;
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED,
+ req);
if (ret != LDB_SUCCESS) {
goto fail;
goto success;
}
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!guid) {
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write dacl access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write dacl access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree securityGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree attributeGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write property access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write property access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
- acl_user_token(module),
- req->op.mod.message->dn,
- true,
- 10);
+ acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
goto fail;
}
return ldb_operr(ldb);
}
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
talloc_free(tmp_ctx);
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no wp on name\n",
- ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no wp on name\n",
+ ldb_dn_get_linearized(req->op.rename.olddn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
/* new parent should have create child */
root = NULL;
new_node = NULL;
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!guid) {
- DEBUG(10,("acl:renamed object has no object class\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:renamed object has no object class\n");
talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s",
+ ldb_dn_get_linearized(req->op.rename.olddn));
talloc_free(tmp_ctx);
return ret;
}
/* what about delete child on the current parent */
ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, ret);
}
return ldb_next_request(module, req);
}
+static int acl_search_update_confidential_attrs(struct acl_context *ac,
+ struct acl_private *data)
+{
+ struct dsdb_attribute *a;
+ uint32_t n = 0;
+
+ if ((ac->schema == data->cached_schema_ptr) &&
+ (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
+ (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
+ {
+ return LDB_SUCCESS;
+ }
+
+ data->cached_schema_ptr = NULL;
+ data->cached_schema_loaded_usn = 0;
+ data->cached_schema_metadata_usn = 0;
+ TALLOC_FREE(data->confidential_attrs);
+
+ if (ac->schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ for (a = ac->schema->attributes; a; a = a->next) {
+ const char **attrs = data->confidential_attrs;
+
+ if (!(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) {
+ continue;
+ }
+
+ attrs = talloc_realloc(data, attrs, const char *, n + 2);
+ if (attrs == NULL) {
+ TALLOC_FREE(data->confidential_attrs);
+ return ldb_module_oom(ac->module);
+ }
+
+ attrs[n] = a->lDAPDisplayName;
+ attrs[n+1] = NULL;
+ n++;
+
+ data->confidential_attrs = attrs;
+ }
+
+ data->cached_schema_ptr = ac->schema;
+ data->cached_schema_loaded_usn = ac->schema->loaded_usn;
+ data->cached_schema_metadata_usn = ac->schema->metadata_usn;
+
+ return LDB_SUCCESS;
+}
+
static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
- struct ldb_context *ldb;
struct acl_context *ac;
struct acl_private *data;
struct ldb_result *acl_res;
ac = talloc_get_type(req->context, struct acl_context);
data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
- ldb = ldb_module_get_ctx(ac->module);
-
if (!ares) {
return ldb_module_done(ac->req, NULL, NULL,
LDB_ERR_OPERATIONS_ERROR);
switch (ares->type) {
case LDB_REPLY_ENTRY:
- if (ac->allowedAttributes
- || ac->allowedChildClasses
- || ac->allowedChildClassesEffective
- || ac->allowedAttributesEffective
- || ac->sDRightsEffective) {
+ if (ac->constructed_attrs) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_SEARCH_SHOW_DELETED, req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedAttributes || ac->allowedAttributesEffective) {
- ret = acl_allowedAttributes(ac->module, ac->schema, acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+ ret = acl_allowedAttributes(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedChildClasses) {
- ret = acl_childClasses(ac->module, ac->schema, acl_res->msgs[0],
- ares->message, "allowedChildClasses");
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedChildClasses) {
+ ret = acl_childClasses(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message,
+ "allowedChildClasses");
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedChildClassesEffective) {
- ret = acl_childClassesEffective(ac->module, ac->schema,
- acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedChildClassesEffective) {
+ ret = acl_childClassesEffective(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->sDRightsEffective) {
- ret = acl_sDRightsEffective(ac->module,
- acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->sDRightsEffective) {
+ ret = acl_sDRightsEffective(ac->module,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
}
- if (data && data->password_attrs) {
- if (!ac->am_system) {
- for (i = 0; data->password_attrs[i]; i++) {
- if ((!ac->userPassword) &&
- (ldb_attr_cmp(data->password_attrs[i],
- "userPassword") == 0))
- continue;
- ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
+ if (data == NULL) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ if (ac->am_system) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ if (data->password_attrs != NULL) {
+ for (i = 0; data->password_attrs[i]; i++) {
+ if ((!ac->userPassword) &&
+ (ldb_attr_cmp(data->password_attrs[i],
+ "userPassword") == 0))
+ {
+ continue;
}
+
+ ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
}
}
+
+ if (ac->am_administrator) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ ret = acl_search_update_confidential_attrs(ac, data);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (data->confidential_attrs != NULL) {
+ for (i = 0; data->confidential_attrs[i]; i++) {
+ ldb_msg_remove_attr(ares->message,
+ data->confidential_attrs[i]);
+ }
+ }
+
return ldb_module_send_entry(ac->req, ares->message, ares->controls);
case LDB_REPLY_REFERRAL:
{
struct ldb_context *ldb;
struct acl_context *ac;
+ struct ldb_parse_tree *down_tree;
struct ldb_request *down_req;
struct acl_private *data;
int ret;
ac->module = module;
ac->req = req;
ac->am_system = dsdb_module_am_system(module);
+ ac->am_administrator = dsdb_module_am_administrator(module);
+ ac->constructed_attrs = false;
+ ac->modify_search = true;
ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->userPassword = dsdb_user_password_support(module, ac, req);
ac->schema = dsdb_get_schema(ldb, ac);
- /* replace any attributes in the parse tree that are private,
- so we don't allow a search for 'userPassword=penguin',
- just as we would not allow that attribute to be returned */
+ ac->constructed_attrs |= ac->allowedAttributes;
+ ac->constructed_attrs |= ac->allowedChildClasses;
+ ac->constructed_attrs |= ac->allowedChildClassesEffective;
+ ac->constructed_attrs |= ac->allowedAttributesEffective;
+ ac->constructed_attrs |= ac->sDRightsEffective;
+
+ if (data == NULL) {
+ ac->modify_search = false;
+ }
if (ac->am_system) {
- /* FIXME: We should copy the tree and keep the original unmodified. */
- /* remove password attributes */
- if (data && data->password_attrs) {
- for (i = 0; data->password_attrs[i]; i++) {
- if ((!ac->userPassword) &&
- (ldb_attr_cmp(data->password_attrs[i],
- "userPassword") == 0))
- continue;
+ ac->modify_search = false;
+ }
- ldb_parse_tree_attr_replace(req->op.search.tree,
- data->password_attrs[i],
- "kludgeACLredactedattribute");
+ if (!ac->constructed_attrs && !ac->modify_search) {
+ return ldb_next_request(module, req);
+ }
+
+ ret = acl_search_update_confidential_attrs(ac, data);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
+ if (down_tree == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ if (!ac->am_system && data->password_attrs) {
+ for (i = 0; data->password_attrs[i]; i++) {
+ if ((!ac->userPassword) &&
+ (ldb_attr_cmp(data->password_attrs[i],
+ "userPassword") == 0))
+ {
+ continue;
}
+
+ ldb_parse_tree_attr_replace(down_tree,
+ data->password_attrs[i],
+ "kludgeACLredactedattribute");
}
}
+
+ if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) {
+ for (i = 0; data->confidential_attrs[i]; i++) {
+ ldb_parse_tree_attr_replace(down_tree,
+ data->confidential_attrs[i],
+ "kludgeACLredactedattribute");
+ }
+ }
+
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
req->op.search.base,
req->op.search.scope,
- req->op.search.tree,
+ down_tree,
req->op.search.attrs,
req->controls,
ac, acl_search_callback,