#include "librpc/gen_ndr/ndr_security.h"
#include "param/param.h"
#include "dsdb/samdb/ldb_modules/util.h"
-#include "dsdb/samdb/ldb_modules/schema.h"
#include "lib/util/tsort.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
};
struct acl_private {
- bool acl_perform;
+ bool acl_search;
const char **password_attrs;
+ void *cached_schema_ptr;
+ uint64_t cached_schema_metadata_usn;
+ uint64_t cached_schema_loaded_usn;
+ const char **confidential_attrs;
};
struct acl_context {
struct ldb_module *module;
struct ldb_request *req;
bool am_system;
+ bool am_administrator;
+ bool modify_search;
+ bool constructed_attrs;
bool allowedAttributes;
bool allowedAttributesEffective;
bool allowedChildClasses;
return ldb_operr(ldb);
}
- data = talloc(module, struct acl_private);
+ data = talloc_zero(module, struct acl_private);
if (data == NULL) {
return ldb_oom(ldb);
}
- data->password_attrs = NULL;
- data->acl_perform = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
- NULL, "acl", "perform", false);
+ data->acl_search = lpcfg_parm_bool(ldb_get_opaque(ldb, "loadparm"),
+ NULL, "acl", "search", true);
ldb_module_set_private(module, data);
mem_ctx = talloc_new(module);
ret = dsdb_module_search_dn(module, mem_ctx, &res,
ldb_dn_new(mem_ctx, ldb, "@KLUDGEACL"),
attrs,
- DSDB_FLAG_NEXT_MODULE, NULL);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
+ NULL);
if (ret != LDB_SUCCESS) {
goto done;
}
return LDB_SUCCESS;
}
+static int acl_check_access_on_class(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ TALLOC_CTX *mem_ctx,
+ struct security_descriptor *sd,
+ struct security_token *token,
+ struct dom_sid *rp_sid,
+ uint32_t access_mask,
+ const char *class_name)
+{
+ int ret;
+ NTSTATUS status;
+ uint32_t access_granted;
+ struct object_tree *root = NULL;
+ struct object_tree *new_node = NULL;
+ const struct GUID *guid;
+
+ if (class_name != NULL) {
+ guid = class_schemaid_guid_by_lDAPDisplayName(schema, class_name);
+ if (!guid) {
+ DEBUG(10, ("acl_search: cannot find class %s\n",
+ class_name));
+ goto fail;
+ }
+ if (!insert_in_object_tree(mem_ctx,
+ guid, access_mask,
+ &root, &new_node)) {
+ DEBUG(10, ("acl_search: cannot add to object tree guid\n"));
+ goto fail;
+ }
+ }
+
+ status = sec_access_check_ds(sd, token,
+ access_mask,
+ &access_granted,
+ root,
+ rp_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
+ } else {
+ ret = LDB_SUCCESS;
+ }
+ return ret;
+fail:
+ return ldb_operr(ldb_module_get_ctx(module));
+}
+
static int acl_childClassesEffective(struct ldb_module *module,
const struct dsdb_schema *schema,
struct ldb_message *sd_msg,
schema,
msg,
sd,
+ acl_user_token(module),
sid,
SEC_ADS_CREATE_CHILD,
sclass->possibleInferiors[j]);
static int acl_validate_spn_value(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb,
const char *spn_value,
- int userAccountControl,
+ uint32_t userAccountControl,
const char *samAccountName,
const char *dnsHostName,
const char *netbios_name,
char *instanceName;
char *serviceType;
char *serviceName;
- const char *realm;
- const char *guid_str;
const char *forest_name = samdb_forest_name(ldb, mem_ctx);
const char *base_domain = samdb_default_domain_name(ldb, mem_ctx);
struct loadparm_context *lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
bool is_dc = (userAccountControl & UF_SERVER_TRUST_ACCOUNT) ||
(userAccountControl & UF_PARTIAL_SECRETS_ACCOUNT);
+ if (strcasecmp_m(spn_value, samAccountName) == 0) {
+ /* MacOS X sets this value, and setting an SPN of your
+ * own samAccountName is both pointless and safe */
+ return LDB_SUCCESS;
+ }
+
kerr = smb_krb5_init_context_basic(mem_ctx,
lp_ctx,
&krb_ctx);
return LDB_ERR_CONSTRAINT_VIOLATION;
}
+ if (principal->name.name_string.len < 2) {
+ goto fail;
+ }
+
instanceName = principal->name.name_string.val[1];
serviceType = principal->name.name_string.val[0];
- realm = krb5_principal_get_realm(krb_ctx, principal);
- guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
- ntds_guid,
- forest_name);
if (principal->name.name_string.len == 3) {
serviceName = principal->name.name_string.val[2];
} else {
}
/* instanceName can be samAccountName without $ or dnsHostName
* or "ntds_guid._msdcs.forest_domain for DC objects */
- if (strncasecmp(instanceName, samAccountName, strlen(samAccountName - 1)) == 0) {
+ if (strlen(instanceName) == (strlen(samAccountName) - 1)
+ && strncasecmp(instanceName, samAccountName, strlen(samAccountName) - 1) == 0) {
goto success;
- } else if (strcasecmp(instanceName, dnsHostName) == 0) {
+ } else if (dnsHostName != NULL && strcasecmp(instanceName, dnsHostName) == 0) {
goto success;
} else if (is_dc) {
+ const char *guid_str;
+ guid_str = talloc_asprintf(mem_ctx,"%s._msdcs.%s",
+ ntds_guid,
+ forest_name);
if (strcasecmp(instanceName, guid_str) == 0) {
goto success;
}
- } else {
- goto fail;
}
+
fail:
krb5_free_principal(krb_ctx, principal);
krb5_free_context(krb_ctx);
struct ldb_result *netbios_res;
struct ldb_message_element *el;
struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
- int userAccountControl;
+ uint32_t userAccountControl;
const char *samAccountName;
const char *dnsHostName;
const char *netbios_name;
- const struct GUID *ntds = samdb_ntds_objectGUID(ldb);
- const char *ntds_guid = GUID_string(tmp_ctx, ntds);
+ struct GUID ntds;
+ char *ntds_guid = NULL;
static const char *acl_attrs[] = {
"samAccountName",
"nETBIOSName",
NULL
};
+
/* if we have wp, we can do whatever we like */
if (acl_check_access_on_attribute(module,
tmp_ctx,
&acl_res, req->op.mod.message->dn,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
- DSDB_SEARCH_SHOW_DELETED, req);
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
- userAccountControl = ldb_msg_find_attr_as_int(acl_res->msgs[0], "userAccountControl", 0);
+ userAccountControl = ldb_msg_find_attr_as_uint(acl_res->msgs[0], "userAccountControl", 0);
dnsHostName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "dnsHostName", NULL);
samAccountName = ldb_msg_find_attr_as_string(acl_res->msgs[0], "samAccountName", NULL);
&netbios_res, partitions_dn,
LDB_SCOPE_ONELEVEL,
netbios_attrs,
- DSDB_FLAG_NEXT_MODULE,
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM,
req,
"(ncName=%s)",
ldb_dn_get_linearized(ldb_get_default_basedn(ldb)));
"Error finding element for servicePrincipalName.");
}
+ /* NTDSDSA objectGuid of object we are checking SPN for */
+ if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
+ ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx,
+ req->op.mod.message->dn, &ntds, req);
+ if (ret != LDB_SUCCESS) {
+ ldb_asprintf_errstring(ldb, "Failed to find NTDSDSA objectGuid for %s: %s",
+ ldb_dn_get_linearized(req->op.mod.message->dn),
+ ldb_strerror(ret));
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+ ntds_guid = GUID_string(tmp_ctx, &ntds);
+ }
+
for (i=0; i < el->num_values; i++) {
ret = acl_validate_spn_value(tmp_ctx,
ldb,
oc_el = ldb_msg_find_element(req->op.add.message, "objectClass");
if (!oc_el || oc_el->num_values == 0) {
- DEBUG(10,("acl:operation error %s\n", ldb_dn_get_linearized(req->op.add.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl: unable to find objectClass on %s\n",
+ ldb_dn_get_linearized(req->op.add.message->dn));
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
return ret;
}
+static const struct GUID *get_oc_guid_from_message(const struct dsdb_schema *schema,
+ struct ldb_message *msg)
+{
+ struct ldb_message_element *oc_el;
+ const struct dsdb_class *object_class;
+
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+ if (!oc_el) {
+ return NULL;
+ }
+
+ object_class = dsdb_get_last_structural_class(schema, oc_el);
+ if (object_class == NULL) {
+ return NULL;
+ }
+
+ return &object_class->schemaIDGUID;
+}
+
+
static int acl_modify(struct ldb_module *module, struct ldb_request *req)
{
int ret;
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
if (ret != LDB_SUCCESS) {
goto fail;
goto success;
}
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!guid) {
talloc_free(tmp_ctx);
return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
req->op.mod.message->elements[i].name);
if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
+ uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
+ uint32_t access_mask = 0;
+
+ if (sd_flags & (SECINFO_OWNER|SECINFO_GROUP)) {
+ access_mask |= SEC_STD_WRITE_OWNER;
+ }
+ if (sd_flags & SECINFO_DACL) {
+ access_mask |= SEC_STD_WRITE_DAC;
+ }
+ if (sd_flags & SECINFO_SACL) {
+ access_mask |= SEC_FLAG_SYSTEM_SECURITY;
+ }
+
status = sec_access_check_ds(sd, acl_user_token(module),
- SEC_STD_WRITE_DAC,
+ access_mask,
&access_granted,
NULL,
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write dacl access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write dacl access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
/* This basic attribute existence check with the right errorcode
* is needed since this module is the first one which requests
- * schema attribute informations.
+ * schema attribute information.
* The complete attribute checking is done in the
* "objectclass_attrs" module behind this one.
*/
if (!insert_in_object_tree(tmp_ctx,
&attr->attributeSecurityGUID, SEC_ADS_WRITE_PROP,
&new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree securityGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree securityGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
if (!insert_in_object_tree(tmp_ctx,
&attr->schemaIDGUID, SEC_ADS_WRITE_PROP, &new_node, &new_node)) {
- DEBUG(10, ("acl_modify: cannot add to object tree attributeGUID\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl_modify: cannot add to object tree attributeGUID\n");
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no write property access\n",
- ldb_dn_get_linearized(req->op.mod.message->dn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no write property access\n",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
dsdb_acl_debug(sd,
- acl_user_token(module),
- req->op.mod.message->dn,
- true,
- 10);
+ acl_user_token(module),
+ req->op.mod.message->dn,
+ true,
+ 10);
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
goto fail;
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res,
req->op.rename.olddn, acl_attrs,
DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
DSDB_SEARCH_SHOW_RECYCLED, req);
/* we sould be able to find the parent */
if (ret != LDB_SUCCESS) {
return ldb_operr(ldb);
}
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!insert_in_object_tree(tmp_ctx, guid, SEC_ADS_WRITE_PROP,
&root, &new_node)) {
talloc_free(tmp_ctx);
sid);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(10, ("Object %s has no wp on name\n",
- ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Object %s has no wp on name\n",
+ ldb_dn_get_linearized(req->op.rename.olddn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.rename.olddn,
/* new parent should have create child */
root = NULL;
new_node = NULL;
- guid = get_oc_guid_from_message(module, schema, acl_res->msgs[0]);
+ guid = get_oc_guid_from_message(schema, acl_res->msgs[0]);
if (!guid) {
- DEBUG(10,("acl:renamed object has no object class\n"));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:renamed object has no object class\n");
talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
}
ret = dsdb_module_check_access_on_dn(module, req, newparent, SEC_ADS_CREATE_CHILD, guid, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s",
+ ldb_dn_get_linearized(req->op.rename.olddn));
talloc_free(tmp_ctx);
return ret;
}
/* what about delete child on the current parent */
ret = dsdb_module_check_access_on_dn(module, req, oldparent, SEC_ADS_DELETE_CHILD, NULL, req);
if (ret != LDB_SUCCESS) {
- DEBUG(10,("acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn)));
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "acl:access_denied renaming %s", ldb_dn_get_linearized(req->op.rename.olddn));
talloc_free(tmp_ctx);
return ldb_module_done(req, NULL, NULL, ret);
}
return ldb_next_request(module, req);
}
+static int acl_search_update_confidential_attrs(struct acl_context *ac,
+ struct acl_private *data)
+{
+ struct dsdb_attribute *a;
+ uint32_t n = 0;
+
+ if (data->acl_search) {
+ /*
+ * if acl:search is activated we
+ * the acl_read module protects
+ * confidential attributes.
+ */
+ return LDB_SUCCESS;
+ }
+
+ if ((ac->schema == data->cached_schema_ptr) &&
+ (ac->schema->loaded_usn == data->cached_schema_loaded_usn) &&
+ (ac->schema->metadata_usn == data->cached_schema_metadata_usn))
+ {
+ return LDB_SUCCESS;
+ }
+
+ data->cached_schema_ptr = NULL;
+ data->cached_schema_loaded_usn = 0;
+ data->cached_schema_metadata_usn = 0;
+ TALLOC_FREE(data->confidential_attrs);
+
+ if (ac->schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ for (a = ac->schema->attributes; a; a = a->next) {
+ const char **attrs = data->confidential_attrs;
+
+ if (!(a->searchFlags & SEARCH_FLAG_CONFIDENTIAL)) {
+ continue;
+ }
+
+ attrs = talloc_realloc(data, attrs, const char *, n + 2);
+ if (attrs == NULL) {
+ TALLOC_FREE(data->confidential_attrs);
+ return ldb_module_oom(ac->module);
+ }
+
+ attrs[n] = a->lDAPDisplayName;
+ attrs[n+1] = NULL;
+ n++;
+
+ data->confidential_attrs = attrs;
+ }
+
+ data->cached_schema_ptr = ac->schema;
+ data->cached_schema_loaded_usn = ac->schema->loaded_usn;
+ data->cached_schema_metadata_usn = ac->schema->metadata_usn;
+
+ return LDB_SUCCESS;
+}
+
static int acl_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
- struct ldb_context *ldb;
struct acl_context *ac;
struct acl_private *data;
struct ldb_result *acl_res;
ac = talloc_get_type(req->context, struct acl_context);
data = talloc_get_type(ldb_module_get_private(ac->module), struct acl_private);
- ldb = ldb_module_get_ctx(ac->module);
-
if (!ares) {
return ldb_module_done(ac->req, NULL, NULL,
LDB_ERR_OPERATIONS_ERROR);
switch (ares->type) {
case LDB_REPLY_ENTRY:
- if (ac->allowedAttributes
- || ac->allowedChildClasses
- || ac->allowedChildClassesEffective
- || ac->allowedAttributesEffective
- || ac->sDRightsEffective) {
+ if (ac->constructed_attrs) {
ret = dsdb_module_search_dn(ac->module, ac, &acl_res, ares->message->dn,
acl_attrs,
- DSDB_FLAG_NEXT_MODULE, req);
+ DSDB_FLAG_NEXT_MODULE |
+ DSDB_FLAG_AS_SYSTEM |
+ DSDB_SEARCH_SHOW_RECYCLED,
+ req);
if (ret != LDB_SUCCESS) {
return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedAttributes || ac->allowedAttributesEffective) {
- ret = acl_allowedAttributes(ac->module, ac->schema, acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+ ret = acl_allowedAttributes(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedChildClasses) {
- ret = acl_childClasses(ac->module, ac->schema, acl_res->msgs[0],
- ares->message, "allowedChildClasses");
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedChildClasses) {
+ ret = acl_childClasses(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message,
+ "allowedChildClasses");
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->allowedChildClassesEffective) {
- ret = acl_childClassesEffective(ac->module, ac->schema,
- acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->allowedChildClassesEffective) {
+ ret = acl_childClassesEffective(ac->module, ac->schema,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
- if (ac->sDRightsEffective) {
- ret = acl_sDRightsEffective(ac->module,
- acl_res->msgs[0], ares->message, ac);
- if (ret != LDB_SUCCESS) {
- return ldb_module_done(ac->req, NULL, NULL, ret);
- }
+ }
+
+ if (ac->sDRightsEffective) {
+ ret = acl_sDRightsEffective(ac->module,
+ acl_res->msgs[0],
+ ares->message, ac);
+ if (ret != LDB_SUCCESS) {
+ return ldb_module_done(ac->req, NULL, NULL, ret);
}
}
- if (data && data->password_attrs) {
- if (!ac->am_system) {
- for (i = 0; data->password_attrs[i]; i++) {
- if ((!ac->userPassword) &&
- (ldb_attr_cmp(data->password_attrs[i],
- "userPassword") == 0))
- continue;
- ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
+ if (data == NULL) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ if (ac->am_system) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ if (data->password_attrs != NULL) {
+ for (i = 0; data->password_attrs[i]; i++) {
+ if ((!ac->userPassword) &&
+ (ldb_attr_cmp(data->password_attrs[i],
+ "userPassword") == 0))
+ {
+ continue;
}
+
+ ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
}
}
+
+ if (ac->am_administrator) {
+ return ldb_module_send_entry(ac->req, ares->message,
+ ares->controls);
+ }
+
+ ret = acl_search_update_confidential_attrs(ac, data);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ if (data->confidential_attrs != NULL) {
+ for (i = 0; data->confidential_attrs[i]; i++) {
+ ldb_msg_remove_attr(ares->message,
+ data->confidential_attrs[i]);
+ }
+ }
+
return ldb_module_send_entry(ac->req, ares->message, ares->controls);
case LDB_REPLY_REFERRAL:
{
struct ldb_context *ldb;
struct acl_context *ac;
+ struct ldb_parse_tree *down_tree;
struct ldb_request *down_req;
struct acl_private *data;
int ret;
ac->module = module;
ac->req = req;
ac->am_system = dsdb_module_am_system(module);
+ ac->am_administrator = dsdb_module_am_administrator(module);
+ ac->constructed_attrs = false;
+ ac->modify_search = true;
ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->userPassword = dsdb_user_password_support(module, ac, req);
ac->schema = dsdb_get_schema(ldb, ac);
- /* replace any attributes in the parse tree that are private,
- so we don't allow a search for 'userPassword=penguin',
- just as we would not allow that attribute to be returned */
+ ac->constructed_attrs |= ac->allowedAttributes;
+ ac->constructed_attrs |= ac->allowedChildClasses;
+ ac->constructed_attrs |= ac->allowedChildClassesEffective;
+ ac->constructed_attrs |= ac->allowedAttributesEffective;
+ ac->constructed_attrs |= ac->sDRightsEffective;
+
+ if (data == NULL) {
+ ac->modify_search = false;
+ }
if (ac->am_system) {
- /* FIXME: We should copy the tree and keep the original unmodified. */
- /* remove password attributes */
- if (data && data->password_attrs) {
- for (i = 0; data->password_attrs[i]; i++) {
- if ((!ac->userPassword) &&
- (ldb_attr_cmp(data->password_attrs[i],
- "userPassword") == 0))
- continue;
+ ac->modify_search = false;
+ }
+
+ if (!ac->constructed_attrs && !ac->modify_search) {
+ return ldb_next_request(module, req);
+ }
+
+ ret = acl_search_update_confidential_attrs(ac, data);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
- ldb_parse_tree_attr_replace(req->op.search.tree,
- data->password_attrs[i],
- "kludgeACLredactedattribute");
+ down_tree = ldb_parse_tree_copy_shallow(ac, req->op.search.tree);
+ if (down_tree == NULL) {
+ return ldb_oom(ldb);
+ }
+
+ if (!ac->am_system && data->password_attrs) {
+ for (i = 0; data->password_attrs[i]; i++) {
+ if ((!ac->userPassword) &&
+ (ldb_attr_cmp(data->password_attrs[i],
+ "userPassword") == 0))
+ {
+ continue;
}
+
+ ldb_parse_tree_attr_replace(down_tree,
+ data->password_attrs[i],
+ "kludgeACLredactedattribute");
}
}
+
+ if (!ac->am_system && !ac->am_administrator && data->confidential_attrs) {
+ for (i = 0; data->confidential_attrs[i]; i++) {
+ ldb_parse_tree_attr_replace(down_tree,
+ data->confidential_attrs[i],
+ "kludgeACLredactedattribute");
+ }
+ }
+
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
req->op.search.base,
req->op.search.scope,
- req->op.search.tree,
+ down_tree,
req->op.search.attrs,
req->controls,
ac, acl_search_callback,