TALLOC_CTX *mem_ctx;
const char **attr_list;
int i, ret;
+ const struct dsdb_class *objectclass;
/* If we don't have a schema yet, we can't do anything... */
if (schema == NULL) {
talloc_free(mem_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
+
+ /*
+ * Get the top-most structural object class for the ACL check
+ */
+ objectclass = dsdb_get_last_structural_class(ac->schema,
+ oc_el);
+ if (objectclass == NULL) {
+ ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(sd_msg->dn));
+ talloc_free(mem_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
if (ac->allowedAttributes) {
for (i=0; attr_list && attr_list[i]; i++) {
ldb_msg_add_string(msg, "allowedAttributes", attr_list[i]);
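Review bot: The new lookup passes `ac->schema` to `dsdb_get_last_structural_class`, but the only NULL guard in this function tests the `schema` parameter a few lines above; if the two can ever differ (or `ac->schema` can be NULL while `schema` is not), the guard does not protect the call, so either pass the checked `schema` here or state why they are the same: `objectclass = dsdb_get_last_structural_class(schema, oc_el);`. The error string on the failure path is prefixed `acl_read:` although this hunk sits in the allowedAttributes code path, which appears to be a copy of the message used in the later hunk around `aclread_context`; if this file is not acl_read.c the prefix misattributes the failure and should name this function instead. The comment introducing the lookup says "top-most structural object class" while the equivalent lookup in the later hunk is commented "most specific structural object class"; both hunks should use the same wording for the same concept so readers do not assume two different classes are consulted for the ACL decision. The enclosing function begins before this hunk, so the allocation of `mem_ctx` freed on the new error path is not visible here.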
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
ldb_msg_add_string(msg, "allowedAttributesEffective", attr_list[i]);
}
}
if (ac->am_system || as_system) {
flags = SECINFO_OWNER | SECINFO_GROUP | SECINFO_SACL | SECINFO_DACL;
- }
- else {
+ } else {
+ const struct dsdb_class *objectclass;
const struct dsdb_attribute *attr;
+ objectclass = dsdb_get_structural_oc_from_msg(ac->schema, sd_msg);
+ if (objectclass == NULL) {
+ return ldb_operr(ldb);
+ }
+
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
"nTSecurityDescriptor");
if (attr == NULL) {
sd,
sid,
SEC_STD_WRITE_OWNER,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_OWNER | SECINFO_GROUP;
}
sd,
sid,
SEC_STD_WRITE_DAC,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_DACL;
}
sd,
sid,
SEC_FLAG_SYSTEM_SECURITY,
- attr);
+ attr,
+ objectclass);
if (ret == LDB_SUCCESS) {
flags |= SECINFO_SACL;
}
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
- const struct dsdb_attribute *attr)
+ const struct dsdb_attribute *attr,
+ const struct dsdb_class *objectclass)
{
int ret;
unsigned int i;
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr) == LDB_SUCCESS) {
+ attr, objectclass) == LDB_SUCCESS) {
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
- const struct dsdb_attribute *attr)
+ const struct dsdb_attribute *attr,
+ const struct dsdb_class *objectclass)
{
int ret;
unsigned int i;
sd,
sid,
SEC_ADS_WRITE_PROP,
- attr) == LDB_SUCCESS) {
+ attr, objectclass) == LDB_SUCCESS) {
return LDB_SUCCESS;
}
/* if we are adding/deleting ourselves, check for self membership */
struct ldb_request *req,
struct security_descriptor *sd,
struct dom_sid *sid,
- const struct GUID *oc_guid,
+ const struct dsdb_class *objectclass,
bool userPassword)
{
int ret = LDB_SUCCESS;
req,
sd,
sid,
- &objectclass->schemaIDGUID,
- attr);
+ attr,
+ objectclass);
if (ret != LDB_SUCCESS) {
goto fail;
}
req,
sd,
sid,
- &objectclass->schemaIDGUID,
+ objectclass,
userPassword);
if (ret != LDB_SUCCESS) {
goto fail;
req,
sd,
sid,
- &objectclass->schemaIDGUID,
- attr);
+ attr,
+ objectclass);
if (ret != LDB_SUCCESS) {
goto fail;
}
struct dom_sid *sid = NULL;
TALLOC_CTX *tmp_ctx;
uint32_t instanceType;
+ const struct dsdb_class *objectclass;
ac = talloc_get_type(req->context, struct aclread_context);
ldb = ldb_module_get_ctx(ac->module);
ret = LDB_ERR_OPERATIONS_ERROR;
goto fail;
}
+ /*
+ * Get the most specific structural object class for the ACL check
+ */
+ objectclass = dsdb_get_structural_oc_from_msg(ac->schema, msg);
+ if (objectclass == NULL) {
+ ldb_asprintf_errstring(ldb, "acl_read: Failed to find a structural class for %s",
+ ldb_dn_get_linearized(msg->dn));
+ ret = LDB_ERR_OPERATIONS_ERROR;
+ goto fail;
+ }
+
sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
/* get the object instance type */
instanceType = ldb_msg_find_attr_as_uint(msg,
sd,
sid,
access_mask,
- attr);
+ attr,
+ objectclass);
/*
* Dirsync control needs the replpropertymetadata attribute