samba-tool: use ldb.binary_encode() on search expression elements
This allows us to deal with search elements containing characters that must be escaped in LDAP filters.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Amitay Isaacs <amitay@gmail.com>
@ -147,7 +147,7 @@ class dc_join(object):
|
|||||||
# find the krbtgt link
|
# find the krbtgt link
|
||||||
print("checking samaccountname")
|
print("checking samaccountname")
|
||||||
res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
|
res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
|
||||||
expression='samAccountName=%s' % ctx.samname,
|
expression='samAccountName=%s' % ldb.binary_encode(ctx.samname),
|
||||||
attrs=["msDS-krbTgtLink"])
|
attrs=["msDS-krbTgtLink"])
|
||||||
if res:
|
if res:
|
||||||
ctx.del_noerror(res[0].dn, recursive=True)
|
ctx.del_noerror(res[0].dn, recursive=True)
|
||||||
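Review bot: The recursive delete at `ctx.del_noerror(res[0].dn, recursive=True)` still acts on the first hit of a search that, before this hunk, could be widened by a `*` or `)` in `ctx.samname`; the escaping is now the only thing keeping a crafted or mistyped name from removing an unrelated subtree, so that dependency deserves a comment next to the call, e.g. `# samname is escaped above; an unescaped wildcard here would delete the wrong subtree`. The hunk shows no `import ldb` and its context references only `ctx.samdb`, so confirm the module is imported at file level, otherwise the new call raises NameError only when this branch runs. The dc_join method containing this code starts and ends outside the hunk.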
@ -408,7 +408,7 @@ class dc_join(object):
|
|||||||
ctx.samdb.modify(m)
|
ctx.samdb.modify(m)
|
||||||
|
|
||||||
print "Setting account password for %s" % ctx.samname
|
print "Setting account password for %s" % ctx.samname
|
||||||
ctx.samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))" % ctx.samname,
|
ctx.samdb.setpassword("(&(objectClass=user)(sAMAccountName=%s))" % ldb.binary_encode(ctx.samname),
|
||||||
ctx.acct_pass,
|
ctx.acct_pass,
|
||||||
force_change_at_next_login=False,
|
force_change_at_next_login=False,
|
||||||
username=ctx.samname)
|
username=ctx.samname)
|
||||||
|
@ -72,7 +72,7 @@ class cmd_delegation_show(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
||||||
print "Searching for: %s" % (cleanedaccount)
|
print "Searching for: %s" % (cleanedaccount)
|
||||||
res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
|
res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
|
attrs=["userAccountControl", "msDS-AllowedToDelegateTo"])
|
||||||
if len(res) != 1:
|
if len(res) != 1:
|
||||||
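Review bot: The same `"sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)` expression is now spelled out in five places in this file (show, for_any_service, for_any_protocol, add_service, del_service), which makes the next call site easy to get wrong; a module-level helper keeps the escaping in one spot: `def _account_filter(cleanedaccount):` / `    return "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)`. Each hunk would then read `expression=_account_filter(cleanedaccount)` or `search_filter = _account_filter(cleanedaccount)`. The surrounding command bodies start and end outside these hunks.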
@ -122,7 +122,7 @@ class cmd_delegation_for_any_service(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
||||||
|
|
||||||
search_filter = "sAMAccountName=%s" % cleanedaccount
|
search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
|
||||||
flag = dsdb.UF_TRUSTED_FOR_DELEGATION
|
flag = dsdb.UF_TRUSTED_FOR_DELEGATION
|
||||||
try:
|
try:
|
||||||
sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
|
sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
|
||||||
@ -154,7 +154,7 @@ class cmd_delegation_for_any_protocol(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
||||||
|
|
||||||
search_filter = "sAMAccountName=%s" % cleanedaccount
|
search_filter = "sAMAccountName=%s" % ldb.binary_encode(cleanedaccount)
|
||||||
flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
|
flag = dsdb.UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
|
||||||
try:
|
try:
|
||||||
sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
|
sam.toggle_userAccountFlags(search_filter, flag, on=on, strict=True)
|
||||||
@ -178,7 +178,7 @@ class cmd_delegation_add_service(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
||||||
|
|
||||||
res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
|
res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["msDS-AllowedToDelegateTo"])
|
attrs=["msDS-AllowedToDelegateTo"])
|
||||||
if len(res) != 1:
|
if len(res) != 1:
|
||||||
@ -211,7 +211,7 @@ class cmd_delegation_del_service(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
(cleanedaccount, realm, domain) = _get_user_realm_domain(accountname)
|
||||||
|
|
||||||
res = sam.search(expression="sAMAccountName=%s" % cleanedaccount,
|
res = sam.search(expression="sAMAccountName=%s" % ldb.binary_encode(cleanedaccount),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["msDS-AllowedToDelegateTo"])
|
attrs=["msDS-AllowedToDelegateTo"])
|
||||||
if len(res) != 1:
|
if len(res) != 1:
|
||||||
|
@ -317,7 +317,7 @@ class cmd_domain_machinepassword(Command):
|
|||||||
secretsdb = Ldb(url=url, session_info=system_session(),
|
secretsdb = Ldb(url=url, session_info=system_session(),
|
||||||
credentials=creds, lp=lp)
|
credentials=creds, lp=lp)
|
||||||
result = secretsdb.search(attrs=["secret"],
|
result = secretsdb.search(attrs=["secret"],
|
||||||
expression="(&(objectclass=primaryDomain)(samaccountname=%s))" % secret)
|
expression="(&(objectclass=primaryDomain)(samaccountname=%s))" % ldb.binary_encode(secret))
|
||||||
|
|
||||||
if len(result) != 1:
|
if len(result) != 1:
|
||||||
raise CommandError("search returned %d records, expected 1" % len(result))
|
raise CommandError("search returned %d records, expected 1" % len(result))
|
||||||
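Review bot: No `import ldb` is visible in this hunk, and unlike the delegation and spn hunks the context here references only the `Ldb` wrapper class rather than the `ldb` module, so confirm the module import exists at the top of this file or `ldb.binary_encode(secret)` fails with NameError the first time `domain machinepassword` runs. The variable named `secret` appears to be the sAMAccountName being looked up rather than the secret itself (the fetched attribute is `attrs=["secret"]`); a comment such as `# 'secret' is the account name whose stored password we read` would keep the error path from being misread. The enclosing run() starts and ends outside the hunk.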
|
@ -287,8 +287,9 @@ class cmd_drs_replicate(Command):
|
|||||||
|
|
||||||
# we need to find the NTDS GUID of the source DC
|
# we need to find the NTDS GUID of the source DC
|
||||||
msg = self.samdb.search(base=self.samdb.get_config_basedn(),
|
msg = self.samdb.search(base=self.samdb.get_config_basedn(),
|
||||||
expression="(&(objectCategory=server)(|(name=%s)(dNSHostName=%s)))" % (SOURCE_DC,
|
expression="(&(objectCategory=server)(|(name=%s)(dNSHostName=%s)))" % (
|
||||||
SOURCE_DC),
|
ldb.binary_encode(SOURCE_DC),
|
||||||
|
ldb.binary_encode(SOURCE_DC)),
|
||||||
attrs=[])
|
attrs=[])
|
||||||
if len(msg) == 0:
|
if len(msg) == 0:
|
||||||
raise CommandError("Failed to find source DC %s" % SOURCE_DC)
|
raise CommandError("Failed to find source DC %s" % SOURCE_DC)
|
||||||
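Review bot: `SOURCE_DC` is encoded twice in the new expression; binding it once keeps the filter readable and guarantees both alternatives use the same escaped value: `dc = ldb.binary_encode(SOURCE_DC)` followed by `expression="(&(objectCategory=server)(|(name=%s)(dNSHostName=%s)))" % (dc, dc)`. The hunk shows no `import ldb` and no other `ldb.` reference in its context, so confirm the module import is already present in this file. The enclosing run() continues outside the hunk.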
|
@ -131,10 +131,10 @@ def get_gpo_info(samdb, gpo=None, displayname=None, dn=None):
|
|||||||
search_scope = ldb.SCOPE_ONELEVEL
|
search_scope = ldb.SCOPE_ONELEVEL
|
||||||
|
|
||||||
if gpo is not None:
|
if gpo is not None:
|
||||||
search_expr = "(&(objectClass=groupPolicyContainer)(name=%s))" % gpo
|
search_expr = "(&(objectClass=groupPolicyContainer)(name=%s))" % ldb.binary_encode(gpo)
|
||||||
|
|
||||||
if displayname is not None:
|
if displayname is not None:
|
||||||
search_expr = "(&(objectClass=groupPolicyContainer)(displayname=%s))" % displayname
|
search_expr = "(&(objectClass=groupPolicyContainer)(displayname=%s))" % ldb.binary_encode(displayname)
|
||||||
|
|
||||||
if dn is not None:
|
if dn is not None:
|
||||||
base_dn = dn
|
base_dn = dn
|
||||||
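Review bot: The third input path in this hunk, `base_dn = dn`, takes the caller-supplied DN as the search base without parsing it, while `gpo` and `displayname` now go through `ldb.binary_encode`; a DN is not a filter element, so binary_encode is the wrong tool there, but validating it up front with `base_dn = ldb.Dn(samdb, dn)` turns a malformed DN into an early, clear error rather than one from deep inside the search. Whether `dn` ever comes from the command line cannot be seen from this hunk; if it is only built internally the check is cheap insurance. get_gpo_info's body continues outside the hunk.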
@ -253,7 +253,7 @@ class cmd_list(Command):
|
|||||||
|
|
||||||
try:
|
try:
|
||||||
msg = self.samdb.search(expression='(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User))' %
|
msg = self.samdb.search(expression='(&(|(samAccountName=%s)(samAccountName=%s$))(objectClass=User))' %
|
||||||
(username,username))
|
(ldb.binary_encode(username),ldb.binary_encode(username)))
|
||||||
user_dn = msg[0].dn
|
user_dn = msg[0].dn
|
||||||
except Exception, e:
|
except Exception, e:
|
||||||
raise CommandError("Failed to find account %s" % username, e)
|
raise CommandError("Failed to find account %s" % username, e)
|
||||||
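Review bot: `username` is encoded twice in the new tuple; `u = ldb.binary_encode(username)` followed by `% (u, u)` states the intent once. Because the call sits inside the broad `except Exception, e:`, a missing `import ldb` (none is visible in the hunk's context) would surface as the generic `Failed to find account` CommandError rather than a NameError, so confirm the import and consider narrowing the except to `ldb.LdbError` and `IndexError` (the `msg[0]` case) so programming errors are not reported as a missing account. The enclosing method starts and ends outside the hunk.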
|
@ -52,7 +52,7 @@ class cmd_rodc_preload(Command):
|
|||||||
expression="objectclass=user",
|
expression="objectclass=user",
|
||||||
scope=ldb.SCOPE_BASE, attrs=[])
|
scope=ldb.SCOPE_BASE, attrs=[])
|
||||||
else:
|
else:
|
||||||
res = samdb.search(expression="(&(samAccountName=%s)(objectclass=user))" % account,
|
res = samdb.search(expression="(&(samAccountName=%s)(objectclass=user))" % ldb.binary_encode(account),
|
||||||
scope=ldb.SCOPE_SUBTREE, attrs=[])
|
scope=ldb.SCOPE_SUBTREE, attrs=[])
|
||||||
if len(res) != 1:
|
if len(res) != 1:
|
||||||
raise Exception("Failed to find account '%s'" % account)
|
raise Exception("Failed to find account '%s'" % account)
|
||||||
|
@ -69,7 +69,7 @@ class cmd_spn_list(Command):
|
|||||||
# to the correct domain
|
# to the correct domain
|
||||||
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
|
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
|
||||||
print cleaneduser
|
print cleaneduser
|
||||||
res = sam.search(expression="samaccountname=%s" % cleaneduser,
|
res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["servicePrincipalName"])
|
attrs=["servicePrincipalName"])
|
||||||
if len(res) >0:
|
if len(res) >0:
|
||||||
@ -102,7 +102,7 @@ class cmd_spn_add(Command):
|
|||||||
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
|
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
|
||||||
sam = SamDB(paths.samdb, session_info=system_session(),
|
sam = SamDB(paths.samdb, session_info=system_session(),
|
||||||
credentials=creds, lp=lp)
|
credentials=creds, lp=lp)
|
||||||
res = sam.search(expression="servicePrincipalName=%s" % name,
|
res = sam.search(expression="servicePrincipalName=%s" % ldb.binary_encode(name),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
)
|
)
|
||||||
if len(res) != 0 and not force:
|
if len(res) != 0 and not force:
|
||||||
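Review bot: `ldb.binary_encode(name)` is correct for this uniqueness-check filter, but `name` is presumably also written as the new servicePrincipalName value further down in `cmd_spn_add` (outside this hunk); that write must use the raw `name`, not the encoded form, or an SPN containing `\`, `(` or `*` would be stored with `\xx` escapes and never match a Kerberos request. A one-line comment on the search makes the boundary explicit: `# escape for the filter only; the attribute value added below stays raw`. The same caveat applies to the `servicePrincipalName=%s` search in the delete hunk. run()'s body continues outside the hunk.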
@ -110,7 +110,7 @@ class cmd_spn_add(Command):
|
|||||||
" affected to another user" % name)
|
" affected to another user" % name)
|
||||||
|
|
||||||
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
|
(cleaneduser, realm, domain) = _get_user_realm_domain(user)
|
||||||
res = sam.search(expression="samaccountname=%s" % cleaneduser,
|
res = sam.search(expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["servicePrincipalName"])
|
attrs=["servicePrincipalName"])
|
||||||
if len(res) >0:
|
if len(res) >0:
|
||||||
@ -151,7 +151,7 @@ class cmd_spn_delete(Command):
|
|||||||
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
|
paths = provision.provision_paths_from_lp(lp, lp.get("realm"))
|
||||||
sam = SamDB(paths.samdb, session_info=system_session(),
|
sam = SamDB(paths.samdb, session_info=system_session(),
|
||||||
credentials=creds, lp=lp)
|
credentials=creds, lp=lp)
|
||||||
res = sam.search(expression="servicePrincipalName=%s" % name,
|
res = sam.search(expression="servicePrincipalName=%s" % ldb.binary_encode(name),
|
||||||
scope=ldb.SCOPE_SUBTREE,
|
scope=ldb.SCOPE_SUBTREE,
|
||||||
attrs=["servicePrincipalName", "samAccountName"])
|
attrs=["servicePrincipalName", "samAccountName"])
|
||||||
if len(res) >0:
|
if len(res) >0:
|
||||||
|
@ -142,7 +142,7 @@ class cmd_user_enable(Command):
|
|||||||
raise CommandError("Either the username or '--filter' must be specified!")
|
raise CommandError("Either the username or '--filter' must be specified!")
|
||||||
|
|
||||||
if filter is None:
|
if filter is None:
|
||||||
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
|
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username))
|
||||||
|
|
||||||
lp = sambaopts.get_loadparm()
|
lp = sambaopts.get_loadparm()
|
||||||
creds = credopts.get_credentials(lp, fallback_machine=True)
|
creds = credopts.get_credentials(lp, fallback_machine=True)
|
||||||
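Review bot: `% (ldb.binary_encode(username))` wraps a single value in parentheses that do not form a tuple, which works only because the result is a str; writing it as `% ldb.binary_encode(username)` or `% (ldb.binary_encode(username),)` avoids a surprise if the value ever becomes a sequence. The `--filter` path on the line above deliberately bypasses escaping since the operator supplies a whole filter; a comment such as `# --filter is taken verbatim; only the username shorthand is escaped` records that this is intended. No `import ldb` is visible in this hunk's context, so confirm it. The same points apply to the setexpiry hunk below; both run() bodies continue outside the hunks.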
@ -178,7 +178,7 @@ class cmd_user_setexpiry(Command):
|
|||||||
raise CommandError("Either the username or '--filter' must be specified!")
|
raise CommandError("Either the username or '--filter' must be specified!")
|
||||||
|
|
||||||
if filter is None:
|
if filter is None:
|
||||||
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (username)
|
filter = "(&(objectClass=user)(sAMAccountName=%s))" % (ldb.binary_encode(username))
|
||||||
|
|
||||||
lp = sambaopts.get_loadparm()
|
lp = sambaopts.get_loadparm()
|
||||||
creds = credopts.get_credentials(lp)
|
creds = credopts.get_credentials(lp)
|
||||||
|
@ -189,7 +189,7 @@ pwdLastSet: 0
|
|||||||
:param groupname: Name of the target group
|
:param groupname: Name of the target group
|
||||||
"""
|
"""
|
||||||
|
|
||||||
groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
|
groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
|
||||||
self.transaction_start()
|
self.transaction_start()
|
||||||
try:
|
try:
|
||||||
targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
|
targetgroup = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
|
||||||
@ -214,7 +214,8 @@ pwdLastSet: 0
|
|||||||
operation
|
operation
|
||||||
"""
|
"""
|
||||||
|
|
||||||
groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (groupname, "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
|
groupfilter = "(&(sAMAccountName=%s)(objectCategory=%s,%s))" % (
|
||||||
|
ldb.binary_encode(groupname), "CN=Group,CN=Schema,CN=Configuration", self.domain_dn())
|
||||||
groupmembers = listofmembers.split(',')
|
groupmembers = listofmembers.split(',')
|
||||||
|
|
||||||
self.transaction_start()
|
self.transaction_start()
|
||||||
@ -234,7 +235,8 @@ changetype: modify
|
|||||||
|
|
||||||
for member in groupmembers:
|
for member in groupmembers:
|
||||||
targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
|
targetmember = self.search(base=self.domain_dn(), scope=ldb.SCOPE_SUBTREE,
|
||||||
expression="(|(sAMAccountName=%s)(CN=%s))" % (member, member), attrs=[])
|
expression="(|(sAMAccountName=%s)(CN=%s))" % (
|
||||||
|
ldb.binary_encode(member), ldb.binary_encode(member)), attrs=[])
|
||||||
|
|
||||||
if len(targetmember) != 1:
|
if len(targetmember) != 1:
|
||||||
continue
|
continue
|
||||||
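Review bot: Now that `member` is escaped, a name that previously matched only through a wildcard (for example `*`) falls through `if len(targetmember) != 1: continue` and the caller never learns the member was silently dropped; with escaping in place an unmatched member is far more likely a real error than a matching quirk, so raising instead of `continue`, e.g. `raise Exception("Unable to find group member %s" % member)`, would make the failure visible. The `(|(sAMAccountName=%s)(CN=%s))` alternation can also return two hits when one object's CN equals another's sAMAccountName, and the same branch currently skips that case without a word. The enclosing method starts before this hunk and continues after it.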
@ -378,7 +380,7 @@ member: %s
|
|||||||
|
|
||||||
# Sets the password for it
|
# Sets the password for it
|
||||||
if setpassword:
|
if setpassword:
|
||||||
self.setpassword("(samAccountName=%s)" % username, password,
|
self.setpassword("(samAccountName=%s)" % ldb.binary_encode(username), password,
|
||||||
force_password_change_at_next_login_req)
|
force_password_change_at_next_login_req)
|
||||||
except Exception:
|
except Exception:
|
||||||
self.transaction_cancel()
|
self.transaction_cancel()
|
||||||
|