sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code

Don't expose passwords, even to the administrator.

Browse Source 
This ensures they don't leak over LDAP, but does not prevent access,
as ldbsearch locally still bypasses these controls.

Andrew Bartlett
(This used to be commit fa3f3bab33)
This commit is contained in:
Andrew Bartlett 2008-09-08 11:09:02 +10:00
parent b3cee235f5
commit 4c386ce366
1 changed files with 14 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
source4/dsdb/samdb/ldb_modules/kludge_acl.c
View File

@ -238,7 +238,6 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
{
switch (ac->user_type) {
case SECURITY_SYSTEM:
case SECURITY_ADMINISTRATOR:
if (ac->allowedAttributesEffective) {
ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
if (ret != LDB_SUCCESS) {
@ -252,6 +251,20 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
}
}
break;
case SECURITY_ADMINISTRATOR:
if (ac->allowedAttributesEffective) {
ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
if (ret != LDB_SUCCESS) {
return ret;
}
}
if (ac->allowedChildClassesEffective) {
ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
if (ret != LDB_SUCCESS) {
return ret;
}
}
/* fall though */
default:
/* remove password attributes */
for (i = 0; data->password_attrs[i]; i++) {