mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

r20622: Add in a hack to avoid permitting searches on the value of protected

attributes.

Andrew Bartlett
Andrew Bartlett 2007-01-09 03:45:50 +00:00 committed by Gerald (Jerry) Carter
parent 4a8e07286f
commit 5aa2195ec2


@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
{
struct kludge_acl_context *ac;
struct ldb_request *down_req;
int ret;
struct kludge_private_data *data;
int ret, i;
req->handle = NULL;
@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OPERATIONS_ERROR;
}
data = talloc_get_type(module->private_data, struct kludge_private_data);
ac->module = module;
ac->up_context = req->context;
ac->up_callback = req->callback;
@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
down_req->op.search.tree = req->op.search.tree;
down_req->op.search.attrs = req->op.search.attrs;
/* FIXME: I hink we should copy the tree and keep the original
* unmodified. SSS */
/* replace any attributes in the parse tree that are private,
so we don't allow a search for 'sambaPassword=penguin',
just as we would not allow that attribute to be returned */
switch (ac->user_type) {
case SYSTEM:
case ADMINISTRATOR:
break;
default:
/* remove password attributes */
for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
ldb_parse_tree_attr_replace(down_req->op.search.tree,
data->password_attrs[i],
"kludgeACLredactedattribute");
}
}
down_req->controls = req->controls;
down_req->context = ac;
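Review bot: The redaction loop in the `default:` branch fails open: if `talloc_get_type()` returns NULL for `module->private_data`, the `data && data->password_attrs` guard skips the loop and an unprivileged search goes down with its filter on the protected attribute intact. For non-SYSTEM/ADMINISTRATOR callers I would fail the request instead, e.g. `if (data == NULL) return LDB_ERR_OPERATIONS_ERROR;` at the top of the `default:` case, matching the error return used earlier in the function. Whether a NULL `password_attrs` is a legitimate "nothing configured" state is not visible here, so that half of the guard may need to stay. Separately, `down_req->op.search.tree` is the same pointer as `req->op.search.tree`, so the replace rewrites the caller's tree in place, as the FIXME admits; a one-line comment stating that upper modules will see the redacted name would help until the tree is copied. The body of `kludge_acl_search` continues outside this hunk, so cleanup of `ac` and `down_req` on an early return should be checked against the rest of the function.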