sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00
Code

s4-dsdb: moved rodc schema validation to samldb.c

Browse Source 
This means we are only doing the checks for schema changes

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Andrew Tridgell 2010-04-22 13:32:55 +10:00
parent 73513fb7e7
commit 70cc9fd5c6
2 changed files with 37 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
source4/dsdb/samdb/ldb_modules/objectclass.c
View File

@ -378,27 +378,6 @@ static int fix_check_attributes(struct ldb_context *ldb,
return LDB_SUCCESS;
}
/*
* return true if msg carries an attributeSchema that is intended to be RODC
* filtered but is also a system-critical attribute.
*/
static bool check_rodc_critical_attribute(struct ldb_message *msg)
{
uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
return true;
} else {
return false;
}
}
static int objectclass_do_add(struct oc_context *ac);
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
@ -425,12 +404,6 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(req->op.add.message)) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ac = oc_init_context(module, req);
if (ac == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
@ -749,12 +722,6 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(req->op.mod.message)) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ac = oc_init_context(module, req);
if (ac == NULL) {
ldb_oom(ldb);

37
source4/dsdb/samdb/ldb_modules/samldb.c
View File

@ -826,6 +826,26 @@ static int samldb_add_entry(struct samldb_ctx *ac)
return ldb_next_request(ac->module, req);
}
/*
* return true if msg carries an attributeSchema that is intended to be RODC
* filtered but is also a system-critical attribute.
*/
static bool check_rodc_critical_attribute(struct ldb_message *msg)
{
uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
return true;
} else {
return false;
}
}
static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
{
@ -885,6 +905,15 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
"rdnAttId", "cn");
if (ret != LDB_SUCCESS) return ret;
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(ac->msg)) {
ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical class with RODC filtering",
ldb_dn_get_linearized(ac->msg->dn));
return LDB_ERR_UNWILLING_TO_PERFORM;
}
rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
/* the RDN has prefix "CN" */
@ -932,6 +961,14 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
}
}
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(ac->msg)) {
ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical attribute with RODC filtering",
ldb_dn_get_linearized(ac->msg->dn));
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ret = samdb_find_or_add_attribute(ldb, ac->msg,
"isSingleValued", "FALSE");
if (ret != LDB_SUCCESS) return ret;