
Remove ldapsam_search_one_user_by_uid from pdb_ldap.

sambaAccount requires the rid to be present, and doing this fallback is quite
dangerous, because it assumes that algorithmic RIDs are in use - which is quite
often not the case.

Also finish off vl's work on 'use a function pointer, not embedded logic' to
tell lower levels that they should/should not attempt to set the user's password
into LDAP with the extended operation.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett -
parent 4dd84707f9
commit 715d0bd804
2 changed files with 22 additions and 68 deletions


@ -647,8 +647,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
return False; return False;
} }
/* This now does the 'generic' mapping in pdb_unix */ /* see if the passdb can help us with the name of the user */
/* 'guest' is also handled there */
if (pdb_getsampwsid(sam_account, sid)) { if (pdb_getsampwsid(sam_account, sid)) {
fstrcpy(name, pdb_get_username(sam_account)); fstrcpy(name, pdb_get_username(sam_account));
*psid_name_use = SID_NAME_USER; *psid_name_use = SID_NAME_USER;


@ -710,40 +710,6 @@ static int ldapsam_search_one_user_by_name (struct ldapsam_privates *ldap_state,
return ldapsam_search_one_user(ldap_state, filter, result); return ldapsam_search_one_user(ldap_state, filter, result);
} }
/*******************************************************************
run the search by uid.
******************************************************************/
static int ldapsam_search_one_user_by_uid(struct ldapsam_privates *ldap_state,
int uid,
LDAPMessage ** result)
{
struct passwd *user;
pstring filter;
char *escape_user;
/* Get the username from the system and look that up in the LDAP */
if ((user = getpwuid_alloc(uid)) == NULL) {
DEBUG(3,("ldapsam_search_one_user_by_uid: Failed to locate uid [%d]\n", uid));
return LDAP_NO_SUCH_OBJECT;
}
pstrcpy(filter, lp_ldap_filter());
escape_user = escape_ldap_string_alloc(user->pw_name);
if (!escape_user) {
passwd_free(&user);
return LDAP_NO_MEMORY;
}
all_string_sub(filter, "%u", escape_user, sizeof(pstring));
passwd_free(&user);
SAFE_FREE(escape_user);
return ldapsam_search_one_user(ldap_state, filter, result);
}
/******************************************************************* /*******************************************************************
run the search by rid. run the search by rid.
******************************************************************/ ******************************************************************/
@ -759,11 +725,6 @@ static int ldapsam_search_one_user_by_rid (struct ldapsam_privates *ldap_state,
snprintf(filter, sizeof(filter) - 1, "rid=%i", rid); snprintf(filter, sizeof(filter) - 1, "rid=%i", rid);
rc = ldapsam_search_one_user(ldap_state, filter, result); rc = ldapsam_search_one_user(ldap_state, filter, result);
if (rc != LDAP_SUCCESS)
rc = ldapsam_search_one_user_by_uid(ldap_state,
fallback_pdb_user_rid_to_uid(rid),
result);
return rc; return rc;
} }
@ -1299,21 +1260,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
return True; return True;
} }
/**********************************************************************
An LDAP modification is needed in two cases:
* If we are updating the record AND the attribute is CHANGED.
* If we are adding the record AND it is SET or CHANGED (ie not default)
*********************************************************************/
#ifdef LDAP_EXOP_X_MODIFY_PASSWD
static BOOL need_ldap_mod(BOOL pdb_add, const SAM_ACCOUNT * sampass, enum pdb_elements element) {
if (pdb_add) {
return (!IS_SAM_DEFAULT(sampass, element));
} else {
return IS_SAM_CHANGED(sampass, element);
}
}
#endif
/********************************************************************** /**********************************************************************
Set attribute to newval in LDAP, regardless of what value the Set attribute to newval in LDAP, regardless of what value the
attribute had in LDAP before. attribute had in LDAP before.
@ -1414,13 +1360,18 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
ldap_mods_free(*mods, 1); ldap_mods_free(*mods, 1);
return False; return False;
} }
}
slprintf(temp, sizeof(temp) - 1, "%i", rid); slprintf(temp, sizeof(temp) - 1, "%i", rid);
if (need_update(sampass, PDB_USERSID))
make_ldap_mod(ldap_state->ldap_struct, existing, mods, make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"rid", temp); "rid", temp);
} else {
slprintf(temp, sizeof(temp) - 1, "%i", rid);
if (need_update(sampass, PDB_USERSID))
make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"rid", temp);
}
rid = pdb_get_group_rid(sampass); rid = pdb_get_group_rid(sampass);
@ -1867,7 +1818,9 @@ it it set.
static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods, static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
SAM_ACCOUNT *newpwd, char *dn, SAM_ACCOUNT *newpwd, char *dn,
LDAPMod **mods, int ldap_op, BOOL pdb_add) LDAPMod **mods, int ldap_op,
BOOL (*need_update)(const SAM_ACCOUNT *,
enum pdb_elements))
{ {
struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data; struct ldapsam_privates *ldap_state = (struct ldapsam_privates *)my_methods->private_data;
int rc; int rc;
@ -1909,9 +1862,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
} }
#ifdef LDAP_EXOP_X_MODIFY_PASSWD #ifdef LDAP_EXOP_X_MODIFY_PASSWD
if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST))&& if (!(pdb_get_acct_ctrl(newpwd)&(ACB_WSTRUST|ACB_SVRTRUST|ACB_DOMTRUST)) &&
(lp_ldap_passwd_sync()!=LDAP_PASSWD_SYNC_OFF)&& (lp_ldap_passwd_sync() != LDAP_PASSWD_SYNC_OFF) &&
need_ldap_mod(pdb_add, newpwd, PDB_PLAINTEXT_PW)&& need_update(newpwd, PDB_PLAINTEXT_PW) &&
(pdb_get_plaintext_passwd(newpwd)!=NULL)) { (pdb_get_plaintext_passwd(newpwd)!=NULL)) {
BerElement *ber; BerElement *ber;
struct berval *bv; struct berval *bv;
@ -1940,7 +1893,9 @@ static NTSTATUS ldapsam_modify_entry(struct pdb_methods *my_methods,
pdb_get_username(newpwd),ldap_err2string(rc))); pdb_get_username(newpwd),ldap_err2string(rc)));
} else { } else {
DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd))); DEBUG(3,("LDAP Password changed for user %s\n",pdb_get_username(newpwd)));
#ifdef DEBUG_PASSWORD
DEBUG(100,("LDAP Password changed to %s\n",pdb_get_plaintext_passwd(newpwd)));
#endif
ber_bvfree(retdata); ber_bvfree(retdata);
ber_memfree(retoid); ber_memfree(retoid);
} }
@ -2041,7 +1996,7 @@ static NTSTATUS ldapsam_update_sam_account(struct pdb_methods *my_methods, SAM_A
return NT_STATUS_OK; return NT_STATUS_OK;
} }
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, False); ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,LDAP_MOD_REPLACE, element_is_changed);
ldap_mods_free(mods,1); ldap_mods_free(mods,1);
if (!NT_STATUS_IS_OK(ret)) { if (!NT_STATUS_IS_OK(ret)) {
@ -2156,7 +2111,7 @@ static NTSTATUS ldapsam_add_sam_account(struct pdb_methods *my_methods, SAM_ACCO
make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount"); make_a_mod(&mods, LDAP_MOD_ADD, "objectclass", "sambaAccount");
ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, True); ret = ldapsam_modify_entry(my_methods,newpwd,dn,mods,ldap_op, element_is_set_or_changed);
if (NT_STATUS_IS_ERR(ret)) { if (NT_STATUS_IS_ERR(ret)) {
DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n", DEBUG(0,("failed to modify/add user with uid = %s (dn = %s)\n",
pdb_get_username(newpwd),dn)); pdb_get_username(newpwd),dn));
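Review bot: The DEBUG(100, ...) added under #ifdef DEBUG_PASSWORD in ldapsam_modify_entry writes the user's cleartext password into the Samba debug log whenever a DEBUG_PASSWORD build runs at that log level, so the log file then holds live credentials. If the trace is needed, log only that the extended operation succeeded (the preceding DEBUG(3, ...) already does) or at least mark the hazard on the line: `/* DEBUG_PASSWORD only: this logs the cleartext password; never enable in a production build */`. The new need_update function-pointer parameter on ldapsam_modify_entry also lacks documentation; a comment above the declaration such as `/* need_update: decides per pdb_elements member whether the element must be written to LDAP (element_is_changed on update, element_is_set_or_changed on add) */` would state the contract that the callers in ldapsam_update_sam_account and ldapsam_add_sam_account rely on. Both functions begin and end outside the visible hunks, and element_is_changed / element_is_set_or_changed are defined outside them as well.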