1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00

dsdb-acl: introduce a 'msg' helper variable to acl_modify()

Signed-off-by: Stefan Metzmacher <metze@samba.org>

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2013-01-18 09:17:25 +01:00
parent c2853f55fc
commit 71b856a3f0

View File

@ -1000,6 +1000,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_control *as_system;
bool userPassword;
TALLOC_CTX *tmp_ctx;
const struct ldb_message *msg = req->op.mod.message;
static const char *acl_attrs[] = {
"nTSecurityDescriptor",
"objectClass",
@ -1007,7 +1008,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
NULL
};
if (ldb_dn_is_special(req->op.mod.message->dn)) {
if (ldb_dn_is_special(msg->dn)) {
return ldb_next_request(module, req);
}
@ -1017,9 +1018,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
}
/* Don't print this debug statement if elements[0].name is going to be NULL */
if(req->op.mod.message->num_elements > 0)
{
DEBUG(10, ("ldb:acl_modify: %s\n", req->op.mod.message->elements[0].name));
if (msg->num_elements > 0) {
DEBUG(10, ("ldb:acl_modify: %s\n", msg->elements[0].name));
}
if (dsdb_module_am_system(module) || as_system) {
return ldb_next_request(module, req);
@ -1030,7 +1030,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
return ldb_oom(ldb);
}
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, req->op.mod.message->dn,
ret = dsdb_module_search_dn(module, tmp_ctx, &acl_res, msg->dn,
acl_attrs,
DSDB_FLAG_NEXT_MODULE |
DSDB_FLAG_AS_SYSTEM |
@ -1068,12 +1068,12 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
"acl_modify: Error retrieving object class GUID.");
}
sid = samdb_result_dom_sid(req, acl_res->msgs[0], "objectSid");
for (i=0; i < req->op.mod.message->num_elements; i++){
for (i=0; i < msg->num_elements; i++) {
const struct dsdb_attribute *attr;
attr = dsdb_attribute_by_lDAPDisplayName(schema,
req->op.mod.message->elements[i].name);
msg->elements[i].name);
if (ldb_attr_cmp("nTSecurityDescriptor", req->op.mod.message->elements[i].name) == 0) {
if (ldb_attr_cmp("nTSecurityDescriptor", msg->elements[i].name) == 0) {
uint32_t sd_flags = dsdb_request_sd_flags(req, NULL);
uint32_t access_mask = 0;
@ -1096,17 +1096,17 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (!NT_STATUS_IS_OK(status)) {
ldb_asprintf_errstring(ldb_module_get_ctx(module),
"Object %s has no write dacl access\n",
ldb_dn_get_linearized(req->op.mod.message->dn));
ldb_dn_get_linearized(msg->dn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
msg->dn,
true,
10);
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
goto fail;
}
}
else if (ldb_attr_cmp("member", req->op.mod.message->elements[i].name) == 0) {
else if (ldb_attr_cmp("member", msg->elements[i].name) == 0) {
ret = acl_check_self_membership(tmp_ctx,
module,
req,
@ -1118,14 +1118,14 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
goto fail;
}
}
else if (ldb_attr_cmp("dBCSPwd", req->op.mod.message->elements[i].name) == 0) {
else if (ldb_attr_cmp("dBCSPwd", msg->elements[i].name) == 0) {
/* this one is not affected by any rights, we should let it through
so that passwords_hash returns the correct error */
continue;
}
else if (ldb_attr_cmp("unicodePwd", req->op.mod.message->elements[i].name) == 0 ||
(userPassword && ldb_attr_cmp("userPassword", req->op.mod.message->elements[i].name) == 0) ||
ldb_attr_cmp("clearTextPassword", req->op.mod.message->elements[i].name) == 0) {
else if (ldb_attr_cmp("unicodePwd", msg->elements[i].name) == 0 ||
(userPassword && ldb_attr_cmp("userPassword", msg->elements[i].name) == 0) ||
ldb_attr_cmp("clearTextPassword", msg->elements[i].name) == 0) {
ret = acl_check_password_rights(tmp_ctx,
module,
req,
@ -1136,7 +1136,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (ret != LDB_SUCCESS) {
goto fail;
}
} else if (ldb_attr_cmp("servicePrincipalName", req->op.mod.message->elements[i].name) == 0) {
} else if (ldb_attr_cmp("servicePrincipalName", msg->elements[i].name) == 0) {
ret = acl_check_spn(tmp_ctx,
module,
req,
@ -1159,8 +1159,8 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
*/
if (!attr) {
ldb_asprintf_errstring(ldb, "acl_modify: attribute '%s' on entry '%s' was not found in the schema!",
req->op.mod.message->elements[i].name,
ldb_dn_get_linearized(req->op.mod.message->dn));
msg->elements[i].name,
ldb_dn_get_linearized(msg->dn));
ret = LDB_ERR_NO_SUCH_ATTRIBUTE;
goto fail;
}
@ -1197,10 +1197,10 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
if (!NT_STATUS_IS_OK(status)) {
ldb_asprintf_errstring(ldb_module_get_ctx(module),
"Object %s has no write property access\n",
ldb_dn_get_linearized(req->op.mod.message->dn));
ldb_dn_get_linearized(msg->dn));
dsdb_acl_debug(sd,
acl_user_token(module),
req->op.mod.message->dn,
msg->dn,
true,
10);
ret = LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;