
s4-drs: Do not allow system-critical attributes to be RODC filtered

Signed-off-by: Andrew Tridgell <tridge@samba.org>
Fernando J V da Silva 2010-03-25 16:58:58 -03:00 committed by Andrew Tridgell
parent e11f92ba73
commit c023fc217e
2 changed files with 36 additions and 0 deletions


@ -155,6 +155,9 @@
#define SYSTEM_FLAG_CONFIG_ALLOW_RENAME 0x40000000
#define SYSTEM_FLAG_DISALLOW_DELETE 0x80000000
/* schemaFlags_Ex */
#define SCHEMA_FLAG_ATTR_IS_CRITICAL 0x0000001
/* "searchFlags" */
#define SEARCH_FLAG_ATTINDEX 0x0000001
#define SEARCH_FLAG_PDNTATTINDEX 0x0000002
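Review bot: The comment placed over the new define reads `/* schemaFlags_Ex */`, but the attribute the code actually looks up is spelled `schemaFlagsEx` (the other file in this commit calls `ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0)`), so a search for the attribute name will not land on this constant. The neighbouring block quotes its attribute verbatim as `/* "searchFlags" */`; `/* "schemaFlagsEx" */` would match both the real name and that style.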


@ -378,6 +378,27 @@ static int fix_check_attributes(struct ldb_context *ldb,
return LDB_SUCCESS;
}
/*
* return true if msg carries an attributeSchema that is intended to be RODC
* filtered but is also a system-critical attribute.
*/
static bool check_rodc_critical_attribute(struct ldb_message *msg)
{
uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
return true;
} else {
return false;
}
}
static int objectclass_do_add(struct oc_context *ac);
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
@ -404,6 +425,12 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(req->op.add.message)) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ac = oc_init_context(module, req);
if (ac == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
@ -722,6 +749,12 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/* do not allow to mark an attributeSchema as RODC filtered if it
* is system-critical */
if (check_rodc_critical_attribute(req->op.mod.message)) {
return LDB_ERR_UNWILLING_TO_PERFORM;
}
ac = oc_init_context(module, req);
if (ac == NULL) {
ldb_oom(ldb);
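Review bot: In objectclass_modify the new guard `check_rodc_critical_attribute(req->op.mod.message)` only sees the attributes carried in the modify request, so a change that sets `searchFlags` alone on an attributeSchema whose stored `schemaFlagsEx` already has `SCHEMA_FLAG_ATTR_IS_CRITICAL` is not rejected: `ldb_msg_find_attr_as_uint` returns its default 0 for the attribute that is absent from the message and the helper returns false. The mirror case, a modify that adds the critical flag to an attribute already marked RODC filtered, slips through the same way, so the restriction is only enforced on add and on modifies that happen to touch both attributes. Enforcing it on modify needs the existing object's values merged with the request before the test; if the modify path already fetches the object further down (outside this hunk), the check could be moved after that search and run on the merged values. Until then the helper's comment should state the limitation, e.g. `* Only the attributes present in msg are examined; on the modify path the caller must supply the merged object for the check to be meaningful.`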