Author: abartlet Date: 2007-01-09 03:45:50 +0000 (Tue, 09 Jan 2007) New Revision: 20622
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20622 Log: Add in a hack to avoid permitting searches on the value of protected attributes. Andrew Bartlett Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-01-09 00:00:30 UTC (rev 20621)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-01-09 03:45:50 UTC (rev 20622)
@@ -147,7 +147,8 @@
 {
 struct kludge_acl_context *ac;
 struct ldb_request *down_req;
- int ret;
+ struct kludge_private_data *data;
+ int ret, i;
 
 req->handle = NULL;
 
@@ -156,6 +157,8 @@
 return LDB_ERR_OPERATIONS_ERROR;
 }
 
+ data = talloc_get_type(module->private_data, struct kludge_private_data);
+
 ac->module = module;
 ac->up_context = req->context;
 ac->up_callback = req->callback;
@@ -172,6 +175,25 @@
 down_req->op.search.tree = req->op.search.tree;
 down_req->op.search.attrs = req->op.search.attrs;
+
+ /* FIXME: I hink we should copy the tree and keep the original
+ * unmodified. SSS */
+ /* replace any attributes in the parse tree that are private,
+ so we don't allow a search for 'sambaPassword=penguin',
+ just as we would not allow that attribute to be returned */
+ switch (ac->user_type) {
+ case SYSTEM:
+ case ADMINISTRATOR:
+ break;
+ default:
+ /* remove password attributes */
+ for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
+ ldb_parse_tree_attr_replace(down_req->op.search.tree,
+ data->password_attrs[i],
+ "kludgeACLredactedattribute");
+ }
+ }
+
 down_req->controls = req->controls;
 down_req->context = ac;
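Review bot: The new line `data = talloc_get_type(module->private_data, struct kludge_private_data);` in the second hunk takes no action when talloc_get_type() returns NULL on a type mismatch, and the only consumer this commit adds, the redaction loop in the third hunk, is guarded by `data &&`, so a NULL here silently skips the password-attribute rewriting and the search falls open instead of failing closed. If a missing private_data is a legitimate state (no password attributes configured), a comment at this assignment saying so would make the fail-open deliberate; otherwise `if (data == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` directly after it would match how the allocation failure a few lines above is handled. The enclosing function starts and ends outside this hunk.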