The branch, master has been updated via 9755337... s4:ldap.py - add a test for the enhanced operational attributes check via b6efbd5... s4:objectclass LDB module - Prevent write operations on constructed attributes via 393b839... s4:operational LDB module - Don't do the write checks here from 5b3a32b... s3-kerberos: next step to resolve Bug #6929: build with recent heimdal.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 97553373d182671a8da1553cc47465c664ae69f0 Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de> Date: Thu Nov 26 09:51:56 2009 +0100 s4:ldap.py - add a test for the enhanced operational attributes check (Deny creation of entries with operational attributes specified) commit b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5 Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de> Date: Thu Nov 26 10:54:20 2009 +0100 s4:objectclass LDB module - Prevent write operations on constructed attributes commit 393b83979d11dddcf6d38ca24b3aea7bb645e0d0 Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de> Date: Thu Nov 26 10:21:44 2009 +0100 s4:operational LDB module - Don't do the write checks here Let this perform the schema in the "objectclass" module. ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass.c | 25 +++++++++++++++++++------ source4/dsdb/samdb/ldb_modules/operational.c | 16 ---------------- source4/lib/ldb/tests/python/ldap.py | 11 +++++++++++ 3 files changed, 30 insertions(+), 22 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 53c1cc7..82b8835 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx,
 }
 /* Fix all attribute names to be in the correct case, and check they are all valid per the schema */
-static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *schema, struct ldb_message *msg)
+static int fix_check_attributes(struct ldb_context *ldb,
+ const struct dsdb_schema *schema,
+ struct ldb_message *msg,
+ enum ldb_request_type op)
 {
- int i;
+ unsigned int i;
 for (i=0; i < msg->num_elements; i++) {
 const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name);
 /* Add in a very special case for 'clearTextPassword',
@@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *sch
 }
 } else {
 msg->elements[i].name = attribute->lDAPDisplayName;
+
+ /* We have to deny write operations on constructed attributes */
+ if ((attribute->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) {
+ if (op == LDB_ADD) {
+ return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
+ } else {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ }
+
 }
 }
@@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac)
 }
 if (schema) {
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, ac->req->operation);
 if (ret != LDB_SUCCESS) {
 talloc_free(mem_ctx);
 return ret;
@@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 return LDB_ERR_OPERATIONS_ERROR;
 }
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
 if (ret != LDB_SUCCESS) {
 return ret;
 }
@@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 return LDB_ERR_OPERATIONS_ERROR;
 }
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
 if (ret != LDB_SUCCESS) {
 talloc_free(mem_ctx);
 return ret;
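Review bot: The comment kept as context above the renamed function still describes only the case-fixing and schema-validity check, while the new `op` parameter turns it into a write-policy check as well; the rename is the moment to update it. Suggest `/* Fix all attribute names to be in the correct case, check they are all valid per the schema, and deny write operations (add or modify, selected by 'op') on constructed attributes */`. The body of fix_check_attributes continues past this hunk.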
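Review bot: The two new error returns in the @@ -382 hunk set no ldb error string, so a client whose request is refused for writing a constructed attribute gets a bare undefinedAttributeType or constraintViolation result with no hint of which attribute caused it; every caller in the later hunks returns `ret` unchanged. Adding `ldb_asprintf_errstring(ldb, "objectclass: attribute '%s' is constructed and cannot be written", attribute->lDAPDisplayName);` just before the inner `if (op == LDB_ADD)` would name it, which appears to be how other refusals in this module are reported. The loop enclosing this branch starts in the previous hunk and ends outside this one.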
@@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 return LDB_ERR_OPERATIONS_ERROR;
 }
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
 if (ret != LDB_SUCCESS) {
 ldb_oom(ldb);
 return ret;
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 46d4745..e48f91b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -434,24 +434,8 @@ static int operational_init(struct ldb_module *ctx)
 return LDB_SUCCESS;
 }
-static int operational_modify(struct ldb_module *module, struct ldb_request *req)
-{
- unsigned int i;
-
- for (i = 0; i < ARRAY_SIZE(search_sub); i++) {
- if (ldb_msg_find_element(req->op.mod.message, search_sub[i].attr) != NULL) {
- /* operational attributes cannot be changed! */
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
- }
-
- /* No operational attribute will be changed -> go on */
- return ldb_next_request(module, req);
-}
-
 const struct ldb_module_ops ldb_operational_module_ops = {
 .name = "operational",
 .search = operational_search,
- .modify = operational_modify,
 .init_context = operational_init
 };
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 9a7976b..a5a9d7c 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -23,6 +23,7 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
 from ldb import ERR_NO_SUCH_ATTRIBUTE, ERR_INSUFFICIENT_ACCESS_RIGHTS
 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
+from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
 from samba import Ldb, param, dom_sid_to_rid
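Review bot: The failure path of the new fix_check_attributes call in the @@ -851 hunk still runs `ldb_oom(ldb);` before `return ret;`, and with the constructed-attribute check that path is now reached for an ordinary constraint violation rather than only for an allocation failure; as far as I recall ldb_oom logs and sets an out-of-memory error string, so the client would see a constraintViolation labelled as out of memory. The sibling call site at @@ -738 simply returns `ret`, and doing the same here, `if (ret != LDB_SUCCESS) { return ret; }`, keeps the diagnostic truthful. The enclosing objectclass_modify body starts and ends outside the hunk.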
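Review bot: Deleting operational_modify narrows what is refused: the removed hook rejected a modify touching any attribute listed in `search_sub` regardless of schema flags, whereas the replacement in objectclass.c rejects only attributes that resolve in the schema and carry DS_FLAG_ATTR_IS_CONSTRUCTED, and a name unknown to the schema takes the other branch there. Any `search_sub` entry whose schema definition lacks that flag, or that has no schema entry at all, becomes writable on modify after this commit; the table is outside the hunk, so each entry should be checked against the schema before relying on the new check alone. A comment on ldb_operational_module_ops such as `/* writes to the virtual attributes served here are rejected by the objectclass module via DS_FLAG_ATTR_IS_CONSTRUCTED */` would record where the enforcement moved.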
@@ -764,6 +765,16 @@ objectClass: container
 """Test the primary group token behaviour (hidden-generated-readonly attribute on groups)"""
 print "Testing primary group token behaviour\n"
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group",
+ "primaryGroupToken": "100"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
 ldb.add({
 "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
 "objectclass": ["user", "person"]})
-- Samba Shared Repository
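Review bot: The new test covers only the add path of the constructed-attribute check (ERR_UNDEFINED_ATTRIBUTE_TYPE), while the same series removes the old modify-time rejection from operational.c, so the modify path that now returns ERR_CONSTRAINT_VIOLATION has no coverage and a regression there would pass this suite. A second block that creates the group without the attribute, then attempts a replace of primaryGroupToken and expects ERR_CONSTRAINT_VIOLATION, would close that gap using names the file already imports. Note also that `self.fail()` raises AssertionError, which skips the `delete_force` cleanup if the add ever succeeds, leaving the group behind for later runs; a `finally:` around the cleanup would avoid that. The enclosing test method continues past the hunk.
```python
        # … unchanged: add with primaryGroupToken expected to fail, delete_force …
        ldb.add({
            "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
            "objectclass": "group"})
        m = Message()
        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
        m["primaryGroupToken"] = MessageElement("100", FLAG_MOD_REPLACE,
          "primaryGroupToken")
        try:
            ldb.modify(m)
            self.fail()
        except LdbError, (num, _):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
        self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
        # … unchanged: ldaptestuser add …
```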