The branch, master has been updated via 6a2171c s4:rootdse LDB module - remove unused variable via 8680c6f s4:objectclass LDB module - simply use "msg" when requesting the message via 848010b s4:objectclass LDB module - move the "mem_ctx" allocation to a better place via 7048ad1 s4-dsdb Reorganise and clarify the LSA objectClass check (forbidden on LDAP) via 439a2d6 s4-objectclass Use a specific local variable name, not 'value' from bf52cff s4-kcc: fixed valgrind errors in drs replicaInfo server side
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6a2171c7393a8dfff849090b2822200f9f672617 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Fri Nov 26 13:10:20 2010 +0100 s4:rootdse LDB module - remove unused variable Autobuild-User: Matthias Dieter Wallnöfer <m...@samba.org> Autobuild-Date: Fri Nov 26 13:58:27 CET 2010 on sn-devel-104 commit 8680c6f888f76159b6155d055d394a0e1214c3cf Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Fri Nov 26 13:08:27 2010 +0100 s4:objectclass LDB module - simply use "msg" when requesting the message commit 848010b5705eb6e11d1b9361c5a7243c9da4e886 Author: Matthias Dieter Wallnöfer <m...@samba.org> Date: Fri Nov 26 13:03:59 2010 +0100 s4:objectclass LDB module - move the "mem_ctx" allocation to a better place It's only needed if we've a schema around. commit 7048ad11f518b88897a73fb5e0a46520b703a7d6 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Nov 26 10:11:30 2010 +1100 s4-dsdb Reorganise and clarify the LSA objectClass check (forbidden on LDAP) This arranged the check to avoid talloc_strdup() (the schema pointers are constant, and can be relied upon), and checks the untrusted bit first (it is faster), before the ldb_attr_cmp(). The strcmp() here was valid, if unusual, because the ldapDisplayName values are already in the correct case, but strcasecmp() is more correct, as for the small extra cost, we avoid a difficult to diagnose bug later. Andrew Bartlett Signed-off-by: Matthias Dieter Wallnöfer <m...@samba.org> commit 439a2d69831aea4a737e5e0e35226a551b11ad29 Author: Andrew Bartlett <abart...@samba.org> Date: Fri Nov 26 10:10:01 2010 +1100 s4-objectclass Use a specific local variable name, not 'value' This makes it clearer what the local variable in use here does. Andrew Bartlett 
Signed-off-by: Matthias Dieter Wallnöfer <m...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/dsdb/samdb/ldb_modules/objectclass.c | 69 +++++++++++++++---------- source4/dsdb/samdb/ldb_modules/rootdse.c | 1 - 2 files changed, 41 insertions(+), 29 deletions(-) Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 21f3164..48813e5 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -368,7 +368,6 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 struct oc_context *ac;
 struct ldb_dn *parent_dn;
 const struct ldb_val *val;
- char *value;
 int ret;
 static const char * const parent_attrs[] = { "objectClass", NULL };
@@ -389,6 +388,7 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 instanceType = ldb_msg_find_attr_as_uint(req->op.add.message,
 "instanceType", 0);
 if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
+ char *referral_uri;
 /* When we are trying to readd the root basedn then
 * this is denied, but with an interesting mechanism:
 * there is generated a referral with the last
@@ -398,13 +398,13 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 if (val == NULL) {
 return ldb_operr(ldb);
 }
- value = talloc_asprintf(req, "ldap://%s/%s", val->data,
- ldb_dn_get_linearized(req->op.add.message->dn));
- if (value == NULL) {
+ referral_uri = talloc_asprintf(req, "ldap://%s/%s", val->data,
+ ldb_dn_get_linearized(req->op.add.message->dn));
+ if (referral_uri == NULL) {
 return ldb_module_oom(module);
 }
- return ldb_module_send_referral(req, value);
+ return ldb_module_send_referral(req, referral_uri);
 }
 }
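Review bot: The new `referral_uri = talloc_asprintf(req, "ldap://%s/%s", val->data, …)` line formats an `ldb_val` with `%s`, so it ignores `val->length` and relies on the stored value being NUL-terminated; the lookup that produced `val` is outside the hunk, so that property cannot be checked here. A bounded form, `"ldap://%.*s/%s", (int)val->length, val->data`, would make the read independent of how the backend happens to store the value. This is pre-existing behaviour that the rename keeps rather than something the commit introduces. objectclass_add continues beyond the hunk.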
@@ -490,8 +490,8 @@ static int objectclass_do_add(struct oc_context *ac)
 /* An add operation on partition DNs without "NC-add" operation
 * isn't allowed. */
- instanceType = ldb_msg_find_attr_as_uint(ac->req->op.add.message,
- "instanceType", 0);
+ instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType",
+ 0);
 if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
 ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, parent does not exist!",
 ldb_dn_get_linearized(msg->dn));
@@ -514,26 +514,24 @@ static int objectclass_do_add(struct oc_context *ac)
 }
 }
- mem_ctx = talloc_new(ac);
- if (mem_ctx == NULL) {
- return ldb_module_oom(ac->module);
- }
-
 if (ac->schema != NULL) {
 objectclass_element = ldb_msg_find_element(msg, "objectClass");
 if (!objectclass_element) {
 ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, no objectclass specified!",
 ldb_dn_get_linearized(msg->dn));
- talloc_free(mem_ctx);
 return LDB_ERR_OBJECT_CLASS_VIOLATION;
 }
 if (objectclass_element->num_values == 0) {
 ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, at least one (structural) objectclass has to be specified!",
 ldb_dn_get_linearized(msg->dn));
- talloc_free(mem_ctx);
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
+ mem_ctx = talloc_new(ac);
+ if (mem_ctx == NULL) {
+ return ldb_module_oom(ac->module);
+ }
+
 /* Here we do now get the "objectClass" list from the
 * database. */
 ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
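Review bot: With `mem_ctx = talloc_new(ac);` now inside the `if (ac->schema != NULL)` branch, `mem_ctx` is never assigned on the schema-less path, so any `talloc_free(mem_ctx)` or other use after the branch would operate on an indeterminate pointer unless the declaration initialises it; the declaration and the tail of objectclass_do_add are outside the hunk, so this cannot be confirmed here. If it is not already, initialise it to `NULL` at its declaration (talloc_free(NULL) is a no-op), or confirm that every reference to mem_ctx lives inside the branch. The two early returns before the new allocation correctly drop their `talloc_free(mem_ctx)` calls.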
@@ -565,25 +563,40 @@ static int objectclass_do_add(struct oc_context *ac) /* Move from the linked list back into an ldb msg */ for (current = sorted; current; current = current->next) { - value = talloc_strdup(msg, - current->objectclass->lDAPDisplayName); - if (value == NULL) { - talloc_free(mem_ctx); - return ldb_module_oom(ac->module); - } - - /* LSA-specific objectclasses per default not allowed */ - if (((strcmp(value, "secret") == 0) || - (strcmp(value, "trustedDomain") == 0)) && - ldb_req_is_untrusted(ac->req)) { + const char *objectclass_name = current->objectclass->lDAPDisplayName; + + /* LSA-specific objectclasses per default not + * allowed to be created over LDAP, so we need + * to tell if this connection is LDAP (ie + * marked as untrusted), and if the client is + * adding these particular objectClass values + * we must reject */ + + /* Hongwei Sun from Microsoft explians: + The constraint in 3.1.1.5.2.2 MS-ADTS means that the TDO + cannot be added through LDAP interface, instead it can only be + created through LSA Policy API. This is also explained in + 7.1.6.9.7 MS-ADTS as follows: + + "Despite being replicated normally between peer DCs in a domain, + the process of creating or manipulating TDOs is specifically + restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section + 3.1.1.5. Unlike other objects in the DS, TDOs may not be created or + manipulated by client machines over the LDAPv3 transport." 
+ */
+
+ if (ldb_req_is_untrusted(ac->req) &&
+ ((strcasecmp(objectclass_name, "secret") == 0) ||
+ (strcasecmp(objectclass_name, "trustedDomain") == 0))) {
 ldb_asprintf_errstring(ldb,
- "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
- value,
+ "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s' over LDAP!",
+ objectclass_name,
 ldb_dn_get_linearized(msg->dn));
+ talloc_free(mem_ctx);
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
- ret = ldb_msg_add_string(msg, "objectClass", value);
+ ret = ldb_msg_add_string(msg, "objectClass", objectclass_name);
 if (ret != LDB_SUCCESS) {
 ldb_set_errstring(ldb, "objectclass: could not re-add sorted "
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 263c6f5..5eac74f 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1308,7 +1308,6 @@ static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
 {
- struct ldb_context *ldb = ldb_module_get_ctx(module);
 int ret;
 ret = rootdse_filter_operations(module, req);
-- Samba Shared Repository
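Review bot: `ret = ldb_msg_add_string(msg, "objectClass", objectclass_name);` now stores a pointer into the schema's `lDAPDisplayName` where the removed code stored a `talloc_strdup(msg, …)` copy; as far as I recall ldb_msg_add_string does not duplicate its argument, so `msg` and anything built from it must not outlive `ac->schema`. The commit message states the schema pointers can be relied upon; recording that next to the call, e.g. `/* no copy made: objectclass_name points into ac->schema, which outlives msg */`, would keep the strdup from being reintroduced and the assumption from being broken silently. The new comment also has a typo, `explians` should read `explains`. The for loop and objectclass_do_add continue beyond the hunk, so whether the other exits from this loop free mem_ctx as the new rejection path does cannot be checked here.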