The branch, master has been updated
       via  6a2171c s4:rootdse LDB module - remove unused variable
       via  8680c6f s4:objectclass LDB module - simply use "msg" when 
requesting the message
       via  848010b s4:objectclass LDB module - move the "mem_ctx" allocation 
to a better place
       via  7048ad1 s4-dsdb Reorganise and clarify the LSA objectClass check 
(forbidden on LDAP)
       via  439a2d6 s4-objectclass Use a specific local variable name, not 
'value'
      from  bf52cff s4-kcc: fixed valgrind errors in drs replicaInfo server side

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 6a2171c7393a8dfff849090b2822200f9f672617
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Fri Nov 26 13:10:20 2010 +0100

    s4:rootdse LDB module - remove unused variable
    
    Autobuild-User: Matthias Dieter Wallnöfer <m...@samba.org>
    Autobuild-Date: Fri Nov 26 13:58:27 CET 2010 on sn-devel-104

commit 8680c6f888f76159b6155d055d394a0e1214c3cf
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Fri Nov 26 13:08:27 2010 +0100

    s4:objectclass LDB module - simply use "msg" when requesting the message

commit 848010b5705eb6e11d1b9361c5a7243c9da4e886
Author: Matthias Dieter Wallnöfer <m...@samba.org>
Date:   Fri Nov 26 13:03:59 2010 +0100

    s4:objectclass LDB module - move the "mem_ctx" allocation to a better place
    
    It's only needed if we've a schema around.

commit 7048ad11f518b88897a73fb5e0a46520b703a7d6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 26 10:11:30 2010 +1100

    s4-dsdb Reorganise and clarify the LSA objectClass check (forbidden on LDAP)
    
    This rearranges the check to avoid talloc_strdup() (the schema pointers
    are constant, and can be relied upon), and checks the untrusted bit
    first (it is faster), before the ldb_attr_cmp().
    
    The strcmp() here was valid, if unusual, because the ldapDisplayName
    values are already in the correct case, but strcasecmp() is more
    correct, as for the small extra cost, we avoid a difficult to diagnose
    bug later.
    
    Andrew Bartlett
    
    Signed-off-by: Matthias Dieter Wallnöfer <m...@samba.org>

commit 439a2d69831aea4a737e5e0e35226a551b11ad29
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 26 10:10:01 2010 +1100

    s4-objectclass Use a specific local variable name, not 'value'
    
    This makes it clearer what the local variable in use here does.
    
    Andrew Bartlett
    
    Signed-off-by: Matthias Dieter Wallnöfer <m...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c |   69 +++++++++++++++----------
 source4/dsdb/samdb/ldb_modules/rootdse.c     |    1 -
 2 files changed, 41 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c 
b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 21f3164..48813e5 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -368,7 +368,6 @@ static int objectclass_add(struct ldb_module *module, 
struct ldb_request *req)
        struct oc_context *ac;
        struct ldb_dn *parent_dn;
        const struct ldb_val *val;
-       char *value;
        int ret;
        static const char * const parent_attrs[] = { "objectClass", NULL };
 
@@ -389,6 +388,7 @@ static int objectclass_add(struct ldb_module *module, 
struct ldb_request *req)
                instanceType = ldb_msg_find_attr_as_uint(req->op.add.message,
                                                         "instanceType", 0);
                if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
+                       char *referral_uri;
                        /* When we are trying to readd the root basedn then
                         * this is denied, but with an interesting mechanism:
                         * there is generated a referral with the last
@@ -398,13 +398,13 @@ static int objectclass_add(struct ldb_module *module, 
struct ldb_request *req)
                        if (val == NULL) {
                                return ldb_operr(ldb);
                        }
-                       value = talloc_asprintf(req, "ldap://%s/%s";, val->data,
-                                               
ldb_dn_get_linearized(req->op.add.message->dn));
-                       if (value == NULL) {
+                       referral_uri = talloc_asprintf(req, "ldap://%s/%s";, 
val->data,
+                                                      
ldb_dn_get_linearized(req->op.add.message->dn));
+                       if (referral_uri == NULL) {
                                return ldb_module_oom(module);
                        }
 
-                       return ldb_module_send_referral(req, value);
+                       return ldb_module_send_referral(req, referral_uri);
                }
        }
 
@@ -490,8 +490,8 @@ static int objectclass_do_add(struct oc_context *ac)
 
                /* An add operation on partition DNs without "NC-add" operation
                 * isn't allowed. */
-               instanceType = 
ldb_msg_find_attr_as_uint(ac->req->op.add.message,
-                                                        "instanceType", 0);
+               instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType",
+                                                        0);
                if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
                        ldb_asprintf_errstring(ldb, "objectclass: Cannot add 
%s, parent does not exist!", 
                                               ldb_dn_get_linearized(msg->dn));
@@ -514,26 +514,24 @@ static int objectclass_do_add(struct oc_context *ac)
                }
        }
 
-       mem_ctx = talloc_new(ac);
-       if (mem_ctx == NULL) {
-               return ldb_module_oom(ac->module);
-       }
-
        if (ac->schema != NULL) {
                objectclass_element = ldb_msg_find_element(msg, "objectClass");
                if (!objectclass_element) {
                        ldb_asprintf_errstring(ldb, "objectclass: Cannot add 
%s, no objectclass specified!",
                                               ldb_dn_get_linearized(msg->dn));
-                       talloc_free(mem_ctx);
                        return LDB_ERR_OBJECT_CLASS_VIOLATION;
                }
                if (objectclass_element->num_values == 0) {
                        ldb_asprintf_errstring(ldb, "objectclass: Cannot add 
%s, at least one (structural) objectclass has to be specified!",
                                               ldb_dn_get_linearized(msg->dn));
-                       talloc_free(mem_ctx);
                        return LDB_ERR_CONSTRAINT_VIOLATION;
                }
 
+               mem_ctx = talloc_new(ac);
+               if (mem_ctx == NULL) {
+                       return ldb_module_oom(ac->module);
+               }
+
                /* Here we do now get the "objectClass" list from the
                 * database. */
                ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
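Review bot: Moving `mem_ctx = talloc_new(ac)` inside `if (ac->schema != NULL)` leaves `mem_ctx` unassigned whenever no schema is loaded; the declaration and the tail of objectclass_do_add are outside this hunk, so if the function still releases it unconditionally after the block, that `talloc_free()` now runs on an uninitialized pointer. The cheap guard is to initialize it where it is declared, `TALLOC_CTX *mem_ctx = NULL;`, since talloc_free(NULL) is a no-op. It is also worth a one-line comment at the `if`, because the objectClass sorting and the LSA-class rejection that follow in this block are skipped entirely on the no-schema path: `/* No schema loaded: objectClass sorting and the LSA-class check below are skipped */`. The enclosing function starts and ends outside the hunk.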
@@ -565,25 +563,40 @@ static int objectclass_do_add(struct oc_context *ac)
 
                /* Move from the linked list back into an ldb msg */
                for (current = sorted; current; current = current->next) {
-                       value = talloc_strdup(msg,
-                                             
current->objectclass->lDAPDisplayName);
-                       if (value == NULL) {
-                               talloc_free(mem_ctx);
-                               return ldb_module_oom(ac->module);
-                       }
-
-                       /* LSA-specific objectclasses per default not allowed */
-                       if (((strcmp(value, "secret") == 0) ||
-                            (strcmp(value, "trustedDomain") == 0)) &&
-                           ldb_req_is_untrusted(ac->req)) {
+                       const char *objectclass_name = 
current->objectclass->lDAPDisplayName;
+
+                       /* LSA-specific objectclasses per default not
+                        * allowed to be created over LDAP, so we need
+                        * to tell if this connection is LDAP (ie
+                        * marked as untrusted), and if the client is
+                        * adding these particular objectClass values
+                        * we must reject */
+
+                       /* Hongwei Sun from Microsoft explians:
+                          The constraint in 3.1.1.5.2.2 MS-ADTS means that the 
TDO
+                          cannot be added through LDAP interface, instead it 
can only be
+                          created through LSA Policy API.  This is also 
explained in
+                          7.1.6.9.7 MS-ADTS as follows:
+
+                          "Despite being replicated normally between peer DCs 
in a domain,
+                          the process of creating or manipulating TDOs is 
specifically
+                          restricted to the LSA Policy APIs, as detailed in 
[MS-LSAD] section
+                          3.1.1.5. Unlike other objects in the DS, TDOs may 
not be created or
+                          manipulated by client machines over the LDAPv3 
transport."
+                       */
+
+                       if (ldb_req_is_untrusted(ac->req) &&
+                           ((strcasecmp(objectclass_name, "secret") == 0) ||
+                            (strcasecmp(objectclass_name, "trustedDomain") == 
0))) {
                                ldb_asprintf_errstring(ldb,
-                                                      "objectclass: object 
class '%s' is LSA-specific, rejecting creation of '%s'!",
-                                                      value,
+                                                      "objectclass: object 
class '%s' is LSA-specific, rejecting creation of '%s' over LDAP!",
+                                                      objectclass_name,
                                                       
ldb_dn_get_linearized(msg->dn));
+                               talloc_free(mem_ctx);
                                return LDB_ERR_UNWILLING_TO_PERFORM;
                        }
 
-                       ret = ldb_msg_add_string(msg, "objectClass", value);
+                       ret = ldb_msg_add_string(msg, "objectClass", 
objectclass_name);
                        if (ret != LDB_SUCCESS) {
                                ldb_set_errstring(ldb,
                                                  "objectclass: could not 
re-add sorted "
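Review bot: The untrusted-connection gate around the `secret`/`trustedDomain` match only runs in objectclass_do_add, while the MS-ADTS text quoted in the new comment says TDOs may not be "created or manipulated" over LDAPv3; unless objectclass_modify and the rename/delete paths (outside this hunk) apply the same `ldb_req_is_untrusted(ac->req)` check, an existing TDO could still be altered over LDAP, which is worth confirming and stating in the comment. `ldb_req_is_untrusted(ac->req)` is loop-invariant, so it can be evaluated once before the `for` with `const bool untrusted = ldb_req_is_untrusted(ac->req);` instead of per objectClass value. The comment block also has a typo, `explians` should read `explains`. The enclosing function continues past the end of the hunk.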
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c 
b/source4/dsdb/samdb/ldb_modules/rootdse.c
index 263c6f5..5eac74f 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -1308,7 +1308,6 @@ static int rootdse_delete(struct ldb_module *module, 
struct ldb_request *req)
 
 static int rootdse_extended(struct ldb_module *module, struct ldb_request *req)
 {
-       struct ldb_context *ldb = ldb_module_get_ctx(module);
        int ret;
 
        ret = rootdse_filter_operations(module, req);


-- 
Samba Shared Repository
