The branch, v4-17-test has been updated via cb204cfc69b VERSION: Bump version up to Samba 4.17.8... via 2761e60b563 VERSION: Disable GIT_SNAPSHOT for the 4.17.7 release. via 68bdc867b87 WHATSNEW: Add release notes for Samba 4.17.7. via 04e5a7eb03a CVE-2023-0922 set default ldap client sasl wrapping to seal via 888c6ae8177 CVE-2023-0225 s4-acl: Don't return early if dNSHostName element has no values via 54691236fc8 CVE-2023-0225 pytest/acl: test deleting dNSHostName as unprivileged user via 307b2e65d51 CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics constant definitions via b7af8aa2552 CVE-2023-0225 CVE-2020-25720 s4/dsdb/util: Add functions for dsHeuristics 28, 29 via 6b92716e7f8 CVE-2023-0614 ldb: Release LDB 2.6.2 via 0313aa744f1 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN via f17179189c6 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes via eaeb3dc461f CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests via 07fffb3e906 CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED via d148a7dd88d CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed via e08188bb984 CVE-2023-0614 ldb: Filter on search base before redacting message via b98f8c1af77 CVE-2023-0614 ldb: Centralise checking for inaccessible matches via bd69d5e9626 CVE-2023-0614 ldb: Use binary search to check whether attribute is secret via 8811e67cb2e CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it via c1921f5ae08 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes via 2e3ed6cfd24 CVE-2023-0614 s4-acl: Split out function to set up access checking variables via 1ef01830573 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf() via bfab55ebb69 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes via 64604c41c19 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr() via efd1cfab96f CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences via a45fc44c39c CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID via 65249df5259 schema_samba4.ldif: Allocate previously added OIDs via d9a20068a3d CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test via 2ea5bbc269e CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own via 78a7f247dba CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place() via 4ed84d8fabe CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place via ec3737404e6 CVE-2023-0614 ldb: Add function to filter message in place via ddf1ed69d8f CVE-2023-0614 ldb: Add function to add distinguishedName to message via d97e92efafc CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message via 43746e79f67 CVE-2023-0614 ldb: Add function to take ownership of an ldb message via b4f3aa03e2f CVE-2023-0614 ldb:tests: Ensure all tests are accounted for via 132028692f3 CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated via 188e9887210 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements via cbf8f1c2eb8 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements via 7f98e3abdc4 CVE-2023-0614 s4-acl: Make some parameters const via 9c8bbbf3b57 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently via 50a678be1a6 CVE-2023-0614 libcli/security: Make some parameters const via a8c573012f5 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects via a91fc6e9f1d CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time via eb20778b5e6 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate from 1b775335f57 VERSION: Bump version up to Samba 4.17.7...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test - Log ----------------------------------------------------------------- commit cb204cfc69bbc9a850b3c8783465d295f3a3d99f Author: Jule Anger <jan...@samba.org> Date: Wed Mar 29 16:35:38 2023 +0200 VERSION: Bump version up to Samba 4.17.8... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 74 +- .../smbdotconf/ldap/clientldapsaslwrapping.xml | 27 +- lib/ldb-samba/ldb_matching_rules.c | 17 +- lib/ldb-samba/tests/match_rules.py | 135 +-- lib/ldb-samba/tests/match_rules_remote.py | 104 ++ lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.6.2.sigs} | 10 + ...pyldb-util-2.1.0.sigs => pyldb-util-2.6.2.sigs} | 0 lib/ldb/common/ldb_match.c | 111 ++- lib/ldb/common/ldb_msg.c | 42 + lib/ldb/common/ldb_pack.c | 105 +- lib/ldb/common/ldb_parse.c | 25 + lib/ldb/include/ldb_module.h | 31 + lib/ldb/include/ldb_private.h | 21 + lib/ldb/ldb_key_value/ldb_kv.h | 6 +- lib/ldb/ldb_key_value/ldb_kv_index.c | 59 +- lib/ldb/ldb_key_value/ldb_kv_search.c | 115 ++- lib/ldb/tests/ldb_filter_attrs_in_place_test.c | 940 ++++++++++++++++++ lib/ldb/tests/ldb_filter_attrs_test.c | 171 ++-- lib/ldb/wscript | 13 +- lib/param/loadparm.c | 2 +- libcli/security/access_check.c | 10 +- libcli/security/access_check.h | 2 +- libds/common/flags.h | 2 + python/samba/tests/auth_log.py | 2 +- source3/param/loadparm.c | 2 +- source4/dsdb/common/util.c | 24 + source4/dsdb/common/util.h | 1 + source4/dsdb/pydsdb.c | 30 + source4/dsdb/samdb/ldb_modules/acl.c | 195 +--- source4/dsdb/samdb/ldb_modules/acl_read.c | 1015 +++++++++++++------- source4/dsdb/samdb/ldb_modules/acl_util.c | 6 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 50 +- source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +- source4/dsdb/samdb/ldb_modules/util.c | 40 + source4/dsdb/samdb/samdb.h | 2 + source4/dsdb/schema/schema_description.c | 7 + source4/dsdb/schema/schema_init.c | 11 +- source4/dsdb/schema/schema_set.c | 9 +- source4/dsdb/tests/python/acl_modify.py | 236 +++++ source4/dsdb/tests/python/confidential_attr.py | 180 +++- source4/dsdb/tests/python/large_ldap.py | 85 +- source4/selftest/tests.py | 2 + source4/setup/schema_samba4.ldif | 4 + source4/torture/ldb/ldb.c | 12 +- 46 files changed, 3092 insertions(+), 849 deletions(-) create mode 100755 lib/ldb-samba/tests/match_rules_remote.py copy lib/ldb/ABI/{ldb-2.6.1.sigs => ldb-2.6.2.sigs} (97%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.6.2.sigs} (100%) create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c create mode 100755 source4/dsdb/tests/python/acl_modify.py Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 73ab7109fa3..1f6b6ae84f9 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=17 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 865697ce109..694e29c45eb 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,74 @@ + ============================== + Release Notes for Samba 4.17.7 + March 29, 2023 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated + but otherwise unprivileged users to delete this attribute from + any object in the directory. + https://www.samba.org/samba/security/CVE-2023-0225.html + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.17.6 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15276: CVE-2023-0225. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: CVE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not + allow full write to all attributes (additional changes). + * BUG 15270: CVE-2023-0614. + * BUG 15276: CVE-2023-0225. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.17.6 March 09, 2023 @@ -58,8 +129,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.17.5 January 26, 2023 diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 3152f0682dd..21bd2090057 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -18,25 +18,24 @@ </para> <para> - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "<literal>HKLM\System\CurrentControlSet\Services\</literal> - <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" - on the Windows server side. - </para> + This option is needed firstly to secure the privacy of + administrative connections from <command>samba-tool</command>, + including in particular new or reset passwords for users. For + this reason the default is <emphasis>seal</emphasis>.</para> - <para> - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, <emphasis>sign</emphasis> is just an alias for - <emphasis>seal</emphasis>. + <para>Additionally, <command>winbindd</command> and the + <command>net</command> tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least <emphasis>sign</emphasis> is + required in practice. </para> <para> - The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + The default value is <emphasis>seal</emphasis>. That implies synchronizing the time with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">sign</value> +<value type="default">seal</value> </samba:parameter> diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c index 827f3920ae8..59d1385f4e3 100644 --- a/lib/ldb-samba/ldb_matching_rules.c +++ b/lib/ldb-samba/ldb_matching_rules.c @@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, * Note also that we don't have the original request * here, so we can not apply controls or timeouts here. */ - ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); + ret = dsdb_search_dn(ldb, + tmp_ctx, + &res, + to_visit->dn, + attrs, + DSDB_MARK_REQ_UNTRUSTED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; @@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info); if (session_info == NULL) { @@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO), struct auth_session_info); diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py index abf485c9eab..2fe6c3e2264 100755 --- a/lib/ldb-samba/tests/match_rules.py +++ b/lib/ldb-samba/tests/match_rules.py @@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL # Windows appear to preserve casing of the RDN and uppercase the other keys. -class MatchRulesTests(samba.tests.TestCase): +class MatchRulesTestsBase(samba.tests.TestCase): def setUp(self): - super(MatchRulesTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + super().setUp() + self.lp = self.sambaopts.get_loadparm() + self.creds = self.credopts.get_credentials(self.lp) + + self.ldb = SamDB(self.host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() - self.ou = "OU=matchrulestest,%s" % self.base_dn + self.ou_rdn = "OU=matchrulestest" + self.ou = self.ou_rdn + "," + self.base_dn self.ou_users = "OU=users,%s" % self.ou self.ou_groups = "OU=groups,%s" % self.ou self.ou_computers = "OU=computers,%s" % self.ou + try: + self.ldb.delete(self.ou, ["tree_delete:1"]) + except LdbError as e: + pass + # Add a organizational unit to create objects self.ldb.add({ "dn": self.ou, "objectclass": "organizationalUnit"}) + self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0']) + + # Add the following OU hierarchy and set otherWellKnownObjects, # which has BinaryDN syntax: # @@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase): FLAG_MOD_ADD, "member") self.ldb.modify(m) + # Add a couple of ms-Exch-Configuration-Container to test forward-link + # attributes without backward link (addressBookRoots2) + # e1 + # |--> e2 + # | |--> c1 + self.ldb.add({ + "dn": "cn=e1,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + self.ldb.add({ + "dn": "cn=e2,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + + m = Message() + m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) + m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + m = Message() + m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) + m["e1"] = MessageElement("cn=e2,%s" % self.ou, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + + +class MatchRulesTests(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + # The msDS-RevealedUsers is owned by system and cannot be modified # directly. Set the schemaUpgradeInProgress flag as workaround # and create this hierarchy: @@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase): m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress") self.ldb.modify(m) - # Add a couple of ms-Exch-Configuration-Container to test forward-link - # attributes without backward link (addressBookRoots2) - # e1 - # |--> e2 - # | |--> c1 - self.ldb.add({ - "dn": "cn=e1,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - self.ldb.add({ - "dn": "cn=e2,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - - m = Message() - m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) - m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - m = Message() - m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) - m["e1"] = MessageElement("cn=e2,%s" % self.ou, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - def tearDown(self): - super(MatchRulesTests, self).tearDown() - self.ldb.delete(self.ou, controls=['tree_delete:0']) def test_u1_member_of_g4(self): # Search without transitive match must return 0 results @@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase): class MatchRuleConditionTests(samba.tests.TestCase): def setUp(self): super(MatchRuleConditionTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp) + + self.ldb = SamDB(host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() self.ou = "OU=matchruleconditiontests,%s" % self.base_dn self.ou_users = "OU=users,%s" % self.ou @@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase): self.ou_groups, self.ou_computers)) self.assertEqual(len(res1), 0) +if __name__ == "__main__": -parser = optparse.OptionParser("match_rules.py [options] <host>") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() -subunitopts = SubunitOptions(parser) -parser.add_option_group(subunitopts) + parser = optparse.OptionParser("match_rules.py [options] <host>") + sambaopts = options.SambaOptions(parser) + parser.add_option_group(sambaopts) + parser.add_option_group(options.VersionOptions(parser)) -if len(args) < 1: - parser.print_usage() - sys.exit(1) + # use command line creds if available + credopts = options.CredentialsOptions(parser) + parser.add_option_group(credopts) + opts, args = parser.parse_args() + subunitopts = SubunitOptions(parser) + parser.add_option_group(subunitopts) -host = args[0] + if len(args) < 1: + parser.print_usage() + sys.exit(1) -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) + host = args[0] -if "://" not in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host + if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host -TestProgram(module=__name__, opts=subunitopts) + TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py new file mode 100755 index 00000000000..122231f2a60 --- /dev/null +++ b/lib/ldb-samba/tests/match_rules_remote.py @@ -0,0 +1,104 @@ +#!/usr/bin/env python3 + +import optparse +import sys +import os +import samba +import samba.getopt as options + +from samba.tests.subunitrun import SubunitOptions, TestProgram + +from samba.samdb import SamDB +from samba.auth import system_session +from samba import sd_utils +from samba.ndr import ndr_unpack +from ldb import Message, MessageElement, Dn, LdbError +from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL + +from match_rules import MatchRulesTestsBase + + +class MatchRulesTestsUser(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + self.sd_utils = sd_utils.SDUtils(self.ldb) + + self.user_pass = "samba123@" + self.match_test_user = "matchtestuser" + self.ldb.newuser(self.match_test_user, + self.user_pass, + userou=self.ou_rdn) + user_creds = self.insta_creds(template=self.creds, + username=self.match_test_user, + userpass=self.user_pass) + self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp) + token_res = self.user_ldb.search(scope=SCOPE_BASE, + base="", + attrs=["tokenGroups"]) + self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid, + token_res[0]["tokenGroups"][0]) + + self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2" + + def test_with_denied_link(self): + + # add an ACE that denies the user Read Property (RP) access to + # the member attr (which is similar to making the attribute + # confidential) + ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid, + self.user_sid) + g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups) + + # add the ACE that denies access to the attr under test + self.sd_utils.dacl_add_ace(g2_dn, ace) + + # Search without transitive match must return 0 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + # Search with transitive match must return 1 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 1) + self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower()) + + # Search as a user match must return 0 results as the intermediate link can't be seen + res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + + +parser = optparse.OptionParser("match_rules_remote.py [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb/ABI/ldb-2.6.1.sigs b/lib/ldb/ABI/ldb-2.6.2.sigs similarity index 97% copy from lib/ldb/ABI/ldb-2.6.1.sigs copy to lib/ldb/ABI/ldb-2.6.2.sigs index 40388d9e330..b4c5e20e8c7 100644 --- a/lib/ldb/ABI/ldb-2.6.1.sigs +++ b/lib/ldb/ABI/ldb-2.6.2.sigs @@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *) ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) +ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) ldb_get_create_perms: unsigned int (struct ldb_context *) -- Samba Shared Repository