static int acl_search(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
struct acl_context *ac;
struct ldb_request *down_req;
struct acl_private *data;
int ret, i;
ldb = ldb_module_get_ctx(module);
ac = talloc_zero(req, struct acl_context);
if (ac == NULL) {
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
data = talloc_get_type(ldb_module_get_private(module), struct acl_private);
ac->module = module;
ac->req = req;
ac->user_type = what_is_user(module);
ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
/* replace any attributes in the parse tree that are private,
so we don't allow a search for 'userPassword=penguin',
just as we would not allow that attribute to be returned */
if (ac->user_type != SECURITY_SYSTEM) {
/* FIXME: We should copy the tree and keep the original unmodified. */
/* remove password attributes */
if (data && data->password_attrs) {
for (i = 0; data->password_attrs[i]; i++) {
ldb_parse_tree_attr_replace(req->op.search.tree,
data->password_attrs[i],
"kludgeACLredactedattribute");
}
}
}
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
req->op.search.base,
req->op.search.scope,
req->op.search.tree,
req->op.search.attrs,
req->controls,
ac, acl_search_callback,
req);
if (ret != LDB_SUCCESS) {
return ret;
}
/* perform the search */
return ldb_next_request(module, down_req);
}
ADS_STATUS ads_do_search_all_sd_flags (ADS_STRUCT *ads, const char *dn, int scope,
const char *filter, const char **attrs,
uint32_t sd_flags, LDAPMessage **res)
{
int rv;
struct ldb_request *req;
struct ldb_control **controls;
struct ldb_parse_tree *tree;
struct ldb_dn *ldb_dn;
controls = talloc_zero_array(ads, struct ldb_control *, 2);
controls[0] = talloc(ads, struct ldb_control);
controls[0]->oid = LDB_CONTROL_SD_FLAGS_OID;
controls[0]->data = &sd_flags;
controls[0]->critical = 1;
tree = ldb_parse_tree(ads, filter);
ldb_dn = ldb_dn_new(ads, ads->ldbctx, dn);
rv = ldb_build_search_req_ex(&req, ads->ldbctx, (TALLOC_CTX *)res, ldb_dn, scope, tree, attrs, controls,
res, ldb_search_default_callback, NULL);
if (rv != LDB_SUCCESS) {
talloc_free(*res);
talloc_free(req);
talloc_free(tree);
return ADS_ERROR(rv);
}
rv = ldb_request(ads->ldbctx, req);
if (rv == LDB_SUCCESS) {
rv = ldb_wait(req->handle, LDB_WAIT_ALL);
}
talloc_free(req);
talloc_free(tree);
return ADS_ERROR(rv);
}
int dsdb_module_search_tree(struct ldb_module *module,
TALLOC_CTX *mem_ctx,
struct ldb_result **_res,
struct ldb_dn *basedn,
enum ldb_scope scope,
struct ldb_parse_tree *tree,
const char * const *attrs,
int dsdb_flags,
struct ldb_request *parent)
{
int ret;
struct ldb_request *req;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
tmp_ctx = talloc_new(mem_ctx);
/* cross-partitions searches with a basedn break multi-domain support */
SMB_ASSERT(basedn == NULL || (dsdb_flags & DSDB_SEARCH_SEARCH_ALL_PARTITIONS) == 0);
res = talloc_zero(tmp_ctx, struct ldb_result);
if (!res) {
talloc_free(tmp_ctx);
return ldb_oom(ldb_module_get_ctx(module));
}
ret = ldb_build_search_req_ex(&req, ldb_module_get_ctx(module), tmp_ctx,
basedn,
scope,
tree,
attrs,
NULL,
res,
ldb_search_default_callback,
parent);
LDB_REQ_SET_LOCATION(req);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
ret = dsdb_request_add_controls(req, dsdb_flags);
if (ret != LDB_SUCCESS) {
talloc_free(tmp_ctx);
return ret;
}
if (dsdb_flags & DSDB_FLAG_TRUSTED) {
ldb_req_mark_trusted(req);
}
if (dsdb_flags & DSDB_FLAG_NEXT_MODULE) {
ret = ldb_next_request(module, req);
} else if (dsdb_flags & DSDB_FLAG_TOP_MODULE) {
ret = ldb_request(ldb_module_get_ctx(module), req);
} else {
const struct ldb_module_ops *ops = ldb_module_get_ops(module);
SMB_ASSERT(dsdb_flags & DSDB_FLAG_OWN_MODULE);
ret = ops->search(module, req);
}
if (ret == LDB_SUCCESS) {
ret = ldb_wait(req->handle, LDB_WAIT_ALL);
}
talloc_free(req);
if (ret == LDB_SUCCESS) {
*_res = talloc_steal(mem_ctx, res);
}
talloc_free(tmp_ctx);
return ret;
}
