static int acl_search(struct ldb_module *module, struct ldb_request *req)
{
struct ldb_context *ldb;
struct acl_context *ac;
struct ldb_request *down_req;
struct acl_private *data;
int ret, i;
ldb = ldb_module_get_ctx(module);
ac = talloc_zero(req, struct acl_context);
if (ac == NULL) {
ldb_oom(ldb);
return LDB_ERR_OPERATIONS_ERROR;
}
data = talloc_get_type(ldb_module_get_private(module), struct acl_private);
ac->module = module;
ac->req = req;
ac->user_type = what_is_user(module);
ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs, "sDRightsEffective");
/* replace any attributes in the parse tree that are private,
so we don't allow a search for 'userPassword=penguin',
just as we would not allow that attribute to be returned */
if (ac->user_type != SECURITY_SYSTEM) {
/* FIXME: We should copy the tree and keep the original unmodified. */
/* remove password attributes */
if (data && data->password_attrs) {
for (i = 0; data->password_attrs[i]; i++) {
ldb_parse_tree_attr_replace(req->op.search.tree,
data->password_attrs[i],
"kludgeACLredactedattribute");
}
}
}
ret = ldb_build_search_req_ex(&down_req,
ldb, ac,
req->op.search.base,
req->op.search.scope,
req->op.search.tree,
req->op.search.attrs,
req->controls,
ac, acl_search_callback,
req);
if (ret != LDB_SUCCESS) {
return ret;
}
/* perform the search */
return ldb_next_request(module, down_req);
}
/*
post process a search result record. For any search_sub[] attributes that were
asked for, we need to call the appropriate copy routine to copy the result
into the message, then remove any attributes that we added to the search but
were not asked for by the user
*/
static int operational_search_post_process(struct ldb_module *module,
struct ldb_message *msg,
const char * const *attrs)
{
struct ldb_context *ldb;
int i, a=0;
ldb = ldb_module_get_ctx(module);
for (a=0;attrs && attrs[a];a++) {
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(attrs[a], search_sub[i].attr) != 0) {
continue;
}
/* construct the new attribute, using either a supplied
constructor or a simple copy */
if (search_sub[i].constructor) {
if (search_sub[i].constructor(module, msg) != 0) {
goto failed;
}
} else if (ldb_msg_copy_attr(msg,
search_sub[i].replace,
search_sub[i].attr) != 0) {
goto failed;
}
/* remove the added search attribute, unless it was
asked for by the user */
if (search_sub[i].replace == NULL ||
ldb_attr_in_list(attrs, search_sub[i].replace) ||
ldb_attr_in_list(attrs, "*")) {
continue;
}
ldb_msg_remove_attr(msg, search_sub[i].replace);
}
}
return 0;
failed:
ldb_debug_set(ldb, LDB_DEBUG_WARNING,
"operational_search_post_process failed for attribute '%s'",
attrs[a]);
return -1;
}
static int dsdb_notification_verify_tree(struct ldb_parse_tree *tree)
{
unsigned int i;
int ret;
unsigned int num_ok = 0;
/*
* these attributes are present on every object
* and windows accepts them.
*
* While [MS-ADTS] says only '(objectClass=*)'
* would be allowed.
*/
static const char * const attrs_ok[] = {
"objectClass",
"objectGUID",
"distinguishedName",
"name",
NULL,
};
switch (tree->operation) {
case LDB_OP_AND:
for (i = 0; i < tree->u.list.num_elements; i++) {
/*
* all elements need to be valid
*/
ret = dsdb_notification_verify_tree(tree->u.list.elements[i]);
if (ret != LDB_SUCCESS) {
return ret;
}
num_ok++;
}
break;
case LDB_OP_OR:
for (i = 0; i < tree->u.list.num_elements; i++) {
/*
* at least one element needs to be valid
*/
ret = dsdb_notification_verify_tree(tree->u.list.elements[i]);
if (ret == LDB_SUCCESS) {
num_ok++;
break;
}
}
break;
case LDB_OP_NOT:
case LDB_OP_EQUALITY:
case LDB_OP_GREATER:
case LDB_OP_LESS:
case LDB_OP_APPROX:
case LDB_OP_SUBSTRING:
case LDB_OP_EXTENDED:
break;
case LDB_OP_PRESENT:
ret = ldb_attr_in_list(attrs_ok, tree->u.present.attr);
if (ret == 1) {
num_ok++;
}
break;
}
if (num_ok != 0) {
return LDB_SUCCESS;
}
return LDB_ERR_UNWILLING_TO_PERFORM;
}
/*
post process a search result record. For any search_sub[] attributes that were
asked for, we need to call the appropriate copy routine to copy the result
into the message, then remove any attributes that we added to the search but
were not asked for by the user
*/
static int operational_search_post_process(struct ldb_module *module,
struct ldb_message *msg,
enum ldb_scope scope,
const char * const *attrs_from_user,
const char * const *attrs_searched_for,
struct op_controls_flags* controls_flags,
struct op_attributes_operations *list,
unsigned int list_size,
struct op_attributes_replace *list_replace,
unsigned int list_replace_size,
struct ldb_request *parent)
{
struct ldb_context *ldb;
unsigned int i, a = 0;
bool constructed_attributes = false;
ldb = ldb_module_get_ctx(module);
/* removed any attrs that should not be shown to the user */
for (i=0; i < list_size; i++) {
ldb_msg_remove_attr(msg, list[i].attr);
}
for (a=0; a < list_replace_size; a++) {
if (check_keep_control_for_attribute(controls_flags,
list_replace[a].attr)) {
continue;
}
/* construct the new attribute, using either a supplied
constructor or a simple copy */
constructed_attributes = true;
if (list_replace[a].constructor != NULL) {
if (list_replace[a].constructor(module, msg, scope, parent) != LDB_SUCCESS) {
goto failed;
}
} else if (ldb_msg_copy_attr(msg,
list_replace[a].replace,
list_replace[a].attr) != LDB_SUCCESS) {
goto failed;
}
}
/* Deletion of the search helper attributes are needed if:
* - we generated constructed attributes and
* - we aren't requesting all attributes
*/
if ((constructed_attributes) && (!ldb_attr_in_list(attrs_from_user, "*"))) {
for (i=0; i < list_replace_size; i++) {
/* remove the added search helper attributes, unless
* they were asked for by the user */
if (list_replace[i].replace != NULL &&
!ldb_attr_in_list(attrs_from_user, list_replace[i].replace)) {
ldb_msg_remove_attr(msg, list_replace[i].replace);
}
if (list_replace[i].extra_attr != NULL &&
!ldb_attr_in_list(attrs_from_user, list_replace[i].extra_attr)) {
ldb_msg_remove_attr(msg, list_replace[i].extra_attr);
}
}
}
return 0;
failed:
ldb_debug_set(ldb, LDB_DEBUG_WARNING,
"operational_search_post_process failed for attribute '%s' - %s",
attrs_from_user[a], ldb_errstring(ldb));
return -1;
}
/*
post process a search result record. For any search_sub[] attributes that were
asked for, we need to call the appropriate copy routine to copy the result
into the message, then remove any attributes that we added to the search but
were not asked for by the user
*/
static int operational_search_post_process(struct ldb_module *module,
struct ldb_message *msg,
enum ldb_scope scope,
const char * const *attrs_from_user,
const char * const *attrs_searched_for,
struct op_controls_flags* controls_flags,
struct ldb_request *parent)
{
struct ldb_context *ldb;
unsigned int i, a = 0;
bool constructed_attributes = false;
ldb = ldb_module_get_ctx(module);
/* removed any attrs that should not be shown to the user */
for (i=0; i<ARRAY_SIZE(operational_remove); i++) {
switch (operational_remove[i].op) {
case OPERATIONAL_REMOVE_UNASKED:
if (ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
continue;
}
if (ldb_attr_in_list(attrs_searched_for, operational_remove[i].attr)) {
continue;
}
case OPERATIONAL_REMOVE_ALWAYS:
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
case OPERATIONAL_REMOVE_UNLESS_CONTROL:
if (!check_keep_control_for_attribute(controls_flags, operational_remove[i].attr)) {
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
} else {
continue;
}
case OPERATIONAL_SD_FLAGS:
if (controls_flags->sd ||
ldb_attr_in_list(attrs_from_user, operational_remove[i].attr)) {
continue;
}
ldb_msg_remove_attr(msg, operational_remove[i].attr);
break;
}
}
for (a=0;attrs_from_user && attrs_from_user[a];a++) {
if (check_keep_control_for_attribute(controls_flags, attrs_from_user[a])) {
continue;
}
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
if (ldb_attr_cmp(attrs_from_user[a], search_sub[i].attr) != 0) {
continue;
}
/* construct the new attribute, using either a supplied
constructor or a simple copy */
constructed_attributes = true;
if (search_sub[i].constructor != NULL) {
if (search_sub[i].constructor(module, msg, scope, parent) != LDB_SUCCESS) {
goto failed;
}
} else if (ldb_msg_copy_attr(msg,
search_sub[i].replace,
search_sub[i].attr) != LDB_SUCCESS) {
goto failed;
}
}
}
/* Deletion of the search helper attributes are needed if:
* - we generated constructed attributes and
* - we aren't requesting all attributes
*/
if ((constructed_attributes) && (!ldb_attr_in_list(attrs_from_user, "*"))) {
for (i=0;i<ARRAY_SIZE(search_sub);i++) {
/* remove the added search helper attributes, unless
* they were asked for by the user */
if (search_sub[i].replace != NULL &&
!ldb_attr_in_list(attrs_from_user, search_sub[i].replace)) {
ldb_msg_remove_attr(msg, search_sub[i].replace);
}
if (search_sub[i].extra_attr != NULL &&
!ldb_attr_in_list(attrs_from_user, search_sub[i].extra_attr)) {
ldb_msg_remove_attr(msg, search_sub[i].extra_attr);
}
}
}
return 0;
failed:
ldb_debug_set(ldb, LDB_DEBUG_WARNING,
"operational_search_post_process failed for attribute '%s' - %s",
attrs_from_user[a], ldb_errstring(ldb));
return -1;
}
