authorFernando J V da Silva <fernandojvsilva@yahoo.com.br>2010-03-25 16:58:58 -0300
committerAndrew Tridgell <tridge@samba.org>2010-04-22 19:36:14 +1000
commitc023fc217ed370e5c890c1984da533e0133060d9 (patch)
treed3d929e25d640f54905410b46af1f2426734f119
parente11f92ba73028b608207ed91aaa22376756d7a73 (diff)
s4-drs: Do not allow system-critical attributes to be RODC filtered
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--libds/common/flags.h3
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c33
2 files changed, 36 insertions, 0 deletions
diff --git a/libds/common/flags.h b/libds/common/flags.h
index aa88487d385..de3e71ccac6 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -155,6 +155,9 @@
#define SYSTEM_FLAG_CONFIG_ALLOW_RENAME 0x40000000
#define SYSTEM_FLAG_DISALLOW_DELETE 0x80000000
+/* schemaFlags_Ex */
+#define SCHEMA_FLAG_ATTR_IS_CRITICAL 0x0000001
+
/* "searchFlags" */
#define SEARCH_FLAG_ATTINDEX 0x0000001
#define SEARCH_FLAG_PDNTATTINDEX 0x0000002
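Review bot: The new comment `/* schemaFlags_Ex */` introducing the define spells the attribute differently from the LDAP attribute the flag is actually read from (`schemaFlagsEx`, which objectclass.c looks up with ldb_msg_find_attr_as_uint) and does not follow the quoted form of the neighbouring `/* "searchFlags" */` comment. Suggest `/* "schemaFlagsEx" */`. A short note on the bit's meaning would also help a reader who has not seen the schema definition, e.g. `/* "schemaFlagsEx": attribute is system-critical and must not be RODC filtered */`.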
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 329bd81ae36..e51038d06f7 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -378,6 +378,27 @@ static int fix_check_attributes(struct ldb_context *ldb,
return LDB_SUCCESS;
}
+/*
+ * return true if msg carries an attributeSchema that is intended to be RODC
+ * filtered but is also a system-critical attribute.
+ */
+static bool check_rodc_critical_attribute(struct ldb_message *msg)
+{
+ uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
+
+ schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
+ searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
+ rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
+
+ if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
+ ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
+ return true;
+ } else {
+ return false;
+ }
+}
+
+
static int objectclass_do_add(struct oc_context *ac);
static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
@@ -404,6 +425,12 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
+ /* do not allow to mark an attributeSchema as RODC filtered if it
+ * is system-critical */
+ if (check_rodc_critical_attribute(req->op.add.message)) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
ac = oc_init_context(module, req);
if (ac == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
@@ -722,6 +749,12 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* do not allow to mark an attributeSchema as RODC filtered if it
+ * is system-critical */
+ if (check_rodc_critical_attribute(req->op.mod.message)) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
ac = oc_init_context(module, req);
if (ac == NULL) {
ldb_oom(ldb);
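Review bot: The modify-path check on `req->op.mod.message` in the last hunk only sees the attributes carried by that request, so a modify that sets searchFlags to RODC-filtered on an attributeSchema whose stored schemaFlagsEx already marks it critical (or the reverse, setting the critical bit on an attribute that is already filtered) reads the absent value as 0 and is let through; only a single modify carrying both attributes is rejected. As far as I can tell the lookup also ignores the element's flags, so a replace, add or delete of searchFlags is treated the same way. Closing this needs the modify path to merge the request with the object's current schemaFlagsEx and searchFlags (a search for the target DN before calling check_rodc_critical_attribute), which the commit does not do; the add path is fine since the add message is the whole object. The bodies of objectclass_add and objectclass_modify start and end outside their hunks. Minor style in the first hunk: the if/else in check_rodc_critical_attribute reduces to `return (schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) && ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags);`, and the two blank lines after its closing brace can be one.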