svn commit: samba r20622 - in branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules: .

abartlet at samba.org abartlet at samba.org
Tue Jan 9 03:45:51 GMT 2007


Author: abartlet
Date: 2007-01-09 03:45:50 +0000 (Tue, 09 Jan 2007)
New Revision: 20622

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20622

Log:
Add in a hack to avoid permitting searches on the value of protected
attributes.

Andrew Bartlett


Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c	2007-01-09 00:00:30 UTC (rev 20621)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c	2007-01-09 03:45:50 UTC (rev 20622)
@@ -147,7 +147,8 @@
 {
 	struct kludge_acl_context *ac;
 	struct ldb_request *down_req;
-	int ret;
+	struct kludge_private_data *data;
+	int ret, i;
 
 	req->handle = NULL;
 
@@ -156,6 +157,8 @@
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
+	data = talloc_get_type(module->private_data, struct kludge_private_data);
+
 	ac->module = module;
 	ac->up_context = req->context;
 	ac->up_callback = req->callback;
@@ -172,6 +175,25 @@
 	down_req->op.search.tree = req->op.search.tree;
 	down_req->op.search.attrs = req->op.search.attrs;
 	
+
+	/*  FIXME: I hink we should copy the tree and keep the original
+	 *  unmodified. SSS */
+	/* replace any attributes in the parse tree that are private,
+	   so we don't allow a search for 'sambaPassword=penguin',
+	   just as we would not allow that attribute to be returned */
+	switch (ac->user_type) {
+	case SYSTEM:
+	case ADMINISTRATOR:
+		break;
+	default:
+		/* remove password attributes */
+		for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) {
+			ldb_parse_tree_attr_replace(down_req->op.search.tree, 
+						    data->password_attrs[i],
+						    "kludgeACLredactedattribute");
+		}
+	}
+
 	down_req->controls = req->controls;
 
 	down_req->context = ac;
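Review bot: The redaction loop in the `default:` branch fails open, because the `data && data->password_attrs` guard skips it silently when `talloc_get_type()` (added in the second hunk) returns NULL or no attribute list is present. In that case a non-privileged search is passed down with its filter unmodified and no error is reported. For an access-control step it would be safer to refuse the request before the loop, e.g. `if (data == NULL || data->password_attrs == NULL) return LDB_ERR_OPERATIONS_ERROR;`. The function starts and ends outside this hunk, so any cleanup of `ac` and `down_req` needed on that path has to be checked there. Because `down_req->op.search.tree` is the same pointer as `req->op.search.tree`, the replacement also rewrites the caller's tree, as the FIXME says; a comment stating that the original filter is not preserved after this point would help until the tree is copied.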


