svn commit: samba r24060 - in branches/SAMBA_4_0/source:
dsdb/samdb/ldb_modules dsdb/schema setup
abartlet at samba.org
abartlet at samba.org
Fri Jul 27 03:08:16 GMT 2007
Author: abartlet
Date: 2007-07-27 03:08:15 +0000 (Fri, 27 Jul 2007)
New Revision: 24060
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24060
Log:
Fix bug #4806 by Matthias Wallnöfer <mwallnoefer at yahoo.de>: We need to
include the attribute allowedChildClassesEffective for MMC to allow
the creation of containers.
This may need further refinement, but it seems to work for now.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
branches/SAMBA_4_0/source/dsdb/schema/schema.h
branches/SAMBA_4_0/source/dsdb/schema/schema_init.c
branches/SAMBA_4_0/source/setup/provision_users_modify.ldif
Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c 2007-07-27 03:08:15 UTC (rev 24060)
@@ -107,13 +107,15 @@
enum user_is user_type;
bool allowedAttributes;
bool allowedAttributesEffective;
+ bool allowedChildClasses;
+ bool allowedChildClassesEffective;
const char **attrs;
};
/* read all objectClasses */
static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
- const char *attrName)
+ const char *attrName)
{
struct ldb_message_element *oc_el;
struct ldb_message_element *allowedAttributes;
@@ -129,12 +131,13 @@
we alter the element array in ldb_msg_add_empty() */
oc_el = ldb_msg_find_element(msg, "objectClass");
- for (i=0; i < oc_el->num_values; i++) {
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
if (!class) {
/* We don't know this class? what is going on? */
continue;
}
+
for (j=0; class->mayContain && class->mayContain[j]; j++) {
ldb_msg_add_string(msg, attrName, class->mayContain[j]);
}
@@ -169,7 +172,58 @@
return 0;
}
+/* read all objectClasses */
+static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
+ const char *attrName)
+{
+ struct ldb_message_element *oc_el;
+ struct ldb_message_element *allowedClasses;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *class;
+ int i, j, ret;
+ ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ /* To ensure that oc_el is valid, we must look for it after
+ we alter the element array in ldb_msg_add_empty() */
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+
+ for (i=0; oc_el && i < oc_el->num_values; i++) {
+ class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
+ if (!class) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+
+ for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
+ }
+ }
+
+ if (allowedClasses->num_values > 1) {
+ qsort(allowedClasses->values,
+ allowedClasses->num_values,
+ sizeof(*allowedClasses->values),
+ (comparison_fn_t)data_blob_cmp);
+
+ for (i=1 ; i < allowedClasses->num_values; i++) {
+ struct ldb_val *val1 = &allowedClasses->values[i-1];
+ struct ldb_val *val2 = &allowedClasses->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val));
+ allowedClasses->num_values--;
+ i--;
+ }
+ }
+ }
+
+ return 0;
+
+}
+
/* find all attributes allowed by all these objectClasses */
static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
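Review bot: The header comment `/* read all objectClasses */` above kludge_acl_childClasses is copied from kludge_acl_allowedAttributes and does not describe this function, which collects the possibleInferiors of the object's classes into attrName; `/* collect the possibleInferiors of every objectClass on msg into attrName, sorted with duplicates removed */` would. The return values of ldb_msg_add_string in the inner loop are discarded, so an allocation failure silently yields a shorter list while the function still reports success; checking them as ldb_msg_add_empty is checked above (`ret = ldb_msg_add_string(...); if (ret != LDB_SUCCESS) return ret;`) would close that gap. The final `return 0;` would read more consistently as `return LDB_SUCCESS;`, since the caller compares against LDB_SUCCESS. The result of dsdb_get_schema is passed on without a NULL check; whether dsdb_class_by_lDAPDisplayName tolerates a NULL schema is not visible here.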
@@ -194,8 +248,15 @@
ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
if (ret != LDB_SUCCESS) {
return ret;
+
}
}
+ if (ac->allowedChildClasses) {
+ ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
if (data && data->password_attrs) /* if we are not initialized just get through */
{
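Review bot: The blank line inserted before the closing brace of the `if (ret != LDB_SUCCESS)` block that follows the kludge_acl_allowedAttributes call is a stray whitespace change and should be dropped. The new allowedChildClasses block is otherwise consistent with the allowedAttributes block above it. The enclosing switch case starts outside the hunk.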
@@ -208,6 +269,12 @@
return ret;
}
}
+ if (ac->allowedChildClassesEffective) {
+ ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
break;
default:
/* remove password attributes */
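Review bot: The new allowedChildClassesEffective block emits the same list kludge_acl_childClasses produces for allowedChildClasses, every possibleInferior of the object's classes, without any per-object access evaluation; the value is "effective" only by virtue of the branch it sits in, which appears to be the privileged case of the user_type switch (the case label is outside the hunk). A comment at the top of the block should make that explicit, e.g. `/* kludge: for privileged requesters every possibleInferior is reported as creatable; no ACL is evaluated here */`, so a reader does not take the attribute for an access-control result, consistent with the log's note that this may need refinement.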
@@ -217,7 +284,8 @@
}
}
- if ((ac->allowedAttributes || ac->allowedAttributesEffective) &&
+ if ((ac->allowedAttributes || ac->allowedAttributesEffective
+ || ac->allowedChildClasses || ac->allowedChildClassesEffective) &&
(!ldb_attr_in_list(ac->attrs, "objectClass") &&
!ldb_attr_in_list(ac->attrs, "*"))) {
ldb_msg_remove_attr(ares->message, "objectClass");
@@ -267,7 +335,11 @@
ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
- if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+ ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
+
+ ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
+
+ if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
down_req->op.search.attrs
= ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
}
Modified: branches/SAMBA_4_0/source/dsdb/schema/schema.h
===================================================================
--- branches/SAMBA_4_0/source/dsdb/schema/schema.h 2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/schema/schema.h 2007-07-27 03:08:15 UTC (rev 24060)
@@ -111,6 +111,7 @@
const char **possSuperiors;
const char **mustContain;
const char **mayContain;
+ const char **possibleInferiors;
const char *defaultSecurityDescriptor;
Modified: branches/SAMBA_4_0/source/dsdb/schema/schema_init.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/schema/schema_init.c 2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/schema/schema_init.c 2007-07-27 03:08:15 UTC (rev 24060)
@@ -492,16 +492,18 @@
GET_STRING_LDB(msg, "subClassOf", mem_ctx, obj, subClassOf, True);
obj->systemAuxiliaryClass = NULL;
- obj->systemPossSuperiors = NULL;
obj->auxiliaryClass = NULL;
- obj->possSuperiors = NULL;
GET_STRING_LIST_LDB(msg, "systemMustContain", mem_ctx, obj, systemMustContain, False);
GET_STRING_LIST_LDB(msg, "systemMayContain", mem_ctx, obj, systemMayContain, False);
GET_STRING_LIST_LDB(msg, "mustContain", mem_ctx, obj, mustContain, False);
GET_STRING_LIST_LDB(msg, "mayContain", mem_ctx, obj, mayContain, False);
+ GET_STRING_LIST_LDB(msg, "systemPossSuperiors", mem_ctx, obj, systemPossSuperiors, False);
+ GET_STRING_LIST_LDB(msg, "possSuperiors", mem_ctx, obj, possSuperiors, False);
+ GET_STRING_LIST_LDB(msg, "possibleInferiors", mem_ctx, obj, possibleInferiors, False);
+
GET_STRING_LDB(msg, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
GET_UINT32_LDB(msg, "schemaFlagsEx", obj, schemaFlagsEx);
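Review bot: Besides adding possibleInferiors, this hunk replaces the `= NULL` assignments of systemPossSuperiors and possSuperiors with GET_STRING_LIST_LDB reads, which changes what dsdb_class consumers see for those two lists and is not mentioned in the log message; the commit description should record it. The enclosing function starts outside the hunk.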
@@ -832,6 +834,8 @@
obj->mustContain = NULL;
obj->mayContain = NULL;
+ obj->possibleInferiors = NULL;
+
GET_STRING_DS(schema, r, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
GET_UINT32_DS(schema, r, "schemaFlagsEx", obj, schemaFlagsEx);
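Review bot: This loader sets `obj->possibleInferiors = NULL` while the ldb-based loader in the hunk above reads it with GET_STRING_LIST_LDB, so a schema populated through this path hands kludge_acl_childClasses an empty possibleInferiors for every class and allowedChildClasses comes back empty for every object. If the attribute is genuinely unavailable from this source, a comment such as `/* possibleInferiors is not read here; allowedChildClasses will be empty for schemas loaded this way */` should say so; otherwise it should be read like the other string lists. The enclosing function starts outside the hunk.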
Modified: branches/SAMBA_4_0/source/setup/provision_users_modify.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/provision_users_modify.ldif 2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/setup/provision_users_modify.ldif 2007-07-27 03:08:15 UTC (rev 24060)
@@ -17,7 +17,3 @@
-
replace: isCriticalSystemObject
isCriticalSystemObject: TRUE
--
-replace: allowedChildClassesEffective
-allowedChildClassesEffective: user
-allowedChildClassesEffective: group