svn commit: samba r24060 - in branches/SAMBA_4_0/source: dsdb/samdb/ldb_modules dsdb/schema setup

abartlet at samba.org abartlet at samba.org
Fri Jul 27 03:08:16 GMT 2007


Author: abartlet
Date: 2007-07-27 03:08:15 +0000 (Fri, 27 Jul 2007)
New Revision: 24060

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24060

Log:
Fix bug #4806 by Matthias Wallnöfer <mwallnoefer at yahoo.de>: We need to
include the attribute allowedChildClassesEffective for MMC to allow
the creation of containers.

This may need further refinement, but it seems to work for now. 

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
   branches/SAMBA_4_0/source/dsdb/schema/schema.h
   branches/SAMBA_4_0/source/dsdb/schema/schema_init.c
   branches/SAMBA_4_0/source/setup/provision_users_modify.ldif


Changeset:
Modified: branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c	2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/samdb/ldb_modules/kludge_acl.c	2007-07-27 03:08:15 UTC (rev 24060)
@@ -107,13 +107,15 @@
 	enum user_is user_type;
 	bool allowedAttributes;
 	bool allowedAttributesEffective;
+	bool allowedChildClasses;
+	bool allowedChildClassesEffective;
 	const char **attrs;
 };
 
 /* read all objectClasses */
 
 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
-							 const char *attrName) 
+					const char *attrName) 
 {
 	struct ldb_message_element *oc_el;
 	struct ldb_message_element *allowedAttributes;
@@ -129,12 +131,13 @@
 	   we alter the element array in ldb_msg_add_empty() */
 	oc_el = ldb_msg_find_element(msg, "objectClass");
 
-	for (i=0; i < oc_el->num_values; i++) {
+	for (i=0; oc_el && i < oc_el->num_values; i++) {
 		class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 		if (!class) {
 			/* We don't know this class?  what is going on? */
 			continue;
 		}
+
 		for (j=0; class->mayContain && class->mayContain[j]; j++) {
 			ldb_msg_add_string(msg, attrName, class->mayContain[j]);
 		}
@@ -169,7 +172,58 @@
 	return 0;
 
 }
+/* read all objectClasses */
 
+static int kludge_acl_childClasses(struct ldb_context *ldb, struct ldb_message *msg,
+				   const char *attrName) 
+{
+	struct ldb_message_element *oc_el;
+	struct ldb_message_element *allowedClasses;
+	const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+	const struct dsdb_class *class;
+	int i, j, ret;
+	ret = ldb_msg_add_empty(msg, attrName, 0, &allowedClasses);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+	
+	/* To ensure that oc_el is valid, we must look for it after 
+	   we alter the element array in ldb_msg_add_empty() */
+	oc_el = ldb_msg_find_element(msg, "objectClass");
+
+	for (i=0; oc_el && i < oc_el->num_values; i++) {
+		class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
+		if (!class) {
+			/* We don't know this class?  what is going on? */
+			continue;
+		}
+
+		for (j=0; class->possibleInferiors && class->possibleInferiors[j]; j++) {
+			ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);
+		}
+	}
+		
+	if (allowedClasses->num_values > 1) {
+		qsort(allowedClasses->values, 
+		      allowedClasses->num_values, 
+		      sizeof(*allowedClasses->values),
+		      (comparison_fn_t)data_blob_cmp);
+	
+		for (i=1 ; i < allowedClasses->num_values; i++) {
+			struct ldb_val *val1 = &allowedClasses->values[i-1];
+			struct ldb_val *val2 = &allowedClasses->values[i];
+			if (data_blob_cmp(val1, val2) == 0) {
+				memmove(val1, val2, (allowedClasses->num_values - i) * sizeof( struct ldb_val)); 
+				allowedClasses->num_values--;
+				i--;
+			}
+		}
+	}
+
+	return 0;
+
+}
+
 /* find all attributes allowed by all these objectClasses */
 
 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
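Review bot: The return value of `ldb_msg_add_string()` is dropped inside the inner loop of the new `kludge_acl_childClasses()`, so a failed add (for example on allocation failure) leaves a silently truncated child-class list while the function still returns 0. The callers already test for `LDB_SUCCESS`, so propagate it: `ret = ldb_msg_add_string(msg, attrName, class->possibleInferiors[j]);` followed by `if (ret != LDB_SUCCESS) return ret;`. The same unchecked call is visible in the `mayContain` loop of `kludge_acl_allowedAttributes()` in the previous hunk. The header comment `/* read all objectClasses */` was copied from that function and would read better as `/* add the possibleInferiors of every objectClass on the message as values of attrName, sorted and de-duplicated */`.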
@@ -194,8 +248,15 @@
 		ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
 		if (ret != LDB_SUCCESS) {
 			return ret;
+
 		}
 	}
+	if (ac->allowedChildClasses) {
+		ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClasses");
+		if (ret != LDB_SUCCESS) {
+			return ret;
+		}
+	}
 
 	if (data && data->password_attrs) /* if we are not initialized just get through */
 	{
@@ -208,6 +269,12 @@
 					return ret;
 				}
 			}
+			if (ac->allowedChildClassesEffective) {
+				ret = kludge_acl_childClasses(ldb, ares->message, "allowedChildClassesEffective");
+				if (ret != LDB_SUCCESS) {
+					return ret;
+				}
+			}
 			break;
 		default:
 			/* remove password attributes */
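Review bot: `allowedChildClassesEffective` is filled by the same `kludge_acl_childClasses()` call as `allowedChildClasses`, so the value is the schema's full `possibleInferiors` list rather than what the requesting user may actually create under this object. The only gate visible here is the surrounding `switch` branch, whose `case` label lies outside the hunk, so which user types reach it cannot be confirmed from this view. Clients such as MMC use this attribute only to decide what to offer, so the add path still has to enforce the real permission check. A comment would make that explicit, e.g. `/* NOTE: not an access check; returns every possibleInferiors class, enforcement must happen on add */`.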
@@ -217,7 +284,8 @@
 		}
 	}
 
-	if ((ac->allowedAttributes || ac->allowedAttributesEffective) && 
+	if ((ac->allowedAttributes || ac->allowedAttributesEffective
+	     || ac->allowedChildClasses || ac->allowedChildClassesEffective) && 
 	    (!ldb_attr_in_list(ac->attrs, "objectClass") && 
 	     !ldb_attr_in_list(ac->attrs, "*"))) {
 		ldb_msg_remove_attr(ares->message, "objectClass");
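Review bot: The four-flag test here is repeated in the search-request hunk further down (`if (ac->allowedAttributes || ... || ac->allowedChildClassesEffective)`), and the two must stay in lockstep: that one decides `objectClass` is fetched, this one strips it again before the reply goes out. If a later computed attribute is added to only one of them, `objectClass` is either returned to a client that did not ask for it or missing when the lists are built. Consider one small static helper that takes `ac` and reports whether any computed attribute was requested, called from both places. The enclosing function begins and ends outside this hunk.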
@@ -267,7 +335,11 @@
 
 	ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
 
-	if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+	ac->allowedChildClasses = ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
+
+	ac->allowedChildClassesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
+
+	if (ac->allowedAttributes || ac->allowedAttributesEffective || ac->allowedChildClasses || ac->allowedChildClassesEffective) {
 		down_req->op.search.attrs
 			= ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
 	}

Modified: branches/SAMBA_4_0/source/dsdb/schema/schema.h
===================================================================
--- branches/SAMBA_4_0/source/dsdb/schema/schema.h	2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/schema/schema.h	2007-07-27 03:08:15 UTC (rev 24060)
@@ -111,6 +111,7 @@
 	const char **possSuperiors;
 	const char **mustContain;
 	const char **mayContain;
+	const char **possibleInferiors;
 
 	const char *defaultSecurityDescriptor;
 

Modified: branches/SAMBA_4_0/source/dsdb/schema/schema_init.c
===================================================================
--- branches/SAMBA_4_0/source/dsdb/schema/schema_init.c	2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/dsdb/schema/schema_init.c	2007-07-27 03:08:15 UTC (rev 24060)
@@ -492,16 +492,18 @@
 	GET_STRING_LDB(msg, "subClassOf", mem_ctx, obj, subClassOf, True);
 
 	obj->systemAuxiliaryClass	= NULL;
-	obj->systemPossSuperiors	= NULL;
 
 	obj->auxiliaryClass		= NULL;
-	obj->possSuperiors		= NULL;
 
 	GET_STRING_LIST_LDB(msg, "systemMustContain", mem_ctx, obj, systemMustContain, False);
 	GET_STRING_LIST_LDB(msg, "systemMayContain", mem_ctx, obj, systemMayContain, False);
 	GET_STRING_LIST_LDB(msg, "mustContain", mem_ctx, obj, mustContain, False);
 	GET_STRING_LIST_LDB(msg, "mayContain", mem_ctx, obj, mayContain, False);
 
+	GET_STRING_LIST_LDB(msg, "systemPossSuperiors", mem_ctx, obj, systemPossSuperiors, False);
+	GET_STRING_LIST_LDB(msg, "possSuperiors", mem_ctx, obj, possSuperiors, False);
+	GET_STRING_LIST_LDB(msg, "possibleInferiors", mem_ctx, obj, possibleInferiors, False);
+
 	GET_STRING_LDB(msg, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
 
 	GET_UINT32_LDB(msg, "schemaFlagsEx", obj, schemaFlagsEx);
@@ -832,6 +834,8 @@
 	obj->mustContain		= NULL;
 	obj->mayContain			= NULL;
 
+	obj->possibleInferiors          = NULL;
+
 	GET_STRING_DS(schema, r, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
 
 	GET_UINT32_DS(schema, r, "schemaFlagsEx", obj, schemaFlagsEx);
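Review bot: `obj->possibleInferiors` is set to NULL on this path while the loader in the previous hunk reads it with `GET_STRING_LIST_LDB(msg, "possibleInferiors", ...)`, so classes built here would produce an empty `allowedChildClasses` / `allowedChildClassesEffective` in `kludge_acl_childClasses()`. Judging by the `GET_STRING_DS` macros this looks like a second schema loader, but the function name is outside the hunk. If the gap is intentional for now, record it next to the assignment, e.g. `/* TODO: possibleInferiors is not populated on this path; allowedChildClasses will be empty for these classes */`.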

Modified: branches/SAMBA_4_0/source/setup/provision_users_modify.ldif
===================================================================
--- branches/SAMBA_4_0/source/setup/provision_users_modify.ldif	2007-07-27 02:07:17 UTC (rev 24059)
+++ branches/SAMBA_4_0/source/setup/provision_users_modify.ldif	2007-07-27 03:08:15 UTC (rev 24060)
@@ -17,7 +17,3 @@
 -
 replace: isCriticalSystemObject
 isCriticalSystemObject: TRUE
--
-replace: allowedChildClassesEffective
-allowedChildClassesEffective: user
-allowedChildClassesEffective: group


