[SCM] Samba Shared Repository - branch master updated
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Nov 26 03:22:09 MST 2009
The branch, master has been updated
via 9755337... s4:ldap.py - add a test for the enhanced operational attributes check
via b6efbd5... s4:objectclass LDB module - Prevent write operations on constructed attributes
via 393b839... s4:operational LDB module - Don't do the write checks here
from 5b3a32b... s3-kerberos: next step to resolve Bug #6929: build with recent heimdal.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 97553373d182671a8da1553cc47465c664ae69f0
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Thu Nov 26 09:51:56 2009 +0100
s4:ldap.py - add a test for the enhanced operational attributes check
(Deny creation of entries with operational attributes specified)
commit b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Thu Nov 26 10:54:20 2009 +0100
s4:objectclass LDB module - Prevent write operations on constructed attributes
commit 393b83979d11dddcf6d38ca24b3aea7bb645e0d0
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date: Thu Nov 26 10:21:44 2009 +0100
s4:operational LDB module - Don't do the write checks here
Let the "objectclass" module perform the schema checks instead.
-----------------------------------------------------------------------
Summary of changes:
source4/dsdb/samdb/ldb_modules/objectclass.c | 25 +++++++++++++++++++------
source4/dsdb/samdb/ldb_modules/operational.c | 16 ----------------
source4/lib/ldb/tests/python/ldap.py | 11 +++++++++++
3 files changed, 30 insertions(+), 22 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 53c1cc7..82b8835 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx,
}
/* Fix all attribute names to be in the correct case, and check they are all valid per the schema */
-static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *schema, struct ldb_message *msg)
+static int fix_check_attributes(struct ldb_context *ldb,
+ const struct dsdb_schema *schema,
+ struct ldb_message *msg,
+ enum ldb_request_type op)
{
- int i;
+ unsigned int i;
for (i=0; i < msg->num_elements; i++) {
const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name);
/* Add in a very special case for 'clearTextPassword',
@@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *sch
}
} else {
msg->elements[i].name = attribute->lDAPDisplayName;
+
+ /* We have to deny write operations on constructed attributes */
+ if ((attribute->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) {
+ if (op == LDB_ADD) {
+ return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
+ } else {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ }
+
}
}
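Review bot: The two different error codes on the new lines `return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;` (add) and `return LDB_ERR_CONSTRAINT_VIOLATION;` (every other operation) are not explained anywhere in the hunk, and the only rationale this commit carries is the "operational attributes cannot be changed!" comment it deletes from operational.c. A short comment on the `if (op == LDB_ADD)` line would stop the next reader from wondering whether the asymmetry is deliberate, e.g. `/* ADD: the attribute cannot be supplied at all (undefinedAttributeType); any other op targets an existing object, so report constraintViolation */`. The same comment should note that the rejection applies to every element of the message regardless of its modify flag, so a request that only deletes a constructed attribute is refused too — presumably intended, but currently implicit. fix_check_attributes continues past the end of this hunk.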
@@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac)
}
if (schema) {
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, ac->req->operation);
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
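Review bot: The add-side rejection of constructed attributes — the behaviour the new ldap.py test pins — only runs inside the `if (schema) {` block above the renamed call, so an add request that reaches objectclass_do_add with no schema loaded is not checked at all and the constructed attribute is passed through. Whether schema can be NULL here, and whether schema-less adds are legitimately needed (e.g. during provisioning), is decided outside the hunk, so I can only flag the gap: either fail closed with `if (!schema) { talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; }`, which is what the modify path appears to do at the top of the next hunk, or add a comment stating that constructed attributes are intentionally not enforced without a schema. objectclass_do_add begins before this hunk.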
@@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
if (ret != LDB_SUCCESS) {
return ret;
}
@@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
@@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = fix_attributes(ldb, schema, msg);
+ ret = fix_check_attributes(ldb, schema, msg, req->operation);
if (ret != LDB_SUCCESS) {
ldb_oom(ldb);
return ret;
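Review bot: `ldb_oom(ldb);` immediately before `return ret;` now labels a constraint-violation or undefined-attribute rejection from fix_check_attributes as an out-of-memory condition, so the error string handed back to an LDAP client for the new constructed-attribute check is wrong at this call site. The other three call sites this commit touches (objectclass_do_add and the two earlier objectclass_modify hunks) return `ret` without altering the error string, so this one should match: drop the `ldb_oom(ldb);` line, or confine it to whatever allocation failure it was presumably meant for (the code that sets `ret` before this hunk is not visible). objectclass_modify's body continues outside this hunk.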
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 46d4745..e48f91b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -434,24 +434,8 @@ static int operational_init(struct ldb_module *ctx)
return LDB_SUCCESS;
}
-static int operational_modify(struct ldb_module *module, struct ldb_request *req)
-{
- unsigned int i;
-
- for (i = 0; i < ARRAY_SIZE(search_sub); i++) {
- if (ldb_msg_find_element(req->op.mod.message, search_sub[i].attr) != NULL) {
- /* operational attributes cannot be changed! */
- return LDB_ERR_CONSTRAINT_VIOLATION;
- }
- }
-
- /* No operational attribute will be changed -> go on */
- return ldb_next_request(module, req);
-}
-
const struct ldb_module_ops ldb_operational_module_ops = {
.name = "operational",
.search = operational_search,
- .modify = operational_modify,
.init_context = operational_init
};
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 9a7976b..a5a9d7c 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -23,6 +23,7 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
from ldb import ERR_NO_SUCH_ATTRIBUTE, ERR_INSUFFICIENT_ACCESS_RIGHTS
from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
+from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
from ldb import Message, MessageElement, Dn
from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
from samba import Ldb, param, dom_sid_to_rid
@@ -764,6 +765,16 @@ objectClass: container
"""Test the primary group token behaviour (hidden-generated-readonly attribute on groups)"""
print "Testing primary group token behaviour\n"
+ try:
+ ldb.add({
+ "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+ "objectclass": "group",
+ "primaryGroupToken": "100"})
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
+ self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
ldb.add({
"dn": "cn=ldaptestuser,cn=users," + self.base_dn,
"objectclass": ["user", "person"]})