[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Thu Nov 26 03:22:09 MST 2009


The branch, master has been updated
       via  9755337... s4:ldap.py - add a test for the enhanced operational attributes check
       via  b6efbd5... s4:objectclass LDB module - Prevent write operations on constructed attributes
       via  393b839... s4:operational LDB module - Don't do the write checks here
      from  5b3a32b... s3-kerberos: next step to resolve Bug #6929: build with recent heimdal.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 97553373d182671a8da1553cc47465c664ae69f0
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Thu Nov 26 09:51:56 2009 +0100

    s4:ldap.py - add a test for the enhanced operational attributes check
    
    (Deny creation of entries with operational attributes specified)

commit b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Thu Nov 26 10:54:20 2009 +0100

    s4:objectclass LDB module - Prevent write operations on constructed attributes

commit 393b83979d11dddcf6d38ca24b3aea7bb645e0d0
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Thu Nov 26 10:21:44 2009 +0100

    s4:operational LDB module - Don't do the write checks here
    
    Let the "objectclass" module perform these checks against the schema instead.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c |   25 +++++++++++++++++++------
 source4/dsdb/samdb/ldb_modules/operational.c |   16 ----------------
 source4/lib/ldb/tests/python/ldap.py         |   11 +++++++++++
 3 files changed, 30 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 53c1cc7..82b8835 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx,
 }
 
 /* Fix all attribute names to be in the correct case, and check they are all valid per the schema */
-static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *schema, struct ldb_message *msg) 
+static int fix_check_attributes(struct ldb_context *ldb,
+				const struct dsdb_schema *schema,
+				struct ldb_message *msg,
+				enum ldb_request_type op)
 {
-	int i;
+	unsigned int i;
 	for (i=0; i < msg->num_elements; i++) {
 		const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name);
 		/* Add in a very special case for 'clearTextPassword',
@@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *sch
 			}
 		} else {
 			msg->elements[i].name = attribute->lDAPDisplayName;
+
+			/* We have to deny write operations on constructed attributes */
+			if ((attribute->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) {
+				if (op == LDB_ADD) {
+					return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
+				} else {
+					return LDB_ERR_CONSTRAINT_VIOLATION;
+				}
+			}
+
 		}
 	}
 
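Review bot: The new rejection of constructed attributes returns a bare result code and never sets an ldb error string, even though the `ldb` context is passed in, so a client (or a debugging admin) sees only "undefined attribute type" or "constraint violation" with no indication of which attribute was refused. Before each `return` inside the `DS_FLAG_ATTR_IS_CONSTRUCTED` branch, set a message naming the offending attribute, e.g. `ldb_asprintf_errstring(ldb, "objectclass: attribute '%s' is constructed and cannot be written", msg->elements[i].name);`. The comment should also say why the denial matters — constructed attributes are generated at read time, so a stored value would shadow the computed one — rather than just that it is done; `/* Constructed attributes are generated on read; a stored value must not be allowed to shadow them, so deny any write. */` is a more useful wording. Note that every op other than LDB_ADD (including modify with FLAG_MOD_DELETE) gets LDB_ERR_CONSTRAINT_VIOLATION, which looks intended but is worth stating in the comment.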
@@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac)
 
 	}
 	if (schema) {
-		ret = fix_attributes(ldb, schema, msg);
+		ret = fix_check_attributes(ldb, schema, msg, ac->req->operation);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(mem_ctx);
 			return ret;
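Review bot: The constructed-attribute check now lives inside the `if (schema)` branch, so an add request processed while no schema is loaded skips the denial entirely; the operational module's modify-time check that this commit removes did not depend on the schema being present. If a schema-less path is reachable on the add side, the safer behaviour is to fail rather than silently skip the check, e.g. an `else` branch returning `LDB_ERR_OPERATIONS_ERROR` with an error string such as `ldb_set_errstring(ldb, "objectclass: no schema available, cannot validate attributes");` — or a comment stating why a missing schema is acceptable here. objectclass_do_add starts before this hunk and its surrounding logic is not visible.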
@@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 		
-		ret = fix_attributes(ldb, schema, msg);
+		ret = fix_check_attributes(ldb, schema, msg, req->operation);
 		if (ret != LDB_SUCCESS) {
 			return ret;
 		}
@@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
-		ret = fix_attributes(ldb, schema, msg);
+		ret = fix_check_attributes(ldb, schema, msg, req->operation);
 		if (ret != LDB_SUCCESS) {
 			talloc_free(mem_ctx);
 			return ret;
@@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	ret = fix_attributes(ldb, schema, msg);
+	ret = fix_check_attributes(ldb, schema, msg, req->operation);
 	if (ret != LDB_SUCCESS) {
 		ldb_oom(ldb);
 		return ret;
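Review bot: `ldb_oom(ldb)` is called for any non-success return of fix_check_attributes, but after this commit that function also returns LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE and LDB_ERR_CONSTRAINT_VIOLATION for constructed attributes, so a client rejected for writing e.g. primaryGroupToken will be told the server is out of memory. The ldb_oom call should be dropped here (the other three call sites in this commit just return `ret`), with the error string set at the point of rejection instead: `if (ret != LDB_SUCCESS) {` / `return ret;` / `}`. objectclass_modify continues outside the hunk, so any later error-string handling is not visible here.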
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 46d4745..e48f91b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -434,24 +434,8 @@ static int operational_init(struct ldb_module *ctx)
 	return LDB_SUCCESS;
 }
 
-static int operational_modify(struct ldb_module *module, struct ldb_request *req)
-{
-	unsigned int i;
-
-	for (i = 0; i < ARRAY_SIZE(search_sub); i++) {
-		if (ldb_msg_find_element(req->op.mod.message, search_sub[i].attr) != NULL) {
-			/* operational attributes cannot be changed! */
-			return LDB_ERR_CONSTRAINT_VIOLATION;
-		}
-	}
-
-	/* No operational attribute will be changed -> go on */
-	return ldb_next_request(module, req);
-}
-
 const struct ldb_module_ops ldb_operational_module_ops = {
 	.name              = "operational",
 	.search            = operational_search,
-	.modify            = operational_modify,
 	.init_context	   = operational_init
 };
diff --git a/source4/lib/ldb/tests/python/ldap.py b/source4/lib/ldb/tests/python/ldap.py
index 9a7976b..a5a9d7c 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -23,6 +23,7 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, ERR_INVALID_DN_SYNTAX
 from ldb import ERR_NO_SUCH_ATTRIBUTE, ERR_INSUFFICIENT_ACCESS_RIGHTS
 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
+from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
 from samba import Ldb, param, dom_sid_to_rid
@@ -764,6 +765,16 @@ objectClass: container
         """Test the primary group token behaviour (hidden-generated-readonly attribute on groups)"""
         print "Testing primary group token behaviour\n"
 
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+                "objectclass": "group",
+                "primaryGroupToken": "100"})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
+        self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+
         ldb.add({
             "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
             "objectclass": ["user", "person"]})
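Review bot: The new test only exercises the add path (ERR_UNDEFINED_ATTRIBUTE_TYPE); the modify path that the objectclass module now rejects with ERR_CONSTRAINT_VIOLATION, replacing the check deleted from operational.c, is not covered by the added lines, unless the remainder of this test method (which continues past the hunk) already does so. A modify attempt against an existing group, using the Message/MessageElement/FLAG_MOD_REPLACE names the file already imports, would pin the second error code and catch a regression if the check is ever gated differently. The group would need to be created without the attribute first, since the add above is expected to fail and the entry is then force-deleted.
```python
# … unchanged: add with primaryGroupToken must fail with ERR_UNDEFINED_ATTRIBUTE_TYPE …
ldb.add({
    "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
    "objectclass": "group"})
m = Message()
m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
m["primaryGroupToken"] = MessageElement("100", FLAG_MOD_REPLACE, "primaryGroupToken")
try:
    ldb.modify(m)
    self.fail()
except LdbError, (num, _):
    self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
```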

