[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Sun Aug 1 02:19:19 MDT 2010


The branch, master has been updated
       via  81cc92c... s4:ldap.py - performs some "systemFlags" testing
       via  3cdc83d... s4:subtree_rename LDB module - introduce the "systemFlags" protection rules
       via  3244f6f... s4:dsdb/pydsdb.c - import "systemFlags" into Python
       via  4e3afb3... s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" return
      from  1b7029b... s4:torture/winreg.c - fix warnings of Solaris 10 cc through the appropriate casts

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 81cc92c5af1a6e8c140e5c388d610f9061ca86db
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Fri Jul 9 19:22:01 2010 +0200

    s4:ldap.py - performs some "systemFlags" testing

commit 3cdc83d4f9a67011cfa51b242cb84f3f6b59e226
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Jul 4 20:07:09 2010 +0200

    s4:subtree_rename LDB module - introduce the "systemFlags" protection rules
    
    This is done in a dedicated call "check_system_flags".

commit 3244f6feaab218984978ac14e156d62e101a1104
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Thu Jul 8 21:05:33 2010 +0200

    s4:dsdb/pydsdb.c - import "systemFlags" into Python
    
    Needed by ldap.py tests

commit 4e3afb36dab12b460cdd0cbc95607d4032115c05
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sat Jul 31 21:26:38 2010 +0200

    s4:subtree_rename LDB module - "subren_ctx_init" - fix the "out of memory" return

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/pydsdb.c                           |   26 +++++
 source4/dsdb/samdb/ldb_modules/subtree_rename.c |  129 ++++++++++++++++++++++-
 source4/dsdb/tests/python/ldap.py               |   56 ++++++++++
 3 files changed, 206 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 6966762..1967b33 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -580,6 +580,32 @@ void initdsdb(void)
 	PyModule_AddObject(m, "DS_DOMAIN_FUNCTION_2008_R2",
 					   PyInt_FromLong(DS_DOMAIN_FUNCTION_2008_R2));
 
+	/* "systemFlags" */
+	PyModule_AddObject(m, "SYSTEM_FLAG_CR_NTDS_NC",
+					PyInt_FromLong(SYSTEM_FLAG_CR_NTDS_NC));
+	PyModule_AddObject(m, "SYSTEM_FLAG_CR_NTDS_DOMAIN",
+					PyInt_FromLong(SYSTEM_FLAG_CR_NTDS_DOMAIN));
+	PyModule_AddObject(m, "SYSTEM_FLAG_CR_NTDS_NOT_GC_REPLICATED",
+					PyInt_FromLong(SYSTEM_FLAG_CR_NTDS_NOT_GC_REPLICATED));
+	PyModule_AddObject(m, "SYSTEM_FLAG_SCHEMA_BASE_OBJECT",
+					PyInt_FromLong(SYSTEM_FLAG_SCHEMA_BASE_OBJECT));
+	PyModule_AddObject(m, "SYSTEM_FLAG_ATTR_IS_RDN",
+					PyInt_FromLong(SYSTEM_FLAG_ATTR_IS_RDN));
+	PyModule_AddObject(m, "SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE",
+					PyInt_FromLong(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE));
+	PyModule_AddObject(m, "SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE",
+					PyInt_FromLong(SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE));
+	PyModule_AddObject(m, "SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME",
+					PyInt_FromLong(SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME));
+	PyModule_AddObject(m, "SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE",
+					PyInt_FromLong(SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE));
+	PyModule_AddObject(m, "SYSTEM_FLAG_CONFIG_ALLOW_MOVE",
+					PyInt_FromLong(SYSTEM_FLAG_CONFIG_ALLOW_MOVE));
+	PyModule_AddObject(m, "SYSTEM_FLAG_CONFIG_ALLOW_RENAME",
+					PyInt_FromLong(SYSTEM_FLAG_CONFIG_ALLOW_RENAME));
+	PyModule_AddObject(m, "SYSTEM_FLAG_DISALLOW_DELETE",
+					PyInt_FromLong(SYSTEM_FLAG_DISALLOW_DELETE));
+
 	/* Kerberos encryption type constants */
 	PyModule_AddObject(m, "ENC_ALL_TYPES",
 			   PyInt_FromLong(ENC_ALL_TYPES));
diff --git a/source4/dsdb/samdb/ldb_modules/subtree_rename.c b/source4/dsdb/samdb/ldb_modules/subtree_rename.c
index 6d79db1..590f6f7 100644
--- a/source4/dsdb/samdb/ldb_modules/subtree_rename.c
+++ b/source4/dsdb/samdb/ldb_modules/subtree_rename.c
@@ -31,6 +31,8 @@
 #include "includes.h"
 #include <ldb.h>
 #include <ldb_module.h>
+#include "libds/common/flags.h"
+#include "dsdb/samdb/samdb.h"
 
 struct subren_msg_store {
 	struct subren_msg_store *next;
@@ -47,7 +49,7 @@ struct subtree_rename_context {
 };
 
 static struct subtree_rename_context *subren_ctx_init(struct ldb_module *module,
-					 struct ldb_request *req)
+						      struct ldb_request *req)
 {
 	struct ldb_context *ldb;
 	struct subtree_rename_context *ac;
@@ -56,7 +58,6 @@ static struct subtree_rename_context *subren_ctx_init(struct ldb_module *module,
 
 	ac = talloc_zero(req, struct subtree_rename_context);
 	if (ac == NULL) {
-		ldb_oom(ldb);
 		return NULL;
 	}
 
@@ -140,6 +141,110 @@ static int subtree_rename_next_request(struct subtree_rename_context *ac)
 	return ldb_next_request(ac->module, req);
 }
 
+static int check_system_flags(struct ldb_message *msg,
+			      struct subtree_rename_context *ac,
+			      struct ldb_dn *olddn, struct ldb_dn *newdn)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
+	struct ldb_dn *dn1, *dn2;
+	int32_t systemFlags;
+	bool move_op = false;
+	bool rename_op = false;
+
+	if (ldb_dn_compare(olddn, newdn) == 0) {
+		return LDB_SUCCESS;
+	}
+
+	dn1 = ldb_dn_get_parent(ac, olddn);
+	dn2 = ldb_dn_get_parent(ac, newdn);
+
+	if (ldb_dn_compare(dn1, dn2) == 0) {
+		rename_op = true;
+	} else {
+		move_op = true;
+	}
+
+	talloc_free(dn1);
+	talloc_free(dn2);
+
+	systemFlags = ldb_msg_find_attr_as_int(msg, "systemFlags", 0);
+
+	/* the config system flags don't apply for the schema partition */
+	if ((ldb_dn_compare_base(ldb_get_config_basedn(ldb), olddn) == 0) &&
+	    (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), olddn) != 0)) {
+		if (move_op &&
+		    (systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_MOVE) == 0) {
+			/* Here we have to do more: control the
+			 * "ALLOW_LIMITED_MOVE" flag. This means that the
+			 * grand-grand-parents of two objects have to be equal
+			 * in order to perform the move (this is used for
+			 * moving "server" objects in the "sites" container). */
+			bool limited_move =
+				systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE;
+
+			if (limited_move) {
+				dn1 = ldb_dn_copy(ac, olddn);
+				dn2 = ldb_dn_copy(ac, newdn);
+
+				limited_move &= ldb_dn_remove_child_components(dn1, 3);
+				limited_move &= ldb_dn_remove_child_components(dn2, 3);
+				limited_move &= ldb_dn_compare(dn1, dn2) == 0;
+
+				talloc_free(dn1);
+				talloc_free(dn2);
+			}
+
+			if (!limited_move) {
+				ldb_asprintf_errstring(ldb,
+						       "subtree_rename: Cannot move %s, it isn't permitted!",
+						       ldb_dn_get_linearized(olddn));
+				return LDB_ERR_UNWILLING_TO_PERFORM;
+			}
+		}
+		if (rename_op &&
+		    (systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_RENAME) == 0) {
+			ldb_asprintf_errstring(ldb,
+					       "subtree_rename: Cannot rename %s, it isn't permitted!",
+					       ldb_dn_get_linearized(olddn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+	}
+	if (ldb_dn_compare_base(ldb_get_schema_basedn(ldb), olddn) == 0) {
+		if (move_op) {
+			ldb_asprintf_errstring(ldb,
+					       "subtree_rename: Cannot move %s, it isn't permitted!",
+					       ldb_dn_get_linearized(olddn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+		if (rename_op &&
+		    (systemFlags & SYSTEM_FLAG_SCHEMA_BASE_OBJECT) != 0) {
+			ldb_asprintf_errstring(ldb,
+					       "subtree_rename: Cannot rename %s, it isn't permitted!",
+					       ldb_dn_get_linearized(olddn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+	}
+	if (ldb_dn_compare_base(ldb_get_default_basedn(ldb),
+				ac->current->olddn) == 0) {
+		if (move_op &&
+		    (systemFlags & SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE) != 0) {
+			ldb_asprintf_errstring(ldb,
+					       "subtree_rename: Cannot move %s, it isn't permitted!",
+					       ldb_dn_get_linearized(olddn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+		if (rename_op &&
+		    (systemFlags & SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME) != 0) {
+			ldb_asprintf_errstring(ldb,
+						       "subtree_rename: Cannot rename %s, it isn't permitted!",
+					       ldb_dn_get_linearized(olddn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+	}
+
+	return LDB_SUCCESS;
+}
+
 static int subtree_rename_search_callback(struct ldb_request *req,
 					  struct ldb_reply *ares)
 {
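Review bot: The default-partition test in check_system_flags, `ldb_dn_compare_base(ldb_get_default_basedn(ldb), ac->current->olddn)`, reads `ac->current->olddn` while every other branch of the function tests the `olddn` parameter; the second caller passes `store->olddn` for a child entry, so this one comparison refers to a different DN than the one whose flags are being checked. A child of a subtree lives in the same partition as its root, so the outcome is probably identical today, but the inconsistency hides that assumption; use the parameter: `if (ldb_dn_compare_base(ldb_get_default_basedn(ldb), olddn) == 0) {`. The results of ldb_dn_get_parent() and ldb_dn_copy() are never checked either; the DN helpers appear to fail closed on a NULL argument (the request is classified as a move and then rejected), but the caller then sees the "isn't permitted" message instead of an out-of-memory error. The same error text is also reused at all four rejection sites, so a log reader cannot tell which rule fired — naming the rule in each message (config move, config rename, schema, domain) would make denials diagnosable.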
@@ -160,10 +265,18 @@ static int subtree_rename_search_callback(struct ldb_request *req,
 
 	switch (ares->type) {
 	case LDB_REPLY_ENTRY:
-
 		if (ldb_dn_compare(ares->message->dn, ac->list->olddn) == 0) {
 			/* this was already stored by the
 			 * subtree_rename_search() */
+
+			ret = check_system_flags(ares->message, ac,
+						 ac->list->olddn,
+						 ac->list->newdn);
+			if (ret != LDB_SUCCESS) {
+				return ldb_module_done(ac->req, NULL, NULL,
+						       ret);
+			}
+
 			talloc_free(ares);
 			return LDB_SUCCESS;
 		}
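Review bot: The new `return ldb_module_done(ac->req, NULL, NULL, ret);` in the LDB_REPLY_ENTRY branch returns without freeing `ares`, whereas the success path immediately below it calls `talloc_free(ares)` first; the next hunk, where check_system_flags is run on the child entry, has the same shape. If `ares` is not parented on something that ldb_module_done tears down, every rejected rename leaks the reply message. Add `talloc_free(ares);` before each of the two new returns. The LDB_REPLY_ENTRY case continues outside the hunk, so I cannot see whether a later path already covers this.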
@@ -191,6 +304,12 @@ static int subtree_rename_search_callback(struct ldb_request *req,
 						LDB_ERR_OPERATIONS_ERROR);
 		}
 
+		ret = check_system_flags(ares->message, ac,
+					 store->olddn, store->newdn);
+		if (ret != LDB_SUCCESS) {
+			return ldb_module_done(ac->req, NULL, NULL, ret);
+		}
+
 		break;
 
 	case LDB_REPLY_REFERRAL:
@@ -219,7 +338,7 @@ static int subtree_rename_search_callback(struct ldb_request *req,
 static int subtree_rename(struct ldb_module *module, struct ldb_request *req)
 {
 	struct ldb_context *ldb;
-	static const char *attrs[2] = { "distinguishedName", NULL };
+	static const char * const attrs[] = { "systemFlags", NULL };
 	struct ldb_request *search_req;
 	struct subtree_rename_context *ac;
 	int ret;
@@ -241,7 +360,7 @@ static int subtree_rename(struct ldb_module *module, struct ldb_request *req)
 
 	ac = subren_ctx_init(module, req);
 	if (!ac) {
-		return ldb_operr(ldb);
+		return ldb_oom(ldb);
 	}
 
 	/* add this entry as the first to do */
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index de8e89b..9911d5d 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -890,6 +890,53 @@ objectClass: container
 
         self.delete_force(self.ldb, "cn=ldaptestuser3,cn=users," + self.base_dn)
 
+        # Performs some "systemFlags" testing
+
+        # Move failing since no "SYSTEM_FLAG_CONFIG_ALLOW_MOVE"
+        try:
+            ldb.rename("CN=DisplaySpecifiers," + self.configuration_dn, "CN=DisplaySpecifiers,CN=Services," + self.configuration_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        # Limited move failing since no "SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE"
+        try:
+            ldb.rename("CN=Directory Service,CN=Windows NT,CN=Services," + self.configuration_dn, "CN=Directory Service,CN=RRAS,CN=Services," + self.configuration_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        # Rename failing since no "SYSTEM_FLAG_CONFIG_ALLOW_RENAME"
+        try:
+            ldb.rename("CN=DisplaySpecifiers," + self.configuration_dn, "CN=DisplaySpecifiers2," + self.configuration_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        # It's not really possible to test moves on the schema partition since
+        # there don't exist subcontainers on it.
+
+        # Rename failing since "SYSTEM_FLAG_SCHEMA_BASE_OBJECT"
+        try:
+            ldb.rename("CN=Top," + self.schema_dn, "CN=Top2," + self.schema_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        # Move failing since "SYSTEM_FLAG_DOMAIN_DISALLOW_MOVE"
+        try:
+            ldb.rename("CN=Users," + self.base_dn, "CN=Users,CN=Computers," + self.base_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        # Rename failing since "SYSTEM_FLAG_DOMAIN_DISALLOW_RENAME"
+        try:
+            ldb.rename("CN=Users," + self.base_dn, "CN=Users2," + self.base_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
     def test_rename_twice(self):
         """Tests the rename operation twice - this corresponds to a past bug"""
         print "Tests the rename twice operation"""
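Review bot: Every new assertion exercises only the rejection path, so a check_system_flags that refused every move and rename unconditionally would still pass; the one permissive rule the module introduces, SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE, has no positive case. Consider adding a move the rules must accept — the module's own comment names server objects between site containers as the intended use — and moving it back afterwards so the provision is left as it was found. The block also calls `ldb.rename` while the line above the hunk uses `self.ldb`; if `ldb` is a module-level connection this works, but it reads as a different object and one form should be used throughout. The enclosing test method starts before the hunk.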
@@ -1560,6 +1607,15 @@ objectClass: container
         self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn)
         self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
 
+        # Performs some "systemFlags" testing
+
+        # Delete failing since "SYSTEM_FLAG_DISALLOW_DELETE"
+        try:
+            ldb.delete("CN=Users," + self.base_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
     def test_all(self):
         """Basic tests"""
 

