[SCM] Samba Shared Repository - branch master updated
Matthias Dieter Wallnöfer
mdw at samba.org
Thu Oct 27 12:28:02 MDT 2011
The branch, master has been updated
via a0f7c99 s4:wscript - install the two missing files "dlz_bind9.so" and "named.conf.dlz"
via 673be97 s4:repl_meta_data LDB module - don't intercept the partition LDB module referrals
via 2ee42eb s4:repl_meta_data LDB module - rename operation - do not overwrite error messages
via 57b8bc7 s4:repl_meta_data LDB module - remove pointless debug messages
via 45b4b82 s4:repl_meta_data LDB module - always return the original LDB result codes on failure
via 3fe7475 s4:repl_meta_data LDB module - "dsdb_search_module_dn" already checks if len(res) == 1
via d95b4c9 s4:ldap.py - fix up the dSHeuristics test to check for the right behaviour
via 6287d0d s4:objectclass_attrs LDB module - implement the dSHeuristics length checks correctly
via bb02aa5 s4:ldap.py - we test the creation of secrets already in the "systemOnly" testcase
via 6fc55cb s4:ldap.py - enhance and fix up the object class test
via 751bab4 s4:objectclass LDB module - objectclass modify op. - remove superfluous "talloc_strdup"
via 184c175 s4:objectclass LDB module - objectclass modify operations
via 68b3770 s4:objectclass LDB module - forbid to add unrelated objectclasses
via 730257f s4:objectclass LDB module - "objectclass_add" - small optimisation
via 82d9c9e s4:objectclass LDB module - "check_rodc_ntdsdsa_add"
via 3756508 s4:objectclass LDB module - update copyright
via 7161bb4 s4:password_hash LDB module - fix compiler warning due to unsatisfied "switch"
via c9ac028 s4:ldap.py - fix up the UTF8 tests
via 5875661 s4:ldap.py - reactivate some assertions in "test_all"
via b753965 s4:torture/ldap/basic.c - fix a typo
via 8a6daa3 ldb:common/ldb_modules.c - fix a typo in comment
from b972bd5 s4-torture: Add a user creation check.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit a0f7c990f40796a71219a2c3f3d1077b90aae3c9
Author: Geza Gemes <geza at kzsdabas.hu>
Date: Tue Oct 25 21:47:24 2011 +0200
s4:wscript - install the two missing files "dlz_bind9.so" and "named.conf.dlz"
Signed-off-by: Matthias Dieter Wallnöfer <mdw at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User: Matthias Dieter Wallnöfer <mdw at samba.org>
Autobuild-Date: Thu Oct 27 20:27:32 CEST 2011 on sn-devel-104
commit 673be97f1e512623e9930fb4592e917410cfa303
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Oct 22 15:57:45 2011 +0200
s4:repl_meta_data LDB module - don't intercept the partition LDB module referrals
Reviewed-by: abartlet
commit 2ee42ebab3776cea89a5b00464d7cb9db78cd27c
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Fri Oct 14 09:51:04 2011 +0200
s4:repl_meta_data LDB module - rename operation - do not overwrite error messages
"ldb_error" could overwrite possibly useful error messages.
Reviewed-by: abartlet
commit 57b8bc74c480b9957109aa9ba196ba2acfea393e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Oct 22 16:02:10 2011 +0200
s4:repl_meta_data LDB module - remove pointless debug messages
These are displayed when an object just doesn't exist!
Reviewed-by: abartlet
commit 45b4b8264abd80ed0fe39cbaec202ad8742a17a5
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Fri Oct 14 09:27:56 2011 +0200
s4:repl_meta_data LDB module - always return the original LDB result codes on failure
And add "ldb_operr()" before the "return ret" to point out the position
where it failed (for "add_time_element" and "add_uint64_element")
Reworked after a suggestion by abartlet.
commit 3fe747538bc79633ed7039c6c001902bacecef04
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Fri Oct 14 09:25:56 2011 +0200
s4:repl_meta_data LDB module - "dsdb_search_module_dn" already checks if len(res) == 1
No need to perform an additional check here. As a return value we should
always give back the original error code and not generate a new one (to
let the caller know what is going on).
Reviewed-by: abartlet
commit d95b4c94978fad40b6cb052522aa191fe77c6663
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Oct 13 09:51:18 2011 +0200
s4:ldap.py - fix up the dSHeuristics test to check for the right behaviour
Reviewed-by: abartlet
commit 6287d0d61c1b63f399edc901133a6f61069224a6
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Oct 13 08:48:08 2011 +0200
s4:objectclass_attrs LDB module - implement the dSHeuristics length checks correctly
Consider bug #8489
Reviewed-by: abartlet
commit bb02aa5e0020e9f41d353d59889888caf9867b91
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Oct 13 08:21:31 2011 +0200
s4:ldap.py - we test the creation of secrets already in the "systemOnly" testcase
Reviewed-by: abartlet
commit 6fc55cb9f2cafc6d9105574a1a40f5d9ad22a860
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 08:53:17 2011 +0200
s4:ldap.py - enhance and fix up the object class test
Also address the problem described in bug #8486.
Reviewed-by: abartlet
commit 751bab4fb2478f4ce24f0b41c3c1a1b428892c1b
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 20:17:33 2011 +0200
s4:objectclass LDB module - objectclass modify op. - remove superfluous "talloc_strdup"
We are adding strings embedded in the schema structure which is basically
global and lives longer than the request - hence no duplication needed.
Reviewed-by: abartlet
commit 184c17587c49a43e45cda66c6547544c2424ae52
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 17:58:37 2011 +0200
s4:objectclass LDB module - objectclass modify operations
According to bug #8486 the modification to directly related structural
object classes is possible (equal, child, parent).
Reviewed-by: abartlet
commit 68b3770c45507070af02c110dd540322c61a65f4
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 20:33:53 2011 +0200
s4:objectclass LDB module - forbid to add unrelated objectclasses
E.g. unsatisfied abstract objectclasses, additional top-most structural
classes
Reviewed-by: abartlet
commit 730257f4c0ef0df4c30150d956dbf319c3d5aedc
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 09:29:08 2011 +0200
s4:objectclass LDB module - "objectclass_add" - small optimisation
This saves us from doing one "ldb_msg_find_element".
Reviewed-by: abartlet
commit 82d9c9e5a0640fbe6871785a1672895d35630996
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 20:34:17 2011 +0200
s4:objectclass LDB module - "check_rodc_ntdsdsa_add"
For convention use "ldb_attr_cmp()".
Reviewed-by: abartlet
commit 3756508fece741183cfacbd22f25f9e6c55f4fd2
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 12 19:49:31 2011 +0200
s4:objectclass LDB module - update copyright
Reviewed-by: abartlet
commit 7161bb4b374523fdc075205362cf93997671c3bc
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Oct 26 10:04:11 2011 +0200
s4:password_hash LDB module - fix compiler warning due to unsatisfied "switch"
Bail out on other LDB request types (only add and modify allowed).
commit c9ac02895138239126231ed9752f501ceb8f0747
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Oct 22 13:03:44 2011 +0200
s4:ldap.py - fix up the UTF8 tests
Reviewed-by: abartlet
commit 5875661cf22a5d5d61bd1f60d0fb44debd66da28
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Oct 22 12:54:23 2011 +0200
s4:ldap.py - reactivate some assertions in "test_all"
There should always be one result on both s4 and Windows.
Reviewed-by: abartlet
commit b75396579f3ebe6f857a2212b7718b32dabcbe45
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sat Oct 22 12:34:42 2011 +0200
s4:torture/ldap/basic.c - fix a typo
Reviewed-by: abartlet
commit 8a6daa3cf9c011721cfca2ce1bcf543994dbd4b6
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Thu Oct 20 22:29:43 2011 +0200
ldb:common/ldb_modules.c - fix a typo in comment
Reviewed-by: abartlet
-----------------------------------------------------------------------
Summary of changes:
lib/ldb/common/ldb_modules.c | 2 +-
libds/common/flags.h | 10 +-
source4/dns_server/wscript_build | 2 +
source4/dsdb/samdb/ldb_modules/objectclass.c | 210 ++++++++++----------
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 42 ++++-
source4/dsdb/samdb/ldb_modules/password_hash.c | 3 +
source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 68 ++++---
source4/dsdb/tests/python/ldap.py | 171 ++++++++++++----
source4/setup/wscript_build | 4 +-
source4/torture/ldap/basic.c | 4 +-
10 files changed, 324 insertions(+), 192 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/ldb/common/ldb_modules.c b/lib/ldb/common/ldb_modules.c
index 47ec434..8904d5a 100644
--- a/lib/ldb/common/ldb_modules.c
+++ b/lib/ldb/common/ldb_modules.c
@@ -723,7 +723,7 @@ int ldb_module_send_entry(struct ldb_request *req,
*
* params:
* req: the original request passed to your module
- * ref: referral string (must be a talloc pointeri, steal)
+ * ref: referral string (must be a talloc pointer, steal)
*/
int ldb_module_send_referral(struct ldb_request *req,
diff --git a/libds/common/flags.h b/libds/common/flags.h
index 714251d..c25a9e9 100644
--- a/libds/common/flags.h
+++ b/libds/common/flags.h
@@ -239,7 +239,15 @@
#define DS_HR_COMPUTE_ANR_STATS 0x0000000F
#define DS_HR_ADMINSDEXMASK 0x00000010
#define DS_HR_KVNOEMUW2K 0x00000011
-#define DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS 0x00000012
+
+#define DS_HR_TWENTIETH_CHAR 0x00000014
+#define DS_HR_THIRTIETH_CHAR 0x0000001E
+#define DS_HR_FOURTIETH_CHAR 0x00000028
+#define DS_HR_FIFTIETH_CHAR 0x00000032
+#define DS_HR_SIXTIETH_CHAR 0x0000003C
+#define DS_HR_SEVENTIETH_CHAR 0x00000046
+#define DS_HR_EIGHTIETH_CHAR 0x00000050
+#define DS_HR_NINETIETH_CHAR 0x0000005A
/* mS-DS-ReplicatesNCReason */
#define NTDSCONN_KCC_GC_TOPOLOGY 0x00000001
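Review bot: "DS_HR_FOURTIETH_CHAR" is misspelled; the ordinal is "fortieth", and the name is better fixed now, before more callers pick it up. The new values are the decimal positions 20, 30, ... 90 written in hex, which is not obvious next to the neighbouring defines. A one-line comment saying that these are 1-based character positions in the dSHeuristics string, and why "DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS" is dropped, would help the next reader.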
diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build
index 3500b03..2288f7c 100644
--- a/source4/dns_server/wscript_build
+++ b/source4/dns_server/wscript_build
@@ -14,4 +14,6 @@ bld.SAMBA_LIBRARY('dlz_bind9',
source='dlz_bind9.c',
private_library=True,
link_name='modules/bind9/dlz_bind9.so',
+ realname='dlz_bind9.so',
+ install_path='${MODULESDIR}/bind9',
deps='samba-hostconfig ldbsamba samba-util popt')
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 16a5984..89dd6ef 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -3,7 +3,7 @@
Copyright (C) Simo Sorce 2006-2008
Copyright (C) Andrew Bartlett <abartlet at samba.org> 2005-2009
- Copyright (C) Matthias Dieter Wallnöfer 2010
+ Copyright (C) Matthias Dieter Wallnöfer 2010-2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -219,6 +219,60 @@ static int objectclass_sort(struct ldb_module *module,
return LDB_ERR_OBJECT_CLASS_VIOLATION;
}
+/*
+ * This checks if we have unrelated object classes in our entry's "objectClass"
+ * attribute. That means "unsatisfied" abstract classes (no concrete subclass)
+ * or two or more disjunct structural ones.
+ * If one of these conditions are true, blame.
+ */
+static int check_unrelated_objectclasses(struct ldb_module *module,
+ const struct dsdb_schema *schema,
+ const struct dsdb_class *struct_objectclass,
+ struct ldb_message_element *objectclass_element)
+{
+ struct ldb_context *ldb = ldb_module_get_ctx(module);
+ unsigned int i;
+ bool found;
+
+ if (schema == NULL) {
+ return LDB_SUCCESS;
+ }
+
+ for (i = 0; i < objectclass_element->num_values; i++) {
+ const struct dsdb_class *tmp_class = dsdb_class_by_lDAPDisplayName_ldb_val(schema,
+ &objectclass_element->values[i]);
+ const struct dsdb_class *tmp_class2 = struct_objectclass;
+
+ /* Pointer comparison can be used due to the same schema str. */
+ if (tmp_class == NULL ||
+ tmp_class == struct_objectclass ||
+ tmp_class->objectClassCategory > 2 ||
+ ldb_attr_cmp(tmp_class->lDAPDisplayName, "top") == 0) {
+ continue;
+ }
+
+ found = false;
+ while (!found &&
+ ldb_attr_cmp(tmp_class2->lDAPDisplayName, "top") != 0) {
+ tmp_class2 = dsdb_class_by_lDAPDisplayName(schema,
+ tmp_class2->subClassOf);
+ if (tmp_class2 == tmp_class) {
+ found = true;
+ }
+ }
+ if (found) {
+ continue;
+ }
+
+ ldb_asprintf_errstring(ldb,
+ "objectclass: the objectclass '%s' seems to be unrelated to the entry!",
+ tmp_class->lDAPDisplayName);
+ return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ }
+
+ return LDB_SUCCESS;
+}
+
static int get_search_callback(struct ldb_request *req, struct ldb_reply *ares)
{
struct ldb_context *ldb;
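Review bot: missing NULL check in the parent walk of "check_unrelated_objectclasses". The result of "dsdb_class_by_lDAPDisplayName(schema, tmp_class2->subClassOf)" is assigned to "tmp_class2" and the "while" condition then dereferences "tmp_class2->lDAPDisplayName" on the next iteration. If a "subClassOf" name cannot be resolved in the schema, this dereferences NULL. Suggest breaking out of the loop (and failing with LDB_ERR_OBJECT_CLASS_VIOLATION or an operations error) when the lookup returns NULL. The function also assumes "struct_objectclass" is non-NULL, which deserves a mention in the header comment. Minor: the literal in "objectClassCategory > 2" would read better with a named constant or a short comment on which categories are skipped.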
@@ -449,7 +503,7 @@ static bool check_rodc_ntdsdsa_add(struct oc_context *ac,
{
struct ldb_control *rodc_control;
- if (strcasecmp(objectclass->lDAPDisplayName, "nTDSDSA") != 0) {
+ if (ldb_attr_cmp(objectclass->lDAPDisplayName, "nTDSDSA") != 0) {
return false;
}
rodc_control = ldb_request_get_control(ac->req, LDB_CONTROL_RODC_DCPROMO_OID);
@@ -555,7 +609,8 @@ static int objectclass_do_add(struct oc_context *ac)
/* We must completely replace the existing objectClass entry,
* because we need it sorted. */
- ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
+ ret = ldb_msg_add_empty(msg, "objectClass", 0,
+ &objectclass_element);
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
@@ -577,9 +632,6 @@ static int objectclass_do_add(struct oc_context *ac)
talloc_free(mem_ctx);
- /* Retrive the message again so get_last_structural_class works */
- objectclass_element = ldb_msg_find_element(msg, "objectClass");
-
/* Make sure its valid to add an object of this type */
objectclass = get_last_structural_class(ac->schema,
objectclass_element, ac->req);
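Review bot: with the "ldb_msg_find_element" re-lookup removed here, "objectclass_element" is the pointer filled in by "ldb_msg_add_empty" in the previous hunk, and it has to remain valid across everything that is added to "msg" in between. The removed comment said the re-lookup was there so that "get_last_structural_class" works. Please add a short comment at the "ldb_msg_add_empty" call stating that only values of this element are added before the pointer is used, so that a later change which adds another element to "msg" at that point does not silently leave it dangling.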
@@ -590,6 +642,13 @@ static int objectclass_do_add(struct oc_context *ac)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ ret = check_unrelated_objectclasses(ac->module, ac->schema,
+ objectclass,
+ objectclass_element);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
rdn_name = ldb_dn_get_rdn_name(msg->dn);
if (rdn_name == NULL) {
return ldb_operr(ldb);
@@ -926,7 +985,6 @@ static int objectclass_do_mod(struct oc_context *ac)
{
struct ldb_context *ldb;
struct ldb_request *mod_req;
- char *value;
struct ldb_message_element *oc_el_entry, *oc_el_change;
struct ldb_val *vals;
struct ldb_message *msg;
@@ -934,7 +992,7 @@ static int objectclass_do_mod(struct oc_context *ac)
struct class_list *sorted, *current;
const struct dsdb_class *objectclass;
unsigned int i, j, k;
- bool found, replace = false;
+ bool found;
int ret;
ldb = ldb_module_get_ctx(ac->module);
@@ -1003,50 +1061,18 @@ static int objectclass_do_mod(struct oc_context *ac)
++(oc_el_entry->num_values);
}
- objectclass = get_last_structural_class(ac->schema,
- oc_el_change, ac->req);
- if (objectclass != NULL) {
- ldb_asprintf_errstring(ldb,
- "objectclass: cannot add a new top-most structural objectclass '%s'!",
- objectclass->lDAPDisplayName);
- talloc_free(mem_ctx);
- return LDB_ERR_OBJECT_CLASS_VIOLATION;
- }
-
- /* Now do the sorting */
- ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
- oc_el_entry, &sorted);
- if (ret != LDB_SUCCESS) {
- talloc_free(mem_ctx);
- return ret;
- }
-
break;
case LDB_FLAG_MOD_REPLACE:
- /* Do the sorting for the change message element */
- ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
- oc_el_change, &sorted);
- if (ret != LDB_SUCCESS) {
- talloc_free(mem_ctx);
- return ret;
- }
-
- /* this is a replace */
- replace = true;
+ /*
+ * In this case the new "oc_el_entry" is simply
+ * "oc_el_change"
+ */
+ oc_el_entry = oc_el_change;
break;
case LDB_FLAG_MOD_DELETE:
- /* get the actual top-most structural objectclass */
- objectclass = get_last_structural_class(ac->schema,
- oc_el_entry, ac->req);
- if (objectclass == NULL) {
- /* no structural objectclass? */
- talloc_free(mem_ctx);
- return ldb_operr(ldb);
- }
-
/* Merge the two message elements */
for (i = 0; i < oc_el_change->num_values; i++) {
found = false;
@@ -1078,40 +1104,40 @@ static int objectclass_do_mod(struct oc_context *ac)
}
}
- /* Make sure that the top-most structural object class
- * hasn't been deleted */
- found = false;
- for (i = 0; i < oc_el_entry->num_values; i++) {
- if (ldb_attr_cmp(objectclass->lDAPDisplayName,
- (char *)oc_el_entry->values[i].data) == 0) {
- found = true;
- break;
- }
- }
- if (!found) {
- ldb_asprintf_errstring(ldb,
- "objectclass: cannot delete the top-most structural objectclass '%s'!",
- objectclass->lDAPDisplayName);
- talloc_free(mem_ctx);
- return LDB_ERR_OBJECT_CLASS_VIOLATION;
- }
+ break;
+ }
- /* Now do the sorting */
- ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
- oc_el_entry, &sorted);
- if (ret != LDB_SUCCESS) {
- talloc_free(mem_ctx);
- return ret;
- }
+ /* Get the new top-most structural object class */
+ objectclass = get_last_structural_class(ac->schema, oc_el_entry,
+ ac->req);
+ if (objectclass == NULL) {
+ ldb_set_errstring(ldb,
+ "objectclass: cannot delete all structural objectclasses!");
+ talloc_free(mem_ctx);
+ return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ }
- break;
+ ret = check_unrelated_objectclasses(ac->module, ac->schema,
+ objectclass,
+ oc_el_entry);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+
+ /* Now do the sorting */
+ ret = objectclass_sort(ac->module, ac->schema, mem_ctx,
+ oc_el_entry, &sorted);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(mem_ctx);
+ return ret;
}
/* (Re)-add an empty "objectClass" attribute on the object
* classes change message "msg". */
ldb_msg_remove_attr(msg, "objectClass");
ret = ldb_msg_add_empty(msg, "objectClass",
- LDB_FLAG_MOD_REPLACE, &oc_el_change);
+ LDB_FLAG_MOD_REPLACE, &oc_el_entry);
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
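Review bot: the error string "objectclass: cannot delete all structural objectclasses!" is now emitted after the "switch", so it is also reached for LDB_FLAG_MOD_ADD and LDB_FLAG_MOD_REPLACE. In the replace case "oc_el_entry" is "oc_el_change", so a replace that names no structural class is reported as a delete. Suggest neutral wording such as "the entry would have no structural objectclass" or setting the message per operation. Also note that "ldb_msg_add_empty(..., &oc_el_entry)" reuses "oc_el_entry" as an output pointer after "sorted" has been built from it; a comment that the old contents are no longer needed at that point would make the reuse easier to follow.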
@@ -1119,13 +1145,10 @@ static int objectclass_do_mod(struct oc_context *ac)
/* Move from the linked list back into an ldb msg */
for (current = sorted; current; current = current->next) {
- value = talloc_strdup(msg,
- current->objectclass->lDAPDisplayName);
- if (value == NULL) {
- talloc_free(mem_ctx);
- return ldb_module_oom(ac->module);
- }
- ret = ldb_msg_add_string(msg, "objectClass", value);
+ const char *objectclass_name = current->objectclass->lDAPDisplayName;
+
+ ret = ldb_msg_add_string(msg, "objectClass",
+ objectclass_name);
if (ret != LDB_SUCCESS) {
ldb_set_errstring(ldb,
"objectclass: could not re-add sorted objectclasses!");
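Review bot: the lifetime argument for dropping "talloc_strdup" exists only in the commit message. At the "ldb_msg_add_string(msg, "objectClass", objectclass_name)" call the message now references a string owned by the schema rather than by "msg", so please put a comment there saying that the schema outlives the request, otherwise the next person to touch this loop may reintroduce the copy or, worse, free or modify the string.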
@@ -1133,37 +1156,6 @@ static int objectclass_do_mod(struct oc_context *ac)
return ret;
}
}
-
- if (replace) {
- /* Well, on replace we are nearly done: we have to test
- * if the change and entry message element are identical
- * ly. We can use "ldb_msg_element_compare" since now
- * the specified objectclasses match for sure in case.
- */
- ret = ldb_msg_element_compare(oc_el_entry,
- oc_el_change);
- if (ret == 0) {
- ret = ldb_msg_element_compare(oc_el_change,
- oc_el_entry);
- }
- if (ret == 0) {
- /* they are the same so we are done in this
- * case */
- talloc_free(mem_ctx);
- return ldb_module_done(ac->req, NULL, NULL,
- LDB_SUCCESS);
- } else {
- ldb_set_errstring(ldb,
- "objectclass: the specified objectclasses are not exactly the same as on the entry!");
- talloc_free(mem_ctx);
- return LDB_ERR_OBJECT_CLASS_VIOLATION;
- }
- }
-
- /* Now we've applied all changes from "oc_el_change" to
- * "oc_el_entry" therefore the new "oc_el_entry" will be
- * "oc_el_change". */
- oc_el_entry = oc_el_change;
}
talloc_free(mem_ctx);
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index b6f9165..d45c46f 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -72,15 +72,47 @@ static struct oc_context *oc_init_context(struct ldb_module *module,
static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares);
-/* checks correctness of dSHeuristics attribute
- * as described in MS-ADTS 7.1.1.2.4.1.2 dSHeuristics */
+/*
+ * Checks the correctness of the "dSHeuristics" attribute as described in both
+ * MS-ADTS 7.1.1.2.4.1.2 dSHeuristics and MS-ADTS 3.1.1.5.3.2 Constraints
+ */
static int oc_validate_dsheuristics(struct ldb_message_element *el)
{
if (el->num_values > 0) {
- if (el->values[0].length > DS_HR_LDAP_BYPASS_UPPER_LIMIT_BOUNDS) {
+ if ((el->values[0].length >= DS_HR_NINETIETH_CHAR) &&
+ (el->values[0].data[DS_HR_NINETIETH_CHAR-1] != '9')) {
return LDB_ERR_CONSTRAINT_VIOLATION;
- } else if (el->values[0].length >= DS_HR_TENTH_CHAR
- && el->values[0].data[DS_HR_TENTH_CHAR-1] != '1') {
+ }
+ if ((el->values[0].length >= DS_HR_EIGHTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_EIGHTIETH_CHAR-1] != '8')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SEVENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SEVENTIETH_CHAR-1] != '7')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_SIXTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_SIXTIETH_CHAR-1] != '6')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FIFTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FIFTIETH_CHAR-1] != '5')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_FOURTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_FOURTIETH_CHAR-1] != '4')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_THIRTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_THIRTIETH_CHAR-1] != '3')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TWENTIETH_CHAR) &&
+ (el->values[0].data[DS_HR_TWENTIETH_CHAR-1] != '2')) {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ if ((el->values[0].length >= DS_HR_TENTH_CHAR) &&
+ (el->values[0].data[DS_HR_TENTH_CHAR-1] != '1')) {
return LDB_ERR_CONSTRAINT_VIOLATION;
}
}
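Review bot: "oc_validate_dsheuristics" now has nine copies of the same test that differ only in position and expected digit. A loop over i = 1..9 that checks "length >= i * 10" and compares "data[i * 10 - 1]" against "'0' + i" would express the rule from MS-ADTS in one place and would make the "DS_HR_*_CHAR" defines for 20 to 90 unnecessary. If the unrolled form stays, a comment that the macros are 1-based positions (hence the "-1" in each index) is worth adding. The removed upper bound on "el->values[0].length" also means values of any length are accepted now, and the comment should say that this is intended.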
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9fcdcf7..bf94ba3 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1673,6 +1673,9 @@ static int setup_last_set_field(struct setup_password_fields_io *io)
case LDB_MODIFY:
msg = io->ac->req->op.mod.message;
break;
+ default:
+ return LDB_ERR_OPERATIONS_ERROR;
+ break;
}
if (io->ac->pwd_last_set_bypass) {
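Review bot: the "break;" after "return LDB_ERR_OPERATIONS_ERROR;" in the new "default:" case is unreachable and can be dropped. Since this path means the function was called for a request type it does not support, consider setting an error string here as well, so the failure can be located from the caller's side.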
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index b3126c3..194498e 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -1151,7 +1151,7 @@ static int replmd_update_rpmd(struct ldb_module *module,
const char * const *rename_attrs,
struct ldb_message *msg, uint64_t *seq_num,
time_t t,
- bool *is_urgent)
+ bool *is_urgent, bool *rodc)
{
const struct ldb_val *omd_value;
enum ndr_err_code ndr_err;
@@ -1167,7 +1167,7 @@ static int replmd_update_rpmd(struct ldb_module *module,
struct ldb_context *ldb;
struct ldb_message_element *objectclass_el;
enum urgent_situation situation;
- bool rodc, rmd_is_provided;
+ bool rmd_is_provided;
if (rename_attrs) {
attrs = rename_attrs;
@@ -1243,10 +1243,8 @@ static int replmd_update_rpmd(struct ldb_module *module,
DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
DSDB_SEARCH_REVEAL_INTERNALS, req);
- if (ret != LDB_SUCCESS || res->count != 1) {
- DEBUG(0,(__location__ ": Object %s failed to find uSNChanged\n",
- ldb_dn_get_linearized(msg->dn)));
- return LDB_ERR_OPERATIONS_ERROR;
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
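Review bot: after this change "res->msgs[0]" is dereferenced with only "ret != LDB_SUCCESS" checked beforehand, here and in the next hunk. The guarantee that a successful "dsdb_search_module_dn" returns exactly one message is stated in the commit message but not in the code. Please add a comment at the call saying so; a reader of this function alone cannot see why the "res->count != 1" test was safe to remove.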
@@ -1275,10 +1273,8 @@ static int replmd_update_rpmd(struct ldb_module *module,
DSDB_SEARCH_SHOW_EXTENDED_DN |
DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT |
DSDB_SEARCH_REVEAL_INTERNALS, req);
- if (ret != LDB_SUCCESS || res->count != 1) {
- DEBUG(0,(__location__ ": Object %s failed to find replPropertyMetaData\n",
- ldb_dn_get_linearized(msg->dn)));
- return LDB_ERR_OPERATIONS_ERROR;
+ if (ret != LDB_SUCCESS) {
+ return ret;
}
objectclass_el = ldb_msg_find_element(res->msgs[0], "objectClass");
@@ -1335,11 +1331,11 @@ static int replmd_update_rpmd(struct ldb_module *module,
if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
unsigned instanceType;
- ret = samdb_rodc(ldb, &rodc);
+ ret = samdb_rodc(ldb, rodc);
if (ret != LDB_SUCCESS) {
DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
- } else if (rodc) {
- ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
+ } else if (*rodc) {
+ ldb_set_errstring(ldb, "RODC modify is forbidden!");
return LDB_ERR_REFERRAL;
}
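Review bot: "rodc" is now an out parameter of "replmd_update_rpmd" but it is dereferenced in "else if (*rodc)" without a NULL check, and it is written only on the path without DSDB_CONTROL_REPLICATED_UPDATE_OID. When "samdb_rodc" fails, the function only logs at level 4 and carries on with whatever value the caller passed in. Please document in the function comment that callers must pass a non-NULL pointer initialised to false, and that LDB_ERR_REFERRAL together with "*rodc == true" is the signal for the caller to build the referral.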
@@ -2249,9 +2245,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_message *msg;
time_t t = time(NULL);
int ret;
- bool is_urgent = false;
- struct loadparm_context *lp_ctx;
- char *referral;
+ bool is_urgent = false, rodc = false;
--
Samba Shared Repository