[Samba 4] Access checking util function
Andrew Bartlett
abartlet at samba.org
Thu Mar 11 16:03:55 MST 2010
On Fri, 2010-03-12 at 00:27 +0200, Nadezhda Ivanova wrote:
> Hi guys,
> I created a util function - dsdb_access_check_on_dn, which will allow
> access checks from outside the acl module, when they are needed. These are
> all cases when a control access right or a validate write needs to be
> checked by the system, currently in drs, for example. The function used to
> be static to the acl module. Pls take a look in case something needs to be
> fixed/improved. This is in preparation to introduce the getncchanges access
> checks.
>
> http://git.samba.org/?p=samba.git;a=commit;h=222b955237ed2a0d838738b4bacffc1106af2dc3
Nadya,
I think this needs to be split up a bit differently. We should not, in
general, do ldb_* operations from inside the module stack. See the
dsdb_module_* helper functions for synchronous operations in modules.
This ensures that operations continue down the module stack - and don't
for example need the ACL module to evaluate if you have the right to
read an ACL...
So, perhaps rework the functions to have two entry points - one for
inside the module stack, and one for outside. Both would then call the
same dsdb_check_access_on_dn() bottom half (i.e., the bit after the
search).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
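
The split suggested in the reply above, as an added toy model in C (not part of the original message and not Samba code): one shared bottom half, one entry point that searches from the top of a module stack, and one that continues below the calling module. All struct and function names are hypothetical, and the access mask and DN are constructed.

```c
#include <stdio.h>

/* Toy model of a module stack; all names are hypothetical, not Samba's API. */
struct module {
    struct module *next;   /* next module down the stack */
    int (*search)(struct module *self, const char *dn, unsigned *sd);
};

static int acl_hits;       /* searches the ACL module had to evaluate */

/* Backend at the bottom: returns a constructed access mask for any DN. */
static int backend_search(struct module *self, const char *dn, unsigned *sd) {
    (void)self; (void)dn;
    *sd = 0x1;             /* constructed: only right 0x1 is granted */
    return 0;
}

/* ACL module: counts each search it sees, then passes it down. */
static int acl_search(struct module *self, const char *dn, unsigned *sd) {
    acl_hits++;
    return self->next->search(self->next, dn, sd);
}

/* Shared bottom half: the part after the search. */
static int check_access_on_sd(unsigned sd, unsigned wanted) {
    return (sd & wanted) == wanted ? 0 : -1;
}

/* Entry point for callers outside the stack: the search enters at the top. */
int access_check_outside(struct module *top, const char *dn, unsigned wanted) {
    unsigned sd;
    if (top->search(top, dn, &sd) != 0) return -1;
    return check_access_on_sd(sd, wanted);
}

/* Entry point for a module: the search continues below the caller. */
int access_check_in_module(struct module *self, const char *dn, unsigned wanted) {
    unsigned sd;
    if (self->next->search(self->next, dn, &sd) != 0) return -1;
    return check_access_on_sd(sd, wanted);
}

int main(void) {
    struct module backend = { NULL, backend_search }, acl = { &backend, acl_search };
    int r = access_check_outside(&acl, "CN=constructed", 0x1);
    printf("result %d, ACL module evaluated %d search(es)\n", r, acl_hits);
    return 0;
}
```

Calling the top-of-stack entry point from inside the ACL module makes that module evaluate its own lookup; the in-module entry point skips it and reaches the same bottom half.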