[Samba 4] Access checking util function

Nadezhda Ivanova nivanova at samba.org
Thu Mar 11 16:14:08 MST 2010


Good point, Andrew, thanks!
The ldb_* stuff remained in the ACL module since September, when I made it
sync from async in a couple of days. Will change it to use the dsdb_module_*
instead.

Regards,
Nadya

On Fri, Mar 12, 2010 at 1:03 AM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2010-03-12 at 00:27 +0200, Nadezhda Ivanova wrote:
> > Hi guys,
> > I created a util function - dsdb_access_check_on_dn, which will allow
> > access checks from outside the acl module, when they are needed. These
> > are all cases when a control access right or a validate write needs to
> > be checked by the system, currently in drs, for example. The function
> > used to be static to the acl module. Pls take a look in case something
> > needs to be fixed/improved. This is in preparation to introduce the
> > getncchanges access checks.
> >
> >
> > http://git.samba.org/?p=samba.git;a=commit;h=222b955237ed2a0d838738b4bacffc1106af2dc3
>
> Nadya,
>
> I think this needs to be split up a bit differently.  We should not, in
> general, do ldb_* operations from inside the module stack.  See the
> dsdb_module_* helper functions for synchronous operations in modules.
> This ensures that operations continue down the module stack - and don't
> for example need the ACL module to evaluate if you have the right to
> read an ACL...
>
> So, perhaps rework the functions to have two entry points - one for
> inside the module stack, and one for outside.  Both would then call the
> same dsdb_check_access_on_dn() bottom half (ie, the bit after the
> search).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>

