The branch, master has been updated
       via  9755337... s4:ldap.py - add a test for the enhanced operational 
attributes check
       via  b6efbd5... s4:objectclass LDB module - Prevent write operations on 
constructed attributes
       via  393b839... s4:operational LDB module - Don't do the write checks 
here
      from  5b3a32b... s3-kerberos: next step to resolve Bug #6929: build with 
recent heimdal.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 97553373d182671a8da1553cc47465c664ae69f0
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Thu Nov 26 09:51:56 2009 +0100

    s4:ldap.py - add a test for the enhanced operational attributes check
    
    (Deny creation of entries with operational attributes specified)

commit b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Thu Nov 26 10:54:20 2009 +0100

    s4:objectclass LDB module - Prevent write operations on constructed 
attributes

commit 393b83979d11dddcf6d38ca24b3aea7bb645e0d0
Author: Matthias Dieter Wallnöfer <mwallnoe...@yahoo.de>
Date:   Thu Nov 26 10:21:44 2009 +0100

    s4:operational LDB module - Don't do the write checks here
    
    Let the "objectclass" module perform the schema check instead.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c |   25 +++++++++++++++++++------
 source4/dsdb/samdb/ldb_modules/operational.c |   16 ----------------
 source4/lib/ldb/tests/python/ldap.py         |   11 +++++++++++
 3 files changed, 30 insertions(+), 22 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c 
b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 53c1cc7..82b8835 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx,
 }
 
 /* Fix all attribute names to be in the correct case, and check they are all 
valid per the schema */
-static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema 
*schema, struct ldb_message *msg) 
+static int fix_check_attributes(struct ldb_context *ldb,
+                               const struct dsdb_schema *schema,
+                               struct ldb_message *msg,
+                               enum ldb_request_type op)
 {
-       int i;
+       unsigned int i;
        for (i=0; i < msg->num_elements; i++) {
                const struct dsdb_attribute *attribute = 
dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name);
                /* Add in a very special case for 'clearTextPassword',
@@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const 
struct dsdb_schema *sch
                        }
                } else {
                        msg->elements[i].name = attribute->lDAPDisplayName;
+
+                       /* We have to deny write operations on constructed 
attributes */
+                       if ((attribute->systemFlags & 
DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) {
+                               if (op == LDB_ADD) {
+                                       return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
+                               } else {
+                                       return LDB_ERR_CONSTRAINT_VIOLATION;
+                               }
+                       }
+
                }
        }
 
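Review bot: The header comment above `fix_check_attributes` still describes only the case-fixing and schema validity check, although the function now also rejects writes to constructed attributes and takes the request type; suggest `/* Fix all attribute names to be in the correct case, check they are all valid per the schema, and reject writes to constructed attributes (ADD -> LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE, otherwise LDB_ERR_CONSTRAINT_VIOLATION) */`. The rejection is keyed on `DS_FLAG_ATTR_IS_CONSTRUCTED` in the schema, whereas the modify check removed from operational.c in this commit matched attribute names from its own `search_sub` table, so every attribute that table protected needs that flag set in the schema or its write protection is silently lost; worth confirming against the schema. The function's body continues past this hunk.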
@@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac)
 
        }
        if (schema) {
-               ret = fix_attributes(ldb, schema, msg);
+               ret = fix_check_attributes(ldb, schema, msg, 
ac->req->operation);
                if (ret != LDB_SUCCESS) {
                        talloc_free(mem_ctx);
                        return ret;
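Review bot: The new constructed-attribute rejection only runs inside the `if (schema)` branch just above the call, so an ADD processed while no schema is loaded is not checked at all, whereas the modify check removed from operational.c in this commit did not depend on a schema. If operating without a schema is a supported state (provisioning, presumably), that is a window in which operational attributes can be written into new entries; otherwise the missing-schema case should fail closed rather than fall through, e.g. `} else { talloc_free(mem_ctx); return LDB_ERR_OPERATIONS_ERROR; }` — which is intended is not visible from here. objectclass_do_add starts and ends outside this hunk.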
@@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, 
struct ldb_request *req
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                
-               ret = fix_attributes(ldb, schema, msg);
+               ret = fix_check_attributes(ldb, schema, msg, req->operation);
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
@@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, 
struct ldb_request *req
                        return LDB_ERR_OPERATIONS_ERROR;
                }
 
-               ret = fix_attributes(ldb, schema, msg);
+               ret = fix_check_attributes(ldb, schema, msg, req->operation);
                if (ret != LDB_SUCCESS) {
                        talloc_free(mem_ctx);
                        return ret;
@@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, 
struct ldb_request *req
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       ret = fix_attributes(ldb, schema, msg);
+       ret = fix_check_attributes(ldb, schema, msg, req->operation);
        if (ret != LDB_SUCCESS) {
                ldb_oom(ldb);
                return ret;
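Review bot: With the renamed call now able to return `LDB_ERR_CONSTRAINT_VIOLATION` or `LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE` for a constructed attribute, the `ldb_oom(ldb);` on the error path directly below it reports such a rejection to the client as an out-of-memory condition, which is misleading for anyone diagnosing a refused write. Suggest dropping the call so the error path reads `if (ret != LDB_SUCCESS) { return ret; }`, matching the two earlier call sites in the preceding hunks, or setting an error string that names the offending attribute instead. objectclass_modify starts and ends outside this hunk.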
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c 
b/source4/dsdb/samdb/ldb_modules/operational.c
index 46d4745..e48f91b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -434,24 +434,8 @@ static int operational_init(struct ldb_module *ctx)
        return LDB_SUCCESS;
 }
 
-static int operational_modify(struct ldb_module *module, struct ldb_request 
*req)
-{
-       unsigned int i;
-
-       for (i = 0; i < ARRAY_SIZE(search_sub); i++) {
-               if (ldb_msg_find_element(req->op.mod.message, 
search_sub[i].attr) != NULL) {
-                       /* operational attributes cannot be changed! */
-                       return LDB_ERR_CONSTRAINT_VIOLATION;
-               }
-       }
-
-       /* No operational attribute will be changed -> go on */
-       return ldb_next_request(module, req);
-}
-
 const struct ldb_module_ops ldb_operational_module_ops = {
        .name              = "operational",
        .search            = operational_search,
-       .modify            = operational_modify,
        .init_context      = operational_init
 };
diff --git a/source4/lib/ldb/tests/python/ldap.py 
b/source4/lib/ldb/tests/python/ldap.py
index 9a7976b..a5a9d7c 100755
--- a/source4/lib/ldb/tests/python/ldap.py
+++ b/source4/lib/ldb/tests/python/ldap.py
@@ -23,6 +23,7 @@ from ldb import ERR_NOT_ALLOWED_ON_NON_LEAF, ERR_OTHER, 
ERR_INVALID_DN_SYNTAX
 from ldb import ERR_NO_SUCH_ATTRIBUTE, ERR_INSUFFICIENT_ACCESS_RIGHTS
 from ldb import ERR_OBJECT_CLASS_VIOLATION, ERR_NOT_ALLOWED_ON_RDN
 from ldb import ERR_NAMING_VIOLATION, ERR_CONSTRAINT_VIOLATION
+from ldb import ERR_UNDEFINED_ATTRIBUTE_TYPE
 from ldb import Message, MessageElement, Dn
 from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE
 from samba import Ldb, param, dom_sid_to_rid
@@ -764,6 +765,16 @@ objectClass: container
         """Test the primary group token behaviour (hidden-generated-readonly 
attribute on groups)"""
         print "Testing primary group token behaviour\n"
 
+        try:
+            ldb.add({
+                "dn": "cn=ldaptestgroup,cn=users," + self.base_dn,
+                "objectclass": "group",
+                "primaryGroupToken": "100"})
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNDEFINED_ATTRIBUTE_TYPE)
+        self.delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + 
self.base_dn)
+
         ldb.add({
             "dn": "cn=ldaptestuser,cn=users," + self.base_dn,
             "objectclass": ["user", "person"]})


-- 
Samba Shared Repository
