4 Copyright (C) Simo Sorce 2006-2008
5 Copyright (C) Nadezhda Ivanova 2009
6 Copyright (C) Anatoliy Atanasov 2009
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 * Component: ldb ACL module
27 * Description: Module that performs authorisation access checks based on the
28 * account's security context and the DACL of the object being polled.
29 * Only DACL checks implemented at this point
31 * Authors: Nadezhda Ivanova, Anatoliy Atanasov
35 #include "ldb_module.h"
36 #include "auth/auth.h"
37 #include "libcli/security/security.h"
38 #include "dsdb/samdb/samdb.h"
39 #include "librpc/gen_ndr/ndr_security.h"
40 #include "param/param.h"
41 #include "dsdb/samdb/ldb_modules/util.h"
42 #include "lib/util/tsort.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
49 struct extended_access_check_attribute
{
51 const uint32_t requires_rights
;
56 const char **password_attrs
;
57 void *cached_schema_ptr
;
58 uint64_t cached_schema_metadata_usn
;
59 uint64_t cached_schema_loaded_usn
;
60 const char **confidential_attrs
;
61 bool userPassword_support
;
65 struct ldb_module
*module
;
66 struct ldb_request
*req
;
68 bool am_administrator
;
70 bool constructed_attrs
;
71 bool allowedAttributes
;
72 bool allowedAttributesEffective
;
73 bool allowedChildClasses
;
74 bool allowedChildClassesEffective
;
75 bool sDRightsEffective
;
77 const char * const *attrs
;
78 struct dsdb_schema
*schema
;
81 static int acl_module_init(struct ldb_module
*module
)
83 struct ldb_context
*ldb
;
84 struct acl_private
*data
;
88 static const char * const attrs
[] = { "passwordAttribute", NULL
};
89 static const char * const secret_attrs
[] = {
90 DSDB_SECRET_ATTRIBUTES
92 struct ldb_result
*res
;
93 struct ldb_message
*msg
;
94 struct ldb_message_element
*password_attributes
;
96 ldb
= ldb_module_get_ctx(module
);
98 ret
= ldb_mod_register_control(module
, LDB_CONTROL_SD_FLAGS_OID
);
99 if (ret
!= LDB_SUCCESS
) {
100 ldb_debug(ldb
, LDB_DEBUG_ERROR
,
101 "acl_module_init: Unable to register control with rootdse!\n");
102 return ldb_operr(ldb
);
105 data
= talloc_zero(module
, struct acl_private
);
110 data
->acl_search
= lpcfg_parm_bool(ldb_get_opaque(ldb
, "loadparm"),
111 NULL
, "acl", "search", true);
112 ldb_module_set_private(module
, data
);
114 mem_ctx
= talloc_new(module
);
119 ret
= dsdb_module_search_dn(module
, mem_ctx
, &res
,
120 ldb_dn_new(mem_ctx
, ldb
, "@KLUDGEACL"),
122 DSDB_FLAG_NEXT_MODULE
|
125 if (ret
!= LDB_SUCCESS
) {
128 if (res
->count
== 0) {
132 if (res
->count
> 1) {
133 talloc_free(mem_ctx
);
134 return LDB_ERR_CONSTRAINT_VIOLATION
;
139 password_attributes
= ldb_msg_find_element(msg
, "passwordAttribute");
140 if (!password_attributes
) {
143 data
->password_attrs
= talloc_array(data
, const char *,
144 password_attributes
->num_values
+
145 ARRAY_SIZE(secret_attrs
) + 1);
146 if (!data
->password_attrs
) {
147 talloc_free(mem_ctx
);
152 for (i
=0; i
< password_attributes
->num_values
; i
++) {
153 data
->password_attrs
[n
] = (const char *)password_attributes
->values
[i
].data
;
154 talloc_steal(data
->password_attrs
, password_attributes
->values
[i
].data
);
158 for (i
=0; i
< ARRAY_SIZE(secret_attrs
); i
++) {
161 for (j
=0; j
< n
; j
++) {
162 if (strcasecmp(data
->password_attrs
[j
], secret_attrs
[i
]) == 0) {
172 data
->password_attrs
[n
] = talloc_strdup(data
->password_attrs
,
174 if (data
->password_attrs
[n
] == NULL
) {
175 talloc_free(mem_ctx
);
180 data
->password_attrs
[n
] = NULL
;
183 talloc_free(mem_ctx
);
184 ret
= ldb_next_init(module
);
186 if (ret
!= LDB_SUCCESS
) {
191 * Check this after the modules have be initialised so we
192 * can actually read the backend DB.
194 data
->userPassword_support
195 = dsdb_user_password_support(module
,
201 static int acl_allowedAttributes(struct ldb_module
*module
,
202 const struct dsdb_schema
*schema
,
203 struct ldb_message
*sd_msg
,
204 struct ldb_message
*msg
,
205 struct acl_context
*ac
)
207 struct ldb_message_element
*oc_el
;
208 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
210 const char **attr_list
;
212 const struct dsdb_class
*objectclass
;
214 /* If we don't have a schema yet, we can't do anything... */
215 if (schema
== NULL
) {
216 ldb_asprintf_errstring(ldb
, "cannot add allowedAttributes to %s because no schema is loaded", ldb_dn_get_linearized(msg
->dn
));
217 return LDB_ERR_OPERATIONS_ERROR
;
220 /* Must remove any existing attribute */
221 if (ac
->allowedAttributes
) {
222 ldb_msg_remove_attr(msg
, "allowedAttributes");
225 mem_ctx
= talloc_new(msg
);
230 oc_el
= ldb_msg_find_element(sd_msg
, "objectClass");
231 attr_list
= dsdb_full_attribute_list(mem_ctx
, schema
, oc_el
, DSDB_SCHEMA_ALL
);
233 ldb_asprintf_errstring(ldb
, "acl: Failed to get list of attributes");
234 talloc_free(mem_ctx
);
235 return LDB_ERR_OPERATIONS_ERROR
;
239 * Get the top-most structural object class for the ACL check
241 objectclass
= dsdb_get_last_structural_class(ac
->schema
,
243 if (objectclass
== NULL
) {
244 ldb_asprintf_errstring(ldb
, "acl_read: Failed to find a structural class for %s",
245 ldb_dn_get_linearized(sd_msg
->dn
));
246 talloc_free(mem_ctx
);
247 return LDB_ERR_OPERATIONS_ERROR
;
250 if (ac
->allowedAttributes
) {
251 for (i
=0; attr_list
&& attr_list
[i
]; i
++) {
252 ldb_msg_add_string(msg
, "allowedAttributes", attr_list
[i
]);
255 if (ac
->allowedAttributesEffective
) {
256 struct security_descriptor
*sd
;
257 struct dom_sid
*sid
= NULL
;
258 struct ldb_control
*as_system
= ldb_request_get_control(ac
->req
,
259 LDB_CONTROL_AS_SYSTEM_OID
);
261 if (as_system
!= NULL
) {
262 as_system
->critical
= 0;
265 ldb_msg_remove_attr(msg
, "allowedAttributesEffective");
266 if (ac
->am_system
|| as_system
) {
267 for (i
=0; attr_list
&& attr_list
[i
]; i
++) {
268 ldb_msg_add_string(msg
, "allowedAttributesEffective", attr_list
[i
]);
273 ret
= dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module
), mem_ctx
, sd_msg
, &sd
);
275 if (ret
!= LDB_SUCCESS
) {
279 sid
= samdb_result_dom_sid(mem_ctx
, sd_msg
, "objectSid");
280 for (i
=0; attr_list
&& attr_list
[i
]; i
++) {
281 const struct dsdb_attribute
*attr
= dsdb_attribute_by_lDAPDisplayName(schema
,
284 return ldb_operr(ldb
);
286 /* remove constructed attributes */
287 if (attr
->systemFlags
& DS_FLAG_ATTR_IS_CONSTRUCTED
289 || (attr
->linkID
!= 0 && attr
->linkID
% 2 != 0 )) {
292 ret
= acl_check_access_on_attribute(module
,
299 if (ret
== LDB_SUCCESS
) {
300 ldb_msg_add_string(msg
, "allowedAttributesEffective", attr_list
[i
]);
307 static int acl_childClasses(struct ldb_module
*module
,
308 const struct dsdb_schema
*schema
,
309 struct ldb_message
*sd_msg
,
310 struct ldb_message
*msg
,
311 const char *attrName
)
313 struct ldb_message_element
*oc_el
;
314 struct ldb_message_element
*allowedClasses
;
315 const struct dsdb_class
*sclass
;
319 /* If we don't have a schema yet, we can't do anything... */
320 if (schema
== NULL
) {
321 ldb_asprintf_errstring(ldb_module_get_ctx(module
), "cannot add childClassesEffective to %s because no schema is loaded", ldb_dn_get_linearized(msg
->dn
));
322 return LDB_ERR_OPERATIONS_ERROR
;
325 /* Must remove any existing attribute, or else confusion reins */
326 ldb_msg_remove_attr(msg
, attrName
);
327 ret
= ldb_msg_add_empty(msg
, attrName
, 0, &allowedClasses
);
328 if (ret
!= LDB_SUCCESS
) {
332 oc_el
= ldb_msg_find_element(sd_msg
, "objectClass");
334 for (i
=0; oc_el
&& i
< oc_el
->num_values
; i
++) {
335 sclass
= dsdb_class_by_lDAPDisplayName_ldb_val(schema
, &oc_el
->values
[i
]);
337 /* We don't know this class? what is going on? */
341 for (j
=0; sclass
->possibleInferiors
&& sclass
->possibleInferiors
[j
]; j
++) {
342 ldb_msg_add_string(msg
, attrName
, sclass
->possibleInferiors
[j
]);
345 if (allowedClasses
->num_values
> 1) {
346 TYPESAFE_QSORT(allowedClasses
->values
, allowedClasses
->num_values
, data_blob_cmp
);
347 for (i
=1 ; i
< allowedClasses
->num_values
; i
++) {
348 struct ldb_val
*val1
= &allowedClasses
->values
[i
-1];
349 struct ldb_val
*val2
= &allowedClasses
->values
[i
];
350 if (data_blob_cmp(val1
, val2
) == 0) {
351 memmove(val1
, val2
, (allowedClasses
->num_values
- i
) * sizeof(struct ldb_val
));
352 allowedClasses
->num_values
--;
361 static int acl_childClassesEffective(struct ldb_module
*module
,
362 const struct dsdb_schema
*schema
,
363 struct ldb_message
*sd_msg
,
364 struct ldb_message
*msg
,
365 struct acl_context
*ac
)
367 struct ldb_message_element
*oc_el
;
368 struct ldb_message_element
*allowedClasses
= NULL
;
369 const struct dsdb_class
*sclass
;
370 struct security_descriptor
*sd
;
371 struct ldb_control
*as_system
= ldb_request_get_control(ac
->req
,
372 LDB_CONTROL_AS_SYSTEM_OID
);
373 struct dom_sid
*sid
= NULL
;
377 if (as_system
!= NULL
) {
378 as_system
->critical
= 0;
381 if (ac
->am_system
|| as_system
) {
382 return acl_childClasses(module
, schema
, sd_msg
, msg
, "allowedChildClassesEffective");
385 /* If we don't have a schema yet, we can't do anything... */
386 if (schema
== NULL
) {
387 ldb_asprintf_errstring(ldb_module_get_ctx(module
), "cannot add allowedChildClassesEffective to %s because no schema is loaded", ldb_dn_get_linearized(msg
->dn
));
388 return LDB_ERR_OPERATIONS_ERROR
;
391 /* Must remove any existing attribute, or else confusion reins */
392 ldb_msg_remove_attr(msg
, "allowedChildClassesEffective");
394 oc_el
= ldb_msg_find_element(sd_msg
, "objectClass");
395 ret
= dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(module
), msg
, sd_msg
, &sd
);
396 if (ret
!= LDB_SUCCESS
) {
400 sid
= samdb_result_dom_sid(msg
, sd_msg
, "objectSid");
401 for (i
=0; oc_el
&& i
< oc_el
->num_values
; i
++) {
402 sclass
= dsdb_class_by_lDAPDisplayName_ldb_val(schema
, &oc_el
->values
[i
]);
404 /* We don't know this class? what is going on? */
408 for (j
=0; sclass
->possibleInferiors
&& sclass
->possibleInferiors
[j
]; j
++) {
409 const struct dsdb_class
*sc
;
411 sc
= dsdb_class_by_lDAPDisplayName(schema
,
412 sclass
->possibleInferiors
[j
]);
414 /* We don't know this class? what is going on? */
418 ret
= acl_check_access_on_objectclass(module
, ac
,
420 SEC_ADS_CREATE_CHILD
,
422 if (ret
== LDB_SUCCESS
) {
423 ldb_msg_add_string(msg
, "allowedChildClassesEffective",
424 sclass
->possibleInferiors
[j
]);
428 allowedClasses
= ldb_msg_find_element(msg
, "allowedChildClassesEffective");
429 if (!allowedClasses
) {
433 if (allowedClasses
->num_values
> 1) {
434 TYPESAFE_QSORT(allowedClasses
->values
, allowedClasses
->num_values
, data_blob_cmp
);
435 for (i
=1 ; i
< allowedClasses
->num_values
; i
++) {
436 struct ldb_val
*val1
= &allowedClasses
->values
[i
-1];
437 struct ldb_val
*val2
= &allowedClasses
->values
[i
];
438 if (data_blob_cmp(val1
, val2
) == 0) {
439 memmove(val1
, val2
, (allowedClasses
->num_values
- i
) * sizeof( struct ldb_val
));
440 allowedClasses
->num_values
--;
448 static int acl_sDRightsEffective(struct ldb_module
*module
,
449 struct ldb_message
*sd_msg
,
450 struct ldb_message
*msg
,
451 struct acl_context
*ac
)
453 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
454 struct ldb_message_element
*rightsEffective
;
456 struct security_descriptor
*sd
;
457 struct ldb_control
*as_system
= ldb_request_get_control(ac
->req
,
458 LDB_CONTROL_AS_SYSTEM_OID
);
459 struct dom_sid
*sid
= NULL
;
462 if (as_system
!= NULL
) {
463 as_system
->critical
= 0;
466 /* Must remove any existing attribute, or else confusion reins */
467 ldb_msg_remove_attr(msg
, "sDRightsEffective");
468 ret
= ldb_msg_add_empty(msg
, "sDRightsEffective", 0, &rightsEffective
);
469 if (ret
!= LDB_SUCCESS
) {
472 if (ac
->am_system
|| as_system
) {
473 flags
= SECINFO_OWNER
| SECINFO_GROUP
| SECINFO_SACL
| SECINFO_DACL
;
475 const struct dsdb_class
*objectclass
;
476 const struct dsdb_attribute
*attr
;
478 objectclass
= dsdb_get_structural_oc_from_msg(ac
->schema
, sd_msg
);
479 if (objectclass
== NULL
) {
480 return ldb_operr(ldb
);
483 attr
= dsdb_attribute_by_lDAPDisplayName(ac
->schema
,
484 "nTSecurityDescriptor");
486 return ldb_operr(ldb
);
489 /* Get the security descriptor from the message */
490 ret
= dsdb_get_sd_from_ldb_message(ldb
, msg
, sd_msg
, &sd
);
491 if (ret
!= LDB_SUCCESS
) {
494 sid
= samdb_result_dom_sid(msg
, sd_msg
, "objectSid");
495 ret
= acl_check_access_on_attribute(module
,
502 if (ret
== LDB_SUCCESS
) {
503 flags
|= SECINFO_OWNER
| SECINFO_GROUP
;
505 ret
= acl_check_access_on_attribute(module
,
512 if (ret
== LDB_SUCCESS
) {
513 flags
|= SECINFO_DACL
;
515 ret
= acl_check_access_on_attribute(module
,
519 SEC_FLAG_SYSTEM_SECURITY
,
522 if (ret
== LDB_SUCCESS
) {
523 flags
|= SECINFO_SACL
;
526 return samdb_msg_add_uint(ldb_module_get_ctx(module
), msg
, msg
,
527 "sDRightsEffective", flags
);
530 static int acl_validate_spn_value(TALLOC_CTX
*mem_ctx
,
531 struct ldb_context
*ldb
,
532 const char *spn_value
,
533 uint32_t userAccountControl
,
534 const char *samAccountName
,
535 const char *dnsHostName
,
536 const char *netbios_name
,
537 const char *ntds_guid
)
540 krb5_context krb_ctx
;
541 krb5_error_code kerr
;
542 krb5_principal principal
;
546 const char *forest_name
= samdb_forest_name(ldb
, mem_ctx
);
547 const char *base_domain
= samdb_default_domain_name(ldb
, mem_ctx
);
548 struct loadparm_context
*lp_ctx
= talloc_get_type(ldb_get_opaque(ldb
, "loadparm"),
549 struct loadparm_context
);
550 bool is_dc
= (userAccountControl
& UF_SERVER_TRUST_ACCOUNT
) ||
551 (userAccountControl
& UF_PARTIAL_SECRETS_ACCOUNT
);
553 if (strcasecmp_m(spn_value
, samAccountName
) == 0) {
554 /* MacOS X sets this value, and setting an SPN of your
555 * own samAccountName is both pointless and safe */
559 kerr
= smb_krb5_init_context_basic(mem_ctx
,
563 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
564 "Could not initialize kerberos context.");
567 ret
= krb5_parse_name(krb_ctx
, spn_value
, &principal
);
569 krb5_free_context(krb_ctx
);
570 return LDB_ERR_CONSTRAINT_VIOLATION
;
573 princ_size
= krb5_princ_size(krb_ctx
, principal
);
574 if (princ_size
< 2) {
575 DBG_WARNING("princ_size=%d\n", princ_size
);
579 instanceName
= smb_krb5_principal_get_comp_string(mem_ctx
, krb_ctx
,
581 serviceType
= smb_krb5_principal_get_comp_string(mem_ctx
, krb_ctx
,
583 if (krb5_princ_size(krb_ctx
, principal
) == 3) {
584 serviceName
= smb_krb5_principal_get_comp_string(mem_ctx
, krb_ctx
,
592 DBG_WARNING("is_dc=false, serviceName=%s,"
593 "serviceType=%s\n", serviceName
,
597 if (strcasecmp(serviceType
, "ldap") == 0) {
598 if (strcasecmp(serviceName
, netbios_name
) != 0 &&
599 strcasecmp(serviceName
, forest_name
) != 0) {
600 DBG_WARNING("serviceName=%s\n", serviceName
);
604 } else if (strcasecmp(serviceType
, "gc") == 0) {
605 if (strcasecmp(serviceName
, forest_name
) != 0) {
606 DBG_WARNING("serviceName=%s\n", serviceName
);
610 if (strcasecmp(serviceName
, base_domain
) != 0 &&
611 strcasecmp(serviceName
, netbios_name
) != 0) {
612 DBG_WARNING("serviceType=%s, "
614 serviceType
, serviceName
);
619 /* instanceName can be samAccountName without $ or dnsHostName
620 * or "ntds_guid._msdcs.forest_domain for DC objects */
621 if (strlen(instanceName
) == (strlen(samAccountName
) - 1)
622 && strncasecmp(instanceName
, samAccountName
,
623 strlen(samAccountName
) - 1) == 0) {
626 if ((dnsHostName
!= NULL
) &&
627 (strcasecmp(instanceName
, dnsHostName
) == 0)) {
631 const char *guid_str
;
632 guid_str
= talloc_asprintf(mem_ctx
,"%s._msdcs.%s",
635 if (strcasecmp(instanceName
, guid_str
) == 0) {
641 krb5_free_principal(krb_ctx
, principal
);
642 krb5_free_context(krb_ctx
);
643 ldb_debug_set(ldb
, LDB_DEBUG_WARNING
,
644 "acl: spn validation failed for "
645 "spn[%s] uac[0x%x] account[%s] hostname[%s] "
646 "nbname[%s] ntds[%s] forest[%s] domain[%s]\n",
647 spn_value
, (unsigned)userAccountControl
,
648 samAccountName
, dnsHostName
,
649 netbios_name
, ntds_guid
,
650 forest_name
, base_domain
);
651 return LDB_ERR_CONSTRAINT_VIOLATION
;
654 krb5_free_principal(krb_ctx
, principal
);
655 krb5_free_context(krb_ctx
);
660 * Passing in 'el' is critical, we want to check all the values.
663 static int acl_check_spn(TALLOC_CTX
*mem_ctx
,
664 struct ldb_module
*module
,
665 struct ldb_request
*req
,
666 const struct ldb_message_element
*el
,
667 struct security_descriptor
*sd
,
669 const struct dsdb_attribute
*attr
,
670 const struct dsdb_class
*objectclass
)
674 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
675 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
676 struct ldb_result
*acl_res
;
677 struct ldb_result
*netbios_res
;
678 struct ldb_dn
*partitions_dn
= samdb_partitions_dn(ldb
, tmp_ctx
);
679 uint32_t userAccountControl
;
680 const char *samAccountName
;
681 const char *dnsHostName
;
682 const char *netbios_name
;
684 char *ntds_guid
= NULL
;
686 static const char *acl_attrs
[] = {
689 "userAccountControl",
692 static const char *netbios_attrs
[] = {
697 /* if we have wp, we can do whatever we like */
698 if (acl_check_access_on_attribute(module
,
703 attr
, objectclass
) == LDB_SUCCESS
) {
704 talloc_free(tmp_ctx
);
708 ret
= acl_check_extended_right(tmp_ctx
,
713 acl_user_token(module
),
714 GUID_DRS_VALIDATE_SPN
,
718 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
719 dsdb_acl_debug(sd
, acl_user_token(module
),
720 req
->op
.mod
.message
->dn
,
723 talloc_free(tmp_ctx
);
728 * If we have "validated write spn", allow delete of any
729 * existing value (this keeps constrained delete to the same
730 * rules as unconstrained)
732 if (req
->operation
== LDB_MODIFY
) {
734 * If not add or replace (eg delete),
738 & (LDB_FLAG_MOD_ADD
|LDB_FLAG_MOD_REPLACE
)) == 0) {
739 talloc_free(tmp_ctx
);
744 ret
= dsdb_module_search_dn(module
, tmp_ctx
,
745 &acl_res
, req
->op
.mod
.message
->dn
,
747 DSDB_FLAG_NEXT_MODULE
|
748 DSDB_FLAG_AS_SYSTEM
|
749 DSDB_SEARCH_SHOW_RECYCLED
,
751 if (ret
!= LDB_SUCCESS
) {
752 talloc_free(tmp_ctx
);
756 userAccountControl
= ldb_msg_find_attr_as_uint(acl_res
->msgs
[0], "userAccountControl", 0);
757 dnsHostName
= ldb_msg_find_attr_as_string(acl_res
->msgs
[0], "dnsHostName", NULL
);
758 samAccountName
= ldb_msg_find_attr_as_string(acl_res
->msgs
[0], "samAccountName", NULL
);
760 ret
= dsdb_module_search(module
, tmp_ctx
,
761 &netbios_res
, partitions_dn
,
764 DSDB_FLAG_NEXT_MODULE
|
768 ldb_dn_get_linearized(ldb_get_default_basedn(ldb
)));
770 netbios_name
= ldb_msg_find_attr_as_string(netbios_res
->msgs
[0], "nETBIOSName", NULL
);
772 /* NTDSDSA objectGuid of object we are checking SPN for */
773 if (userAccountControl
& (UF_SERVER_TRUST_ACCOUNT
| UF_PARTIAL_SECRETS_ACCOUNT
)) {
774 ret
= dsdb_module_find_ntdsguid_for_computer(module
, tmp_ctx
,
775 req
->op
.mod
.message
->dn
, &ntds
, req
);
776 if (ret
!= LDB_SUCCESS
) {
777 ldb_asprintf_errstring(ldb
, "Failed to find NTDSDSA objectGuid for %s: %s",
778 ldb_dn_get_linearized(req
->op
.mod
.message
->dn
),
780 talloc_free(tmp_ctx
);
781 return LDB_ERR_OPERATIONS_ERROR
;
783 ntds_guid
= GUID_string(tmp_ctx
, &ntds
);
786 for (i
=0; i
< el
->num_values
; i
++) {
787 ret
= acl_validate_spn_value(tmp_ctx
,
789 (char *)el
->values
[i
].data
,
795 if (ret
!= LDB_SUCCESS
) {
796 talloc_free(tmp_ctx
);
800 talloc_free(tmp_ctx
);
804 static int acl_add(struct ldb_module
*module
, struct ldb_request
*req
)
807 struct ldb_dn
*parent
;
808 struct ldb_context
*ldb
;
809 const struct dsdb_schema
*schema
;
810 const struct dsdb_class
*objectclass
;
811 struct ldb_control
*as_system
;
812 struct ldb_message_element
*el
;
813 unsigned int instanceType
= 0;
815 if (ldb_dn_is_special(req
->op
.add
.message
->dn
)) {
816 return ldb_next_request(module
, req
);
819 as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
820 if (as_system
!= NULL
) {
821 as_system
->critical
= 0;
824 if (dsdb_module_am_system(module
) || as_system
) {
825 return ldb_next_request(module
, req
);
828 ldb
= ldb_module_get_ctx(module
);
830 parent
= ldb_dn_get_parent(req
, req
->op
.add
.message
->dn
);
831 if (parent
== NULL
) {
835 schema
= dsdb_get_schema(ldb
, req
);
837 return ldb_operr(ldb
);
840 objectclass
= dsdb_get_structural_oc_from_msg(schema
, req
->op
.add
.message
);
842 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
843 "acl: unable to find or validate structural objectClass on %s\n",
844 ldb_dn_get_linearized(req
->op
.add
.message
->dn
));
845 return ldb_module_done(req
, NULL
, NULL
, LDB_ERR_OPERATIONS_ERROR
);
848 el
= ldb_msg_find_element(req
->op
.add
.message
, "instanceType");
849 if ((el
!= NULL
) && (el
->num_values
!= 1)) {
850 ldb_set_errstring(ldb
, "acl: the 'instanceType' attribute is single-valued!");
851 return LDB_ERR_UNWILLING_TO_PERFORM
;
854 instanceType
= ldb_msg_find_attr_as_uint(req
->op
.add
.message
,
856 if (instanceType
& INSTANCE_TYPE_IS_NC_HEAD
) {
857 static const char *no_attrs
[] = { NULL
};
858 struct ldb_result
*partition_res
;
859 struct ldb_dn
*partitions_dn
;
861 partitions_dn
= samdb_partitions_dn(ldb
, req
);
862 if (!partitions_dn
) {
863 ldb_set_errstring(ldb
, "acl: CN=partitions dn could not be generated!");
864 return LDB_ERR_UNWILLING_TO_PERFORM
;
867 ret
= dsdb_module_search(module
, req
, &partition_res
,
868 partitions_dn
, LDB_SCOPE_ONELEVEL
,
870 DSDB_FLAG_NEXT_MODULE
|
871 DSDB_FLAG_AS_SYSTEM
|
872 DSDB_SEARCH_ONE_ONLY
|
873 DSDB_SEARCH_SHOW_RECYCLED
,
875 "(&(nCName=%s)(objectClass=crossRef))",
876 ldb_dn_get_linearized(req
->op
.add
.message
->dn
));
878 if (ret
== LDB_SUCCESS
) {
879 /* Check that we can write to the crossRef object MS-ADTS 3.1.1.5.2.8.2 */
880 ret
= dsdb_module_check_access_on_dn(module
, req
, partition_res
->msgs
[0]->dn
,
882 &objectclass
->schemaIDGUID
, req
);
883 if (ret
!= LDB_SUCCESS
) {
884 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
885 "acl: ACL check failed on crossRef object %s: %s\n",
886 ldb_dn_get_linearized(partition_res
->msgs
[0]->dn
),
892 * TODO: Remaining checks, like if we are
893 * the naming master etc need to be handled
894 * in the instanceType module
896 return ldb_next_request(module
, req
);
899 /* Check that we can create a crossRef object MS-ADTS 3.1.1.5.2.8.2 */
900 ret
= dsdb_module_check_access_on_dn(module
, req
, partitions_dn
,
901 SEC_ADS_CREATE_CHILD
,
902 &objectclass
->schemaIDGUID
, req
);
903 if (ret
== LDB_ERR_NO_SUCH_OBJECT
&&
904 ldb_request_get_control(req
, LDB_CONTROL_RELAX_OID
))
906 /* Allow provision bootstrap */
909 if (ret
!= LDB_SUCCESS
) {
910 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
911 "acl: ACL check failed on CN=Partitions crossRef container %s: %s\n",
912 ldb_dn_get_linearized(partitions_dn
), ldb_errstring(ldb
));
917 * TODO: Remaining checks, like if we are the naming
918 * master and adding the crossRef object need to be
919 * handled in the instanceType module
921 return ldb_next_request(module
, req
);
924 ret
= dsdb_module_check_access_on_dn(module
, req
, parent
,
925 SEC_ADS_CREATE_CHILD
,
926 &objectclass
->schemaIDGUID
, req
);
927 if (ret
!= LDB_SUCCESS
) {
928 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
929 "acl: unable to get access to %s\n",
930 ldb_dn_get_linearized(req
->op
.add
.message
->dn
));
933 return ldb_next_request(module
, req
);
936 /* checks if modifications are allowed on "Member" attribute */
937 static int acl_check_self_membership(TALLOC_CTX
*mem_ctx
,
938 struct ldb_module
*module
,
939 struct ldb_request
*req
,
940 struct security_descriptor
*sd
,
942 const struct dsdb_attribute
*attr
,
943 const struct dsdb_class
*objectclass
)
947 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
948 struct ldb_dn
*user_dn
;
949 struct ldb_message_element
*member_el
;
950 const struct ldb_message
*msg
= NULL
;
952 if (req
->operation
== LDB_MODIFY
) {
953 msg
= req
->op
.mod
.message
;
954 } else if (req
->operation
== LDB_ADD
) {
955 msg
= req
->op
.add
.message
;
957 return LDB_ERR_OPERATIONS_ERROR
;
960 /* if we have wp, we can do whatever we like */
961 if (acl_check_access_on_attribute(module
,
966 attr
, objectclass
) == LDB_SUCCESS
) {
969 /* if we are adding/deleting ourselves, check for self membership */
970 ret
= dsdb_find_dn_by_sid(ldb
, mem_ctx
,
971 &acl_user_token(module
)->sids
[PRIMARY_USER_SID_INDEX
],
973 if (ret
!= LDB_SUCCESS
) {
976 member_el
= ldb_msg_find_element(msg
, "member");
978 return ldb_operr(ldb
);
980 /* user can only remove oneself */
981 if (member_el
->num_values
== 0) {
982 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
984 for (i
= 0; i
< member_el
->num_values
; i
++) {
985 if (strcasecmp((const char *)member_el
->values
[i
].data
,
986 ldb_dn_get_extended_linearized(mem_ctx
, user_dn
, 1)) != 0) {
987 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
990 ret
= acl_check_extended_right(mem_ctx
,
995 acl_user_token(module
),
996 GUID_DRS_SELF_MEMBERSHIP
,
999 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
1000 dsdb_acl_debug(sd
, acl_user_token(module
),
1008 static int acl_check_password_rights(
1009 TALLOC_CTX
*mem_ctx
,
1010 struct ldb_module
*module
,
1011 struct ldb_request
*req
,
1012 struct security_descriptor
*sd
,
1013 struct dom_sid
*sid
,
1014 const struct dsdb_class
*objectclass
,
1016 struct dsdb_control_password_acl_validation
**control_for_response
)
1018 int ret
= LDB_SUCCESS
;
1019 unsigned int del_attr_cnt
= 0, add_attr_cnt
= 0, rep_attr_cnt
= 0;
1020 unsigned int del_val_cnt
= 0, add_val_cnt
= 0, rep_val_cnt
= 0;
1021 struct ldb_message_element
*el
;
1022 struct ldb_message
*msg
;
1023 struct ldb_control
*c
= NULL
;
1024 const char *passwordAttrs
[] = { "userPassword", "clearTextPassword",
1025 "unicodePwd", NULL
}, **l
;
1026 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
1027 struct dsdb_control_password_acl_validation
*pav
= NULL
;
1029 if (tmp_ctx
== NULL
) {
1030 return LDB_ERR_OPERATIONS_ERROR
;
1033 pav
= talloc_zero(req
, struct dsdb_control_password_acl_validation
);
1035 talloc_free(tmp_ctx
);
1036 return LDB_ERR_OPERATIONS_ERROR
;
1039 * Set control_for_response to pav so it can be added to the response
1040 * and be passed up to the audit_log module which uses it to identify
1041 * password reset attempts.
1043 *control_for_response
= pav
;
1045 c
= ldb_request_get_control(req
, DSDB_CONTROL_PASSWORD_CHANGE_OID
);
1047 pav
->pwd_reset
= false;
1050 * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
1051 * have a user password change and not a set as the message
1052 * looks like. In it's value blob it contains the NT and/or LM
1053 * hash of the old password specified by the user. This control
1054 * is used by the SAMR and "kpasswd" password change mechanisms.
1056 * This control can't be used by real LDAP clients,
1057 * the only caller is samdb_set_password_internal(),
1058 * so we don't have to strict verification of the input.
1060 ret
= acl_check_extended_right(tmp_ctx
,
1065 acl_user_token(module
),
1066 GUID_DRS_USER_CHANGE_PASSWORD
,
1067 SEC_ADS_CONTROL_ACCESS
,
1072 c
= ldb_request_get_control(req
, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID
);
1074 pav
->pwd_reset
= true;
1077 * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
1078 * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
1079 * have a force password set.
1080 * This control is used by the SAMR/NETLOGON/LSA password
1083 * This control can't be used by real LDAP clients,
1084 * the only caller is samdb_set_password_internal(),
1085 * so we don't have to strict verification of the input.
1087 ret
= acl_check_extended_right(tmp_ctx
,
1092 acl_user_token(module
),
1093 GUID_DRS_FORCE_CHANGE_PASSWORD
,
1094 SEC_ADS_CONTROL_ACCESS
,
1099 el
= ldb_msg_find_element(req
->op
.mod
.message
, "dBCSPwd");
1102 * dBCSPwd is only allowed with a control.
1104 talloc_free(tmp_ctx
);
1105 return LDB_ERR_UNWILLING_TO_PERFORM
;
1108 msg
= ldb_msg_copy_shallow(tmp_ctx
, req
->op
.mod
.message
);
1110 return ldb_module_oom(module
);
1112 for (l
= passwordAttrs
; *l
!= NULL
; l
++) {
1113 if ((!userPassword
) && (ldb_attr_cmp(*l
, "userPassword") == 0)) {
1117 while ((el
= ldb_msg_find_element(msg
, *l
)) != NULL
) {
1118 if (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_DELETE
) {
1120 del_val_cnt
+= el
->num_values
;
1122 if (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_ADD
) {
1124 add_val_cnt
+= el
->num_values
;
1126 if (LDB_FLAG_MOD_TYPE(el
->flags
) == LDB_FLAG_MOD_REPLACE
) {
1128 rep_val_cnt
+= el
->num_values
;
1130 ldb_msg_remove_element(msg
, el
);
1134 /* single deletes will be handled by the "password_hash" LDB module
1135 * later in the stack, so we let it though here */
1136 if ((del_attr_cnt
> 0) && (add_attr_cnt
== 0) && (rep_attr_cnt
== 0)) {
1137 talloc_free(tmp_ctx
);
1142 if (rep_attr_cnt
> 0) {
1143 pav
->pwd_reset
= true;
1145 ret
= acl_check_extended_right(tmp_ctx
,
1150 acl_user_token(module
),
1151 GUID_DRS_FORCE_CHANGE_PASSWORD
,
1152 SEC_ADS_CONTROL_ACCESS
,
1157 if (add_attr_cnt
!= del_attr_cnt
) {
1158 pav
->pwd_reset
= true;
1160 ret
= acl_check_extended_right(tmp_ctx
,
1165 acl_user_token(module
),
1166 GUID_DRS_FORCE_CHANGE_PASSWORD
,
1167 SEC_ADS_CONTROL_ACCESS
,
1172 if (add_val_cnt
== 1 && del_val_cnt
== 1) {
1173 pav
->pwd_reset
= false;
1175 ret
= acl_check_extended_right(tmp_ctx
,
1180 acl_user_token(module
),
1181 GUID_DRS_USER_CHANGE_PASSWORD
,
1182 SEC_ADS_CONTROL_ACCESS
,
1184 /* Very strange, but we get constraint violation in this case */
1185 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
1186 ret
= LDB_ERR_CONSTRAINT_VIOLATION
;
1191 if (add_val_cnt
== 1 && del_val_cnt
== 0) {
1192 pav
->pwd_reset
= true;
1194 ret
= acl_check_extended_right(tmp_ctx
,
1199 acl_user_token(module
),
1200 GUID_DRS_FORCE_CHANGE_PASSWORD
,
1201 SEC_ADS_CONTROL_ACCESS
,
1203 /* Very strange, but we get constraint violation in this case */
1204 if (ret
== LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
) {
1205 ret
= LDB_ERR_CONSTRAINT_VIOLATION
;
1211 * Everything else is handled by the password_hash module where it will
1212 * fail, but with the correct error code when the module is again
1213 * checking the attributes. As the change request will lack the
1214 * DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control, we can be sure that
1215 * any modification attempt that went this way will be rejected.
1218 talloc_free(tmp_ctx
);
1222 if (ret
!= LDB_SUCCESS
) {
1223 dsdb_acl_debug(sd
, acl_user_token(module
),
1224 req
->op
.mod
.message
->dn
,
1227 talloc_free(tmp_ctx
);
1231 ret
= ldb_request_add_control(req
,
1232 DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
, false, pav
);
1233 if (ret
!= LDB_SUCCESS
) {
1234 ldb_debug(ldb_module_get_ctx(module
), LDB_DEBUG_ERROR
,
1235 "Unable to register ACL validation control!\n");
1242 * Context needed by acl_callback
1244 struct acl_callback_context
{
1245 struct ldb_request
*request
;
1246 struct ldb_module
*module
;
1250 * @brief Copy the password validation control to the reply.
1252 * Copy the dsdb_control_password_acl_validation control from the request,
1253 * to the reply. The control is used by the audit_log module to identify
1256 * @param req the ldb request.
1257 * @param ares the result, updated with the control.
1259 static void copy_password_acl_validation_control(
1260 struct ldb_request
*req
,
1261 struct ldb_reply
*ares
)
1263 struct ldb_control
*pav_ctrl
= NULL
;
1264 struct dsdb_control_password_acl_validation
*pav
= NULL
;
1266 pav_ctrl
= ldb_request_get_control(
1268 DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
);
1269 if (pav_ctrl
== NULL
) {
1273 pav
= talloc_get_type_abort(
1275 struct dsdb_control_password_acl_validation
);
1279 ldb_reply_add_control(
1281 DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
,
1286 * @brief call back function for acl_modify.
1288 * Calls acl_copy to copy the dsdb_control_password_acl_validation from
1289 * the request to the reply.
1291 * @param req the ldb_request.
1292 * @param ares the operation result.
1294 * @return the LDB_STATUS
1296 static int acl_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
1298 struct acl_callback_context
*ac
= NULL
;
1300 ac
= talloc_get_type(req
->context
, struct acl_callback_context
);
1303 return ldb_module_done(
1307 LDB_ERR_OPERATIONS_ERROR
);
1310 /* pass on to the callback */
1311 switch (ares
->type
) {
1312 case LDB_REPLY_ENTRY
:
1313 return ldb_module_send_entry(
1318 case LDB_REPLY_REFERRAL
:
1319 return ldb_module_send_referral(
1323 case LDB_REPLY_DONE
:
1325 * Copy the ACL control from the request to the response
1327 copy_password_acl_validation_control(req
, ares
);
1328 return ldb_module_done(
1336 return LDB_ERR_OPERATIONS_ERROR
;
1340 static int acl_modify(struct ldb_module
*module
, struct ldb_request
*req
)
1343 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1344 const struct dsdb_schema
*schema
;
1346 const struct dsdb_class
*objectclass
;
1347 struct ldb_result
*acl_res
;
1348 struct security_descriptor
*sd
;
1349 struct dom_sid
*sid
= NULL
;
1350 struct ldb_control
*as_system
;
1351 struct ldb_control
*is_undelete
;
1353 bool password_rights_checked
= false;
1354 TALLOC_CTX
*tmp_ctx
;
1355 const struct ldb_message
*msg
= req
->op
.mod
.message
;
1356 static const char *acl_attrs
[] = {
1357 "nTSecurityDescriptor",
1362 struct acl_callback_context
*context
= NULL
;
1363 struct ldb_request
*new_req
= NULL
;
1364 struct dsdb_control_password_acl_validation
*pav
= NULL
;
1365 struct ldb_control
**controls
= NULL
;
1367 if (ldb_dn_is_special(msg
->dn
)) {
1368 return ldb_next_request(module
, req
);
1371 as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
1372 if (as_system
!= NULL
) {
1373 as_system
->critical
= 0;
1376 is_undelete
= ldb_request_get_control(req
, DSDB_CONTROL_RESTORE_TOMBSTONE_OID
);
1378 /* Don't print this debug statement if elements[0].name is going to be NULL */
1379 if (msg
->num_elements
> 0) {
1380 DEBUG(10, ("ldb:acl_modify: %s\n", msg
->elements
[0].name
));
1382 if (dsdb_module_am_system(module
) || as_system
) {
1383 return ldb_next_request(module
, req
);
1386 tmp_ctx
= talloc_new(req
);
1387 if (tmp_ctx
== NULL
) {
1388 return ldb_oom(ldb
);
1391 ret
= dsdb_module_search_dn(module
, tmp_ctx
, &acl_res
, msg
->dn
,
1393 DSDB_FLAG_NEXT_MODULE
|
1394 DSDB_FLAG_AS_SYSTEM
|
1395 DSDB_SEARCH_SHOW_RECYCLED
,
1398 if (ret
!= LDB_SUCCESS
) {
1402 userPassword
= dsdb_user_password_support(module
, req
, req
);
1404 schema
= dsdb_get_schema(ldb
, tmp_ctx
);
1406 talloc_free(tmp_ctx
);
1407 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
1408 "acl_modify: Error obtaining schema.");
1411 ret
= dsdb_get_sd_from_ldb_message(ldb
, tmp_ctx
, acl_res
->msgs
[0], &sd
);
1412 if (ret
!= LDB_SUCCESS
) {
1413 talloc_free(tmp_ctx
);
1414 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
1415 "acl_modify: Error retrieving security descriptor.");
1417 /* Theoretically we pass the check if the object has no sd */
1422 objectclass
= dsdb_get_structural_oc_from_msg(schema
, acl_res
->msgs
[0]);
1424 talloc_free(tmp_ctx
);
1425 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
1426 "acl_modify: Error retrieving object class for GUID.");
1428 sid
= samdb_result_dom_sid(req
, acl_res
->msgs
[0], "objectSid");
1429 for (i
=0; i
< msg
->num_elements
; i
++) {
1430 const struct ldb_message_element
*el
= &msg
->elements
[i
];
1431 const struct dsdb_attribute
*attr
;
1434 * This basic attribute existence check with the right errorcode
1435 * is needed since this module is the first one which requests
1436 * schema attribute information.
1437 * The complete attribute checking is done in the
1438 * "objectclass_attrs" module behind this one.
1440 * NOTE: "clearTextPassword" is not defined in the schema.
1442 attr
= dsdb_attribute_by_lDAPDisplayName(schema
, el
->name
);
1443 if (!attr
&& ldb_attr_cmp("clearTextPassword", el
->name
) != 0) {
1444 ldb_asprintf_errstring(ldb
, "acl_modify: attribute '%s' "
1445 "on entry '%s' was not found in the schema!",
1446 req
->op
.mod
.message
->elements
[i
].name
,
1447 ldb_dn_get_linearized(req
->op
.mod
.message
->dn
));
1448 ret
= LDB_ERR_NO_SUCH_ATTRIBUTE
;
1452 if (ldb_attr_cmp("nTSecurityDescriptor", el
->name
) == 0) {
1453 uint32_t sd_flags
= dsdb_request_sd_flags(req
, NULL
);
1454 uint32_t access_mask
= 0;
1456 if (sd_flags
& (SECINFO_OWNER
|SECINFO_GROUP
)) {
1457 access_mask
|= SEC_STD_WRITE_OWNER
;
1459 if (sd_flags
& SECINFO_DACL
) {
1460 access_mask
|= SEC_STD_WRITE_DAC
;
1462 if (sd_flags
& SECINFO_SACL
) {
1463 access_mask
|= SEC_FLAG_SYSTEM_SECURITY
;
1466 ret
= acl_check_access_on_attribute(module
,
1473 if (ret
!= LDB_SUCCESS
) {
1474 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
1475 "Object %s has no write dacl access\n",
1476 ldb_dn_get_linearized(msg
->dn
));
1478 acl_user_token(module
),
1482 ret
= LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
1485 } else if (ldb_attr_cmp("member", el
->name
) == 0) {
1486 ret
= acl_check_self_membership(tmp_ctx
,
1493 if (ret
!= LDB_SUCCESS
) {
1496 } else if (ldb_attr_cmp("dBCSPwd", el
->name
) == 0) {
1497 /* this one is not affected by any rights, we should let it through
1498 so that passwords_hash returns the correct error */
1500 } else if (ldb_attr_cmp("unicodePwd", el
->name
) == 0 ||
1501 (userPassword
&& ldb_attr_cmp("userPassword", el
->name
) == 0) ||
1502 ldb_attr_cmp("clearTextPassword", el
->name
) == 0) {
1504 * Ideally we would do the acl_check_password_rights
1505 * before we checked the other attributes, i.e. in a
1506 * loop before the current one.
1507 * Have not done this as yet in order to limit the size
1508 * of the change. To limit the possibility of breaking
1511 if (password_rights_checked
) {
1514 ret
= acl_check_password_rights(tmp_ctx
,
1522 if (ret
!= LDB_SUCCESS
) {
1525 password_rights_checked
= true;
1526 } else if (ldb_attr_cmp("servicePrincipalName", el
->name
) == 0) {
1527 ret
= acl_check_spn(tmp_ctx
,
1535 if (ret
!= LDB_SUCCESS
) {
1538 } else if (is_undelete
!= NULL
&& (ldb_attr_cmp("isDeleted", el
->name
) == 0)) {
1540 * in case of undelete op permissions on
1541 * isDeleted are irrelevant and
1542 * distinguishedName is removed by the
1543 * tombstone_reanimate module
1547 ret
= acl_check_access_on_attribute(module
,
1554 if (ret
!= LDB_SUCCESS
) {
1555 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
1556 "Object %s has no write property access\n",
1557 ldb_dn_get_linearized(msg
->dn
));
1559 acl_user_token(module
),
1563 ret
= LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
1570 talloc_free(tmp_ctx
);
1571 context
= talloc_zero(req
, struct acl_callback_context
);
1573 if (context
== NULL
) {
1574 return ldb_oom(ldb
);
1576 context
->request
= req
;
1577 context
->module
= module
;
1578 ret
= ldb_build_mod_req(
1582 req
->op
.mod
.message
,
1587 if (ret
!= LDB_SUCCESS
) {
1590 return ldb_next_request(module
, new_req
);
1592 talloc_free(tmp_ctx
);
1594 * We copy the pav into the result, so that the password reset
1595 * logging code in audit_log can log failed password reset attempts.
1598 struct ldb_control
*control
= NULL
;
1600 controls
= talloc_zero_array(req
, struct ldb_control
*, 2);
1601 if (controls
== NULL
) {
1602 return ldb_oom(ldb
);
1605 control
= talloc(controls
, struct ldb_control
);
1607 if (control
== NULL
) {
1608 return ldb_oom(ldb
);
1611 control
->oid
= talloc_strdup(
1613 DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
);
1614 if (control
->oid
== NULL
) {
1615 return ldb_oom(ldb
);
1617 control
->critical
= false;
1618 control
->data
= pav
;
1619 *controls
= control
;
1621 return ldb_module_done(req
, controls
, NULL
, ret
);
1624 /* similar to the modify for the time being.
1625 * We need to consider the special delete tree case, though - TODO */
1626 static int acl_delete(struct ldb_module
*module
, struct ldb_request
*req
)
1629 struct ldb_dn
*parent
;
1630 struct ldb_context
*ldb
;
1631 struct ldb_dn
*nc_root
;
1632 struct ldb_control
*as_system
;
1633 const struct dsdb_schema
*schema
;
1634 const struct dsdb_class
*objectclass
;
1635 struct security_descriptor
*sd
= NULL
;
1636 struct dom_sid
*sid
= NULL
;
1637 struct ldb_result
*acl_res
;
1638 static const char *acl_attrs
[] = {
1639 "nTSecurityDescriptor",
1645 if (ldb_dn_is_special(req
->op
.del
.dn
)) {
1646 return ldb_next_request(module
, req
);
1649 as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
1650 if (as_system
!= NULL
) {
1651 as_system
->critical
= 0;
1654 if (dsdb_module_am_system(module
) || as_system
) {
1655 return ldb_next_request(module
, req
);
1658 DEBUG(10, ("ldb:acl_delete: %s\n", ldb_dn_get_linearized(req
->op
.del
.dn
)));
1660 ldb
= ldb_module_get_ctx(module
);
1662 parent
= ldb_dn_get_parent(req
, req
->op
.del
.dn
);
1663 if (parent
== NULL
) {
1664 return ldb_oom(ldb
);
1667 /* Make sure we aren't deleting a NC */
1669 ret
= dsdb_find_nc_root(ldb
, req
, req
->op
.del
.dn
, &nc_root
);
1670 if (ret
!= LDB_SUCCESS
) {
1673 if (ldb_dn_compare(nc_root
, req
->op
.del
.dn
) == 0) {
1674 talloc_free(nc_root
);
1675 DEBUG(10,("acl:deleting a NC\n"));
1676 /* Windows returns "ERR_UNWILLING_TO_PERFORM */
1677 return ldb_module_done(req
, NULL
, NULL
,
1678 LDB_ERR_UNWILLING_TO_PERFORM
);
1680 talloc_free(nc_root
);
1682 ret
= dsdb_module_search_dn(module
, req
, &acl_res
,
1683 req
->op
.del
.dn
, acl_attrs
,
1684 DSDB_FLAG_NEXT_MODULE
|
1685 DSDB_FLAG_AS_SYSTEM
|
1686 DSDB_SEARCH_SHOW_RECYCLED
, req
);
1687 /* we sould be able to find the parent */
1688 if (ret
!= LDB_SUCCESS
) {
1689 DEBUG(10,("acl: failed to find object %s\n",
1690 ldb_dn_get_linearized(req
->op
.rename
.olddn
)));
1694 ret
= dsdb_get_sd_from_ldb_message(ldb
, req
, acl_res
->msgs
[0], &sd
);
1695 if (ret
!= LDB_SUCCESS
) {
1696 return ldb_operr(ldb
);
1699 return ldb_operr(ldb
);
1702 schema
= dsdb_get_schema(ldb
, req
);
1704 return ldb_operr(ldb
);
1707 sid
= samdb_result_dom_sid(req
, acl_res
->msgs
[0], "objectSid");
1709 objectclass
= dsdb_get_structural_oc_from_msg(schema
, acl_res
->msgs
[0]);
1711 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
1712 "acl_modify: Error retrieving object class for GUID.");
1715 if (ldb_request_get_control(req
, LDB_CONTROL_TREE_DELETE_OID
)) {
1716 ret
= acl_check_access_on_objectclass(module
, req
, sd
, sid
,
1717 SEC_ADS_DELETE_TREE
,
1719 if (ret
!= LDB_SUCCESS
) {
1723 return ldb_next_request(module
, req
);
1726 /* First check if we have delete object right */
1727 ret
= acl_check_access_on_objectclass(module
, req
, sd
, sid
,
1730 if (ret
== LDB_SUCCESS
) {
1731 return ldb_next_request(module
, req
);
1734 /* Nope, we don't have delete object. Lets check if we have delete
1735 * child on the parent */
1736 ret
= dsdb_module_check_access_on_dn(module
, req
, parent
,
1737 SEC_ADS_DELETE_CHILD
,
1738 &objectclass
->schemaIDGUID
,
1740 if (ret
!= LDB_SUCCESS
) {
1744 return ldb_next_request(module
, req
);
1746 static int acl_check_reanimate_tombstone(TALLOC_CTX
*mem_ctx
,
1747 struct ldb_module
*module
,
1748 struct ldb_request
*req
,
1749 struct ldb_dn
*nc_root
)
1752 struct ldb_result
*acl_res
;
1753 struct security_descriptor
*sd
= NULL
;
1754 struct dom_sid
*sid
= NULL
;
1755 const struct dsdb_schema
*schema
= NULL
;
1756 const struct dsdb_class
*objectclass
= NULL
;
1757 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
1758 static const char *acl_attrs
[] = {
1759 "nTSecurityDescriptor",
1765 ret
= dsdb_module_search_dn(module
, mem_ctx
, &acl_res
,
1767 DSDB_FLAG_NEXT_MODULE
|
1768 DSDB_FLAG_AS_SYSTEM
|
1769 DSDB_SEARCH_SHOW_RECYCLED
, req
);
1770 if (ret
!= LDB_SUCCESS
) {
1771 DEBUG(10,("acl: failed to find object %s\n",
1772 ldb_dn_get_linearized(nc_root
)));
1776 ret
= dsdb_get_sd_from_ldb_message(mem_ctx
, req
, acl_res
->msgs
[0], &sd
);
1777 sid
= samdb_result_dom_sid(mem_ctx
, acl_res
->msgs
[0], "objectSid");
1778 schema
= dsdb_get_schema(ldb
, req
);
1780 return LDB_ERR_OPERATIONS_ERROR
;
1782 objectclass
= dsdb_get_structural_oc_from_msg(schema
, acl_res
->msgs
[0]);
1783 if (ret
!= LDB_SUCCESS
|| !sd
) {
1784 return ldb_operr(ldb_module_get_ctx(module
));
1786 return acl_check_extended_right(mem_ctx
,
1791 acl_user_token(module
),
1792 GUID_DRS_REANIMATE_TOMBSTONE
,
1793 SEC_ADS_CONTROL_ACCESS
, sid
);
1796 static int acl_rename(struct ldb_module
*module
, struct ldb_request
*req
)
1799 struct ldb_dn
*oldparent
;
1800 struct ldb_dn
*newparent
;
1801 const struct dsdb_schema
*schema
;
1802 const struct dsdb_class
*objectclass
;
1803 const struct dsdb_attribute
*attr
= NULL
;
1804 struct ldb_context
*ldb
;
1805 struct security_descriptor
*sd
= NULL
;
1806 struct dom_sid
*sid
= NULL
;
1807 struct ldb_result
*acl_res
;
1808 struct ldb_dn
*nc_root
;
1809 struct ldb_control
*as_system
;
1810 struct ldb_control
*is_undelete
;
1811 TALLOC_CTX
*tmp_ctx
;
1812 const char *rdn_name
;
1813 static const char *acl_attrs
[] = {
1814 "nTSecurityDescriptor",
1820 if (ldb_dn_is_special(req
->op
.rename
.olddn
)) {
1821 return ldb_next_request(module
, req
);
1824 as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
1825 if (as_system
!= NULL
) {
1826 as_system
->critical
= 0;
1829 DEBUG(10, ("ldb:acl_rename: %s\n", ldb_dn_get_linearized(req
->op
.rename
.olddn
)));
1830 if (dsdb_module_am_system(module
) || as_system
) {
1831 return ldb_next_request(module
, req
);
1834 ldb
= ldb_module_get_ctx(module
);
1836 tmp_ctx
= talloc_new(req
);
1837 if (tmp_ctx
== NULL
) {
1838 return ldb_oom(ldb
);
1841 oldparent
= ldb_dn_get_parent(tmp_ctx
, req
->op
.rename
.olddn
);
1842 if (oldparent
== NULL
) {
1843 return ldb_oom(ldb
);
1845 newparent
= ldb_dn_get_parent(tmp_ctx
, req
->op
.rename
.newdn
);
1846 if (newparent
== NULL
) {
1847 return ldb_oom(ldb
);
1850 /* Make sure we aren't renaming/moving a NC */
1852 ret
= dsdb_find_nc_root(ldb
, req
, req
->op
.rename
.olddn
, &nc_root
);
1853 if (ret
!= LDB_SUCCESS
) {
1856 if (ldb_dn_compare(nc_root
, req
->op
.rename
.olddn
) == 0) {
1857 talloc_free(nc_root
);
1858 DEBUG(10,("acl:renaming/moving a NC\n"));
1859 /* Windows returns "ERR_UNWILLING_TO_PERFORM */
1860 return ldb_module_done(req
, NULL
, NULL
,
1861 LDB_ERR_UNWILLING_TO_PERFORM
);
1864 /* special check for undelete operation */
1865 is_undelete
= ldb_request_get_control(req
, DSDB_CONTROL_RESTORE_TOMBSTONE_OID
);
1866 if (is_undelete
!= NULL
) {
1867 is_undelete
->critical
= 0;
1868 ret
= acl_check_reanimate_tombstone(tmp_ctx
, module
, req
, nc_root
);
1869 if (ret
!= LDB_SUCCESS
) {
1870 talloc_free(tmp_ctx
);
1874 talloc_free(nc_root
);
1876 /* Look for the parent */
1878 ret
= dsdb_module_search_dn(module
, tmp_ctx
, &acl_res
,
1879 req
->op
.rename
.olddn
, acl_attrs
,
1880 DSDB_FLAG_NEXT_MODULE
|
1881 DSDB_FLAG_AS_SYSTEM
|
1882 DSDB_SEARCH_SHOW_RECYCLED
, req
);
1883 /* we sould be able to find the parent */
1884 if (ret
!= LDB_SUCCESS
) {
1885 DEBUG(10,("acl: failed to find object %s\n",
1886 ldb_dn_get_linearized(req
->op
.rename
.olddn
)));
1887 talloc_free(tmp_ctx
);
1891 ret
= dsdb_get_sd_from_ldb_message(ldb
, req
, acl_res
->msgs
[0], &sd
);
1892 if (ret
!= LDB_SUCCESS
) {
1893 talloc_free(tmp_ctx
);
1894 return ldb_operr(ldb
);
1897 talloc_free(tmp_ctx
);
1898 return ldb_operr(ldb
);
1901 schema
= dsdb_get_schema(ldb
, acl_res
);
1903 talloc_free(tmp_ctx
);
1904 return ldb_operr(ldb
);
1907 sid
= samdb_result_dom_sid(req
, acl_res
->msgs
[0], "objectSid");
1909 objectclass
= dsdb_get_structural_oc_from_msg(schema
, acl_res
->msgs
[0]);
1911 talloc_free(tmp_ctx
);
1912 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
1913 "acl_modify: Error retrieving object class for GUID.");
1916 attr
= dsdb_attribute_by_lDAPDisplayName(schema
, "name");
1918 talloc_free(tmp_ctx
);
1919 return ldb_operr(ldb
);
1922 ret
= acl_check_access_on_attribute(module
, tmp_ctx
, sd
, sid
,
1925 if (ret
!= LDB_SUCCESS
) {
1926 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
1927 "Object %s has no wp on %s\n",
1928 ldb_dn_get_linearized(req
->op
.rename
.olddn
),
1929 attr
->lDAPDisplayName
);
1931 acl_user_token(module
),
1932 req
->op
.rename
.olddn
,
1935 talloc_free(tmp_ctx
);
1936 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
1939 rdn_name
= ldb_dn_get_rdn_name(req
->op
.rename
.olddn
);
1940 if (rdn_name
== NULL
) {
1941 talloc_free(tmp_ctx
);
1942 return ldb_operr(ldb
);
1945 attr
= dsdb_attribute_by_lDAPDisplayName(schema
, rdn_name
);
1947 talloc_free(tmp_ctx
);
1948 return ldb_operr(ldb
);
1951 ret
= acl_check_access_on_attribute(module
, tmp_ctx
, sd
, sid
,
1954 if (ret
!= LDB_SUCCESS
) {
1955 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
1956 "Object %s has no wp on %s\n",
1957 ldb_dn_get_linearized(req
->op
.rename
.olddn
),
1958 attr
->lDAPDisplayName
);
1960 acl_user_token(module
),
1961 req
->op
.rename
.olddn
,
1964 talloc_free(tmp_ctx
);
1965 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
1968 if (ldb_dn_compare(oldparent
, newparent
) == 0) {
1969 /* regular rename, not move, nothing more to do */
1970 talloc_free(tmp_ctx
);
1971 return ldb_next_request(module
, req
);
1974 /* new parent should have create child */
1975 ret
= dsdb_module_check_access_on_dn(module
, req
, newparent
,
1976 SEC_ADS_CREATE_CHILD
,
1977 &objectclass
->schemaIDGUID
, req
);
1978 if (ret
!= LDB_SUCCESS
) {
1979 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
1980 "acl:access_denied renaming %s",
1981 ldb_dn_get_linearized(req
->op
.rename
.olddn
));
1982 talloc_free(tmp_ctx
);
1986 /* do we have delete object on the object? */
1987 /* this access is not necessary for undelete ops */
1988 if (is_undelete
== NULL
) {
1989 ret
= acl_check_access_on_objectclass(module
, tmp_ctx
, sd
, sid
,
1992 if (ret
== LDB_SUCCESS
) {
1993 talloc_free(tmp_ctx
);
1994 return ldb_next_request(module
, req
);
1996 /* what about delete child on the current parent */
1997 ret
= dsdb_module_check_access_on_dn(module
, req
, oldparent
,
1998 SEC_ADS_DELETE_CHILD
,
1999 &objectclass
->schemaIDGUID
,
2001 if (ret
!= LDB_SUCCESS
) {
2002 ldb_asprintf_errstring(ldb_module_get_ctx(module
),
2003 "acl:access_denied renaming %s", ldb_dn_get_linearized(req
->op
.rename
.olddn
));
2004 talloc_free(tmp_ctx
);
2005 return ldb_module_done(req
, NULL
, NULL
, ret
);
2008 talloc_free(tmp_ctx
);
2010 return ldb_next_request(module
, req
);
2013 static int acl_search_update_confidential_attrs(struct acl_context
*ac
,
2014 struct acl_private
*data
)
2016 struct dsdb_attribute
*a
;
2019 if (data
->acl_search
) {
2021 * If acl:search is activated, the acl_read module
2022 * protects confidential attributes.
2027 if ((ac
->schema
== data
->cached_schema_ptr
) &&
2028 (ac
->schema
->metadata_usn
== data
->cached_schema_metadata_usn
))
2033 data
->cached_schema_ptr
= NULL
;
2034 data
->cached_schema_loaded_usn
= 0;
2035 data
->cached_schema_metadata_usn
= 0;
2036 TALLOC_FREE(data
->confidential_attrs
);
2038 if (ac
->schema
== NULL
) {
2042 for (a
= ac
->schema
->attributes
; a
; a
= a
->next
) {
2043 const char **attrs
= data
->confidential_attrs
;
2045 if (!(a
->searchFlags
& SEARCH_FLAG_CONFIDENTIAL
)) {
2049 attrs
= talloc_realloc(data
, attrs
, const char *, n
+ 2);
2050 if (attrs
== NULL
) {
2051 TALLOC_FREE(data
->confidential_attrs
);
2052 return ldb_module_oom(ac
->module
);
2055 attrs
[n
] = a
->lDAPDisplayName
;
2059 data
->confidential_attrs
= attrs
;
2062 data
->cached_schema_ptr
= ac
->schema
;
2063 data
->cached_schema_metadata_usn
= ac
->schema
->metadata_usn
;
2068 static int acl_search_callback(struct ldb_request
*req
, struct ldb_reply
*ares
)
2070 struct acl_context
*ac
;
2071 struct acl_private
*data
;
2072 struct ldb_result
*acl_res
;
2073 static const char *acl_attrs
[] = {
2075 "nTSecurityDescriptor",
2082 ac
= talloc_get_type(req
->context
, struct acl_context
);
2083 data
= talloc_get_type(ldb_module_get_private(ac
->module
), struct acl_private
);
2085 return ldb_module_done(ac
->req
, NULL
, NULL
,
2086 LDB_ERR_OPERATIONS_ERROR
);
2088 if (ares
->error
!= LDB_SUCCESS
) {
2089 return ldb_module_done(ac
->req
, ares
->controls
,
2090 ares
->response
, ares
->error
);
2093 switch (ares
->type
) {
2094 case LDB_REPLY_ENTRY
:
2095 if (ac
->constructed_attrs
) {
2096 ret
= dsdb_module_search_dn(ac
->module
, ac
, &acl_res
, ares
->message
->dn
,
2098 DSDB_FLAG_NEXT_MODULE
|
2099 DSDB_FLAG_AS_SYSTEM
|
2100 DSDB_SEARCH_SHOW_RECYCLED
,
2102 if (ret
!= LDB_SUCCESS
) {
2103 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
2107 if (ac
->allowedAttributes
|| ac
->allowedAttributesEffective
) {
2108 ret
= acl_allowedAttributes(ac
->module
, ac
->schema
,
2111 if (ret
!= LDB_SUCCESS
) {
2112 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
2116 if (ac
->allowedChildClasses
) {
2117 ret
= acl_childClasses(ac
->module
, ac
->schema
,
2120 "allowedChildClasses");
2121 if (ret
!= LDB_SUCCESS
) {
2122 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
2126 if (ac
->allowedChildClassesEffective
) {
2127 ret
= acl_childClassesEffective(ac
->module
, ac
->schema
,
2130 if (ret
!= LDB_SUCCESS
) {
2131 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
2135 if (ac
->sDRightsEffective
) {
2136 ret
= acl_sDRightsEffective(ac
->module
,
2139 if (ret
!= LDB_SUCCESS
) {
2140 return ldb_module_done(ac
->req
, NULL
, NULL
, ret
);
2145 return ldb_module_send_entry(ac
->req
, ares
->message
,
2149 if (ac
->am_system
) {
2150 return ldb_module_send_entry(ac
->req
, ares
->message
,
2154 if (data
->password_attrs
!= NULL
) {
2155 for (i
= 0; data
->password_attrs
[i
]; i
++) {
2156 if ((!ac
->userPassword
) &&
2157 (ldb_attr_cmp(data
->password_attrs
[i
],
2158 "userPassword") == 0))
2163 ldb_msg_remove_attr(ares
->message
, data
->password_attrs
[i
]);
2167 if (ac
->am_administrator
) {
2168 return ldb_module_send_entry(ac
->req
, ares
->message
,
2172 ret
= acl_search_update_confidential_attrs(ac
, data
);
2173 if (ret
!= LDB_SUCCESS
) {
2177 if (data
->confidential_attrs
!= NULL
) {
2178 for (i
= 0; data
->confidential_attrs
[i
]; i
++) {
2179 ldb_msg_remove_attr(ares
->message
,
2180 data
->confidential_attrs
[i
]);
2184 return ldb_module_send_entry(ac
->req
, ares
->message
, ares
->controls
);
2186 case LDB_REPLY_REFERRAL
:
2187 return ldb_module_send_referral(ac
->req
, ares
->referral
);
2189 case LDB_REPLY_DONE
:
2190 return ldb_module_done(ac
->req
, ares
->controls
,
2191 ares
->response
, LDB_SUCCESS
);
2197 static int acl_search(struct ldb_module
*module
, struct ldb_request
*req
)
2199 struct ldb_context
*ldb
;
2200 struct acl_context
*ac
;
2201 struct ldb_parse_tree
*down_tree
;
2202 struct ldb_request
*down_req
;
2203 struct acl_private
*data
;
2207 if (ldb_dn_is_special(req
->op
.search
.base
)) {
2208 return ldb_next_request(module
, req
);
2211 ldb
= ldb_module_get_ctx(module
);
2213 ac
= talloc_zero(req
, struct acl_context
);
2215 return ldb_oom(ldb
);
2217 data
= talloc_get_type(ldb_module_get_private(module
), struct acl_private
);
2219 ac
->module
= module
;
2221 ac
->am_system
= dsdb_module_am_system(module
);
2222 ac
->am_administrator
= dsdb_module_am_administrator(module
);
2223 ac
->constructed_attrs
= false;
2224 ac
->modify_search
= true;
2225 ac
->allowedAttributes
= ldb_attr_in_list(req
->op
.search
.attrs
, "allowedAttributes");
2226 ac
->allowedAttributesEffective
= ldb_attr_in_list(req
->op
.search
.attrs
, "allowedAttributesEffective");
2227 ac
->allowedChildClasses
= ldb_attr_in_list(req
->op
.search
.attrs
, "allowedChildClasses");
2228 ac
->allowedChildClassesEffective
= ldb_attr_in_list(req
->op
.search
.attrs
, "allowedChildClassesEffective");
2229 ac
->sDRightsEffective
= ldb_attr_in_list(req
->op
.search
.attrs
, "sDRightsEffective");
2230 ac
->userPassword
= true;
2231 ac
->schema
= dsdb_get_schema(ldb
, ac
);
2233 ac
->constructed_attrs
|= ac
->allowedAttributes
;
2234 ac
->constructed_attrs
|= ac
->allowedChildClasses
;
2235 ac
->constructed_attrs
|= ac
->allowedChildClassesEffective
;
2236 ac
->constructed_attrs
|= ac
->allowedAttributesEffective
;
2237 ac
->constructed_attrs
|= ac
->sDRightsEffective
;
2240 ac
->modify_search
= false;
2242 if (ac
->am_system
) {
2243 ac
->modify_search
= false;
2246 if (!ac
->constructed_attrs
&& !ac
->modify_search
) {
2248 return ldb_next_request(module
, req
);
2251 data
= talloc_get_type(ldb_module_get_private(ac
->module
), struct acl_private
);
2253 return ldb_error(ldb
, LDB_ERR_OPERATIONS_ERROR
,
2254 "acl_private data is missing");
2256 ac
->userPassword
= data
->userPassword_support
;
2258 ret
= acl_search_update_confidential_attrs(ac
, data
);
2259 if (ret
!= LDB_SUCCESS
) {
2263 down_tree
= ldb_parse_tree_copy_shallow(ac
, req
->op
.search
.tree
);
2264 if (down_tree
== NULL
) {
2265 return ldb_oom(ldb
);
2268 if (!ac
->am_system
&& data
->password_attrs
) {
2269 for (i
= 0; data
->password_attrs
[i
]; i
++) {
2270 if ((!ac
->userPassword
) &&
2271 (ldb_attr_cmp(data
->password_attrs
[i
],
2272 "userPassword") == 0))
2277 ldb_parse_tree_attr_replace(down_tree
,
2278 data
->password_attrs
[i
],
2279 "kludgeACLredactedattribute");
2283 if (!ac
->am_system
&& !ac
->am_administrator
&& data
->confidential_attrs
) {
2284 for (i
= 0; data
->confidential_attrs
[i
]; i
++) {
2285 ldb_parse_tree_attr_replace(down_tree
,
2286 data
->confidential_attrs
[i
],
2287 "kludgeACLredactedattribute");
2291 ret
= ldb_build_search_req_ex(&down_req
,
2293 req
->op
.search
.base
,
2294 req
->op
.search
.scope
,
2296 req
->op
.search
.attrs
,
2298 ac
, acl_search_callback
,
2300 LDB_REQ_SET_LOCATION(down_req
);
2301 if (ret
!= LDB_SUCCESS
) {
2304 /* perform the search */
2305 return ldb_next_request(module
, down_req
);
2308 static int acl_extended(struct ldb_module
*module
, struct ldb_request
*req
)
2310 struct ldb_context
*ldb
= ldb_module_get_ctx(module
);
2311 struct ldb_control
*as_system
= ldb_request_get_control(req
, LDB_CONTROL_AS_SYSTEM_OID
);
2313 /* allow everybody to read the sequence number */
2314 if (strcmp(req
->op
.extended
.oid
,
2315 LDB_EXTENDED_SEQUENCE_NUMBER
) == 0) {
2316 return ldb_next_request(module
, req
);
2319 if (dsdb_module_am_system(module
) ||
2320 dsdb_module_am_administrator(module
) || as_system
) {
2321 return ldb_next_request(module
, req
);
2323 ldb_asprintf_errstring(ldb
,
2325 "attempted database modify not permitted. "
2326 "User %s is not SYSTEM or an administrator",
2327 acl_user_name(req
, module
));
2328 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS
;
2332 static const struct ldb_module_ops ldb_acl_module_ops
= {
2334 .search
= acl_search
,
2336 .modify
= acl_modify
,
2338 .rename
= acl_rename
,
2339 .extended
= acl_extended
,
2340 .init_context
= acl_module_init
2343 int ldb_acl_module_init(const char *version
)
2345 LDB_MODULE_CHECK_VERSION(version
);
2346 return ldb_register_module(&ldb_acl_module_ops
);