From 5aa2195ec26d9ddf82e51f2b242cdf7c8ab52f52 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 9 Jan 2007 03:45:50 +0000 Subject: [PATCH] r20622: Add in a hack to avoid permitting searches on the value of protected attributes. Andrew Bartlett --- source/dsdb/samdb/ldb_modules/kludge_acl.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/source/dsdb/samdb/ldb_modules/kludge_acl.c b/source/dsdb/samdb/ldb_modules/kludge_acl.c index 176cfbf3a5f..7b2150bec8e 100644 --- a/source/dsdb/samdb/ldb_modules/kludge_acl.c +++ b/source/dsdb/samdb/ldb_modules/kludge_acl.c @@ -147,7 +147,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) { struct kludge_acl_context *ac; struct ldb_request *down_req; - int ret; + struct kludge_private_data *data; + int ret, i; req->handle = NULL; @@ -156,6 +157,8 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) return LDB_ERR_OPERATIONS_ERROR; } + data = talloc_get_type(module->private_data, struct kludge_private_data); + ac->module = module; ac->up_context = req->context; ac->up_callback = req->callback; @@ -172,6 +175,25 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req) down_req->op.search.tree = req->op.search.tree; down_req->op.search.attrs = req->op.search.attrs; + + /* FIXME: I hink we should copy the tree and keep the original + * unmodified. SSS */ + /* replace any attributes in the parse tree that are private, + so we don't allow a search for 'sambaPassword=penguin', + just as we would not allow that attribute to be returned */ + switch (ac->user_type) { + case SYSTEM: + case ADMINISTRATOR: + break; + default: + /* remove password attributes */ + for (i = 0; data && data->password_attrs && data->password_attrs[i]; i++) { + ldb_parse_tree_attr_replace(down_req->op.search.tree, + data->password_attrs[i], + "kludgeACLredactedattribute"); + } + } + down_req->controls = req->controls; down_req->context = ac; -- 2.11.4.GIT