4 Copyright (C) Andrew Bartlett 2005
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 * Component: ldb kludge ACL module
26 * Description: Simple module to enforce a simple form of access
27 * control, sufficient for securing a default Samba4
30 * Author: Andrew Bartlett
34 #include "ldb/include/ldb.h"
35 #include "ldb/include/ldb_errors.h"
36 #include "ldb/include/ldb_private.h"
37 #include "auth/auth.h"
41 * - System can read passwords
42 * - Administrators can write anything
43 * - Users can read anything that is not a password
54 struct kludge_private_data {
55 const char **password_attrs;
58 static enum user_is what_is_user(struct ldb_module *module)
60 struct auth_session_info *session_info
61 = ldb_get_opaque(module->ldb, "sessionInfo");
66 if (is_system_token(session_info->security_token)) {
70 if (is_administrator_token(session_info->security_token)) {
73 if (is_authenticated_token(session_info->security_token)) {
76 if (is_anonymous_token(session_info->security_token)) {
82 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
84 struct auth_session_info *session_info
85 = ldb_get_opaque(module->ldb, "sessionInfo");
87 return "UNKNOWN (NULL)";
90 return talloc_asprintf(mem_ctx, "%s\\%s",
91 session_info->server_info->domain_name,
92 session_info->server_info->account_name);
97 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
99 struct kludge_private_data *data = talloc_get_type(module->private_data, struct kludge_private_data);
100 struct ldb_message *msg;
101 enum user_is user_type;
104 /* go down the path and wait for reply to filter out stuff if needed */
105 ret = ldb_next_request(module, req);
107 /* We may not be fully initialised yet, or we might have just
109 if (ret != LDB_SUCCESS || !data->password_attrs) {
113 user_type = what_is_user(module);
119 /* For every message, remove password attributes */
120 for (i=0; i < req->op.search.res->count; i++) {
121 msg = req->op.search.res->msgs[i];
122 for (j=0; data->password_attrs[j]; j++) {
123 ldb_msg_remove_attr(msg, data->password_attrs[j]);
130 /* ANY change type */
131 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req){
132 enum user_is user_type = what_is_user(module);
136 return ldb_next_request(module, req);
138 ldb_set_errstring(module,
139 talloc_asprintf(req, "kludge_acl_change: "
140 "attempted database modify not permitted. User %s is not SYSTEM or an administrator",
141 user_name(req, module)));
142 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
146 /* start a transaction */
147 static int kludge_acl_start_trans(struct ldb_module *module)
149 return ldb_next_start_trans(module);
152 /* end a transaction */
153 static int kludge_acl_end_trans(struct ldb_module *module)
155 return ldb_next_end_trans(module);
158 /* delete a transaction */
159 static int kludge_acl_del_trans(struct ldb_module *module)
161 return ldb_next_del_trans(module);
164 static int kludge_acl_request(struct ldb_module *module, struct ldb_request *req)
166 switch (req->operation) {
169 return kludge_acl_search(module, req);
170 case LDB_REQ_REGISTER:
171 return ldb_next_request(module, req);
173 /* anything else must be a change of some kind */
174 return kludge_acl_change(module, req);
178 static int kludge_acl_init_2(struct ldb_module *module)
181 TALLOC_CTX *mem_ctx = talloc_new(module);
182 const char *attrs[] = { "attribute", NULL };
183 struct ldb_result *res;
184 struct ldb_message *msg;
185 struct ldb_message_element *password_attributes;
187 struct kludge_private_data *data = talloc_get_type(module->private_data, struct kludge_private_data);
188 data->password_attrs = NULL;
191 return LDB_ERR_OPERATIONS_ERROR;
194 ret = ldb_search(module->ldb, ldb_dn_explode(mem_ctx, "@KLUDGEACL"),
198 if (ret != LDB_SUCCESS) {
199 talloc_free(mem_ctx);
202 talloc_steal(mem_ctx, res);
203 if (res->count == 0) {
204 talloc_free(mem_ctx);
205 data->password_attrs = NULL;
209 if (res->count > 1) {
210 talloc_free(mem_ctx);
211 return LDB_ERR_CONSTRAINT_VIOLATION;
216 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
217 if (!password_attributes) {
218 talloc_free(mem_ctx);
221 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
222 if (!data->password_attrs) {
223 talloc_free(mem_ctx);
224 return LDB_ERR_OPERATIONS_ERROR;
226 for (i=0; i < password_attributes->num_values; i++) {
227 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
228 talloc_steal(data->password_attrs, password_attributes->values[i].data);
230 data->password_attrs[i] = NULL;
231 talloc_free(mem_ctx);
235 static const struct ldb_module_ops kludge_acl_ops = {
236 .name = "kludge_acl",
237 .request = kludge_acl_request,
238 .start_transaction = kludge_acl_start_trans,
239 .end_transaction = kludge_acl_end_trans,
240 .del_transaction = kludge_acl_del_trans,
241 .second_stage_init = kludge_acl_init_2
244 struct ldb_module *kludge_acl_module_init(struct ldb_context *ldb, const char *options[])
246 struct ldb_module *ctx;
247 struct kludge_private_data *data;
249 ctx = talloc(ldb, struct ldb_module);
253 data = talloc(ctx, struct kludge_private_data);
259 data->password_attrs = NULL;
260 ctx->private_data = data;
263 ctx->prev = ctx->next = NULL;
264 ctx->ops = &kludge_acl_ops;