4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 * Component: ldb kludge ACL module
27 * Description: Simple module to enforce a simple form of access
28 * control, sufficient for securing a default Samba4
31 * Author: Andrew Bartlett
35 #include "ldb/include/ldb.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "auth/auth.h"
39 #include "libcli/security/security.h"
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
56 struct kludge_private_data {
57 const char **password_attrs;
60 static enum user_is what_is_user(struct ldb_module *module)
62 struct auth_session_info *session_info
63 = ldb_get_opaque(module->ldb, "sessionInfo");
68 if (security_token_is_system(session_info->security_token)) {
72 if (security_token_is_anonymous(session_info->security_token)) {
76 if (security_token_has_builtin_administrators(session_info->security_token)) {
80 if (security_token_has_nt_authenticated_users(session_info->security_token)) {
87 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
89 struct auth_session_info *session_info
90 = ldb_get_opaque(module->ldb, "sessionInfo");
92 return "UNKNOWN (NULL)";
95 return talloc_asprintf(mem_ctx, "%s\\%s",
96 session_info->server_info->domain_name,
97 session_info->server_info->account_name);
101 struct kludge_acl_context {
103 struct ldb_module *module;
105 int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
107 enum user_is user_type;
110 static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
112 struct kludge_acl_context *ac;
113 struct kludge_private_data *data;
116 if (!context || !ares) {
117 ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
121 ac = talloc_get_type(context, struct kludge_acl_context);
122 data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
124 if (ares->type == LDB_REPLY_ENTRY
125 && data->password_attrs) /* if we are not initialized just get through */
127 switch (ac->user_type) {
132 /* remove password attributes */
133 for (i = 0; data->password_attrs[i]; i++) {
134 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
139 return ac->up_callback(ldb, ac->up_context, ares);
143 return LDB_ERR_OPERATIONS_ERROR;
146 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
148 struct kludge_acl_context *ac;
149 struct ldb_request *down_req;
154 ac = talloc(req, struct kludge_acl_context);
156 return LDB_ERR_OPERATIONS_ERROR;
160 ac->up_context = req->context;
161 ac->up_callback = req->callback;
162 ac->user_type = what_is_user(module);
164 down_req = talloc_zero(req, struct ldb_request);
165 if (down_req == NULL) {
166 return LDB_ERR_OPERATIONS_ERROR;
169 down_req->operation = req->operation;
170 down_req->op.search.base = req->op.search.base;
171 down_req->op.search.scope = req->op.search.scope;
172 down_req->op.search.tree = req->op.search.tree;
173 down_req->op.search.attrs = req->op.search.attrs;
175 down_req->controls = req->controls;
177 down_req->context = ac;
178 down_req->callback = kludge_acl_callback;
179 ldb_set_timeout_from_prev_req(module->ldb, req, down_req);
181 /* perform the search */
182 ret = ldb_next_request(module, down_req);
184 /* do not free down_req as the call results may be linked to it,
185 * it will be freed when the upper level request get freed */
186 if (ret == LDB_SUCCESS) {
187 req->handle = down_req->handle;
193 /* ANY change type */
194 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req)
196 enum user_is user_type = what_is_user(module);
200 return ldb_next_request(module, req);
202 ldb_set_errstring(module->ldb,
203 talloc_asprintf(req, "kludge_acl_change: "
204 "attempted database modify not permitted. User %s is not SYSTEM or an administrator",
205 user_name(req, module)));
206 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
210 static int kludge_acl_init(struct ldb_module *module)
213 TALLOC_CTX *mem_ctx = talloc_new(module);
214 static const char *attrs[] = { "passwordAttribute", NULL };
215 struct ldb_result *res;
216 struct ldb_message *msg;
217 struct ldb_message_element *password_attributes;
219 struct kludge_private_data *data;
221 data = talloc(module, struct kludge_private_data);
223 return LDB_ERR_OPERATIONS_ERROR;
226 data->password_attrs = NULL;
227 module->private_data = data;
230 return LDB_ERR_OPERATIONS_ERROR;
233 ret = ldb_search(module->ldb, ldb_dn_explode(mem_ctx, "@KLUDGEACL"),
237 if (ret != LDB_SUCCESS) {
240 talloc_steal(mem_ctx, res);
241 if (res->count == 0) {
245 if (res->count > 1) {
246 talloc_free(mem_ctx);
247 return LDB_ERR_CONSTRAINT_VIOLATION;
252 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
253 if (!password_attributes) {
256 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
257 if (!data->password_attrs) {
258 talloc_free(mem_ctx);
259 return LDB_ERR_OPERATIONS_ERROR;
261 for (i=0; i < password_attributes->num_values; i++) {
262 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
263 talloc_steal(data->password_attrs, password_attributes->values[i].data);
265 data->password_attrs[i] = NULL;
268 talloc_free(mem_ctx);
269 return ldb_next_init(module);
272 static const struct ldb_module_ops kludge_acl_ops = {
273 .name = "kludge_acl",
274 .search = kludge_acl_search,
275 .add = kludge_acl_change,
276 .modify = kludge_acl_change,
277 .del = kludge_acl_change,
278 .rename = kludge_acl_change,
279 .init_context = kludge_acl_init
282 int ldb_kludge_acl_init(void)
284 return ldb_register_module(&kludge_acl_ops);