#include "lib/util/tsort.h"
#include "dsdb/common/util.h"
#include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
/*
search the sam for the specified attributes in a specific domain, filter on
talloc_free(tmp_ctx);
return LDB_SUCCESS;
}
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+ "ms-PKI-AccountCredentials",
+ "ms-PKI-RoamingTimeStamp",
+ "ms-FVE-KeyPackage",
+ "ms-FVE-RecoveryGuid",
+ "ms-FVE-RecoveryInformation",
+ "ms-FVE-RecoveryPassword",
+ "ms-FVE-VolumeGuid",
+ "ms-TPM-OwnerInformation",
+ NULL};
+/*
+ check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+ int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+ bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+ if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+ return true;
+ }
+ if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+ return true;
+ }
+ return false;
+}
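Review bot: The local `drs_write_replica` on the second line of dsdb_attr_in_rodc_fas is true exactly when DRSUAPI_DRS_WRIT_REP is clear, i.e. when the recipient is not a writable replica, so the two conditions below read as "filter when this is a write replica", the opposite of what the comment above the function and the caller's comment describe. Naming it for what it means and bailing out early removes the repeated test: `bool rodc_recipient = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);` followed by `if (!rodc_recipient) { return false; }`, after which the searchFlags test and the is_attr_in_list() test can stand alone. The filtered-attribute table `rodc_fas_list` is a mutable, externally linked array of pointers; unless another translation unit references it, `static const char * const rodc_fas_list[] = { ... };` keeps this secret-filtering list out of the global namespace and read-only, and it already matches the `const char * const *` parameter type is_attr_in_list() takes. The type of `rodc_filtered_flags` is `int` while `sa->searchFlags` is compared against it as a bit mask; an unsigned type (or a named enum/define) would avoid the signed/unsigned mix under -Wconversion.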
#include "librpc/gen_ndr/ndr_security.h"
#include "librpc/ndr/libndr.h"
#include "dsdb/samdb/samdb.h"
+#include "util.h"
struct extended_dn_out_private {
bool dereference;
struct dsdb_openldap_dereference_control *dereference_control;
};
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
- unsigned int i;
-
- for (i = 0; attrs[i]; i++) {
- if (ldb_attr_cmp(attrs[i], attr) == 0)
- return true;
- }
-
- return false;
-}
-
static char **copy_attrs(void *mem_ctx, const char * const * attrs)
{
char **nattrs;
talloc_free(partitions_dn);
return LDB_SUCCESS;
}
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+ unsigned int i;
+
+ for (i = 0; attrs[i]; i++) {
+ if (ldb_attr_cmp(attrs[i], attr) == 0)
+ return true;
+ }
+
+ return false;
+}
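Review bot: is_attr_in_list() is now exported (the `static` dropped when it moved out of extended_dn_out.c) under a very generic name, and it is called from two translation units, so a prototype has to exist in the header both files include (dsdb/samdb/ldb_modules/util.h here, util.h in the other file); that declaration is not part of this diff and should be confirmed, otherwise the call in dsdb_attr_in_rodc_fas relies on an implicit declaration. A module-prefixed name such as `bool dsdb_attr_in_list(const char * const * attrs, const char *attr)` would match the naming of the sibling `dsdb_attr_in_rodc_fas` and avoid colliding with other code in the tree. A one-line header comment stating the contract would help readers of the public symbol, e.g. `/* Return true if attr (compared case-insensitively via ldb_attr_cmp) appears in the NULL-terminated attrs array; attrs must not be NULL. */`.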
const char *rdn;
const struct dsdb_attribute *rdn_sa;
unsigned int instanceType;
- int rodc_filtered_flags;
instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
continue;
}
- /* if the recipient is a RODC, then we should not add any
- * RODC filtered attribute */
- /* TODO: This is not strictly correct, as it doesn't allow for administrators
- to setup some users to transfer passwords to specific RODCs. To support that
- we would instead remove this check and rely on extended ACL checking in the dsdb
- acl module. */
- rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
- if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
- (sa->searchFlags & rodc_filtered_flags)) {
+ /*
+ * If the recipient is a RODC, then we should not add any
+ * RODC filtered attribute
+ *
+ * TODO: This is not strictly correct, as it doesn't allow for administrators
+ * to setup some users to transfer passwords to specific RODCs. To support that
+ * we would instead remove this check and rely on extended ACL checking in the dsdb
+ * acl module.
+ */
+ if (dsdb_attr_in_rodc_fas(replica_flags, sa)) {
continue;
}
-
obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;