s4/rodc: RODC FAS initial implementation
authorAnatoliy Atanasov <anatoliy.atanasov@postpath.com>
Mon, 26 Apr 2010 06:56:59 +0000 (09:56 +0300)
committerAnatoliy Atanasov <anatoliy.atanasov@postpath.com>
Thu, 29 Apr 2010 07:18:06 +0000 (10:18 +0300)
source4/dsdb/common/util.c
source4/dsdb/samdb/ldb_modules/extended_dn_out.c
source4/dsdb/samdb/ldb_modules/util.c
source4/rpc_server/drsuapi/getncchanges.c

index 42619b9692096cd4f75e687487e692e2bb6377a2..e4e55fc530fe17248a3499cf41a4ae1c2051c79d 100644 (file)
@@ -41,6 +41,7 @@
 #include "lib/util/tsort.h"
 #include "dsdb/common/util.h"
 #include "lib/socket/socket.h"
+#include "dsdb/samdb/ldb_modules/util.h"
 
 /*
   search the sam for the specified attributes in a specific domain, filter on
@@ -3752,3 +3753,30 @@ int dsdb_validate_dsa_guid(struct ldb_context *ldb,
        talloc_free(tmp_ctx);
        return LDB_SUCCESS;
 }
+
+const char *rodc_fas_list[] = {"ms-PKI-DPAPIMasterKeys",
+                              "ms-PKI-AccountCredentials",
+                              "ms-PKI-RoamingTimeStamp",
+                              "ms-FVE-KeyPackage",
+                              "ms-FVE-RecoveryGuid",
+                              "ms-FVE-RecoveryInformation",
+                              "ms-FVE-RecoveryPassword",
+                              "ms-FVE-VolumeGuid",
+                              "ms-TPM-OwnerInformation",
+                              NULL};
+/*
+  check if the attribute belongs to the RODC filtered attribute set
+*/
+bool dsdb_attr_in_rodc_fas(uint32_t replica_flags, const struct dsdb_attribute *sa)
+{
+       int rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
+       bool drs_write_replica = ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0);
+
+       if (drs_write_replica && (sa->searchFlags & rodc_filtered_flags)) {
+               return true;
+       }
+       if (drs_write_replica && is_attr_in_list(rodc_fas_list, sa->cn)) {
+               return true;
+       }
+       return false;
+}
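Review bot: The local `drs_write_replica` on the second line of the function body is true exactly when DRSUAPI_DRS_WRIT_REP is *absent* from replica_flags, i.e. when the destination is an RODC, so its name states the opposite of what it holds and both conditions below it read as "filter when the replica is writable". A guard clause says what is meant and drops the repeated test: `if (replica_flags & DRSUAPI_DRS_WRIT_REP) { return false; }` followed by `return (sa->searchFlags & rodc_filtered_flags) || is_attr_in_list(rodc_fas_list, sa->cn);`. Because this predicate is the gate that keeps secret-bearing attributes out of RODC replication, the table `rodc_fas_list` should also be immutable and, unless another translation unit references it, file-local: `static const char * const rodc_fas_list[]`. The entries are matched against `sa->cn` rather than the lDAPDisplayName, which looks deliberate given the hyphenated spellings, but a comment on the table stating that the names are attribute CNs would spare the next reader that check.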
index f28ad8e12fcfdb62ce2a62ccc69b4b8cf12c74af..39af87091cccf165b10d4d3e8f7f8a28eabe9e50 100644 (file)
@@ -40,6 +40,7 @@
 #include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/ndr/libndr.h"
 #include "dsdb/samdb/samdb.h"
+#include "util.h"
 
 struct extended_dn_out_private {
        bool dereference;
@@ -47,18 +48,6 @@ struct extended_dn_out_private {
        struct dsdb_openldap_dereference_control *dereference_control;
 };
 
-static bool is_attr_in_list(const char * const * attrs, const char *attr)
-{
-       unsigned int i;
-
-       for (i = 0; attrs[i]; i++) {
-               if (ldb_attr_cmp(attrs[i], attr) == 0)
-                       return true;
-       }
-
-       return false;
-}
-
 static char **copy_attrs(void *mem_ctx, const char * const * attrs)
 {
        char **nattrs;
index 7913ac8049b8a5fb0f4afabfada15be7f95ff197..18631c4350343f300fae7d0acffe7f6dd64b3898 100644 (file)
@@ -826,3 +826,15 @@ int dsdb_recyclebin_enabled(struct ldb_module *module, bool *enabled)
        talloc_free(partitions_dn);
        return LDB_SUCCESS;
 }
+
+bool is_attr_in_list(const char * const * attrs, const char *attr)
+{
+       unsigned int i;
+
+       for (i = 0; attrs[i]; i++) {
+               if (ldb_attr_cmp(attrs[i], attr) == 0)
+                       return true;
+       }
+
+       return false;
+}
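Review bot: `is_attr_in_list` becomes an exported, unprefixed symbol in ldb_modules/util.c, while the neighbouring helper visible in the hunk header (`dsdb_recyclebin_enabled`) carries the file's `dsdb_` prefix, so the generic name is easy to collide with and hard to attribute in a link map; a prefixed name such as `dsdb_attr_in_list` would match the file's convention. Now that it is public it also has no contract comment; I would add above the definition `/* Return true if attr matches, by ldb_attr_cmp(), any entry of the NULL-terminated array attrs. attrs must not be NULL. */`. The matching declaration presumably added to util.h is not part of this diff, so its prototype cannot be checked here.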
index df8305e155a4a03514b00e6c21cd219b8fe76485..354ebf0f852087061c956d60ee6906f2b91e2848 100644 (file)
@@ -105,7 +105,6 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
        const char *rdn;
        const struct dsdb_attribute *rdn_sa;
        unsigned int instanceType;
-       int rodc_filtered_flags;
 
        instanceType = ldb_msg_find_attr_as_uint(msg, "instanceType", 0);
        if (instanceType & INSTANCE_TYPE_IS_NC_HEAD) {
@@ -206,19 +205,19 @@ static WERROR get_nc_changes_build_object(struct drsuapi_DsReplicaObjectListItem
                        continue;
                }
 
-               /* if the recipient is a RODC, then we should not add any
-               * RODC filtered attribute */
-               /* TODO: This is not strictly correct, as it doesn't allow for administrators
-                  to setup some users to transfer passwords to specific RODCs. To support that
-                  we would instead remove this check and rely on extended ACL checking in the dsdb
-                  acl module. */
-               rodc_filtered_flags = SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL;
-               if ((replica_flags & DRSUAPI_DRS_WRIT_REP) == 0 &&
-                   (sa->searchFlags & rodc_filtered_flags)) {
+               /*
+                * If the recipient is a RODC, then we should not add any
+                * RODC filtered attribute
+                *
+                * TODO: This is not strictly correct, as it doesn't allow for administrators
+                * to setup some users to transfer passwords to specific RODCs. To support that
+                * we would instead remove this check and rely on extended ACL checking in the dsdb
+                * acl module.
+                */
+               if (dsdb_attr_in_rodc_fas(replica_flags, sa)) {
                        continue;
                }
 
-
                obj->meta_data_ctr->meta_data[n].originating_change_time = md.ctr.ctr1.array[i].originating_change_time;
                obj->meta_data_ctr->meta_data[n].version = md.ctr.ctr1.array[i].version;
                obj->meta_data_ctr->meta_data[n].originating_invocation_id = md.ctr.ctr1.array[i].originating_invocation_id;
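Review bot: The policy comment and its TODO are re-flowed at the call site, but the policy itself now lives in dsdb_attr_in_rodc_fas in source4/dsdb/common/util.c, so a reader of that function sees none of this context while the call site keeps rationale it no longer implements. I would move the TODO paragraph to the definition and leave a one-line pointer here: `/* RODC recipients never receive attributes in the filtered attribute set, see dsdb_attr_in_rodc_fas() */`. get_nc_changes_build_object starts outside the hunk, so whether anything else in it still depends on the removed local cannot be confirmed from the diff.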