LDB/s4 - deny the "(dn=...)" syntax on search filters when in AD mode
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Wed, 26 Oct 2011 07:47:35 +0000 (09:47 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Sun, 25 Mar 2012 22:57:29 +0000 (00:57 +0200)
Achieve this by introducing a "disallowDNFilter" flag.

Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
lib/ldb/ldb_tdb/ldb_cache.c
lib/ldb/ldb_tdb/ldb_index.c
lib/ldb/ldb_tdb/ldb_tdb.h
source4/setup/provision_init.ldif

index 0b93021..6467af1 100644 (file)
@@ -346,11 +346,17 @@ int ltdb_cache_load(struct ldb_module *module)
                goto failed;
        }
        
-       /* set flag for checking base DN on searches */
+       /* set flags if they do exist */
        if (r == LDB_SUCCESS) {
-               ltdb->check_base = ldb_msg_find_attr_as_bool(options, LTDB_CHECK_BASE, false);
+               ltdb->check_base = ldb_msg_find_attr_as_bool(options,
+                                                            LTDB_CHECK_BASE,
+                                                            false);
+               ltdb->disallow_dn_filter = ldb_msg_find_attr_as_bool(options,
+                                                                    LTDB_DISALLOW_DN_FILTER,
+                                                                    false);
        } else {
                ltdb->check_base = false;
+               ltdb->disallow_dn_filter = false;
        }
 
        talloc_free(ltdb->cache->indexlist);
index 24cc93f..a3848ed 100644 (file)
@@ -510,6 +510,15 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
                              const struct ldb_message *index_list,
                              struct dn_list *list)
 {
+       struct ltdb_private *ltdb = talloc_get_type(ldb_module_get_private(module),
+                                                   struct ltdb_private);
+       if (ltdb->disallow_dn_filter &&
+           (ldb_attr_cmp(tree->u.equality.attr, "dn") == 0)) {
+               /* in AD mode we do not support "(dn=...)" search filters */
+               list->dn = NULL;
+               list->count = 0;
+               return LDB_SUCCESS;
+       }
        if (ldb_attr_dn(tree->u.equality.attr) == 0) {
                list->dn = talloc_array(list, struct ldb_val, 1);
                if (list->dn == NULL) {
index 29856bf..3b87b56 100644 (file)
@@ -26,6 +26,7 @@ struct ltdb_private {
        int in_transaction;
 
        bool check_base;
+       bool disallow_dn_filter;
        struct ltdb_idxptr *idxptr;
        bool prepared_commit;
        int read_lock_count;
@@ -62,6 +63,7 @@ struct ltdb_context {
 /* special attribute types */
 #define LTDB_SEQUENCE_NUMBER "sequenceNumber"
 #define LTDB_CHECK_BASE "checkBaseOnSearch"
+#define LTDB_DISALLOW_DN_FILTER "disallowDNFilter"
 #define LTDB_MOD_TIMESTAMP "whenChanged"
 #define LTDB_OBJECTCLASS "objectClass"
 
index d9ec286..68b3d97 100644 (file)
@@ -20,6 +20,7 @@ passwordAttribute: initialAuthIncoming
 
 dn: @OPTIONS
 checkBaseOnSearch: TRUE
+disallowDNFilter: TRUE
 
 dn: @SAMBA_DSDB
 backendType: ${BACKEND_TYPE}