4 Copyright (C) Andrew Bartlett 2005
5 Copyright (C) Simo Sorce 2006
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
25 * Component: ldb kludge ACL module
27 * Description: Simple module to enforce a simple form of access
28 * control, sufficient for securing a default Samba4
31 * Author: Andrew Bartlett
35 #include "ldb/include/ldb.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb_private.h"
38 #include "auth/auth.h"
39 #include "libcli/security/proto.h"
43 * - System can read passwords
44 * - Administrators can write anything
45 * - Users can read anything that is not a password
56 struct kludge_private_data {
57 const char **password_attrs;
60 static enum user_is what_is_user(struct ldb_module *module)
62 struct auth_session_info *session_info
63 = ldb_get_opaque(module->ldb, "sessionInfo");
68 if (security_token_is_system(session_info->security_token)) {
72 if (security_token_is_anonymous(session_info->security_token)) {
76 if (security_token_has_builtin_administrators(session_info->security_token)) {
80 if (security_token_has_nt_authenticated_users(session_info->security_token)) {
87 static const char *user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
89 struct auth_session_info *session_info
90 = ldb_get_opaque(module->ldb, "sessionInfo");
92 return "UNKNOWN (NULL)";
95 return talloc_asprintf(mem_ctx, "%s\\%s",
96 session_info->server_info->domain_name,
97 session_info->server_info->account_name);
101 static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
103 struct kludge_private_data *data = talloc_get_type(module->private_data, struct kludge_private_data);
104 struct ldb_message *msg;
105 enum user_is user_type;
108 /* go down the path and wait for reply to filter out stuff if needed */
109 ret = ldb_next_request(module, req);
111 /* We may not be fully initialised yet, or we might have just
113 if (ret != LDB_SUCCESS || !data->password_attrs) {
117 user_type = what_is_user(module);
123 /* For every message, remove password attributes */
124 for (i=0; i < req->op.search.res->count; i++) {
125 msg = req->op.search.res->msgs[i];
126 for (j=0; data->password_attrs[j]; j++) {
127 ldb_msg_remove_attr(msg, data->password_attrs[j]);
135 struct kludge_acl_async_context {
137 struct ldb_module *module;
139 int (*up_callback)(struct ldb_context *, void *, struct ldb_async_result *);
142 enum user_is user_type;
145 static int kludge_acl_async_callback(struct ldb_context *ldb, void *context, struct ldb_async_result *ares)
147 struct kludge_acl_async_context *ac;
148 struct kludge_private_data *data;
151 if (!context || !ares) {
152 ldb_set_errstring(ldb, talloc_asprintf(ldb, "NULL Context or Result in callback"));
156 ac = talloc_get_type(context, struct kludge_acl_async_context);
157 data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
159 if (ares->type == LDB_REPLY_ENTRY
160 && data->password_attrs) /* if we are not initialized just get through */
162 switch (ac->user_type) {
167 /* remove password attributes */
168 for (i = 0; data->password_attrs[i]; i++) {
169 ldb_msg_remove_attr(ares->message, data->password_attrs[i]);
174 return ac->up_callback(ldb, ac->up_context, ares);
178 return LDB_ERR_OPERATIONS_ERROR;
181 static int kludge_acl_search_async(struct ldb_module *module, struct ldb_request *req)
183 struct kludge_acl_async_context *ac;
184 struct ldb_request *down_req;
187 req->async.handle = NULL;
189 ac = talloc(req, struct kludge_acl_async_context);
191 return LDB_ERR_OPERATIONS_ERROR;
195 ac->up_context = req->async.context;
196 ac->up_callback = req->async.callback;
197 ac->timeout = req->async.timeout;
198 ac->user_type = what_is_user(module);
200 down_req = talloc_zero(req, struct ldb_request);
201 if (down_req == NULL) {
202 return LDB_ERR_OPERATIONS_ERROR;
205 down_req->operation = req->operation;
206 down_req->op.search.base = req->op.search.base;
207 down_req->op.search.scope = req->op.search.scope;
208 down_req->op.search.tree = req->op.search.tree;
209 down_req->op.search.attrs = req->op.search.attrs;
211 down_req->controls = req->controls;
212 down_req->creds = req->creds;
214 down_req->async.context = ac;
215 down_req->async.callback = kludge_acl_async_callback;
216 down_req->async.timeout = req->async.timeout;
218 /* perform the search */
219 ret = ldb_next_request(module, down_req);
221 /* do not free down_req as the call results may be linked to it,
222 * it will be freed when the upper level request get freed */
223 if (ret == LDB_SUCCESS) {
224 req->async.handle = down_req->async.handle;
230 /* ANY change type */
231 static int kludge_acl_change(struct ldb_module *module, struct ldb_request *req){
232 enum user_is user_type = what_is_user(module);
236 return ldb_next_request(module, req);
238 ldb_set_errstring(module->ldb,
239 talloc_asprintf(req, "kludge_acl_change: "
240 "attempted database modify not permitted. User %s is not SYSTEM or an administrator",
241 user_name(req, module)));
242 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
246 /* start a transaction */
247 static int kludge_acl_start_trans(struct ldb_module *module)
249 return ldb_next_start_trans(module);
252 /* end a transaction */
253 static int kludge_acl_end_trans(struct ldb_module *module)
255 return ldb_next_end_trans(module);
258 /* delete a transaction */
259 static int kludge_acl_del_trans(struct ldb_module *module)
261 return ldb_next_del_trans(module);
264 static int kludge_acl_request(struct ldb_module *module, struct ldb_request *req)
266 switch (req->operation) {
271 case LDB_ASYNC_MODIFY:
273 case LDB_ASYNC_DELETE:
275 case LDB_ASYNC_RENAME:
276 return kludge_acl_change(module, req);
279 return kludge_acl_search(module, req);
281 case LDB_ASYNC_SEARCH:
282 return kludge_acl_search_async(module, req);
284 case LDB_REQ_REGISTER:
285 return ldb_next_request(module, req);
288 /* anything else must be something new, let's throw an error */
289 return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS;
293 static int kludge_acl_init(struct ldb_module *module)
296 TALLOC_CTX *mem_ctx = talloc_new(module);
297 const char *attrs[] = { "attribute", NULL };
298 struct ldb_result *res;
299 struct ldb_message *msg;
300 struct ldb_message_element *password_attributes;
302 struct kludge_private_data *data;
304 data = talloc(module, struct kludge_private_data);
306 return LDB_ERR_OPERATIONS_ERROR;
309 data->password_attrs = NULL;
310 module->private_data = data;
313 return LDB_ERR_OPERATIONS_ERROR;
316 ret = ldb_search(module->ldb, ldb_dn_explode(mem_ctx, "@KLUDGEACL"),
320 if (ret != LDB_SUCCESS) {
323 talloc_steal(mem_ctx, res);
324 if (res->count == 0) {
328 if (res->count > 1) {
329 talloc_free(mem_ctx);
330 return LDB_ERR_CONSTRAINT_VIOLATION;
335 password_attributes = ldb_msg_find_element(msg, "passwordAttribute");
336 if (!password_attributes) {
339 data->password_attrs = talloc_array(data, const char *, password_attributes->num_values + 1);
340 if (!data->password_attrs) {
341 talloc_free(mem_ctx);
342 return LDB_ERR_OPERATIONS_ERROR;
344 for (i=0; i < password_attributes->num_values; i++) {
345 data->password_attrs[i] = (const char *)password_attributes->values[i].data;
346 talloc_steal(data->password_attrs, password_attributes->values[i].data);
348 data->password_attrs[i] = NULL;
351 talloc_free(mem_ctx);
352 return ldb_next_init(module);
355 static const struct ldb_module_ops kludge_acl_ops = {
356 .name = "kludge_acl",
357 .request = kludge_acl_request,
358 .start_transaction = kludge_acl_start_trans,
359 .end_transaction = kludge_acl_end_trans,
360 .del_transaction = kludge_acl_del_trans,
361 .init_context = kludge_acl_init
364 int ldb_kludge_acl_init(void)
366 return ldb_register_module(&kludge_acl_ops);