dsdb: Add msDS-ResultantPSO constructed attribute support
authorTim Beale <timbeale@catalyst.net.nz>
Tue, 20 Mar 2018 21:45:38 +0000 (10:45 +1300)
committerGarming Sam <garming@samba.org>
Wed, 23 May 2018 04:55:29 +0000 (06:55 +0200)
commit4c42d3f7165e7532cd95645b7b27173a32fa53df
treef7a110c58d17a115baa92e45beaea12413767606
parent754a840946cae308fb97a2927ea263e29de9e7b4
dsdb: Add msDS-ResultantPSO constructed attribute support

Add support for the msDS-ResultantPSO constructed attribute, which
indicates the PSO (if any) that should apply to a given user. First we
consider any PSOs that apply directly to a user. If none apply directly,
we consider PSOs that apply to any groups the user is a member of. (PSO
lookups are done by finding any 'msDS-PSOAppliesTo' links that apply to
the user or group SIDs we're interested in.

Note: the PSO should be selected based on the RevMembGetAccountGroups
membership, which doesn't include builtin groups. Looking at the spec,
it appears that perhaps our tokenGroups implementation should also
exclude builtin groups. However, in the short-term, I've added a new
ACCOUNT_GROUPS option to the enum, which is only used internally for
PSOs.

The PSO test cases (which are currently only checking the constructed
attribute) now pass, showing that the correct msDS-ResultantPSO value is
being returned, even if the corresponding password-policy settings are
not yet being applied.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
selftest/knownfail.d/password_settings
source4/dsdb/samdb/ldb_modules/operational.c