The Samba-Bugzilla – Attachment 11342 Details for Bug 10493: LDAP extended rule 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN not working
[patch] Patch to remove this feature from 4.3
remove_ldb_match_in_chain.patch (text/plain), 15.44 KB, created by Andrew Bartlett on 2015-08-17 04:33:56 UTC
Marked as: patch, obsolete
>From 8b11f7ed3d333b9c359b3fb838a088d8d19e881c Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 17 Aug 2015 16:09:35 +1200 >Subject: [PATCH 1/2] Revert "dsdb: Only parse > SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL as a DN" > >This reverts commit 1a012d591bca727b5cabacf6455d2009afb16bd7. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 4 +--- > 1 file changed, 1 insertion(+), 3 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >index b7ca636..4127036 100644 >--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c >@@ -35,7 +35,6 @@ > #include <ldb_module.h> > #include "dsdb/samdb/samdb.h" > #include "dsdb/samdb/ldb_modules/util.h" >-#include "lib/ldb-samba/ldb_matching_rules.h" > > /* > TODO: if relax is not set then we need to reject the fancy RMD_* and >@@ -407,8 +406,7 @@ static int extended_dn_filter_callback(struct ldb_parse_tree *tree, void *privat > > if (tree->operation == LDB_OP_EQUALITY) { > dn = ldb_dn_from_ldb_val(filter_ctx, ldb_module_get_ctx(filter_ctx->module), &tree->u.equality.value); >- } else if (tree->operation == LDB_OP_EXTENDED >- && (strcmp(tree->u.extended.rule_id, SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL) == 0)) { >+ } else if (tree->operation == LDB_OP_EXTENDED) { > dn = ldb_dn_from_ldb_val(filter_ctx, ldb_module_get_ctx(filter_ctx->module), &tree->u.extended.value); > } > if (dn == NULL) { >-- >2.5.0 > > >From 25fa7bd5b6098a9b4d77863a3ab8e9ef07f6c591 Mon Sep 17 00:00:00 2001 
>From: Andrew Bartlett <abartlet@samba.org> >Date: Mon, 17 Aug 2015 16:03:10 +1200 >Subject: [PATCH 2/2] Revert "ldb-samba: Implement transitive extended > matching" > >This reverts commit 2a22ba34cd6f28950246b54c6577c922c61f4fdb. > >selftest/knownfail entries are added to ensure 'make test' continues to pass > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=10493 >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > lib/ldb-samba/ldb_matching_rules.c | 338 ------------------------------------- > lib/ldb-samba/ldb_matching_rules.h | 28 --- > lib/ldb-samba/ldif_handlers.c | 6 - > lib/ldb-samba/wscript_build | 2 +- > selftest/knownfail | 13 ++ > 5 files changed, 14 insertions(+), 373 deletions(-) > delete mode 100644 lib/ldb-samba/ldb_matching_rules.c > delete mode 100644 lib/ldb-samba/ldb_matching_rules.h > >diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c >deleted file mode 100644 >index 3a51c29..0000000 >--- a/lib/ldb-samba/ldb_matching_rules.c >+++ /dev/null 
>@@ -1,338 +0,0 @@ >-/* >- Unix SMB/CIFS implementation. >- >- ldb database library - Extended match rules >- >- Copyright (C) 2014 Samuel Cabrero <samuelcabrero@kernevil.me> >- >- This program is free software; you can redistribute it and/or modify >- it under the terms of the GNU General Public License as published by >- the Free Software Foundation; either version 3 of the License, or >- (at your option) any later version. >- >- This program is distributed in the hope that it will be useful, >- but WITHOUT ANY WARRANTY; without even the implied warranty of >- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >- GNU General Public License for more details. >- >- You should have received a copy of the GNU General Public License >- along with this program. If not, see <http://www.gnu.org/licenses/>. >-*/ >- >-#include "includes.h" >-#include <ldb_module.h> >-#include "dsdb/samdb/samdb.h" >-#include "ldb_matching_rules.h" >- >-static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, >- struct ldb_context *ldb, >- const char *attr, >- const struct dsdb_dn *dn_to_match, >- const char *dn_oid, >- struct dsdb_dn *to_visit, >- struct dsdb_dn **visited, >- unsigned int *visited_count, >- bool *matched) >-{ >- TALLOC_CTX *tmp_ctx; >- int ret, i, j; >- struct ldb_result *res; >- struct ldb_message *msg; >- struct ldb_message_element *el; >- const char *attrs[] = { attr, NULL }; >- >- tmp_ctx = talloc_new(mem_ctx); >- if (tmp_ctx == NULL) { >- return LDB_ERR_OPERATIONS_ERROR; >- } >- >- /* >- * Fetch the entry to_visit >- * >- * NOTE: This is a new LDB search from the TOP of the module >- * stack. This means that this search runs the whole stack >- * from top to bottom. >- * >- * This may seem to be in-efficient, but it is also the only >- * way to ensure that the ACLs for this search are applied >- * correctly. >- * >- * Note also that we don't have the original request >- * here, so we can not apply controls or timeouts here. 
>- */ >- ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); >- if (ret != LDB_SUCCESS) { >- talloc_free(tmp_ctx); >- return ret; >- } >- if (res->count != 1) { >- talloc_free(tmp_ctx); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- msg = res->msgs[0]; >- >- /* Fetch the attribute to match from the entry being visited */ >- el = ldb_msg_find_element(msg, attr); >- if (el == NULL) { >- /* This entry does not have the attribute to match */ >- talloc_free(tmp_ctx); >- *matched = false; >- return LDB_SUCCESS; >- } >- >- /* >- * If the value to match is present in the attribute values of the >- * current entry being visited, set matched to true and return OK >- */ >- for (i=0; i<el->num_values; i++) { >- struct dsdb_dn *dn; >- dn = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid); >- if (dn == NULL) { >- talloc_free(tmp_ctx); >- *matched = false; >- return LDB_ERR_INVALID_DN_SYNTAX; >- } >- >- if (ldb_dn_compare(dn_to_match->dn, dn->dn) == 0) { >- talloc_free(tmp_ctx); >- *matched = true; >- return LDB_SUCCESS; >- } >- } >- >- /* >- * If arrived here, the value to match is not in the values of the >- * entry being visited. Add the entry being visited (to_visit) >- * to the visited array. The array is (re)allocated in the parent >- * memory context. >- */ >- if (visited == NULL) { >- visited = talloc_array(mem_ctx, struct dsdb_dn *, 1); >- if (visited == NULL) { >- talloc_free(tmp_ctx); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- visited[0] = to_visit; >- (*visited_count) = 1; >- } else { >- visited = talloc_realloc(mem_ctx, visited, struct dsdb_dn *, >- (*visited_count) + 1); >- if (visited == NULL) { >- talloc_free(tmp_ctx); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- visited[(*visited_count)] = to_visit; >- (*visited_count)++; >- } >- >- /* >- * steal to_visit into visited array context, as it has to live until >- * the array is freed. 
>- */ >- talloc_steal(visited, to_visit); >- >- /* >- * Iterate over the values of the attribute of the entry being >- * visited (to_visit) and follow them, calling this function >- * recursively. >- * If the value is in the visited array, skip it. >- * Otherwise, follow the link and visit it. >- */ >- for (i=0; i<el->num_values; i++) { >- struct dsdb_dn *next_to_visit; >- bool skip = false; >- >- next_to_visit = dsdb_dn_parse(tmp_ctx, ldb, &el->values[i], dn_oid); >- if (next_to_visit == NULL) { >- talloc_free(tmp_ctx); >- *matched = false; >- return LDB_ERR_INVALID_DN_SYNTAX; >- } >- >- /* >- * If the value is already in the visited array, skip it. >- * Note the last element of the array is ignored because it is >- * the current entry DN. >- */ >- for (j=0; j < (*visited_count) - 1; j++) { >- struct dsdb_dn *visited_dn = visited[j]; >- if (ldb_dn_compare(visited_dn->dn, >- next_to_visit->dn) == 0) { >- skip = true; >- break; >- } >- } >- if (skip) { >- talloc_free(next_to_visit); >- continue; >- } >- >- /* If the value is not in the visited array, evaluate it */ >- ret = ldb_eval_transitive_filter_helper(tmp_ctx, ldb, attr, >- dn_to_match, dn_oid, >- next_to_visit, >- visited, visited_count, >- matched); >- if (ret != LDB_SUCCESS) { >- talloc_free(tmp_ctx); >- return ret; >- } >- if (*matched) { >- talloc_free(tmp_ctx); >- return LDB_SUCCESS; >- } >- } >- >- talloc_free(tmp_ctx); >- *matched = false; >- return LDB_SUCCESS; >-} >- >-/* >- * This function parses the linked attribute value to match, whose syntax >- * will be one of the different DN syntaxes, into a ldb_dn struct. 
>- */ >-static int ldb_eval_transitive_filter(TALLOC_CTX *mem_ctx, >- struct ldb_context *ldb, >- const char *attr, >- const struct ldb_val *value_to_match, >- struct dsdb_dn *current_object_dn, >- bool *matched) >-{ >- const struct dsdb_schema *schema; >- const struct dsdb_attribute *schema_attr; >- struct dsdb_dn *dn_to_match; >- const char *dn_oid; >- unsigned int count; >- >- schema = dsdb_get_schema(ldb, mem_ctx); >- if (schema == NULL) { >- return LDB_ERR_OPERATIONS_ERROR; >- } >- >- schema_attr = dsdb_attribute_by_lDAPDisplayName(schema, attr); >- if (schema_attr == NULL) { >- return LDB_ERR_NO_SUCH_ATTRIBUTE; >- } >- >- /* This is the DN syntax of the attribute being matched */ >- dn_oid = schema_attr->syntax->ldap_oid; >- >- /* >- * Build a ldb_dn struct holding the value to match, which is the >- * value entered in the search filter >- */ >- dn_to_match = dsdb_dn_parse(mem_ctx, ldb, value_to_match, dn_oid); >- if (dn_to_match == NULL) { >- *matched = false; >- return LDB_ERR_INVALID_DN_SYNTAX; >- } >- >- return ldb_eval_transitive_filter_helper(mem_ctx, ldb, attr, >- dn_to_match, dn_oid, >- current_object_dn, >- NULL, &count, matched); >-} >- >-/* >- * This rule provides recursive search of a link attribute >- * >- * Documented in [MS-ADTS] section 3.1.1.3.4.4.3 LDAP_MATCHING_RULE_TRANSITIVE_EVAL >- * This allows a search filter such as: >- * >- * member:1.2.840.113556.1.4.1941:=cn=user,cn=users,dc=samba,dc=example,dc=com >- * >- * This searches not only the member attribute, but also any member >- * attributes that point at an object with this member in them. All the >- * various DN syntax types are supported, not just plain DNs. 
>- * >- */ >-static int ldb_comparator_trans(struct ldb_context *ldb, >- const char *oid, >- const struct ldb_message *msg, >- const char *attribute_to_match, >- const struct ldb_val *value_to_match, >- bool *matched) >-{ >- const struct dsdb_schema *schema; >- const struct dsdb_attribute *schema_attr; >- struct ldb_dn *msg_dn; >- struct dsdb_dn *dsdb_msg_dn; >- TALLOC_CTX *tmp_ctx; >- int ret; >- >- tmp_ctx = talloc_new(ldb); >- if (tmp_ctx == NULL) { >- return LDB_ERR_OPERATIONS_ERROR; >- } >- >- /* >- * If the target attribute to match is not a linked attribute, then >- * the filter evaluates to undefined >- */ >- schema = dsdb_get_schema(ldb, tmp_ctx); >- if (schema == NULL) { >- talloc_free(tmp_ctx); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- >- schema_attr = dsdb_attribute_by_lDAPDisplayName(schema, attribute_to_match); >- if (schema_attr == NULL) { >- talloc_free(tmp_ctx); >- return LDB_ERR_NO_SUCH_ATTRIBUTE; >- } >- >- /* >- * This extended match filter is only valid for linked attributes, >- * following the MS definition (the schema attribute has a linkID >- * defined). See dochelp request 114111212024789 on cifs-protocols >- * mailing list. >- */ >- if (schema_attr->linkID == 0) { >- talloc_free(tmp_ctx); >- return LDB_ERR_INAPPROPRIATE_MATCHING; >- } >- >- /* Duplicate original msg dn as the msg must not be modified */ >- msg_dn = ldb_dn_copy(tmp_ctx, msg->dn); >- if (msg_dn == NULL) { >- talloc_free(tmp_ctx); >- return LDB_ERR_OPERATIONS_ERROR; >- } >- >- /* >- * Build a dsdb dn from the message copied DN, which should be a plain >- * DN syntax. 
>- */ >- dsdb_msg_dn = dsdb_dn_construct(tmp_ctx, msg_dn, data_blob_null, >- LDB_SYNTAX_DN); >- if (dsdb_msg_dn == NULL) { >- *matched = false; >- return LDB_ERR_INVALID_DN_SYNTAX; >- } >- >- ret = ldb_eval_transitive_filter(tmp_ctx, ldb, >- attribute_to_match, >- value_to_match, >- dsdb_msg_dn, matched); >- talloc_free(tmp_ctx); >- return ret; >-} >- >- >-int ldb_register_samba_matching_rules(struct ldb_context *ldb) >-{ >- struct ldb_extended_match_rule *transitive_eval; >- int ret; >- >- transitive_eval = talloc_zero(ldb, struct ldb_extended_match_rule); >- transitive_eval->oid = SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL; >- transitive_eval->callback = ldb_comparator_trans; >- ret = ldb_register_extended_match_rule(ldb, transitive_eval); >- if (ret != LDB_SUCCESS) { >- talloc_free(transitive_eval); >- return ret; >- } >- >- return LDB_SUCCESS; >-} >diff --git a/lib/ldb-samba/ldb_matching_rules.h b/lib/ldb-samba/ldb_matching_rules.h >deleted file mode 100644 >index e969b3d..0000000 >--- a/lib/ldb-samba/ldb_matching_rules.h >+++ /dev/null 
>@@ -1,28 +0,0 @@ >-/* >- Unix SMB/CIFS implementation. >- >- ldb database library - Extended match rules >- >- Copyright (C) 2014 Samuel Cabrero <samuelcabrero@kernevil.me> >- >- This program is free software; you can redistribute it and/or modify >- it under the terms of the GNU General Public License as published by >- the Free Software Foundation; either version 3 of the License, or >- (at your option) any later version. >- >- This program is distributed in the hope that it will be useful, >- but WITHOUT ANY WARRANTY; without even the implied warranty of >- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >- GNU General Public License for more details. >- >- You should have received a copy of the GNU General Public License >- along with this program. If not, see <http://www.gnu.org/licenses/>. >-*/ >- >-#ifndef _LDB_MATCHING_RULES_H_ >-#define _LDB_MATCHING_RULES_H_ >- >-/* This rule provides recursive search of a link attribute */ >-#define SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL "1.2.840.113556.1.4.1941" >- >-#endif /* _LDB_MATCHING_RULES_H_ */ >diff --git a/lib/ldb-samba/ldif_handlers.c b/lib/ldb-samba/ldif_handlers.c >index 3b84084..65f1d88 100644 >--- a/lib/ldb-samba/ldif_handlers.c >+++ b/lib/ldb-samba/ldif_handlers.c >@@ -1697,12 +1697,6 @@ int ldb_register_samba_handlers(struct ldb_context *ldb) > > } > >- ret = ldb_register_samba_matching_rules(ldb); >- if (ret != LDB_SUCCESS) { >- talloc_free(ldb); >- return LDB_SUCCESS; >- } >- > ret = ldb_set_opaque(ldb, "SAMBA_HANDLERS_REGISTERED", (void*)1); > if (ret != LDB_SUCCESS) { > return ret; >diff --git a/lib/ldb-samba/wscript_build b/lib/ldb-samba/wscript_build >index 6ad9698..7016b2f 100644 >--- a/lib/ldb-samba/wscript_build >+++ b/lib/ldb-samba/wscript_build 
>@@ -5,7 +5,7 @@ > # the symbols of all of ldb_ildap's dependencies. > > bld.SAMBA_LIBRARY('ldbsamba', >- source='ldif_handlers.c ldb_matching_rules.c', >+ source='ldif_handlers.c', > autoproto='ldif_handlers_proto.h', > public_deps='ldb', > deps='samba-security ndr NDR_DRSBLOBS NDR_DNSP ldbwrap samdb-common SAMDB_SCHEMA tdb errors', >diff --git a/selftest/knownfail b/selftest/knownfail >index 901ed39..b7320ad 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail >@@ -290,3 +290,16 @@ > # This fails because it requires the tombstone_reanimation module to be enabled > # > ^samba4.ldap.acl.python\(.*\).__main__.AclUndeleteTests.test_undelete\(.*\) >+# >+# This fails because the code for transitive extended matching rule >+# LDAP_MATCH_RULE_TRANSITIVE_EVAL had to be disabled >+# >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_extended_dn >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_g1_member_of_g4 >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_object_dn_binary >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_one_way_links >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_u1_groups >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_u1_member_of_g4 >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_u2_groups >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_u3_groups >+^samba4.ldap.match_rules.python.__main__.MatchRulesTests.test_u4_groups >-- >2.5.0 >
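Review bot: in the `@@ -407,8 +406,7 @@` hunk of extended_dn_in.c, dropping the `strcmp(tree->u.extended.rule_id, SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL)` test means every `LDB_OP_EXTENDED` value is now fed to `ldb_dn_from_ldb_val` regardless of which `rule_id` the filter carries, with a non-DN value landing in the `if (dn == NULL)` handling that follows. That is only right while the transitive rule is the sole extended rule Samba knows about (which patch 2/2 makes true by removing it); a one-line comment at the `else if (tree->operation == LDB_OP_EXTENDED)` branch recording that assumption would stop the next extended rule from silently going through the DN parser.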
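Review bot: since lib/ldb-samba/ldb_matching_rules.c is deleted wholesale here but expected to come back (the knownfail text says the rule "had to be disabled"), three defects in the removed code are worth recording for the restore. In `ldb_eval_transitive_filter_helper` the `visited` array is grown with `talloc_realloc(mem_ctx, visited, struct dsdb_dn *, (*visited_count) + 1)` inside the recursive call, but the caller keeps its own `visited` pointer and then indexes it with the shared, now larger `*visited_count` in `for (j=0; j < (*visited_count) - 1; j++)`, so a realloc that moves the block leaves the caller reading a stale pointer. In `ldb_comparator_trans` the `dsdb_dn_construct` failure path does `*matched = false; return LDB_ERR_INVALID_DN_SYNTAX;` without `talloc_free(tmp_ctx)`, unlike every other error path in that function. And `ldb_register_samba_matching_rules` assigns `transitive_eval->oid` without checking that `talloc_zero` returned non-NULL.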
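Review bot: the block removed from `ldb_register_samba_handlers` in ldif_handlers.c did `talloc_free(ldb); return LDB_SUCCESS;` when `ldb_register_samba_matching_rules` failed, freeing the caller's `ldb` context and then reporting success; the `ldb_set_opaque` call that remains right below it returns `ret` on failure and leaves the context alone. When the rule is reinstated, the registration should follow that existing pattern (`return ret;`, no free of `ldb`) rather than reviving the removed lines as they were.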
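Review bot: the new selftest/knownfail comment names the rule `LDAP_MATCH_RULE_TRANSITIVE_EVAL`, which matches neither the deleted macro `SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL` nor the [MS-ADTS] name `LDAP_MATCHING_RULE_TRANSITIVE_EVAL` quoted in the deleted ldb_matching_rules.c, nor the bug title's `LDAP_MATCHING_RULE_IN_CHAIN`. Use one of the real names and add the bug URL (https://bugzilla.samba.org/show_bug.cgi?id=10493) to the comment, so whoever re-enables the rule can find and drop exactly these nine `MatchRulesTests` entries; the entries themselves are consistent with the existing `^samba4.ldap...` anchoring style in the file.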
Flags: metze: review+