diff options
| author | Simo Sorce <ssorce@redhat.com> | 2010-10-25 16:33:31 -0400 |
|---|---|---|
| committer | Simo Sorce <ssorce@redhat.com> | 2010-10-28 07:58:31 -0400 |
| commit | 2a141bf2c12ae0f9a54e130e7f149d2ba7997942 (patch) | |
| tree | 5f2e9b8bb9d6838d02673405a214df5dd21b7936 /daemons | |
| parent | 7fc6dfbcac04966b5a42f3c707a0215e068d232c (diff) | |
| download | freeipa-2a141bf2c12ae0f9a54e130e7f149d2ba7997942.tar.gz freeipa-2a141bf2c12ae0f9a54e130e7f149d2ba7997942.tar.xz freeipa-2a141bf2c12ae0f9a54e130e7f149d2ba7997942.zip | |
ipa-uuid: Add enforce mode
By setting the enforce flag in the configuration we prevent anyone from storing
arbitrary values and allow only Directory Manager to override the plugin.
Users can only set the value to the magic value (usually 0) to have the uuid
regenerated, and nothing else.
Diffstat (limited to 'daemons')
| -rw-r--r-- | daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c index 886234573..eb5b40d73 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c +++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c @@ -90,6 +90,7 @@ int slapi_uniqueIDGenerateString(char **uId); #define IPAUUID_GENERATE "ipaUuidMagicRegen" #define IPAUUID_FILTER "ipaUuidFilter" #define IPAUUID_SCOPE "ipaUuidScope" +#define IPAUUID_ENFORCE "ipaUuidEnforce" #define IPAUUID_FEATURE_DESC "IPA UUID" #define IPAUUID_PLUGIN_DESC "IPA UUID plugin" @@ -116,6 +117,7 @@ struct configEntry { Slapi_Filter *slapi_filter; char *generate; char *scope; + bool enforce; }; static PRCList *ipauuid_global_config = NULL; @@ -565,6 +567,10 @@ ipauuid_parse_config_entry(Slapi_Entry * e, bool apply) } LOG_CONFIG("----------> %s [%s]\n", IPAUUID_SCOPE, entry->scope); + entry->enforce = slapi_entry_attr_get_bool(e, IPAUUID_ENFORCE); + LOG_CONFIG("----------> %s [%s]\n", + IPAUUID_ENFORCE, entry->enforce ? "True" : "False"); + /* If we were only called to validate config, we can * just bail out before applying the config changes */ if (!apply) { @@ -1067,6 +1073,23 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype) slapi_ch_free_string(&value); slapi_ch_free_string(&new_value); + } else { + char *bindDN = NULL; + int is_root; + + slapi_pblock_get(pb, SLAPI_CONN_DN, &bindDN); + is_root = slapi_dn_isroot(bindDN); + + /* If not set to the magic value, check enforcement */ + if (cfgentry->enforce && is_root != 1) { + /* only Directory Manager can set arbitrary values when + * enforce is enabled. */ + errstr = slapi_ch_smprintf("Only the Directory Manager " + "can set arbitrary values " + "for %s\n", cfgentry->attr); + ret = LDAP_INSUFFICIENT_ACCESS; + goto done; + } } } |