Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15:Update
adcli.16659
0017-join-add-all-attributes-while-creating-com...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0017-join-add-all-attributes-while-creating-computer-obje.patch of Package adcli.16659
From 07ea3d55f318b7feeef08ee1c160112310828dd2 Mon Sep 17 00:00:00 2001 From: Sumit Bose <sbose@redhat.com> Date: Mon, 11 Jun 2018 09:44:49 +0200 Subject: [PATCH 17/25] join: add all attributes while creating computer object It is possible to create special accounts which can only join a computer to a domain but is not allowed to do any further operations which the computer object. As a result if such an account is used during the join only the ldapadd operation is permitted but not any later ldapmodify operation. To create the computer object correctly in this case all attributes must be added while the object is created and not later. Related to https://bugzilla.redhat.com/show_bug.cgi?id=1542354 --- library/adenroll.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 47 insertions(+), 5 deletions(-) diff --git a/library/adenroll.c b/library/adenroll.c index 923a811..deaef0f 100644 --- a/library/adenroll.c +++ b/library/adenroll.c @@ -568,7 +568,7 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) is_2008_or_later = adcli_conn_server_has_capability (enroll->conn, ADCLI_CAP_V60_OID); /* In 2008 or later, use the msDS-supportedEncryptionTypes attribute */ - if (is_2008_or_later) { + if (is_2008_or_later && enroll->computer_attributes != NULL) { value = _adcli_ldap_parse_value (ldap, enroll->computer_attributes, "msDS-supportedEncryptionTypes"); @@ -613,7 +613,6 @@ calculate_enctypes (adcli_enroll *enroll, char **enctype) return ADCLI_SUCCESS; } - static adcli_result create_computer_account (adcli_enroll *enroll, LDAP *ldap) @@ -623,22 +622,65 @@ create_computer_account (adcli_enroll *enroll, char *vals_sAMAccountName[] = { enroll->computer_sam, NULL }; LDAPMod sAMAccountName = { LDAP_MOD_ADD, "sAMAccountName", { vals_sAMAccountName, } }; char *vals_userAccountControl[] = { "69632", NULL }; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD */ - LDAPMod userAccountControl = { LDAP_MOD_REPLACE, "userAccountControl", { vals_userAccountControl, } }; + LDAPMod userAccountControl = { LDAP_MOD_ADD, "userAccountControl", { vals_userAccountControl, } }; + char *vals_supportedEncryptionTypes[] = { NULL, NULL }; + LDAPMod encTypes = { LDAP_MOD_ADD, "msDS-supportedEncryptionTypes", { vals_supportedEncryptionTypes, } }; + char *vals_dNSHostName[] = { enroll->host_fqdn, NULL }; + LDAPMod dNSHostName = { LDAP_MOD_ADD, "dNSHostName", { vals_dNSHostName, } }; + char *vals_operatingSystem[] = { enroll->os_name, NULL }; + LDAPMod operatingSystem = { LDAP_MOD_ADD, "operatingSystem", { vals_operatingSystem, } }; + char *vals_operatingSystemVersion[] = { enroll->os_version, NULL }; + LDAPMod operatingSystemVersion = { LDAP_MOD_ADD, "operatingSystemVersion", { vals_operatingSystemVersion, } }; + char *vals_operatingSystemServicePack[] = { enroll->os_service_pack, NULL }; + LDAPMod operatingSystemServicePack = { LDAP_MOD_ADD, "operatingSystemServicePack", { vals_operatingSystemServicePack, } }; + char *vals_userPrincipalName[] = { enroll->user_principal, NULL }; + LDAPMod userPrincipalName = { LDAP_MOD_ADD, "userPrincipalName", { vals_userPrincipalName, }, }; + LDAPMod servicePrincipalName = { LDAP_MOD_ADD, "servicePrincipalName", { enroll->service_principals, } }; + + char *val = NULL; int ret; + size_t c; + size_t m; - LDAPMod *mods[] = { + LDAPMod *all_mods[] = { &objectClass, &sAMAccountName, &userAccountControl, - NULL, + &encTypes, + &dNSHostName, + &operatingSystem, + &operatingSystemVersion, + &operatingSystemServicePack, + &userPrincipalName, + &servicePrincipalName, + NULL }; + size_t mods_count = sizeof (all_mods) / sizeof (LDAPMod *); + LDAPMod *mods[mods_count]; + if (adcli_enroll_get_trusted_for_delegation (enroll)) { vals_userAccountControl[0] = "593920"; /* WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION */ } + ret = calculate_enctypes (enroll, &val); + if (ret != ADCLI_SUCCESS) { + return ret; + } + vals_supportedEncryptionTypes[0] = val; + + m = 0; + for (c = 0; c < mods_count - 1; c++) { + /* Skip empty LDAP sttributes */ + if (all_mods[c]->mod_vals.modv_strvals[0] != NULL) { + mods[m++] = all_mods[c]; + } + } + mods[m] = NULL; + ret = ldap_add_ext_s (ldap, enroll->computer_dn, mods, NULL, NULL); + free (val); /* * Hand to head. This is really dumb... AD returns -- 2.16.4
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor