authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-08-01 17:36:11 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-08-01 21:30:29 +0200
commitba4578f98b411f175803160a9a1f81c1c3786f1f (patch)
treea6060ece9d8990ccb6c49577fa067407d59eb86b
parent89c7859006a47d646762f8f3e2256f72d6133c70 (diff)
s4:objectclass LDB module - consider the "instanceType" when adding NCs
This is required by MS-ADTS 3.1.1.5.2.2 (NC add operation).
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c28
1 files changed, 18 insertions, 10 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index b71f91f185..44d8889dd5 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -374,11 +374,14 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
- /* An add operation on the root basedn has a special handling when the
- * relax control isn't specified. */
- if (ldb_dn_compare(ldb_get_root_basedn(ldb), req->op.add.message->dn) == 0) {
- if (ldb_request_get_control(req,
- LDB_CONTROL_RELAX_OID) == NULL) {
+ /* An add operation on the basedn without "NC-add" operation isn't
+ * allowed. */
+ if (ldb_dn_compare(ldb_get_default_basedn(ldb), req->op.add.message->dn) == 0) {
+ unsigned int instanceType;
+
+ instanceType = ldb_msg_find_attr_as_uint(req->op.add.message,
+ "instanceType", 0);
+ if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
/* When we are trying to readd the root basedn then
* this is denied, but with an interesting mechanism:
* there is generated a referral with the last
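Review bot: The new gate `if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD))` decides whether re-adding the default basedn is refused based on an attribute carried in the client's own add message, whereas the removed code keyed the same decision on the LDB_CONTROL_RELAX_OID control; nothing in this hunk, nor in the matching check in the objectclass_do_add hunk below, verifies that the caller is allowed to send an instanceType with that bit set. If that validation is done by an earlier module in the stack, a comment here would make the trust boundary explicit, e.g. `/* instanceType is trusted at this point: callers setting IS_NC_HEAD must already have been vetted by the module that owns instanceType validation */`; if it is not, the control-based check should be kept alongside the bit test. The default of 0 for a missing attribute correctly lands in the refused branch. The body of objectclass_add continues past the end of this hunk.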
@@ -457,15 +460,20 @@ static int objectclass_do_add(struct oc_context *ac)
/* Check if we have a valid parent - this check is needed since
* we don't get a LDB_ERR_NO_SUCH_OBJECT error. */
if (ac->search_res == NULL) {
- if (ldb_dn_compare(ldb_get_root_basedn(ldb), msg->dn) == 0) {
- /* Allow the tree to be started but don't keep any
- * error strings - they're meaningless. */
- ldb_set_errstring(ldb, NULL);
- } else {
+ unsigned int instanceType;
+
+ /* An add operation on partition DNs without "NC-add" operation
+ * isn't allowed. */
+ instanceType = ldb_msg_find_attr_as_uint(ac->req->op.add.message,
+ "instanceType", 0);
+ if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, parent does not exist!",
ldb_dn_get_linearized(msg->dn));
return LDB_ERR_NO_SUCH_OBJECT;
}
+
+ /* Don't keep any error messages - we've to add a partition */
+ ldb_set_errstring(ldb, NULL);
} else {
/* Fix up the DN to be in the standard form, taking
* particular care to match the parent DN */
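Review bot: The `if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD))` test in the `ac->search_res == NULL` branch now allows an object with no existing parent to be added at any DN, where the removed code allowed that only for the root basedn; the hunk does not show what, if anything, restricts which DNs may become NC heads. If that restriction lives in another module, say so at the new branch, e.g. `/* NOTE: any DN may start a partition here once IS_NC_HEAD is set; which DNs qualify is enforced elsewhere (see PARTITION-VALIDATION-MODULE placeholder) */`. The attribute is read from `ac->req->op.add.message` while the DN on the error path comes from `msg`; presumably `msg` is a working copy of the same message, in which case reading instanceType from `msg` as well would keep the branch self-contained. objectclass_do_add starts before this hunk and continues after it.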