summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-09-08 11:10:24 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-09-08 11:10:24 +1000
commitc222f8196ab018c53579ceb3ffeeb1a9b3e77b6b (patch)
treed4ab8a88529586d1d97c0255d6bbfe3be7501141
parent4c386ce366cfa08e670f58e5560bf1253b8b6c29 (diff)
downloadsamba-c222f8196ab018c53579ceb3ffeeb1a9b3e77b6b.tar.gz
samba-c222f8196ab018c53579ceb3ffeeb1a9b3e77b6b.tar.bz2
samba-c222f8196ab018c53579ceb3ffeeb1a9b3e77b6b.zip
Try to implement the right logic for systemFlags
The MS-ADTS document has quite detailed instrucitons on how these flags should be processed. This change also causes the correct sign-wrapping to occour, as these are declared as signed integers. Andrew Bartlett (This used to be commit 5c3d237a6d721dc75166bdc5ac0c6e76a4495bf7)
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c37
1 files changed, 37 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 4d4ef585cb..b048a8d8e1 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -534,6 +534,8 @@ static int objectclass_do_add(struct ldb_handle *h)
}
/* Last one is the critical one */
if (!current->next) {
+ struct ldb_message_element *el;
+ int32_t systemFlags = 0;
if (!ldb_msg_find_element(msg, "objectCategory")) {
ldb_msg_add_string(msg, "objectCategory",
current->objectclass->defaultObjectCategory);
@@ -548,6 +550,41 @@ static int objectclass_do_add(struct ldb_handle *h)
ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
}
}
+
+ /* There are very special rules for systemFlags, see MS-ADTS 3.1.1.5.2.4 */
+ el = ldb_msg_find_element(msg, "systemFlags");
+
+ systemFlags = ldb_msg_find_attr_as_int(msg, "systemFlags", 0);
+
+ if (el) {
+ /* Only these flags may be set by a client, but we can't tell between a client and our provision at this point */
+ /* systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE); */
+ ldb_msg_remove_element(msg, el);
+ }
+
+ /* This flag is only allowed on attributeSchema objects */
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "attributeSchema") == 0) {
+ systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
+ }
+
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "server") == 0) {
+ systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE | SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE);
+ } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "site") == 0
+ || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "serverContainer") == 0
+ || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "ntDSDSA") == 0) {
+ systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
+
+ } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLink") == 0
+ || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLinkBridge") == 0
+ || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "nTDSConnection") == 0) {
+ systemFlags |= (int32_t)(SYSTEM_FLAG_CONFIG_ALLOW_RENAME);
+ }
+
+ /* TODO: If parent object is site or subnet, also add (SYSTEM_FLAG_CONFIG_ALLOW_RENAME) */
+
+ if (el || systemFlags != 0) {
+ samdb_msg_add_int(ac->module->ldb, msg, msg, "systemFlags", systemFlags);
+ }
}
}
}