authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-08 10:16:45 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-08 10:36:49 +0000
commit4b97e7c8f20b125015417bcf440128f843ac648f (patch)
treea376e4e269a49820aa333dbf4e2b63165642ed8c
parent8caf0ed90980d4118878f0cda10eba8004a8dd4d (diff)
s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Nov 8 10:36:50 UTC 2010 on sn-devel-104
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectguid.c8
-rw-r--r--source4/dsdb/samdb/ldb_modules/repl_meta_data.c9
-rwxr-xr-xsource4/dsdb/tests/python/ldap.py12
3 files changed, 29 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectguid.c b/source4/dsdb/samdb/ldb_modules/objectguid.c
index f21660c4ae..bc3260cf0d 100644
--- a/source4/dsdb/samdb/ldb_modules/objectguid.c
+++ b/source4/dsdb/samdb/ldb_modules/objectguid.c
@@ -185,6 +185,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
struct ldb_context *ldb;
struct ldb_request *down_req;
struct ldb_message *msg;
+ struct ldb_message_element *el;
int ret;
time_t t = time(NULL);
uint64_t seq_num;
@@ -199,6 +200,13 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+ el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "objectguid: objectGUID must not be specified!");
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
ac = talloc(req, struct og_context);
if (ac == NULL) {
return ldb_oom(ldb);
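Review bot: The new guard in objectguid_modify has no comment saying why objectGUID is refused or that the refusal is meant to cover every modify type. `ldb_msg_find_element` matches on the attribute name alone, so add, replace and delete elements are all rejected, with or without values, and that is worth stating so nobody later narrows it to a value lookup. I would put `/* objectGUID is assigned at creation and is immutable: reject any modify that names it, whatever the element flags or value count */` above the lookup. The assignment of `ldb` and the rest of objectguid_modify are outside the hunk, so I assume `ldb` is already set when `ldb_set_errstring` is reached.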
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 95cd0694fc..7838b65fdf 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
@@ -2147,6 +2147,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
struct loadparm_context *lp_ctx;
char *referral;
unsigned int functional_level;
+ const DATA_BLOB *guid_blob;
/* do not manipulate our control entries */
if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -2166,6 +2167,14 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_OPERATIONS_ERROR;
}
+ guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
+ if ( guid_blob != NULL ) {
+ ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+ "replmd_modify: it's not allowed to change the objectGUID\n");
+ talloc_free(ac);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
/* we have to copy the message as the caller might have it as a const */
msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
if (msg == NULL) {
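Review bot: The guard added to replmd_modify tests `ldb_msg_find_ldb_val(...) != NULL`, which as far as I know returns NULL when the element is present but carries no values. If so, a modify that names objectGUID without a value is not rejected here, unlike the element-based check this commit adds to objectguid.c. Testing for the element closes that gap and makes the two modules agree: `if (ldb_msg_find_element(req->op.mod.message, "objectGUID") != NULL) {`. The rejection also goes through `ldb_debug_set` at `LDB_DEBUG_ERROR`, so a client-triggerable condition produces error-level log lines; `ldb_set_errstring(ldb, "replmd_modify: it's not allowed to change the objectGUID");` would match objectguid.c. replmd_modify starts and ends outside the hunk.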
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 26969cca3c..833e141b7d 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1324,6 +1324,18 @@ objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
self.assertTrue("whenCreated" in res[0])
self.assertTrue("whenChanged" in res[0])
+ # The objectGUID cannot directly be changed
+ try:
+ self.ldb.modify_ldif("""
+dn: cn=ldaptestcontainer,""" + self.base_dn + """
+changetype: modify
+replace: objectGUID
+objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
+""")
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
def test_parentGUID(self):
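Review bot: The added case covers only `replace: objectGUID` with a value, so the other modify types are untested. The GUID it sends also appears in the hunk header context, so it looks like the same one already used earlier in this test, which would mean the case never tries a different value. I would add variants using `add: objectGUID` and a valueless `delete: objectGUID`, each expecting `ERR_CONSTRAINT_VIOLATION`, and use a GUID that differs from the stored one. After each rejected modify, re-read the entry and assert that its objectGUID is unchanged, so a partial write would be caught. The test method starts outside the hunk.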