summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-10-06 19:30:56 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-10-13 13:35:21 +0000
commit9bcb656bba21eb1a27befe642051bf761ede6278 (patch)
treebad3ba53552da15dd745d2e117ec77f7f2a1e090
parent4638bd11b59de1d771a34d328e3c287549cde54c (diff)
downloadsamba-9bcb656bba21eb1a27befe642051bf761ede6278.tar.gz
samba-9bcb656bba21eb1a27befe642051bf761ede6278.tar.bz2
samba-9bcb656bba21eb1a27befe642051bf761ede6278.zip
s4:samldb LDB module - deny also the direct modification of "isCriticalSystemObject" on modify operations
-rw-r--r--source4/dsdb/samdb/ldb_modules/samldb.c17
1 files changed, 14 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 9fc3905332..ce17eecaf0 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1247,11 +1247,22 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
ldb = ldb_module_get_ctx(module);
- if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
- ldb_asprintf_errstring(ldb,
- "sAMAccountType must not be specified!");
+ /* make sure that "sAMAccountType" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: sAMAccountType must not be specified!");
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* make sure that "isCriticalSystemObject" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
+ if (el != NULL) {
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: isCriticalSystemObject must not be specified!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
/* msDS-IntId is not allowed to be modified
* except when modification comes from replication */