authorAndrew Bartlett <abartlet@samba.org>2009-09-24 15:14:49 -0700
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2009-10-03 12:37:55 +0200
commit4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43 (patch)
tree2263ad9a71b972498e1723833cee4f54336563ee
parent0e028fcb7d141d68de2baadeb2c0fae262f2bedc (diff)
downloadsamba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.tar.gz
samba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.tar.bz2
samba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.zip
s4:dsdb Use possibleInferiors to restrict creation of child objects
This also uses systemPossibleInferiors when the 'relax' control is specified, which is done by the provision. Andrew Bartlett
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index b68149f2f2..51a1ac845e 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -42,6 +42,7 @@
#include "libcli/security/security.h"
#include "auth/auth.h"
#include "param/param.h"
+#include "../libds/common/flags.h"
struct oc_context {
@@ -566,7 +567,7 @@ static int objectclass_do_add(struct oc_context *ac)
bool allowed_class = false;
int i, j;
- for (i=0; !allowed_class && oc_el && i < oc_el->num_values; i++) {
+ for (i=0; allowed_class == false && oc_el && i < oc_el->num_values; i++) {
const struct dsdb_class *sclass;
sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
@@ -574,9 +575,19 @@ static int objectclass_do_add(struct oc_context *ac)
/* We don't know this class? what is going on? */
continue;
}
- for (j=0; !allowed_class && sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
- if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->possibleInferiors[j]) == 0) {
- allowed_class = true;
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) {
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) {
+ allowed_class = true;
+ break;
+ }
+ }
+ } else {
+ for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) {
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) {
+ allowed_class = true;
+ break;
+ }
}
}
}
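Review bot: Both branches of the new `if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID))` test walk `sclass->systemPossibleInferiors`, so the relax control makes no difference to which child classes are accepted. The commit message says ordinary requests are restricted by possibleInferiors, so the `else` loop presumably should read `for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {` and compare against `sclass->possibleInferiors[j]` in its `ldb_attr_cmp` call. As written, ordinary add requests get the same schema check as the provision, which is worth confirming because this loop gates which object classes a client may create under a parent. A one-line comment above the `if`, such as `/* relax (provision) may only use the system list; normal adds use possibleInferiors */`, would make the intended split explicit. objectclass_do_add starts and ends outside the hunk.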