authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-08-05 21:01:38 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-08-07 14:22:41 +0200
commitace6f52d57e40d3e198f844fd3f2f35392ffc620 (patch)
treeaa8e557345f3aba5ce866aa5adb4a6e41ac09917
parent9f0cbe1558ec473f0a75b662bbc123473aa0a7aa (diff)
downloadsamba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.tar.gz
samba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.tar.bz2
samba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.zip
s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements
Requested by MS-ADTS 3.1.1.5.2.2
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index a3fa39e80a..59f6cb0191 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -509,17 +509,26 @@ static int objectclass_do_add(struct oc_context *ac)
return ret;
}
- ldb_msg_remove_attr(msg, "objectClass");
+ ldb_msg_remove_element(msg, objectclass_element);
+
+ /* Well, now we shouldn't find any additional "objectClass"
+ * message element (required by the AD specification). */
+ objectclass_element = ldb_msg_find_element(msg, "objectClass");
+ if (objectclass_element != NULL) {
+ ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, only one 'objectclass' attribute specification is allowed!",
+ ldb_dn_get_linearized(msg->dn));
+ talloc_free(mem_ctx);
+ return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ }
+
+ /* We must completely replace the existing objectClass entry,
+ * because we need it sorted. */
ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
-
if (ret != LDB_SUCCESS) {
talloc_free(mem_ctx);
return ret;
}
- /* We must completely replace the existing objectClass entry,
- * because we need it sorted */
-
/* Move from the linked list back into an ldb msg */
for (current = sorted; current; current = current->next) {
value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
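Review bot: The duplicate-element check at L30-L36 runs only after the first "objectClass" element has already been consumed by the sort above and removed at L26, so a request with two objectClass elements is validated and sorted on a partial view before it is finally rejected; placing the same `ldb_msg_find_element` check next to the initial lookup at the top of objectclass_do_add (outside this hunk) would reject it before any work is done, and would be the natural place for the MS-ADTS reference. Between L26 and L30 `objectclass_element` is also stale — ldb_msg_remove_element appears to compact the element array in place, so the pointer no longer designates the removed element — which is harmless here only because L30 immediately reassigns it; a one-line note would stop a later edit from reusing it, e.g. `/* objectclass_element is invalid after the removal; it is reassigned below. */`. The comment at L28-L29 could state the reason a second element is an error rather than a merge: `/* The sorted list above was built from the first objectClass element only; a second element (in any case, since ldb attribute lookup is case-insensitive) would otherwise be silently dropped, and MS-ADTS 3.1.1.5.2.2 requires rejecting it. */`. The error string at L32 writes the attribute as 'objectclass' while the code and the rest of the module spell it "objectClass"; `'objectClass'` would keep the message consistent with what the client sent.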