author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-08-05 21:01:38 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-08-07 14:22:41 +0200 |
commit | ace6f52d57e40d3e198f844fd3f2f35392ffc620 (patch) | |
tree | aa8e557345f3aba5ce866aa5adb4a6e41ac09917 | |
parent | 9f0cbe1558ec473f0a75b662bbc123473aa0a7aa (diff) | |
download | samba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.tar.gz samba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.tar.bz2 samba-ace6f52d57e40d3e198f844fd3f2f35392ffc620.zip |
s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements
Requested by MS-ADTS 3.1.1.5.2.2
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index a3fa39e80a..59f6cb0191 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -509,17 +509,26 @@ static int objectclass_do_add(struct oc_context *ac)
  return ret;
  }
 
- ldb_msg_remove_attr(msg, "objectClass");
+ ldb_msg_remove_element(msg, objectclass_element);
+
+ /* Well, now we shouldn't find any additional "objectClass"
+ * message element (required by the AD specification). */
+ objectclass_element = ldb_msg_find_element(msg, "objectClass");
+ if (objectclass_element != NULL) {
+ ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, only one 'objectclass' attribute specification is allowed!",
+ ldb_dn_get_linearized(msg->dn));
+ talloc_free(mem_ctx);
+ return LDB_ERR_OBJECT_CLASS_VIOLATION;
+ }
+
+ /* We must completely replace the existing objectClass entry,
+ * because we need it sorted. */
  ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
-
  if (ret != LDB_SUCCESS) {
  talloc_free(mem_ctx);
  return ret;
  }
 
- /* We must completely replace the existing objectClass entry,
- * because we need it sorted */
-
  /* Move from the linked list back into an ldb msg */
  for (current = sorted; current; current = current->next) {
  value = talloc_strdup(msg, current->objectclass->lDAPDisplayName); |
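Review bot: The new comment ahead of the second ldb_msg_find_element call justifies the rejection only as "required by the AD specification", while the commit message names MS-ADTS 3.1.1.5.2.2; put that reference in the code so a maintainer reading the module does not have to consult history, e.g. `/* MS-ADTS 3.1.1.5.2.2: an add must carry exactly one "objectClass" element, so any element still present after removing the one we parsed is a client error. */`. The error string spells the attribute 'objectclass' while the lookup and the surrounding code use "objectClass"; matching the schema spelling in the message, `only one 'objectClass' attribute specification is allowed!`, makes log triage on the client side easier. If the classes of the first element have already been resolved into `sorted` above the hunk, the duplicate check could arguably run before that work so a rejected request fails before any schema lookups, but the placement here is still sound because the request is rejected before the sorted list is written back into `msg`. objectclass_do_add starts and ends outside the hunk.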