diff options
| author | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2009-11-26 10:54:20 +0100 |
|---|---|---|
| committer | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2009-11-26 11:21:01 +0100 |
| commit | b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5 (patch) | |
| tree | 286958bb83a9807b436a5cf0139f678a2962a1ce | |
| parent | 393b83979d11dddcf6d38ca24b3aea7bb645e0d0 (diff) | |
| download | samba-b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5.tar.gz samba-b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5.tar.bz2 samba-b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5.zip | |
s4:objectclass LDB module - Prevent write operations on constructed attributes
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 53c1cc7574..82b8835b0b 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx, } /* Fix all attribute names to be in the correct case, and check they are all valid per the schema */ -static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *schema, struct ldb_message *msg) +static int fix_check_attributes(struct ldb_context *ldb, + const struct dsdb_schema *schema, + struct ldb_message *msg, + enum ldb_request_type op) { - int i; + unsigned int i; for (i=0; i < msg->num_elements; i++) { const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name); /* Add in a very special case for 'clearTextPassword', @@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *sch } } else { msg->elements[i].name = attribute->lDAPDisplayName; + + /* We have to deny write operations on constructed attributes */ + if ((attribute->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) { + if (op == LDB_ADD) { + return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE; + } else { + return LDB_ERR_CONSTRAINT_VIOLATION; + } + } + } } @@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac) } if (schema) { - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, ac->req->operation); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; @@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { return ret; } @@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; @@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; |