authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-10-19 15:14:53 +0200
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-10-25 13:03:17 +0200
commitfedd4aa3cb7a0d4b895ec040d74cfbfbee42cac5 (patch)
tree0077a4aa138087c4d1994347140d91da70dc95be
parent6e407a3c1c7166801bcec364186c487c27b18550 (diff)
s4:objectclass_attrs LDB module - deny multi-valued replace requests
This is the AD behaviour. But on attributes with the flag "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" it is allowed.
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass_attrs.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 2024a33d55..b3f7048a39 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -139,6 +139,19 @@ static int attr_handler(struct oc_context *ac)
}
}
+ /* Multi-valued replace operations are generally denied but
+ * there do exist exceptions where attributes have the flag
+ * "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" set. */
+ if ((ac->req->operation == LDB_MODIFY) &&
+ (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_REPLACE) &&
+ (msg->elements[i].num_values > 1) &&
+ ((attr->systemFlags & DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) == 0)) {
+ ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is replaced multi-valued!",
+ msg->elements[i].name,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+ }
+
/* Substitute the attribute name to match in case */
msg->elements[i].name = attr->lDAPDisplayName;
}
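Review bot: The added condition in attr_handler rejects every LDB_FLAG_MOD_REPLACE element with `num_values > 1` unless the attribute carries DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER, and it never consults whether the schema declares the attribute single-valued, so replacing the full value set of an ordinary multi-valued attribute is refused as well. The commit message states that this matches AD, but the hunk shows no test and no exemption for internal or relaxed requests, so it is worth confirming that provisioning, replication and upgrade paths that pass through this module never issue such a replace. I would make the comment say so explicitly, e.g. `/* Applies regardless of isSingleValued; only DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER attributes are exempt. */`, and reword the error text to `"objectclass_attrs: multi-valued replace of attribute '%s' on entry '%s' is not allowed!"`. attr_handler starts and ends outside this hunk, so filtering done earlier in the function may already cover part of this.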