author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-10-06 19:30:56 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-10-13 13:35:21 +0000 |
commit | 9bcb656bba21eb1a27befe642051bf761ede6278 (patch) | |
tree | bad3ba53552da15dd745d2e117ec77f7f2a1e090 | |
parent | 4638bd11b59de1d771a34d328e3c287549cde54c (diff) | |
s4:samldb LDB module - deny also the direct modification of "isCriticalSystemObject" on modify operations
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 9fc3905332..ce17eecaf0 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1247,11 +1247,22 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 ldb = ldb_module_get_ctx(module);
- if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
- ldb_asprintf_errstring(ldb,
- "sAMAccountType must not be specified!");
+ /* make sure that "sAMAccountType" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: sAMAccountType must not be specified!");
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
+ /* make sure that "isCriticalSystemObject" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
+ if (el != NULL) {
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: isCriticalSystemObject must not be specified!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
 /* msDS-IntId is not allowed to be modified
 * except when modification comes from replication */ |
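Review bot: The new "isCriticalSystemObject" check is skipped whenever `LDB_CONTROL_RELAX_OID` is attached to the request, and nothing visible in this hunk shows that the control is limited to trusted callers. If an ordinary client can attach it, the denial has no effect for that client, so it is worth confirming that the control is filtered earlier in the module stack. The comment above the check should state the exception, for example `/* "isCriticalSystemObject" may only be modified when the relax control is present */`; the "sAMAccountType" check just before it has no such exception, and the asymmetry deserves a word as well. As a smaller style point, the nested `if` can be folded into `if (el != NULL && ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {`. The body of samldb_modify, including the declaration of `el`, starts and ends outside the hunk.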