summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules
diff options
context:
space:
mode:
authorMatthieu Patou <mat@matws.net>2011-06-08 12:20:32 +0400
committerAndrew Tridgell <tridge@samba.org>2011-07-21 11:44:35 +1000
commit72ca5c39c9a911791af3d0abb8a146093b5e3e67 (patch)
tree88db0b835c4db90802b46dd49ac23d09619b5c3d /source4/dsdb/samdb/ldb_modules
parent6362c9c30d213381c5b51783d4842bf83de5074b (diff)
downloadsamba-72ca5c39c9a911791af3d0abb8a146093b5e3e67.tar.gz
samba-72ca5c39c9a911791af3d0abb8a146093b5e3e67.tar.bz2
samba-72ca5c39c9a911791af3d0abb8a146093b5e3e67.zip
s4-dsdb: Use controls provided during the request while searching for object to delete
If the parent request specify the show_deleted control we must use it in order to be able to see the deleted objects. Also we just allow to trusted connections with the system account to remove deleted objects, others receive an unwilling to perform.
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c14
1 files changed, 13 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index fd39937bc9..7ae90d353a 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1419,6 +1419,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
{
static const char * const attrs[] = { "nCName", "objectClass",
"systemFlags",
+ "isDeleted",
"isCriticalSystemObject", NULL };
struct ldb_context *ldb;
struct ldb_request *search_req;
@@ -1450,7 +1451,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
ret = ldb_build_search_req(&search_req, ldb,
ac, req->op.del.dn, LDB_SCOPE_BASE,
"(objectClass=*)",
- attrs, NULL,
+ attrs, req->controls,
ac, get_search_callback,
req);
LDB_REQ_SET_LOCATION(search_req);
@@ -1505,6 +1506,17 @@ static int objectclass_do_delete(struct oc_context *ac)
talloc_free(dn);
}
+ /* Only trusted request from system account are allowed to delete
+ * deleted objects.
+ */
+ if (ldb_msg_check_string_attribute(ac->search_res->message, "isDeleted", "TRUE") &&
+ (ldb_req_is_untrusted(ac->req) ||
+ !dsdb_module_am_system(ac->module))) {
+ ldb_asprintf_errstring(ldb, "Delete of '%s' failed",
+ ldb_dn_get_linearized(ac->req->op.del.dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
/* crossRef objects regarding config, schema and default domain NCs */
if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass",
"crossRef") != NULL) {