summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-23 15:07:49 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-24 17:39:18 +0100
commit8c01d6a837718344b52aa117820d0dba7655f295 (patch)
treee14cb4b04c5b28a0484315a2408215d6d4dd94d1 /source4/dsdb/samdb/ldb_modules
parent0a6834e6305c99b74662c4bea97e2291d8b42cb3 (diff)
downloadsamba-8c01d6a837718344b52aa117820d0dba7655f295.tar.gz
samba-8c01d6a837718344b52aa117820d0dba7655f295.tar.bz2
samba-8c01d6a837718344b52aa117820d0dba7655f295.zip
s4:objectclass LDB module - move one checks into the "objectclass derivation loop"
This denies objects created from possible derivated classes from the prohibited ones. Also small cosmetic improvements for another check.
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c28
1 files changed, 17 insertions, 11 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e69026a226..0bb33aaf35 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -567,12 +567,24 @@ static int objectclass_do_add(struct oc_context *ac)
/* Move from the linked list back into an ldb msg */
for (current = sorted; current; current = current->next) {
- value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
+ value = talloc_strdup(msg,
+ current->objectclass->lDAPDisplayName);
if (value == NULL) {
talloc_free(mem_ctx);
return ldb_module_oom(ac->module);
}
+ /* LSA-specific objectclasses per default not allowed */
+ if (((strcmp(value, "secret") == 0) ||
+ (strcmp(value, "trustedDomain") == 0)) &&
+ !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
+ value,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
ret = ldb_msg_add_string(msg, "objectClass", value);
if (ret != LDB_SUCCESS) {
ldb_set_errstring(ldb,
@@ -624,16 +636,10 @@ static int objectclass_do_add(struct oc_context *ac)
if (objectclass->systemOnly &&
!ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
!check_rodc_ntdsdsa_add(ac, objectclass)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
- if (((strcmp(objectclass->lDAPDisplayName, "secret") == 0) ||
- (strcmp(objectclass->lDAPDisplayName, "trustedDomain") == 0)) &&
- !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is LSA-specific, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is system-only, rejecting creation of '%s'!",
+ objectclass->lDAPDisplayName,
+ ldb_dn_get_linearized(msg->dn));
return LDB_ERR_UNWILLING_TO_PERFORM;
}