summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-15 13:00:58 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-15 13:10:05 +0000
commit16e73c68cb18fe428e83ee1b5ef9e17af743fae4 (patch)
tree3afe518cb7f876866984ed5638d5722f6322512b /source4/dsdb/samdb
parentc3e24bb89f8a50476ac809aaa3fee409e639b0d0 (diff)
downloadsamba-16e73c68cb18fe428e83ee1b5ef9e17af743fae4.tar.gz
samba-16e73c68cb18fe428e83ee1b5ef9e17af743fae4.tar.bz2
samba-16e73c68cb18fe428e83ee1b5ef9e17af743fae4.zip
s4:objectclass LDB module - implement the "objectClass" change restrictions on Windows 2000 forest function level
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Mon Nov 15 13:10:05 UTC 2010 on sn-devel-104
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c25
1 files changed, 25 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e863d481a0..5e3226a037 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -840,6 +840,31 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
oc_changes = true;
}
+ /* MS-ADTS 3.1.1.5.3.5 - on a forest level < 2003 we do allow updates
+ * only on application NCs - not on the standard DCs */
+ if (oc_changes &&
+ (dsdb_forest_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
+ int cnt = samdb_search_count(ldb, ac,
+ ldb_get_default_basedn(ldb),
+ "(distinguishedName=%s)",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
+ if (cnt == 0) {
+ cnt = samdb_search_count(ldb, ac,
+ ldb_get_config_basedn(ldb),
+ "(distinguishedName=%s)",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
+ }
+ if (cnt == 0) {
+ cnt = samdb_search_count(ldb, ac,
+ ldb_get_schema_basedn(ldb),
+ "(distinguishedName=%s)",
+ ldb_dn_get_linearized(req->op.mod.message->dn));
+ }
+ if (cnt != 0) {
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
ret = ldb_build_mod_req(&down_req, ldb, ac,
msg,
req->controls, ac,