author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-23 15:07:49 +0100 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-24 17:39:18 +0100 |
commit | 8c01d6a837718344b52aa117820d0dba7655f295 (patch) | |
tree | e14cb4b04c5b28a0484315a2408215d6d4dd94d1 /source4/dsdb/samdb | |
parent | 0a6834e6305c99b74662c4bea97e2291d8b42cb3 (diff) | |
s4:objectclass LDB module - move one checks into the "objectclass derivation loop"
This denies objects created from classes that may be derived from the prohibited
ones.
Also small cosmetic improvements for another check.
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 28 |
1 files changed, 17 insertions, 11 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e69026a226..0bb33aaf35 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -567,12 +567,24 @@ static int objectclass_do_add(struct oc_context *ac)
 /* Move from the linked list back into an ldb msg */
 for (current = sorted; current; current = current->next) {
- value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
+ value = talloc_strdup(msg,
+ current->objectclass->lDAPDisplayName);
 if (value == NULL) {
 talloc_free(mem_ctx);
 return ldb_module_oom(ac->module);
 }
+ /* LSA-specific objectclasses per default not allowed */
+ if (((strcmp(value, "secret") == 0) ||
+ (strcmp(value, "trustedDomain") == 0)) &&
+ !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s'!",
+ value,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
 ret = ldb_msg_add_string(msg, "objectClass", value);
 if (ret != LDB_SUCCESS) {
 ldb_set_errstring(ldb,
@@ -624,16 +636,10 @@ static int objectclass_do_add(struct oc_context *ac)
 if (objectclass->systemOnly &&
 !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) &&
 !check_rodc_ntdsdsa_add(ac, objectclass)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
- if (((strcmp(objectclass->lDAPDisplayName, "secret") == 0) ||
- (strcmp(objectclass->lDAPDisplayName, "trustedDomain") == 0)) &&
- !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
- ldb_asprintf_errstring(ldb, "objectClass %s is LSA-specific, rejecting creation of %s",
- objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+ ldb_asprintf_errstring(ldb,
+ "objectclass: object class '%s' is system-only, rejecting creation of '%s'!",
+ objectclass->lDAPDisplayName,
+ ldb_dn_get_linearized(msg->dn));
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
|
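Review bot: The rewritten system-only rejection at the top of this hunk carries no comment explaining its three-part condition, while the LSA-specific check the commit moves into the derivation loop does; I would add `/* systemOnly objectclasses are rejected unless the RELAX control is present or check_rodc_ntdsdsa_add() accepts the object */` above the `if`. objectclass_do_add() starts and ends outside this hunk, so it is not visible here whether mem_ctx from the sorting loop is still live when this `return LDB_ERR_UNWILLING_TO_PERFORM;` runs. In the preceding hunk the new LSA-specific early return inside that loop returns without the `talloc_free(mem_ctx)` that the adjacent OOM path performs, so the sorted list presumably lives on until its parent context is released; worth confirming against the allocation of mem_ctx outside the hunk and, if it is still owned there, freeing it before the return for consistency with the OOM path.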