authorMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-03 17:29:58 +0100
committerMatthias Dieter Wallnöfer <mdw@samba.org>2010-11-03 17:48:18 +0000
commit4311438528aaf30fff878c3862fd1d76f6059f56 (patch)
tree748eb71cf98104d54402210c6b123463e471777e /source4/dsdb
parent0baa1fb4e494afd11904a3f9b940f2ef265378a4 (diff)
s4:objectclass_attrs LDB module - introduce the hardcoded delete-protected attributes list
This is a hardcoded list in AD of attributes which can never be deleted.
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass_attrs.c20
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index bd4e0be646..62bc9ae8b2 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -240,6 +240,10 @@ static int attr_handler2(struct oc_context *ac)
struct ldb_message_element *oc_element;
struct ldb_message *msg;
const char **must_contain, **may_contain, **found_must_contain;
+ /* There exists a hardcoded delete-protected attributes list in AD */
+ const char *del_prot_attributes[] = { "nTSecurityDescriptor",
+ "objectSid", "sAMAccountType", "sAMAccountName", "groupType",
+ "primaryGroupID", "userAccountControl", NULL }, **l;
const struct dsdb_attribute *attr;
unsigned int i;
bool found;
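Review bot: `del_prot_attributes` is a plain automatic array, so its seven pointers are rebuilt on the stack on every call to attr_handler2 and the table is writable; a read-only table built once, `static const char * const del_prot_attributes[] = { ... };`, with the cursor declared separately as `const char * const *l;`, states the intent and keeps the `**l` from hiding at the end of the initializer. The loop in the following hunk only enforces an entry that str_list_check_ci finds in must_contain or may_contain, so a misspelled name here would, as far as the visible lines show, simply never be checked rather than fail loudly; a short comment naming where this attribute set comes from (the AD delete-protected attributes) would let a reviewer verify the spelling against the schema. attr_handler2 starts and ends outside this hunk.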
@@ -268,9 +272,23 @@ static int attr_handler2(struct oc_context *ac)
return ldb_operr(ldb);
}
+ /* Check the delete-protected attributes list */
+ msg = ac->search_res->message;
+ for (l = del_prot_attributes; *l != NULL; l++) {
+ found = str_list_check_ci(must_contain, *l);
+ if (!found) {
+ found = str_list_check_ci(may_contain, *l);
+ }
+ if (found && (ldb_msg_find_element(msg, *l) == NULL)) {
+ ldb_asprintf_errstring(ldb, "objectclass_attrs: delete protected attribute '%s' on entry '%s' missing!",
+ *l,
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
/* Check if all specified attributes are valid in the given
* objectclasses and if they meet additional schema restrictions. */
- msg = ac->search_res->message;
for (i = 0; i < msg->num_elements; i++) {
attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
msg->elements[i].name);