diff options
author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-03 17:29:58 +0100 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-11-03 17:48:18 +0000 |
commit | 4311438528aaf30fff878c3862fd1d76f6059f56 (patch) | |
tree | 748eb71cf98104d54402210c6b123463e471777e /source4/dsdb | |
parent | 0baa1fb4e494afd11904a3f9b940f2ef265378a4 (diff) | |
download | samba-4311438528aaf30fff878c3862fd1d76f6059f56.tar.gz samba-4311438528aaf30fff878c3862fd1d76f6059f56.tar.bz2 samba-4311438528aaf30fff878c3862fd1d76f6059f56.zip |
s4:objectclass_attrs LDB module - introduce the hardcoded delete-protected attributes list
This is a hardcoded list in AD of attributes, which can never be deleted.
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index bd4e0be646..62bc9ae8b2 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -240,6 +240,10 @@ static int attr_handler2(struct oc_context *ac) struct ldb_message_element *oc_element; struct ldb_message *msg; const char **must_contain, **may_contain, **found_must_contain; + /* There exists a hardcoded delete-protected attributes list in AD */ + const char *del_prot_attributes[] = { "nTSecurityDescriptor", + "objectSid", "sAMAccountType", "sAMAccountName", "groupType", + "primaryGroupID", "userAccountControl", NULL }, **l; const struct dsdb_attribute *attr; unsigned int i; bool found; @@ -268,9 +272,23 @@ static int attr_handler2(struct oc_context *ac) return ldb_operr(ldb); } + /* Check the delete-protected attributes list */ + msg = ac->search_res->message; + for (l = del_prot_attributes; *l != NULL; l++) { + found = str_list_check_ci(must_contain, *l); + if (!found) { + found = str_list_check_ci(may_contain, *l); + } + if (found && (ldb_msg_find_element(msg, *l) == NULL)) { + ldb_asprintf_errstring(ldb, "objectclass_attrs: delete protected attribute '%s' on entry '%s' missing!", + *l, + ldb_dn_get_linearized(msg->dn)); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } + /* Check if all specified attributes are valid in the given * objectclasses and if they meet additional schema restrictions. */ - msg = ac->search_res->message; for (i = 0; i < msg->num_elements; i++) { attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); |