diff options
author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-05-11 21:43:36 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-05-30 23:13:09 +0200 |
commit | 463d5f0afc5b378bf8143558b8b8f372680f9768 (patch) | |
tree | 77adf327380b8323c9809f4c83dda1264878bfad /source4/dsdb | |
parent | 092331d2d8c39ccfbd97c5e357705efb54f1ab6f (diff) | |
download | samba-463d5f0afc5b378bf8143558b8b8f372680f9768.tar.gz samba-463d5f0afc5b378bf8143558b8b8f372680f9768.tar.bz2 samba-463d5f0afc5b378bf8143558b8b8f372680f9768.zip |
s4:samldb LDB module - deny delete operations on some important attributes
Add operations are denied since these are single-valued - only replace is
allowed.
This is only provisorily at the moment - we need to implement the triggers
specified in MS-ADTS.
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/samldb.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c index a07dec961c..d7ce48f758 100644 --- a/source4/dsdb/samdb/ldb_modules/samldb.c +++ b/source4/dsdb/samdb/ldb_modules/samldb.c @@ -1475,7 +1475,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) /* TODO: do not modify original request, create a new one */ el = ldb_msg_find_element(req->op.mod.message, "groupType"); - if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { + if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { uint32_t group_type; req->op.mod.message = msg = ldb_msg_copy_shallow(req, @@ -1492,9 +1492,12 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) el2 = ldb_msg_find_element(msg, "sAMAccountType"); el2->flags = LDB_FLAG_MOD_REPLACE; } + if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID"); - if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { + if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { struct samldb_ctx *ac; ac = samldb_ctx_init(module, req); @@ -1506,9 +1509,12 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) return samldb_prim_group_change(ac); } + if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } el = ldb_msg_find_element(req->op.mod.message, "userAccountControl"); - if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { + if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { uint32_t user_account_control; req->op.mod.message = msg = ldb_msg_copy_shallow(req, @@ -1547,6 +1553,9 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req) } } } + if (el && (el->flags == LDB_FLAG_MOD_DELETE)) { + return LDB_ERR_UNWILLING_TO_PERFORM; + } el = ldb_msg_find_element(req->op.mod.message, "member"); if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) { |