diff options
author | Andrew Bartlett <abartlet@samba.org> | 2009-09-24 15:14:49 -0700 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> | 2009-10-03 12:37:55 +0200 |
commit | 4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43 (patch) | |
tree | 2263ad9a71b972498e1723833cee4f54336563ee /source4/dsdb | |
parent | 0e028fcb7d141d68de2baadeb2c0fae262f2bedc (diff) | |
download | samba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.tar.gz samba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.tar.bz2 samba-4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43.zip |
s4:dsdb Use possibleInferiors to restrict creation of child objects
This also uses systemPossibleInferiors when the 'relax' control is
specified, which is done by the provision.
Andrew Bartlett
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 19 |
1 files changed, 15 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index b68149f2f2..51a1ac845e 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -42,6 +42,7 @@ #include "libcli/security/security.h" #include "auth/auth.h" #include "param/param.h" +#include "../libds/common/flags.h" struct oc_context { @@ -566,7 +567,7 @@ static int objectclass_do_add(struct oc_context *ac) bool allowed_class = false; int i, j; - for (i=0; !allowed_class && oc_el && i < oc_el->num_values; i++) { + for (i=0; allowed_class == false && oc_el && i < oc_el->num_values; i++) { const struct dsdb_class *sclass; sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]); @@ -574,9 +575,19 @@ static int objectclass_do_add(struct oc_context *ac) /* We don't know this class? what is going on? */ continue; } - for (j=0; !allowed_class && sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) { - if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->possibleInferiors[j]) == 0) { - allowed_class = true; + if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) { + if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) { + allowed_class = true; + break; + } + } + } else { + for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) { + if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) { + allowed_class = true; + break; + } } } } |