authorAndrew Bartlett <abartlet@samba.org>2009-09-24 15:14:49 -0700
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>2009-10-03 12:37:55 +0200
commit4bc9a39eed3e47cd87ea8cd24f9ac4f9e2712f43 (patch)
tree2263ad9a71b972498e1723833cee4f54336563ee /source4/dsdb
parent0e028fcb7d141d68de2baadeb2c0fae262f2bedc (diff)
s4:dsdb Use possibleInferiors to restrict creation of child objects
This also uses systemPossibleInferiors when the 'relax' control is specified, which is done by the provision. Andrew Bartlett
Diffstat (limited to 'source4/dsdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c19
1 files changed, 15 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index b68149f2f2..51a1ac845e 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -42,6 +42,7 @@
#include "libcli/security/security.h"
#include "auth/auth.h"
#include "param/param.h"
+#include "../libds/common/flags.h"
struct oc_context {
@@ -566,7 +567,7 @@ static int objectclass_do_add(struct oc_context *ac)
bool allowed_class = false;
int i, j;
- for (i=0; !allowed_class && oc_el && i < oc_el->num_values; i++) {
+ for (i=0; allowed_class == false && oc_el && i < oc_el->num_values; i++) {
const struct dsdb_class *sclass;
sclass = dsdb_class_by_lDAPDisplayName_ldb_val(schema, &oc_el->values[i]);
@@ -574,9 +575,19 @@ static int objectclass_do_add(struct oc_context *ac)
/* We don't know this class? what is going on? */
continue;
}
- for (j=0; !allowed_class && sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {
- if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->possibleInferiors[j]) == 0) {
- allowed_class = true;
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) {
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) {
+ allowed_class = true;
+ break;
+ }
+ }
+ } else {
+ for (j=0; sclass->systemPossibleInferiors && sclass->systemPossibleInferiors[j]; j++) {
+ if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, sclass->systemPossibleInferiors[j]) == 0) {
+ allowed_class = true;
+ break;
+ }
}
}
}
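Review bot: The `else` branch walks `sclass->systemPossibleInferiors` exactly as the `LDB_CONTROL_RELAX_OID` branch does, so the two paths are identical and `possibleInferiors` is never consulted, although the commit title names that list as the one that should restrict child creation. As written, the presence or absence of the relax control makes no difference to this containment check, which is presumably not the intent for ordinary (non-provision) add requests. The non-relax loop should read `for (j=0; sclass->possibleInferiors && sclass->possibleInferiors[j]; j++) {` with `sclass->possibleInferiors[j]` in the `ldb_attr_cmp()` call. The control lookup is also loop-invariant and could be done once before the outer `for`, with a short comment stating why the relax control is allowed to select the system list. `objectclass_do_add` starts and ends outside the hunk, so how `allowed_class` is acted on afterwards is not visible here.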