author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-08-01 17:36:11 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-08-01 21:30:29 +0200 |
commit | ba4578f98b411f175803160a9a1f81c1c3786f1f (patch) | |
tree | a6060ece9d8990ccb6c49577fa067407d59eb86b /source4/dsdb | |
parent | 89c7859006a47d646762f8f3e2256f72d6133c70 (diff) | |
s4:objectclass LDB module - consider the "instanceType" when adding NCs
This is required by MS-ADTS 3.1.1.5.2.2 (NC add operation).
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index b71f91f185..44d8889dd5 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -374,11 +374,14 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	/* An add operation on the root basedn has a special handling when the
-	 * relax control isn't specified. */
-	if (ldb_dn_compare(ldb_get_root_basedn(ldb), req->op.add.message->dn) == 0) {
-		if (ldb_request_get_control(req,
-					    LDB_CONTROL_RELAX_OID) == NULL) {
+	/* An add operation on the basedn without "NC-add" operation isn't
+	 * allowed. */
+	if (ldb_dn_compare(ldb_get_default_basedn(ldb), req->op.add.message->dn) == 0) {
+		unsigned int instanceType;
+
+		instanceType = ldb_msg_find_attr_as_uint(req->op.add.message,
+							 "instanceType", 0);
+		if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
 			/* When we are trying to readd the root basedn then
 			 * this is denied, but with an interesting mechanism:
 			 * there is generated a referral with the last
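Review bot: The gate on the default basedn now keys on a value the client controls: `instanceType` is read straight from `req->op.add.message`, whereas the removed check required the RELAX control, which is not something an ordinary external LDAP client can pass. Unless a module earlier in the stack already rejects an `instanceType` carrying `INSTANCE_TYPE_IS_NC_HEAD` on an unprivileged request (not visible in this hunk), a remote caller with add rights could now bypass the referral path that previously protected a re-add of the base DN simply by setting that bit. Worth stating at the new `if` where that authorization is enforced, e.g. `/* instanceType is client-supplied: IS_NC_HEAD on an external (non-system, non-RELAX) request must have been rejected by an earlier module */`, and confirming that this is in fact the case. objectclass_add begins and ends outside this hunk.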
@@ -457,15 +460,20 @@ static int objectclass_do_add(struct oc_context *ac)
 	/* Check if we have a valid parent - this check is needed since
 	 * we don't get a LDB_ERR_NO_SUCH_OBJECT error. */
 	if (ac->search_res == NULL) {
-		if (ldb_dn_compare(ldb_get_root_basedn(ldb), msg->dn) == 0) {
-			/* Allow the tree to be started but don't keep any
-			 * error strings - they're meaningless. */
-			ldb_set_errstring(ldb, NULL);
-		} else {
+		unsigned int instanceType;
+
+		/* An add operation on partition DNs without "NC-add" operation
+		 * isn't allowed. */
+		instanceType = ldb_msg_find_attr_as_uint(ac->req->op.add.message,
+							 "instanceType", 0);
+		if (!(instanceType & INSTANCE_TYPE_IS_NC_HEAD)) {
 			ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, parent does not exist!",
 					       ldb_dn_get_linearized(msg->dn));
 			return LDB_ERR_NO_SUCH_OBJECT;
 		}
+
+		/* Don't keep any error messages - we've to add a partition */
+		ldb_set_errstring(ldb, NULL);
 	} else {
 		/* Fix up the DN to be in the standard form, taking
 		 * particular care to match the parent DN */
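Review bot: The missing-parent check in objectclass_do_add is now waived for any DN whose add message carries the `INSTANCE_TYPE_IS_NC_HEAD` bit, whereas the removed code waived it only for the root basedn; an object under an arbitrary non-existent parent therefore passes this module whenever the client sets that bit. MS-ADTS 3.1.1.5.2.2, which the commit cites, imposes further constraints on an NC add (placement of the new head, caller privilege) that are not checked here, so if they are meant to be enforced by another module that should be stated, and the unconditional `ldb_set_errstring(ldb, NULL)` after the `if` should not hide a failure from such a module. Suggested comment on the new `if`: `/* NC head: the parent lives in another partition, so a missing parent is expected here; the remaining NC-add constraints of MS-ADTS 3.1.1.5.2.2 are (presumably) enforced elsewhere - verify */`. objectclass_do_add begins and ends outside this hunk.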