s4:objectclass LDB module - deny the creation of "isCriticalSystemObject" entries

They're only allowed to be created with the RELAX control specified.
author: Matthias Dieter Wallnöfer <mdw@samba.org> 2010-10-11 18:41:05 +0200
committer: Matthias Dieter Wallnöfer <mdw@samba.org> 2010-10-13 13:35:21 +0000
commit: 4638bd11b59de1d771a34d328e3c287549cde54c (patch)
tree: dc625e4999d4625cfc18a5ef97f1f2dcf43fbdb6 /source4/dsdb
parent: 8806008024e353ede2a276937880cc9cd732d9dc (diff)
download: samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.gz
samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.bz2
samba-4638bd11b59de1d771a34d328e3c287549cde54c.zip
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 940290bace..86708eb820 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -734,6 +734,15 @@ static int objectclass_do_add(struct oc_context *ac)
 				return ret;
 			}
 		}
+
+		/* make sure that "isCriticalSystemObject" is not specified! */
+		el = ldb_msg_find_element(msg, "isCriticalSystemObject");
+		if ((el != NULL) &&
+                    !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+			ldb_set_errstring(ldb,
+					  "objectclass: 'isCriticalSystemObject' must not be specified!");
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
 	}
 
 	ret = ldb_msg_sanity_check(ldb, msg);
author	Matthias Dieter Wallnöfer <mdw@samba.org>	2010-10-11 18:41:05 +0200
committer	Matthias Dieter Wallnöfer <mdw@samba.org>	2010-10-13 13:35:21 +0000
commit	4638bd11b59de1d771a34d328e3c287549cde54c (patch)
tree	dc625e4999d4625cfc18a5ef97f1f2dcf43fbdb6 /source4/dsdb
parent	8806008024e353ede2a276937880cc9cd732d9dc (diff)
download	samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.gz samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.bz2 samba-4638bd11b59de1d771a34d328e3c287549cde54c.zip