diff options
author | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-10-11 18:41:05 +0200 |
---|---|---|
committer | Matthias Dieter Wallnöfer <mdw@samba.org> | 2010-10-13 13:35:21 +0000 |
commit | 4638bd11b59de1d771a34d328e3c287549cde54c (patch) | |
tree | dc625e4999d4625cfc18a5ef97f1f2dcf43fbdb6 /source4/dsdb | |
parent | 8806008024e353ede2a276937880cc9cd732d9dc (diff) | |
download | samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.gz samba-4638bd11b59de1d771a34d328e3c287549cde54c.tar.bz2 samba-4638bd11b59de1d771a34d328e3c287549cde54c.zip |
s4:objectclass LDB module - deny the creation of "isCriticalSystemObject" entries
They're only allowed to be created with the RELAX control specified.
Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 940290bace..86708eb820 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -734,6 +734,15 @@ static int objectclass_do_add(struct oc_context *ac) return ret; } } + + /* make sure that "isCriticalSystemObject" is not specified! */ + el = ldb_msg_find_element(msg, "isCriticalSystemObject"); + if ((el != NULL) && + !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) { + ldb_set_errstring(ldb, + "objectclass: 'isCriticalSystemObject' must not be specified!"); + return LDB_ERR_UNWILLING_TO_PERFORM; + } } ret = ldb_msg_sanity_check(ldb, msg); |