author | Matthieu Patou <mat@matws.net> | 2011-06-08 12:20:32 +0400 |
---|---|---|
committer | Andrew Tridgell <tridge@samba.org> | 2011-07-21 11:44:35 +1000 |
commit | 72ca5c39c9a911791af3d0abb8a146093b5e3e67 (patch) | |
tree | 88db0b835c4db90802b46dd49ac23d09619b5c3d /source4 | |
parent | 6362c9c30d213381c5b51783d4842bf83de5074b (diff) | |
s4-dsdb: Use controls provided during the request while searching for object to delete
If the parent request specifies the show_deleted control we must pass it on
to the internal search in order to be able to see the deleted objects.
Also, only trusted requests made with the system account are allowed to
remove deleted objects; all others receive LDB_ERR_UNWILLING_TO_PERFORM.
Diffstat (limited to 'source4')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index fd39937bc9..7ae90d353a 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1419,6 +1419,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 { static const char * const attrs[] = { "nCName", "objectClass", "systemFlags",
+ "isDeleted",
 "isCriticalSystemObject", NULL }; struct ldb_context *ldb; struct ldb_request *search_req;
@@ -1450,7 +1451,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 ret = ldb_build_search_req(&search_req, ldb, ac, req->op.del.dn, LDB_SCOPE_BASE, "(objectClass=*)",
- attrs, NULL,
+ attrs, req->controls,
 ac, get_search_callback, req); LDB_REQ_SET_LOCATION(search_req);
@@ -1505,6 +1506,17 @@ static int objectclass_do_delete(struct oc_context *ac)
 talloc_free(dn); }
+ /* Only trusted request from system account are allowed to delete
+ * deleted objects.
+ */
+ if (ldb_msg_check_string_attribute(ac->search_res->message, "isDeleted", "TRUE") &&
+ (ldb_req_is_untrusted(ac->req) ||
+ !dsdb_module_am_system(ac->module))) {
+ ldb_asprintf_errstring(ldb, "Delete of '%s' failed",
+ ldb_dn_get_linearized(ac->req->op.del.dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
 /* crossRef objects regarding config, schema and default domain NCs */ if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass", "crossRef") != NULL) { |
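Review bot: The internal base search now inherits every control attached to the client's delete request (`attrs, req->controls,`), not only the show_deleted control the description asks for, so any other control a caller puts on the delete is silently applied to the lookup as well. If only deleted-object visibility is needed, forwarding just that control, or at least stating why whole-list forwarding is acceptable here, would make the intent explicit; a comment above the call such as `/* forward the caller's controls so show_deleted is honoured by the lookup */` would record the reason. The remainder of objectclass_delete, including the handling of the ldb_build_search_req return value, lies outside this hunk.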
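Review bot: The refusal for an already-deleted object reports only `Delete of '%s' failed`, so a caller cannot distinguish this access-control rejection from any other delete failure; the message should name the reason, e.g. `ldb_asprintf_errstring(ldb, "Delete of deleted object '%s' is only allowed for the system account", ldb_dn_get_linearized(ac->req->op.del.dn));`. The new comment also reads awkwardly; `/* Only trusted requests from the system account may delete objects that are already deleted. */` states the rule more plainly. The check matches the literal value "TRUE" byte-for-byte, so if isDeleted can ever be stored in another spelling the guard would not fire — ldb_msg_find_attr_as_bool would be the tolerant form, worth confirming against how the attribute is written. objectclass_do_delete begins before this hunk.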