diff options
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass.c | 18 | ||||
-rwxr-xr-x | source4/dsdb/tests/python/ldap.py | 13 |
2 files changed, 29 insertions, 2 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 2e95eb5e91..d2b4f10838 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -1082,12 +1082,26 @@ static int objectclass_do_mod(struct oc_context *ac) break; } + /* Only one "objectclass" attribute change element per modify request + * allowed! */ + for (i = 0; i < ac->req->op.mod.message->num_elements; i++) { + if (ldb_attr_cmp(ac->req->op.mod.message->elements[i].name, + "objectClass") != 0) continue; + + if (ldb_msg_element_compare(&ac->req->op.mod.message->elements[i], + oc_el_change) != 0) { + ldb_set_errstring(ldb, + "objectclass: only one 'objectClass' attribute change per modify request allowed!"); + talloc_free(mem_ctx); + return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS; + } + } + ret = ldb_msg_add_empty(msg, "objectClass", LDB_FLAG_MOD_REPLACE, &oc_el_change); if (ret != LDB_SUCCESS) { - ldb_oom(ldb); talloc_free(mem_ctx); - return ret; + return ldb_oom(ldb); } /* Move from the linked list back into an ldb msg */ diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py index 26a0d720c5..0ac57d5247 100755 --- a/source4/dsdb/tests/python/ldap.py +++ b/source4/dsdb/tests/python/ldap.py @@ -310,6 +310,19 @@ class BasicTests(unittest.TestCase): except LdbError, (num, _): self.assertEquals(num, ERR_OBJECT_CLASS_VIOLATION) + # More than one change operation is not allowed + m = Message() + m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_DELETE, + "objectClass") + m["objectClass"] = MessageElement("bootableDevice", FLAG_MOD_ADD, + "objectClass") + try: + ldb.modify(m) + self.fail() + except LdbError, (num, _): + self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS) + # We cannot remove all object classes by an empty replace m = Message() m.dn = Dn(ldb, "cn=ldaptestuser,cn=users," + self.base_dn) |