summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c31
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass_attrs.c30
2 files changed, 29 insertions, 32 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index b72b9bb8e7..39f456dcca 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -565,37 +565,6 @@ static int objectclass_do_add(struct oc_context *ac)
for (current = sorted; current; current = current->next) {
const char *objectclass_name = current->objectclass->lDAPDisplayName;
- /* LSA-specific objectclasses per default not
- * allowed to be created over LDAP, so we need
- * to tell if this connection is LDAP (ie
- * marked as untrusted), and if the client is
- * adding these particular objectClass values
- * we must reject */
-
- /* Hongwei Sun from Microsoft explians:
- The constraint in 3.1.1.5.2.2 MS-ADTS means that the TDO
- cannot be added through LDAP interface, instead it can only be
- created through LSA Policy API. This is also explained in
- 7.1.6.9.7 MS-ADTS as follows:
-
- "Despite being replicated normally between peer DCs in a domain,
- the process of creating or manipulating TDOs is specifically
- restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section
- 3.1.1.5. Unlike other objects in the DS, TDOs may not be created or
- manipulated by client machines over the LDAPv3 transport."
- */
-
- if (ldb_req_is_untrusted(ac->req) &&
- ((strcasecmp(objectclass_name, "secret") == 0) ||
- (strcasecmp(objectclass_name, "trustedDomain") == 0))) {
- ldb_asprintf_errstring(ldb,
- "objectclass: object class '%s' is LSA-specific, rejecting creation of '%s' over LDAP!",
- objectclass_name,
- ldb_dn_get_linearized(msg->dn));
- talloc_free(mem_ctx);
- return LDB_ERR_UNWILLING_TO_PERFORM;
- }
-
ret = ldb_msg_add_string(msg, "objectClass", objectclass_name);
if (ret != LDB_SUCCESS) {
ldb_set_errstring(ldb,
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index ba1f7abad1..e0efd4ccaf 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -217,7 +217,7 @@ static int attr_handler2(struct oc_context *ac)
return ldb_operr(ldb);
}
- /* We rely here on the preceding "objectclass" LDB module which did
+ /* We rely here on the preceeding "objectclass" LDB module which did
* already fix up the objectclass list (inheritance, order...). */
oc_element = ldb_msg_find_element(ac->search_res->message,
"objectClass");
@@ -225,6 +225,34 @@ static int attr_handler2(struct oc_context *ac)
return ldb_operr(ldb);
}
+ /* LSA-specific object classes are not allowed to be created over LDAP,
+ * so we need to tell if this connection is internal (trusted) or not
+ * (untrusted).
+ *
+ * Hongwei Sun from Microsoft explains:
+ * The constraint in 3.1.1.5.2.2 MS-ADTS means that LSA objects cannot
+ * be added or modified through the LDAP interface, instead they can
+ * only be handled through LSA Policy API. This is also explained in
+ * 7.1.6.9.7 MS-ADTS as follows:
+ * "Despite being replicated normally between peer DCs in a domain,
+ * the process of creating or manipulating TDOs is specifically
+ * restricted to the LSA Policy APIs, as detailed in [MS-LSAD] section
+ * 3.1.1.5. Unlike other objects in the DS, TDOs may not be created or
+ * manipulated by client machines over the LDAPv3 transport."
+ */
+ if (ldb_req_is_untrusted(ac->req)) {
+ for (i = 0; i < oc_element->num_values; i++) {
+ if ((strcmp((char *)oc_element->values[i].data,
+ "secret") == 0) ||
+ (strcmp((char *)oc_element->values[i].data,
+ "trustedDomain") == 0)) {
+ ldb_asprintf_errstring(ldb, "objectclass_attrs: LSA objectclasses (entry '%s') cannot be created or changed over LDAP!",
+ ldb_dn_get_linearized(ac->search_res->message->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+ }
+
must_contain = dsdb_full_attribute_list(ac, ac->schema, oc_element,
DSDB_SCHEMA_ALL_MUST);
may_contain = dsdb_full_attribute_list(ac, ac->schema, oc_element,