diff options
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index bd4e0be646..62bc9ae8b2 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -240,6 +240,10 @@ static int attr_handler2(struct oc_context *ac) struct ldb_message_element *oc_element; struct ldb_message *msg; const char **must_contain, **may_contain, **found_must_contain; + /* There exists a hardcoded delete-protected attributes list in AD */ + const char *del_prot_attributes[] = { "nTSecurityDescriptor", + "objectSid", "sAMAccountType", "sAMAccountName", "groupType", + "primaryGroupID", "userAccountControl", NULL }, **l; const struct dsdb_attribute *attr; unsigned int i; bool found; @@ -268,9 +272,23 @@ static int attr_handler2(struct oc_context *ac) return ldb_operr(ldb); } + /* Check the delete-protected attributes list */ + msg = ac->search_res->message; + for (l = del_prot_attributes; *l != NULL; l++) { + found = str_list_check_ci(must_contain, *l); + if (!found) { + found = str_list_check_ci(may_contain, *l); + } + if (found && (ldb_msg_find_element(msg, *l) == NULL)) { + ldb_asprintf_errstring(ldb, "objectclass_attrs: delete protected attribute '%s' on entry '%s' missing!", + *l, + ldb_dn_get_linearized(msg->dn)); + return LDB_ERR_UNWILLING_TO_PERFORM; + } + } + /* Check if all specified attributes are valid in the given * objectclasses and if they meet additional schema restrictions. */ - msg = ac->search_res->message; for (i = 0; i < msg->num_elements; i++) { attr = dsdb_attribute_by_lDAPDisplayName(ac->schema, msg->elements[i].name); |