1 files changed, 13 insertions, 1 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 042d26b981..5b76a0b946 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -180,7 +180,7 @@ static int attr_handler2(struct oc_context *ac)
 	}
 
 	/* Check if all specified attributes are valid in the given
-	 * objectclasses. */
+	 * objectclasses and if they meet additional schema restrictions. */
 	msg = ac->search_res->message;
 	for (i = 0; i < msg->num_elements; i++) {
 		attr = dsdb_attribute_by_lDAPDisplayName(ac->schema,
@@ -189,6 +189,18 @@ static int attr_handler2(struct oc_context *ac)
 			return LDB_ERR_OPERATIONS_ERROR;
 		}
 
+		/* Check if they're single-valued if this is requested */
+		if ((msg->elements[i].num_values > 1) && (attr->isSingleValued)) {
+			ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is single-valued!",
+					       msg->elements[i].name,
+					       ldb_dn_get_linearized(msg->dn));
+			if (ac->req->operation == LDB_ADD) {
+				return LDB_ERR_CONSTRAINT_VIOLATION;
+			} else {
+				return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+			}
+		}
+
 		/* We can use "str_list_check" with "strcmp" here since the
 		 * attribute informations from the schema are always equal
 		 * up-down-cased. */