summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/objectclass.c17
1 files changed, 16 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 86708eb820..02c3e4680f 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1348,7 +1348,8 @@ static int objectclass_do_delete(struct oc_context *ac);
static int objectclass_delete(struct ldb_module *module, struct ldb_request *req)
{
static const char * const attrs[] = { "nCName", "objectClass",
- "systemFlags", NULL };
+ "systemFlags",
+ "isCriticalSystemObject", NULL };
struct ldb_context *ldb;
struct ldb_request *search_req;
struct oc_context *ac;
@@ -1397,6 +1398,7 @@ static int objectclass_do_delete(struct oc_context *ac)
struct ldb_context *ldb;
struct ldb_dn *dn;
int32_t systemFlags;
+ bool isCriticalSystemObject;
int ret;
ldb = ldb_module_get_ctx(ac->module);
@@ -1466,6 +1468,19 @@ static int objectclass_do_delete(struct oc_context *ac)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* isCriticalSystemObject - but this only applies on tree delete
+ * operations - MS-ADTS 3.1.1.5.5.7.2 */
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_TREE_DELETE_OID) != NULL) {
+ isCriticalSystemObject = ldb_msg_find_attr_as_bool(ac->search_res->message,
+ "isCriticalSystemObject", false);
+ if (isCriticalSystemObject) {
+ ldb_asprintf_errstring(ldb,
+ "objectclass: Cannot tree-delete %s, it's a critical system object!",
+ ldb_dn_get_linearized(ac->req->op.del.dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
return ldb_next_request(ac->module, ac->req);
}