From 3411e71c76dd01ae505c0c87fa43b794e63c4091 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mdw@samba.org>
Date: Wed, 13 Oct 2010 17:06:28 +0200
Subject: s4:samldb LDB module - deny creation of temporary duplicate accounts

---
 source4/dsdb/samdb/ldb_modules/samldb.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index c31e1ad4bf..4d7b8a1b6d 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -830,6 +830,12 @@ static int samldb_objectclass_trigger(struct samldb_ctx *ac)
 			/* Step 1.3: "userAccountControl" -> "sAMAccountType" mapping */
 			user_account_control = strtoul((const char *)el->values[0].data,
 						       NULL, 0);
+
+			/* Temporary duplicate accounts aren't allowed */
+			if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+				return LDB_ERR_OTHER;
+			}
+
 			account_type = ds_uf2atype(user_account_control);
 			if (account_type == 0) {
 				ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
@@ -1386,6 +1392,12 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
 		user_account_control = strtoul((const char *)el->values[0].data,
 			NULL, 0);
+
+		/* Temporary duplicate accounts aren't allowed */
+		if ((user_account_control & UF_TEMP_DUPLICATE_ACCOUNT) != 0) {
+			return LDB_ERR_OTHER;
+		}
+
 		account_type = ds_uf2atype(user_account_control);
 		if (account_type == 0) {
 			ldb_set_errstring(ldb, "samldb: Unrecognized account type!");
-- 
cgit