From 7f46a91e7764766460cb374b5cc65e769184d91f Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Fri, 18 Jun 2010 21:10:19 +0200
Subject: s4:rootdse LDB module - protect add and delete operations on the rootdse entry
---
 source4/dsdb/samdb/ldb_modules/rootdse.c | 38 ++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/rootdse.c b/source4/dsdb/samdb/ldb_modules/rootdse.c
index d24ed42a38..7c1a4f4b8f 100644
--- a/source4/dsdb/samdb/ldb_modules/rootdse.c
+++ b/source4/dsdb/samdb/ldb_modules/rootdse.c
@@ -960,9 +960,24 @@ static int rootdse_schemaupdatenow(struct ldb_module *module, struct ldb_request
 	return ldb_module_done(req, NULL, NULL, ret);
 }
 
+static int rootdse_add(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+
+	/*
+		If dn is not "" we should let it pass through
+	*/
+	if (!ldb_dn_is_null(req->op.add.message->dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	ldb_set_errstring(ldb, "rootdse_add: you cannot add a new rootdse entry!");
+	return LDB_ERR_NAMING_VIOLATION;
+}
+
 static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 {
-	struct ldb_context *ldb;
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
 
 	/*
 		If dn is not "" we should let it pass through
@@ -971,8 +986,6 @@ static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 		return ldb_next_request(module, req);
 	}
 
-	ldb = ldb_module_get_ctx(module);
-
 	/* dn is empty so check for schemaUpdateNow attribute "The type of modification and values specified in the LDAP modify operation do not matter." MSDN
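Review bot: The pass-through test in `rootdse_add` is now the third copy of the same `ldb_dn_is_null(...)` guard — `rootdse_modify` carries it in the context lines just below and `rootdse_delete` repeats it in the next hunk — so a later change to one copy (for instance handling an invalid or NULL DN differently) would silently diverge from the others; a small `static bool rootdse_is_rootdse_dn(struct ldb_dn *dn)` helper, or at minimum one shared comment stating why the empty DN must be refused, would keep the three in step. As far as I recall, `ldb_dn_is_null` returns false for a NULL or invalid DN, so such requests fall through to `ldb_next_request` without this module objecting; that is probably the intended layering but deserves a line in the comment, e.g. `/* NULL/invalid DNs are not the rootDSE; let the next module reject them */`. The copied two-line comment `If dn is not "" we should let it pass through` would also read better as `/* Only the empty DN (the rootDSE) is handled here; everything else passes through */`. rootdse_add is complete within this hunk.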
@@ -989,10 +1002,27 @@ static int rootdse_modify(struct ldb_module *module, struct ldb_request *req)
 	return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 
+static int rootdse_delete(struct ldb_module *module, struct ldb_request *req)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+
+	/*
+		If dn is not "" we should let it pass through
+	*/
+	if (!ldb_dn_is_null(req->op.del.dn)) {
+		return ldb_next_request(module, req);
+	}
+
+	ldb_set_errstring(ldb, "rootdse_remove: you cannot delete the rootdse entry!");
+	return LDB_ERR_NO_SUCH_OBJECT;
+}
+
 _PUBLIC_ const struct ldb_module_ops ldb_rootdse_module_ops = {
 	.name		= "rootdse",
 	.init_context   = rootdse_init,
 	.search		= rootdse_search,
 	.request	= rootdse_request,
-	.modify		= rootdse_modify
+	.add		= rootdse_add,
+	.modify		= rootdse_modify,
+	.del		= rootdse_delete
 };
-- cgit
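Review bot: The error string in `rootdse_delete` names a function that does not exist — it says `rootdse_remove:` while the function is `rootdse_delete`, so anyone grepping logs for the prefix will not find the code; use `ldb_set_errstring(ldb, "rootdse_delete: you cannot delete the rootdse entry!");`. Returning `LDB_ERR_NO_SUCH_OBJECT` also tells the client the rootDSE does not exist, although this very module serves it through `.search = rootdse_search` and `rootdse_modify` (first context line of the hunk) refuses the same entry with `LDB_ERR_UNWILLING_TO_PERFORM`; aligning the delete path on that code would make the module's answers consistent. The ops table now sets `.add`, `.modify` and `.del` but still leaves `.rename` unset, so whether a rename with an empty `olddn` or `newdn` can reach the lower modules depends on layers outside this file — if it can, a `rootdse_rename` applying the same guard to `req->op.rename.olddn` and `req->op.rename.newdn` would complete the protection this commit sets out to add. Both the function and the table are complete within this hunk.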