From dcee196f3e5d5673282aaa19fbbb7696d2c1aa0a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 24 Nov 2009 10:22:10 +1100
Subject: s4:operational LDB module - Prevent the modification of operational
 attributes

(merged by Andrew Bartlett)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/operational.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'source4/dsdb/samdb/ldb_modules')

diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index e48f91bac0..46d4745068 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -434,8 +434,24 @@ static int operational_init(struct ldb_module *ctx)
 	return LDB_SUCCESS;
 }
 
+static int operational_modify(struct ldb_module *module, struct ldb_request *req)
+{
+	unsigned int i;
+
+	for (i = 0; i < ARRAY_SIZE(search_sub); i++) {
+		if (ldb_msg_find_element(req->op.mod.message, search_sub[i].attr) != NULL) {
+			/* operational attributes cannot be changed! */
+			return LDB_ERR_CONSTRAINT_VIOLATION;
+		}
+	}
+
+	/* No operational attribute will be changed -> go on */
+	return ldb_next_request(module, req);
+}
+
 const struct ldb_module_ops ldb_operational_module_ops = {
 	.name              = "operational",
 	.search            = operational_search,
+	.modify            = operational_modify,
 	.init_context	   = operational_init
 };
-- 
cgit