From fedd4aa3cb7a0d4b895ec040d74cfbfbee42cac5 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Tue, 19 Oct 2010 15:14:53 +0200 Subject: s4:objectclass_attrs LDB module - deny multi-valued replace requests This is the AD behaviour. But on attributes with the flag "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" it is allowed. --- source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c index 2024a33d55..b3f7048a39 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c @@ -139,6 +139,19 @@ static int attr_handler(struct oc_context *ac) } } + /* Multi-valued replace operations are generally denied but + * there do exist exceptions where attributes have the flag + * "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" set. */ + if ((ac->req->operation == LDB_MODIFY) && + (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_REPLACE) && + (msg->elements[i].num_values > 1) && + ((attr->systemFlags & DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) == 0)) { + ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is replaced multi-valued!", + msg->elements[i].name, + ldb_dn_get_linearized(msg->dn)); + return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS; + } + /* Substitute the attribute name to match in case */ msg->elements[i].name = attr->lDAPDisplayName; } -- cgit