From 9bcb656bba21eb1a27befe642051bf761ede6278 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Wed, 6 Oct 2010 19:30:56 +0200
Subject: s4:samldb LDB module - deny also the direct modification of "isCriticalSystemObject" on modify operations
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
(limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 9fc3905332..ce17eecaf0 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1247,11 +1247,22 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 ldb = ldb_module_get_ctx(module);
- if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
- ldb_asprintf_errstring(ldb,
- "sAMAccountType must not be specified!");
+ /* make sure that "sAMAccountType" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: sAMAccountType must not be specified!");
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
+ /* make sure that "isCriticalSystemObject" is not specified */
+ el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
+ if (el != NULL) {
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: isCriticalSystemObject must not be specified!");
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
 /* msDS-IntId is not allowed to be modified
 * except when modification comes from replication */
-- cgit
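Review bot: The new isCriticalSystemObject check is skipped whenever the request carries LDB_CONTROL_RELAX_OID, while the sAMAccountType check just above it is unconditional, and nothing in the hunk explains why the two differ or who may attach that control. If the relax control can reach this module on a request from an unprivileged client, the deny is bypassable, so it is worth confirming that the control is stripped or privilege-checked earlier in the module stack and recording that at the test, e.g. `/* RELAX control: accepted only from <trusted callers; enforced in MODULE> */`. The nested test can also be flattened to `if (el != NULL && ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {`. samldb_modify begins and continues outside the hunk, so the declaration of `el` and any other handling of the control are not visible here.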