From b6efbd5b4c5ba3a2e2040033b6b634d60ed2d3f5 Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Thu, 26 Nov 2009 10:54:20 +0100 Subject: s4:objectclass LDB module - Prevent write operations on constructed attributes --- source4/dsdb/samdb/ldb_modules/objectclass.c | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) (limited to 'source4/dsdb/samdb') diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c index 53c1cc7574..82b8835b0b 100644 --- a/source4/dsdb/samdb/ldb_modules/objectclass.c +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c @@ -366,9 +366,12 @@ static int fix_dn(TALLOC_CTX *mem_ctx, } /* Fix all attribute names to be in the correct case, and check they are all valid per the schema */ -static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *schema, struct ldb_message *msg) +static int fix_check_attributes(struct ldb_context *ldb, + const struct dsdb_schema *schema, + struct ldb_message *msg, + enum ldb_request_type op) { - int i; + unsigned int i; for (i=0; i < msg->num_elements; i++) { const struct dsdb_attribute *attribute = dsdb_attribute_by_lDAPDisplayName(schema, msg->elements[i].name); /* Add in a very special case for 'clearTextPassword', @@ -382,6 +385,16 @@ static int fix_attributes(struct ldb_context *ldb, const struct dsdb_schema *sch } } else { msg->elements[i].name = attribute->lDAPDisplayName; + + /* We have to deny write operations on constructed attributes */ + if ((attribute->systemFlags & DS_FLAG_ATTR_IS_CONSTRUCTED) != 0) { + if (op == LDB_ADD) { + return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE; + } else { + return LDB_ERR_CONSTRAINT_VIOLATION; + } + } + } } @@ -500,7 +513,7 @@ static int objectclass_do_add(struct oc_context *ac) } if (schema) { - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, ac->req->operation); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; @@ -738,7 +751,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { return ret; } @@ -775,7 +788,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { talloc_free(mem_ctx); return ret; @@ -851,7 +864,7 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req return LDB_ERR_OPERATIONS_ERROR; } - ret = fix_attributes(ldb, schema, msg); + ret = fix_check_attributes(ldb, schema, msg, req->operation); if (ret != LDB_SUCCESS) { ldb_oom(ldb); return ret; -- cgit