From be091eddec3715c5807f03fdc3d83ffc5a857433 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 11 Nov 2011 16:43:18 +0100
Subject: s4:dsdb/schema_data: reject changes to schemaInfo, msDs-Schema-Extensions, msDS-IntId As windows we return CONSTRAINT_VIOLATION now. metze
---
 source4/dsdb/samdb/ldb_modules/schema_data.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 (limited to 'source4/dsdb/samdb')
diff --git a/source4/dsdb/samdb/ldb_modules/schema_data.c b/source4/dsdb/samdb/ldb_modules/schema_data.c
index 3d50d99ac2..acf8186fb1 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_data.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_data.c
@@ -275,6 +275,34 @@ static int schema_data_modify(struct ldb_module *module, struct ldb_request *req
 cmp = ldb_dn_compare(req->op.mod.message->dn, schema->base_dn);
 if (cmp == 0) {
+ static const char * const constrained_attrs[] = {
+ "schemaInfo",
+ "prefixMap",
+ "msDs-Schema-Extensions",
+ "msDS-IntId",
+ NULL
+ };
+ size_t i;
+ struct ldb_message_element *el;
+
+ if (ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID)) {
+ return ldb_next_request(module, req);
+ }
+
+ for (i=0; constrained_attrs[i]; i++) {
+ el = ldb_msg_find_element(req->op.mod.message,
+ constrained_attrs[i]);
+ if (el == NULL) {
+ continue;
+ }
+
+ ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+ "schema_data_modify: reject update "
+ "of attribute[%s]\n",
+ constrained_attrs[i]);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+
 return ldb_next_request(module, req);
 }
-- cgit
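Review bot: The `LDB_CONTROL_AS_SYSTEM_OID` early return in the `cmp == 0` branch is the only thing separating a rejected write to `schemaInfo` or `prefixMap` from an accepted one, so the new check is only as strong as whatever keeps that control off client-originated requests, and nothing in this hunk shows or documents that. I would add a comment above the bypass such as `/* as_system is attached by internal callers only; it must never be honoured when it arrives on a network request */` and confirm that the front ends strip or refuse the control. The list also constrains `prefixMap`, which the commit subject does not mention, and `el` is used only for the NULL test. `schema_data_modify` begins and ends outside the hunk, so how `msDS-IntId` is handled on objects below the schema base DN cannot be judged from here.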