From 70cc9fd5c62f385d6e94380597f02da80cea3649 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Thu, 22 Apr 2010 13:32:55 +1000
Subject: s4-dsdb: moved rodc schema validation to samldb.c

This means we are only doing the checks for schema changes

Pair-Programmed-With: Andrew Bartlett
---
 source4/dsdb/samdb/ldb_modules/objectclass.c | 33 -------------------------
 source4/dsdb/samdb/ldb_modules/samldb.c | 37 ++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 33 deletions(-)
(limited to 'source4/dsdb')

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e51038d06f..329bd81ae3 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -378,27 +378,6 @@ static int fix_check_attributes(struct ldb_context *ldb,
 	return LDB_SUCCESS;
 }
 
-/*
- * return true if msg carries an attributeSchema that is intended to be RODC
- * filtered but is also a system-critical attribute.
- */
-static bool check_rodc_critical_attribute(struct ldb_message *msg)
-{
-	uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
-
-	schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
-	searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
-	rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
-
-	if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
-	    ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
-		return true;
-	} else {
-		return false;
-	}
-}
-
-
 static int objectclass_do_add(struct oc_context *ac);
 
 static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
@@ -425,12 +404,6 @@ static int objectclass_add(struct ldb_module *module, struct ldb_request *req)
 		return LDB_ERR_OBJECT_CLASS_VIOLATION;
 	}
 
-	/* do not allow to mark an attributeSchema as RODC filtered if it
-	 * is system-critical */
-	if (check_rodc_critical_attribute(req->op.add.message)) {
-		return LDB_ERR_UNWILLING_TO_PERFORM;
-	}
-
 	ac = oc_init_context(module, req);
 	if (ac == NULL) {
 		return LDB_ERR_OPERATIONS_ERROR;
@@ -749,12 +722,6 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
 
-	/* do not allow to mark an attributeSchema as RODC filtered if it
-	 * is system-critical */
-	if (check_rodc_critical_attribute(req->op.mod.message)) {
-		return LDB_ERR_UNWILLING_TO_PERFORM;
-	}
-
 	ac = oc_init_context(module, req);
 	if (ac == NULL) {
 		ldb_oom(ldb);
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index c3a95f1618..375b624e79 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -826,6 +826,26 @@ static int samldb_add_entry(struct samldb_ctx *ac)
 	return ldb_next_request(ac->module, req);
 }
 
+/*
+ * return true if msg carries an attributeSchema that is intended to be RODC
+ * filtered but is also a system-critical attribute.
+ */
+static bool check_rodc_critical_attribute(struct ldb_message *msg)
+{
+	uint32_t schemaFlagsEx, searchFlags, rodc_filtered_flags;
+
+	schemaFlagsEx = ldb_msg_find_attr_as_uint(msg, "schemaFlagsEx", 0);
+	searchFlags = ldb_msg_find_attr_as_uint(msg, "searchFlags", 0);
+	rodc_filtered_flags = (SEARCH_FLAG_RODC_ATTRIBUTE | SEARCH_FLAG_CONFIDENTIAL);
+
+	if ((schemaFlagsEx & SCHEMA_FLAG_ATTR_IS_CRITICAL) &&
+	    ((searchFlags & rodc_filtered_flags) == rodc_filtered_flags)) {
+		return true;
+	} else {
+		return false;
+	}
+}
+
 static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 {
 
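Review bot: The header comment on check_rodc_critical_attribute in the samldb.c hunk still describes it as checking "an attributeSchema", but the helper only reads `schemaFlagsEx` and `searchFlags` out of the message it is handed, defaulting each to 0 when absent, so it can only reach a sound verdict where the message carries the whole object. On a modify message that carries just one of the two attributes it would silently return false, which matters now that it is the sole copy of this check. I'd state that contract in the comment: `/* Only meaningful on a complete object (add): flags missing from msg default to 0, so a partial modify message is not compared against the stored values. */`.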
@@ -885,6 +905,15 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 					  "rdnAttId", "cn");
 	if (ret != LDB_SUCCESS) return ret;
 
+	/* do not allow to mark an attributeSchema as RODC filtered if it
+	 * is system-critical */
+	if (check_rodc_critical_attribute(ac->msg)) {
+		ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical class with RODC filtering",
+				       ldb_dn_get_linearized(ac->msg->dn));
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
+
+
 	rdn_value = ldb_dn_get_rdn_val(ac->msg->dn);
 	if (!ldb_msg_find_element(ac->msg, "lDAPDisplayName")) {
 		/* the RDN has prefix "CN" */
@@ -932,6 +961,14 @@ static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
 		}
 	}
 
+	/* do not allow to mark an attributeSchema as RODC filtered if it
+	 * is system-critical */
+	if (check_rodc_critical_attribute(ac->msg)) {
+		ldb_asprintf_errstring(ldb, "Refusing schema add of %s - cannot combine critical attribute with RODC filtering",
+				       ldb_dn_get_linearized(ac->msg->dn));
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
+
 	ret = samdb_find_or_add_attribute(ldb, ac->msg,
 					  "isSingleValued", "FALSE");
 	if (ret != LDB_SUCCESS) return ret;
-- cgit
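Review bot: The check added in the first samldb_fill_object hunk sits in what looks like the classSchema branch (the surrounding lines set rdnAttId and derive lDAPDisplayName from a CN RDN, and the error string says "critical class"), yet the comment copied along with it still talks about an attributeSchema. As far as I know searchFlags is an attribute of attributeSchema objects, not classSchema ones, so unless classSchema entries can carry it this condition can never hold here and the guard is dead code; worth confirming against the schema definition before keeping it. At minimum the comment should say what is actually guarded: `/* do not allow a system-critical classSchema to be marked RODC filtered */`. samldb_fill_object starts before this hunk.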
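Review bot: With the objectclass_modify check deleted in the earlier objectclass.c hunk, the guard added in the second samldb_fill_object hunk is the only remaining enforcement, and its error string ("Refusing schema add") together with the message-only flag lookup suggests it runs on the add path alone; nothing in this patch re-checks a modify that sets searchFlags to RODC_ATTRIBUTE|CONFIDENTIAL on an existing critical attributeSchema, or that marks an already RODC-filtered attribute critical via schemaFlagsEx. If samldb_fill_object is not reached on modify, this is a narrowing of the protection rather than a relocation, and an equivalent check belongs in samldb's modify path, reading the stored object's value for whichever of the two attributes the request does not carry. Either way the commit message should say whether modify is still covered, since it claims the checks are now done "only" for schema changes. samldb_fill_object's body starts before and continues after this hunk.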