From 802e3b4e1f2e0fdc7fc11ed7881dade261bfa34a Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer <mdw@samba.org>
Date: Tue, 26 Oct 2010 12:08:02 +0200
Subject: s4:samldb LDB module - enhance the "member"-check trigger

- Also multi-valued "member" attributes are allowed
- When you try to delete a member from a group which has it primary group set
  exactly to this group you get "UNWILLING_TO_PERFORM"
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

(limited to 'source4/dsdb')

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 26022b7e3c..924c05e254 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1158,7 +1158,12 @@ static int samldb_member_check(struct samldb_ctx *ac)
 		}
 
 		if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) {
-			return LDB_ERR_ENTRY_ALREADY_EXISTS;
+			if (LDB_FLAG_MOD_TYPE(el->flags)
+			    == LDB_FLAG_MOD_DELETE) {
+				return LDB_ERR_UNWILLING_TO_PERFORM;
+			} else {
+				return LDB_ERR_ENTRY_ALREADY_EXISTS;
+			}
 		}
 	}
 
@@ -1463,8 +1468,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 	}
 
 	el = ldb_msg_find_element(ac->msg, "member");
-	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)
-	    && el->num_values == 1) {
+	if (el != NULL) {
 		ret = samldb_member_check(ac);
 		if (ret != LDB_SUCCESS) {
 			return ret;
-- 
cgit