From 4b97e7c8f20b125015417bcf440128f843ac648f Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Mon, 8 Nov 2010 10:16:45 +0100
Subject: s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Autobuild-User: Matthias Dieter Wallnöfer
Autobuild-Date: Mon Nov 8 10:36:50 UTC 2010 on sn-devel-104
---
 source4/dsdb/samdb/ldb_modules/objectguid.c | 8 ++++++++
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 9 +++++++++
 source4/dsdb/tests/python/ldap.py | 12 ++++++++++++
 3 files changed, 29 insertions(+)
(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/objectguid.c b/source4/dsdb/samdb/ldb_modules/objectguid.c
index f21660c4ae..bc3260cf0d 100644
--- a/source4/dsdb/samdb/ldb_modules/objectguid.c
+++ b/source4/dsdb/samdb/ldb_modules/objectguid.c
@@ -185,6 +185,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 struct ldb_context *ldb;
 struct ldb_request *down_req;
 struct ldb_message *msg;
+ struct ldb_message_element *el;
 int ret;
 time_t t = time(NULL);
 uint64_t seq_num;
@@ -199,6 +200,13 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
 return ldb_next_request(module, req);
 }
+ el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+ if (el != NULL) {
+ ldb_set_errstring(ldb,
+ "objectguid: objectGUID must not be specified!");
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ ac = talloc(req, struct og_context);
 if (ac == NULL) {
 return ldb_oom(ldb);
diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
index 95cd0694fc..7838b65fdf 100644
--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
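Review bot: The new check in objectguid_modify() has no comment saying why a modify that names objectGUID is refused, and the error string alone does not explain it. I would put `/* objectGUID is the object's permanent identifier: reject any modify that names it, whatever the mod flags or value count */` above the `ldb_msg_find_element()` call, because testing for the element rather than for a value is what makes a valueless `delete` or `replace` fail as well. The rejection also sets only the error string, while repl_meta_data.c in this same commit reports the same condition through `ldb_debug_set(ldb, LDB_DEBUG_ERROR, ...)`; one style should be picked if these attempts are meant to be visible in the logs. The body of objectguid_modify() starts and ends outside the hunk.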
@@ -2147,6 +2147,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 struct loadparm_context *lp_ctx;
 char *referral;
 unsigned int functional_level;
+ const DATA_BLOB *guid_blob;
 /* do not manipulate our control entries */
 if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -2166,6 +2167,14 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
 return LDB_ERR_OPERATIONS_ERROR;
 }
+ guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
+ if ( guid_blob != NULL ) {
+ ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+ "replmd_modify: it's not allowed to change the objectGUID\n");
+ talloc_free(ac);
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ /* we have to copy the message as the caller might have it as a const */
 msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
 if (msg == NULL) {
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 26969cca3c..833e141b7d 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1324,6 +1324,18 @@ objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
 self.assertTrue("whenCreated" in res[0])
 self.assertTrue("whenChanged" in res[0])
+ # The objectGUID cannot directly be changed
+ try:
+ self.ldb.modify_ldif("""
+dn: cn=ldaptestcontainer,""" + self.base_dn + """
+changetype: modify
+replace: objectGUID
+objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
+""")
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+ self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
 def test_parentGUID(self):
-- cgit
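Review bot: The guard in replmd_modify() looks up a value rather than the element, so a modification that names objectGUID with no values is not rejected here: `ldb_msg_find_ldb_val()` returns NULL when the element is absent or has zero values, which is the form a valueless `delete:` or `replace:` takes. objectguid.c in this commit tests element presence instead; doing the same here, `if (ldb_msg_find_element(req->op.mod.message, "objectGUID") != NULL) {`, closes the gap and lets the `guid_blob` declaration added in the first hunk go. Whether a later module would still refuse the valueless form is not visible from this diff. The message passed to `ldb_debug_set()` ends in `\n`, which the objectguid.c error string does not. replmd_modify() continues outside both hunks.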
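Review bot: The added test only sends `replace: objectGUID` with a value, so the other ways a modify can name the attribute are untested. Cases for `add: objectGUID` and for a `delete: objectGUID` with no value line, each expecting `ERR_CONSTRAINT_VIOLATION`, would pin the behaviour for every mod type. `self.fail()` is also called without a message, so a regression would not say which request was accepted; `self.fail("objectGUID replace was accepted")` would. The enclosing test method starts outside the hunk.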