From 72ca5c39c9a911791af3d0abb8a146093b5e3e67 Mon Sep 17 00:00:00 2001
From: Matthieu Patou
Date: Wed, 8 Jun 2011 12:20:32 +0400
Subject: s4-dsdb: Use controls provided during the request while searching for object to delete

If the parent request specify the show_deleted control we must use it in order to be able to see the deleted objects. Also we just allow to trusted connections with the system account to remove deleted objects, others receive an unwilling to perform.
---
 source4/dsdb/samdb/ldb_modules/objectclass.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index fd39937bc9..7ae90d353a 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1419,6 +1419,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 {
 static const char * const attrs[] = { "nCName", "objectClass", "systemFlags",
+ "isDeleted",
 "isCriticalSystemObject", NULL };
 struct ldb_context *ldb;
 struct ldb_request *search_req;
@@ -1450,7 +1451,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 ret = ldb_build_search_req(&search_req, ldb, ac,
 req->op.del.dn, LDB_SCOPE_BASE,
 "(objectClass=*)",
- attrs, NULL,
+ attrs, req->controls,
 ac, get_search_callback,
 req);
 LDB_REQ_SET_LOCATION(search_req);
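Review bot: Passing `req->controls` to `ldb_build_search_req` forwards every control attached to the client's delete request into the internal base search, whereas the commit message only asks for show_deleted to be honoured; controls that were meant for the delete operation itself now also reach the search path, and a critical control that no module on the search path handles could presumably change the outcome of that search. If the intent is only visibility of deleted objects, consider looking up that single control with `ldb_request_get_control(req, LDB_CONTROL_SHOW_DELETED_OID)` and passing a one-element control list in place of `req->controls`, or, if forwarding everything is deliberate, say so above the call: `/* forward the caller's controls so a request carrying show_deleted can find the deleted object it is removing */`. The `"isDeleted"` attribute added to attrs in the first hunk is what the later check in objectclass_do_delete depends on, so the two hunks should stay together. objectclass_delete continues outside the hunk, so the handling of `ret` after `LDB_REQ_SET_LOCATION` is not visible here.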
@@ -1505,6 +1506,17 @@ static int objectclass_do_delete(struct oc_context *ac)
 talloc_free(dn);
 }
 
+ /* Only trusted request from system account are allowed to delete
+ * deleted objects.
+ */
+ if (ldb_msg_check_string_attribute(ac->search_res->message, "isDeleted", "TRUE") &&
+ (ldb_req_is_untrusted(ac->req) ||
+ !dsdb_module_am_system(ac->module))) {
+ ldb_asprintf_errstring(ldb, "Delete of '%s' failed",
+ ldb_dn_get_linearized(ac->req->op.del.dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
 /* crossRef objects regarding config, schema and default domain NCs */
 if (samdb_find_attribute(ldb, ac->search_res->message,
 "objectClass", "crossRef") != NULL) {
-- 
cgit
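Review bot: The error string `"Delete of '%s' failed"` in the new isDeleted branch gives the caller no hint why an otherwise well-formed delete was refused, and this branch is the only place the policy is reported; `ldb_asprintf_errstring(ldb, "Delete of deleted object '%s' refused: only trusted requests from the system account may remove deleted objects", ldb_dn_get_linearized(ac->req->op.del.dn));` would make the LDB_ERR_UNWILLING_TO_PERFORM self-explanatory in server logs and client diagnostics. The check can only fire when the preceding base search returned isDeleted, which presumably requires the caller to have sent the show_deleted control that objectclass_delete now forwards; if that coupling is intended, the comment should state it. The comment itself should read `/* Only trusted requests from the system account are allowed to delete deleted objects. */`. objectclass_do_delete starts and ends outside the hunk.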