From ace6f52d57e40d3e198f844fd3f2f35392ffc620 Mon Sep 17 00:00:00 2001
From: Matthias Dieter Wallnöfer
Date: Thu, 5 Aug 2010 21:01:38 +0200
Subject: s4:objectclass LDB module - "add operation" - deny multiple "objectclass" message elements

Requested by MS-ADTS 3.1.1.5.2.2
---
 source4/dsdb/samdb/ldb_modules/objectclass.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
(limited to 'source4')

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index a3fa39e80a..59f6cb0191 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -509,17 +509,26 @@ static int objectclass_do_add(struct oc_context *ac)
 		return ret;
 	}
 
-	ldb_msg_remove_attr(msg, "objectClass");
+	ldb_msg_remove_element(msg, objectclass_element);
+
+	/* Well, now we shouldn't find any additional "objectClass"
+	 * message element (required by the AD specification). */
+	objectclass_element = ldb_msg_find_element(msg, "objectClass");
+	if (objectclass_element != NULL) {
+		ldb_asprintf_errstring(ldb, "objectclass: Cannot add %s, only one 'objectclass' attribute specification is allowed!",
+				       ldb_dn_get_linearized(msg->dn));
+		talloc_free(mem_ctx);
+		return LDB_ERR_OBJECT_CLASS_VIOLATION;
+	}
+
+	/* We must completely replace the existing objectClass entry,
+	 * because we need it sorted. */
 	ret = ldb_msg_add_empty(msg, "objectClass", 0, NULL);
-
 	if (ret != LDB_SUCCESS) {
 		talloc_free(mem_ctx);
 		return ret;
 	}
 
-	/* We must completely replace the existing objectClass entry,
-	 * because we need it sorted */
-
 	/* Move from the linked list back into an ldb msg */
 	for (current = sorted; current; current = current->next) {
 		value = talloc_strdup(msg, current->objectclass->lDAPDisplayName);
-- 
cgit
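Review bot: The duplicate-element check is placed after `ldb_msg_remove_element(msg, objectclass_element);` and after the sorted class list has already been built, so a request that ends up rejected with LDB_ERR_OBJECT_CLASS_VIOLATION has had its first objectClass element consumed and the sorting work done before the violation is detected; looking for a second "objectClass" element right after the initial lookup at the top of objectclass_do_add (outside this hunk) would fail fast and leave msg untouched on the error path. This presumably does not affect correctness here, since mem_ctx is freed and the whole add fails, but validating the input shape before mutating it is easier to reason about and to audit. The error text also spells the attribute 'objectclass' while the code and the new comment use "objectClass"; `"objectclass: Cannot add %s, only one 'objectClass' attribute specification is allowed!"` would keep the message consistent with the schema name. objectclass_do_add begins outside the hunk.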