s4:dsdb - make the RELAX control private

This makes our LDAP much more secure and less error-prone.

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Oct 16 19:43:36 UTC 2010 on sn-devel-104

diff --git a/source4/lib/ldb/include/ldb.h b/source4/lib/ldb/include/ldb.h
index 7f4752e252fadbb1c2551341920e9dafdecbf6fa..d346b0f2d44b1b3e150aab7a84a121540fd244ff 100644 (file)
--- a/source4/lib/ldb/include/ldb.h
+++ b/source4/lib/ldb/include/ldb.h
@@ -510,6 +510,12 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
 */
 #define LDB_CONTROL_AS_SYSTEM_OID "1.3.6.1.4.1.7165.4.3.7"
 
+/**
+   LDB_CONTROL_RELAX_OID relaxes some of the AD constraints to allow some
+   special operations - should be used carefully!
+*/
+#define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
+
 /* AD controls */
 
 /**
@@ -667,14 +673,6 @@ typedef int (*ldb_qsort_cmp_fn_t) (void *v1, void *v2, void *opaque);
 
 /* Other standardised controls */
 
-/**
-   OID for the allowing client to request temporary relaxed
-   enforcement of constraints of the x.500 model.
-
-   \sa <a href="http://opends.dev.java.net/public/standards/draft-zeilenga-ldap-managedit.txt">draft managedit</a>.
-*/
-#define LDB_CONTROL_RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
-
 /*
    OID for LDAP Extended Operation PASSWORD_CHANGE.
 

diff --git a/source4/libcli/ldap/ldap_controls.c b/source4/libcli/ldap/ldap_controls.c
index 8cc0a61cb31ccd85ba4397947a12ff6a863dadfd..37ade5b299c9b6d211ad30d08ba186b16e0ca882 100644 (file)
--- a/source4/libcli/ldap/ldap_controls.c
+++ b/source4/libcli/ldap/ldap_controls.c
@@ -1156,9 +1156,10 @@ static const struct ldap_control_handler ldap_known_controls[] = {
        { LDB_CONTROL_PERMISSIVE_MODIFY_OID, decode_flag_request, encode_flag_request },
        { LDB_CONTROL_SERVER_LAZY_COMMIT, decode_flag_request, encode_flag_request },
        { LDB_CONTROL_RODC_DCPROMO_OID, decode_flag_request, encode_flag_request },
-       { LDB_CONTROL_RELAX_OID, decode_flag_request, encode_flag_request },
        { DSDB_OPENLDAP_DEREFERENCE_CONTROL, decode_openldap_dereference, encode_openldap_dereference },
 
+/* LDB_CONTROL_RELAX_OID is internal only, and has no network representation */
+       { LDB_CONTROL_RELAX_OID, NULL, NULL },
 /* DSDB_CONTROL_CURRENT_PARTITION_OID is internal only, and has no network representation */
        { DSDB_CONTROL_CURRENT_PARTITION_OID, NULL, NULL },
 /* DSDB_CONTROL_REPLICATED_UPDATE_OID is internal only, and has no network representation */