s4:objectclass LDB module - deny the creation of "isCriticalSystemObject" entries
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 11 Oct 2010 16:41:05 +0000 (18:41 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Wed, 13 Oct 2010 13:35:21 +0000 (13:35 +0000)
They're only allowed to be created with the RELAX control specified.

source4/dsdb/samdb/ldb_modules/objectclass.c

index 940290bacecbbacc96a4324e75dff5ef379a978c..86708eb820dd9e939b7ec68433c6ff5592c2fd99 100644 (file)
@@ -734,6 +734,15 @@ static int objectclass_do_add(struct oc_context *ac)
                                return ret;
                        }
                }
+
+               /* make sure that "isCriticalSystemObject" is not specified! */
+               el = ldb_msg_find_element(msg, "isCriticalSystemObject");
+               if ((el != NULL) &&
+                    !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+                       ldb_set_errstring(ldb,
+                                         "objectclass: 'isCriticalSystemObject' must not be specified!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
        }
 
        ret = ldb_msg_sanity_check(ldb, msg);
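Review bot: The new guard at the `el = ldb_msg_find_element(msg, "isCriticalSystemObject")` line sits inside the brace block that closes at the following `}`, so whether every add path reaches it depends on the enclosing condition, which lies outside the hunk; if that condition can be false for a normal add, an unprivileged caller could still set the attribute without the RELAX control, so the placement is worth confirming. The error string also does not tell the caller why the request was refused, which makes the failure hard to triage from the client side; `"objectclass: 'isCriticalSystemObject' must not be specified (the RELAX control is required)!"` would say so without changing the returned error code. The comment above the lookup could likewise state the intent, e.g. `/* only internal callers carrying LDB_CONTROL_RELAX_OID may create "isCriticalSystemObject" entries */`. objectclass_do_add starts and ends outside the hunk.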