s4:objectclass LDB module - implement the "objectClass" change restrictions on Window...

Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 15 13:10:05 UTC 2010 on sn-devel-104

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index e863d481a0bef629af15a44dd7689d8c053293fb..5e3226a037ff08291acee8de02bd4a8c3d98e201 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -840,6 +840,31 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
                oc_changes = true;
        }
 
+       /* MS-ADTS 3.1.1.5.3.5 - on a forest level < 2003 we do allow updates
+        * only on application NCs - not on the standard DCs */
+       if (oc_changes &&
+           (dsdb_forest_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
+               int cnt = samdb_search_count(ldb, ac,
+                                            ldb_get_default_basedn(ldb),
+                                            "(distinguishedName=%s)",
+                                            ldb_dn_get_linearized(req->op.mod.message->dn));
+               if (cnt == 0) {
+                       cnt = samdb_search_count(ldb, ac,
+                                                ldb_get_config_basedn(ldb),
+                                                "(distinguishedName=%s)",
+                                                ldb_dn_get_linearized(req->op.mod.message->dn));
+               }
+               if (cnt == 0) {
+                       cnt = samdb_search_count(ldb, ac,
+                                                ldb_get_schema_basedn(ldb),
+                                                "(distinguishedName=%s)",
+                                                ldb_dn_get_linearized(req->op.mod.message->dn));
+               }
+               if (cnt != 0) {
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
+       }
+
        ret = ldb_build_mod_req(&down_req, ldb, ac,
                                msg,
                                req->controls, ac,