s4:samldb LDB module - enhance the "member"-check trigger
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Tue, 26 Oct 2010 10:08:02 +0000 (12:08 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Tue, 26 Oct 2010 18:12:00 +0000 (18:12 +0000)
- Multi-valued "member" attributes are now allowed as well
- When you try to delete a member from a group, and that member has its primary
  group set to exactly this group, you get "UNWILLING_TO_PERFORM"

source4/dsdb/samdb/ldb_modules/samldb.c

index 26022b7e3c428b050c8ffd9f390b5a933559e634..924c05e25446c94853654b8a039df1d60ee22b29 100644 (file)
@@ -1158,7 +1158,12 @@ static int samldb_member_check(struct samldb_ctx *ac)
                }
 
                if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) {
-                       return LDB_ERR_ENTRY_ALREADY_EXISTS;
+                       if (LDB_FLAG_MOD_TYPE(el->flags)
+                           == LDB_FLAG_MOD_DELETE) {
+                               return LDB_ERR_UNWILLING_TO_PERFORM;
+                       } else {
+                               return LDB_ERR_ENTRY_ALREADY_EXISTS;
+                       }
                }
        }
 
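Review bot: The new branch on `LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE` carries no comment saying why the two operations map to different result codes, and its `else` arm also covers LDB_FLAG_MOD_REPLACE, which therefore still reports LDB_ERR_ENTRY_ALREADY_EXISTS. I would add `/* a member cannot be removed from its own primary group; adding or replacing such a member is reported as a duplicate */` above the inner `if`, and confirm that the replace result is the intended one. Both arms return, so the `else` can be dropped and the second `return` left at the outer level. samldb_member_check begins and ends outside the hunk.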
@@ -1463,8 +1468,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
        }
 
        el = ldb_msg_find_element(ac->msg, "member");
-       if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)
-           && el->num_values == 1) {
+       if (el != NULL) {
                ret = samldb_member_check(ac);
                if (ret != LDB_SUCCESS) {
                        return ret;
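Review bot: `ldb_msg_find_element(ac->msg, "member")` returns only the first matching element, but a modify message may carry several "member" elements (for example a delete and an add in one request), so with the guard reduced to `el != NULL` the later elements may never reach the primary-group check. Whether they do depends on how samldb_member_check selects its element; it reads `el->flags` in the first hunk, but its lookup is outside the visible lines. If it also takes the first match, I would iterate over `ac->msg->elements` and run the check for every element named "member", passing the element in rather than looking it up again. A test that sends two "member" elements in one modify, where only the second names a primary-group member, would pin the behaviour down. samldb_modify continues outside the hunk.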