s4:objectclass_attrs LDB module - deny multi-valued replace requests
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Tue, 19 Oct 2010 13:14:53 +0000 (15:14 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 25 Oct 2010 11:03:17 +0000 (13:03 +0200)
This is the AD behaviour. But on attributes with the flag
"FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" it is allowed.

source4/dsdb/samdb/ldb_modules/objectclass_attrs.c

index 2024a33d5558f81a0ddd56db16424fef8469dd4f..b3f7048a39045e76d33d4e676c6f5b3c227fb346 100644 (file)
@@ -139,6 +139,19 @@ static int attr_handler(struct oc_context *ac)
                        }
                }
 
+               /* Multi-valued replace operations are generally denied but
+                * there do exist exceptions where attributes have the flag
+                * "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" set. */
+               if ((ac->req->operation == LDB_MODIFY) &&
+                   (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == LDB_FLAG_MOD_REPLACE) &&
+                   (msg->elements[i].num_values > 1) &&
+                   ((attr->systemFlags & DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) == 0)) {
+                       ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is replaced multi-valued!",
+                                              msg->elements[i].name,
+                                              ldb_dn_get_linearized(msg->dn));
+                       return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+               }
+
                /* Substitute the attribute name to match in case */
                msg->elements[i].name = attr->lDAPDisplayName;
        }
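Review bot: The return code LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS on the new deny path is not explained by the comment above the check, and a reader would sooner expect a constraint-violation code for a rejected replace, so the comment should say why that value is used, e.g. `/* AD reports this case as attributeOrValueExists, so mirror it */` — confirm that against AD before wording it as a fact. The surrounding attr_handler and the loop the check lives in start outside the hunk; the check dereferences `attr` without a NULL test, which the unconditional `msg->elements[i].name = attr->lDAPDisplayName;` below suggests is already guaranteed by earlier code, but that is inferred rather than visible here. As a point of style, the three `msg->elements[i]` references in the condition and the error message could go through a local `struct ldb_message_element *el = &msg->elements[i];` to match the single-valued check pattern and shorten the long `LDB_FLAG_MOD_TYPE(...)` line.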