From: Matthias Dieter Wallnöfer <mdw@samba.org>
Date: Tue, 26 Oct 2010 10:08:02 +0000 (+0200)
Subject: s4:samldb LDB module - enhance the "member"-check trigger
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=802e3b4e1f2e0fdc7fc11ed7881dade261bfa34a

s4:samldb LDB module - enhance the "member"-check trigger

- Also multi-valued "member" attributes are allowed
- When you try to delete a member from a group which has it primary group set
  exactly to this group you get "UNWILLING_TO_PERFORM"
---

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index 26022b7e3c42..924c05e25446 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1158,7 +1158,12 @@ static int samldb_member_check(struct samldb_ctx *ac)
 		}
 
 		if (ldb_dn_compare(group_dn, ac->msg->dn) == 0) {
-			return LDB_ERR_ENTRY_ALREADY_EXISTS;
+			if (LDB_FLAG_MOD_TYPE(el->flags)
+			    == LDB_FLAG_MOD_DELETE) {
+				return LDB_ERR_UNWILLING_TO_PERFORM;
+			} else {
+				return LDB_ERR_ENTRY_ALREADY_EXISTS;
+			}
 		}
 	}
 
@@ -1463,8 +1468,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 	}
 
 	el = ldb_msg_find_element(ac->msg, "member");
-	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)
-	    && el->num_values == 1) {
+	if (el != NULL) {
 		ret = samldb_member_check(ac);
 		if (ret != LDB_SUCCESS) {
 			return ret;