s4:objectclass LDB module - introduce allowed system flags restriction

Let us do the distinction by real use and provision by the RELAX flag

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 82c4144f228899e539e16059fbc7705d2f9ddb55..fa956269f49801aa8dfe825629377f94c348834d 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -696,13 +696,18 @@ static int objectclass_do_add(struct oc_context *ac)
 
                ldb_msg_remove_attr(msg, "systemFlags");
 
-               /* Only these flags may be set by a client, but we can't tell
-                * between a client and our provision at this point
-                * systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE);
-                */
+               /* Only the following flags may be set by a client */
+               if (ldb_request_get_control(ac->req,
+                                           LDB_CONTROL_RELAX_OID) == NULL) {
+                       systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME
+                                      | SYSTEM_FLAG_CONFIG_ALLOW_MOVE
+                                      | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE
+                                      | SYSTEM_FLAG_ATTR_IS_RDN );
+               }
 
-               /* This flag is only allowed on attributeSchema objects */
-               if (ldb_attr_cmp(objectclass->lDAPDisplayName, "attributeSchema") == 0) {
+               /* But the last one ("ATTR_IS_RDN") is only allowed on
+                * "attributeSchema" objects. So truncate if it does not fit. */
+               if (ldb_attr_cmp(objectclass->lDAPDisplayName, "attributeSchema") != 0) {
                        systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
                }