From 463d5f0afc5b378bf8143558b8b8f372680f9768 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Matthias=20Dieter=20Walln=C3=B6fer?=
Date: Tue, 11 May 2010 21:43:36 +0200
Subject: [PATCH] s4:samldb LDB module - deny delete operations on some important attributes

Add operations are denied since these are single-valued - only replace is allowed. This is only provisorily at the moment - we need to implement the triggers specified in MS-ADTS.
---
 source4/dsdb/samdb/ldb_modules/samldb.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index a07dec961cd..d7ce48f758a 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -1475,7 +1475,7 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 	/* TODO: do not modify original request, create a new one */
 	el = ldb_msg_find_element(req->op.mod.message, "groupType");
-	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
+	if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
 		uint32_t group_type;
 		req->op.mod.message = msg = ldb_msg_copy_shallow(req,
@@ -1492,9 +1492,12 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 		el2 = ldb_msg_find_element(msg, "sAMAccountType");
 		el2->flags = LDB_FLAG_MOD_REPLACE;
 	}
+	if (el && (el->flags == LDB_FLAG_MOD_DELETE)) {
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
 	el = ldb_msg_find_element(req->op.mod.message, "primaryGroupID");
-	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
+	if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
 		struct samldb_ctx *ac;
 		ac = samldb_ctx_init(module, req);
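Review bot: The rewritten `groupType` test (`el->flags == LDB_FLAG_MOD_REPLACE`) drops the ADD case without handling it: a one-valued `LDB_FLAG_MOD_ADD` now skips the sAMAccountType recomputation that the REPLACE branch performs and is passed down unchanged, and the commit message relies on a single-value check elsewhere to refuse it, which this patch does not show and which presumably cannot fire on an object that has no groupType value yet. If ADD is meant to be refused, refusing it inside samldb keeps the invariant independent of module ordering. Separately, an exact `==` on `el->flags` stops matching as soon as any other flag bit is set on the element, so comparing the masked mod type is more robust: `if (el && ((el->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {`. The same two points apply to the rewritten `primaryGroupID` and `userAccountControl` tests in hunks @@ -1492 and @@ -1506; samldb_modify starts and ends outside these hunks.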
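Review bot: The new guard after the `groupType` REPLACE branch refuses only `LDB_FLAG_MOD_DELETE`, but an `LDB_FLAG_MOD_REPLACE` element carrying no values also removes the attribute under LDAP replace semantics, and such an element skips both the processing branch (gated on `el->num_values == 1`) and this guard, so the attribute can still be stripped through an empty replace. The guard should treat that case as a delete too: `if (el && (el->flags == LDB_FLAG_MOD_DELETE || (el->flags == LDB_FLAG_MOD_REPLACE && el->num_values == 0))) {`. The guards added for `primaryGroupID` and `userAccountControl` in hunks @@ -1506 and @@ -1547 have the same gap. A one-line comment above each guard recording why the attribute is protected, e.g. `/* groupType feeds sAMAccountType above; refuse removal until the MS-ADTS triggers exist */`, would keep the rationale next to the code instead of only in the commit message. samldb_modify starts and ends outside this hunk.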
@@ -1506,9 +1509,12 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 		return samldb_prim_group_change(ac);
 	}
+	if (el && (el->flags == LDB_FLAG_MOD_DELETE)) {
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
 	el = ldb_msg_find_element(req->op.mod.message, "userAccountControl");
-	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
+	if (el && (el->flags == LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
 		uint32_t user_account_control;
 		req->op.mod.message = msg = ldb_msg_copy_shallow(req,
@@ -1547,6 +1553,9 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 			}
 		}
 	}
+	if (el && (el->flags == LDB_FLAG_MOD_DELETE)) {
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
 	el = ldb_msg_find_element(req->op.mod.message, "member");
 	if (el && el->flags & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE) && el->num_values == 1) {
-- 
2.34.1