+ as_system = ldb_request_get_control(ac->req, LDB_CONTROL_AS_SYSTEM_OID);
+ if (as_system != NULL) {
+ allowed = true;
+ }
+
+ provision = ldb_request_get_control(ac->req, LDB_CONTROL_PROVISION_OID);
+ if (provision != NULL) {
+ allowed = true;
+ }
+
+ sid_el = ldb_msg_find_element(ac->msg, "objectSid");
+
+ if (!allowed && sid_el == NULL) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_OBJECT_CLASS_VIOLATION,
+ WERR_DS_MISSING_REQUIRED_ATT,
+ "objectSid missing on foreignSecurityPrincipal");
+ }
+
+ if (!allowed) {
+ return dsdb_module_werror(ac->module,
+ LDB_ERR_UNWILLING_TO_PERFORM,
+ WERR_DS_ILLEGAL_MOD_OPERATION,
+ "foreignSecurityPrincipal object not allowed");
+ }
+
+ if (sid_el != NULL) {
+ sid = samdb_result_dom_sid(ac->msg, ac->msg, "objectSid");
+ if (sid == NULL) {
+ ldb_set_errstring(ldb,
+ "samldb: invalid objectSid!");
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ }
+