s4:objectguid/repl_meta_data LDB module - deny "objectGUID" updates
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 8 Nov 2010 09:16:45 +0000 (10:16 +0100)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Mon, 8 Nov 2010 10:36:49 +0000 (10:36 +0000)
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov  8 10:36:50 UTC 2010 on sn-devel-104

source4/dsdb/samdb/ldb_modules/objectguid.c
source4/dsdb/samdb/ldb_modules/repl_meta_data.c
source4/dsdb/tests/python/ldap.py

index f21660c4ae00ebcc19f57669ec4890a3584d8619..bc3260cf0d876d0853349036bede0458fa8c91df 100644 (file)
@@ -185,6 +185,7 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
        struct ldb_context *ldb;
        struct ldb_request *down_req;
        struct ldb_message *msg;
+       struct ldb_message_element *el;
        int ret;
        time_t t = time(NULL);
        uint64_t seq_num;
@@ -199,6 +200,13 @@ static int objectguid_modify(struct ldb_module *module, struct ldb_request *req)
                return ldb_next_request(module, req);
        }
 
+       el = ldb_msg_find_element(req->op.mod.message, "objectGUID");
+       if (el != NULL) {
+               ldb_set_errstring(ldb,
+                                 "objectguid: objectGUID must not be specified!");
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
        ac = talloc(req, struct og_context);
        if (ac == NULL) {
                return ldb_oom(ldb);
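Review bot: The rejection added at the top of the second hunk has no comment saying why objectGUID may not appear in a modify, and the error string alone does not explain it; a line such as `/* objectGUID is assigned once at add time and is immutable afterwards */` above the `ldb_msg_find_element()` call would give the next reader the reason. Looking up the element rather than a value is the right choice here, since it also refuses a value-less `replace:`/`delete:` of the attribute; the parallel check this commit adds to repl_meta_data.c uses `ldb_msg_find_ldb_val()` instead and so does not cover that form (raised on that file). Placing the check before `ac` is allocated keeps the error path free of cleanup, which is worth keeping if the check is ever moved. objectguid_modify continues outside the hunk.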
index 95cd0694fccfcdafdc94cfd26240f94b843f4810..7838b65fdfccebce45621c309917b58f18c5de59 100644 (file)
@@ -2147,6 +2147,7 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
        struct loadparm_context *lp_ctx;
        char *referral;
        unsigned int functional_level;
+       const DATA_BLOB *guid_blob;
 
        /* do not manipulate our control entries */
        if (ldb_dn_is_special(req->op.mod.message->dn)) {
@@ -2166,6 +2167,14 @@ static int replmd_modify(struct ldb_module *module, struct ldb_request *req)
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
+       guid_blob = ldb_msg_find_ldb_val(req->op.mod.message, "objectGUID");
+       if ( guid_blob != NULL ) {
+               ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+                             "replmd_modify: it's not allowed to change the objectGUID\n");
+               talloc_free(ac);
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
        /* we have to copy the message as the caller might have it as a const */
        msg = ldb_msg_copy_shallow(ac, req->op.mod.message);
        if (msg == NULL) {
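Review bot: `ldb_msg_find_ldb_val()` on the first added line of the second hunk returns NULL for an element that carries no values, so a modify with `delete: objectGUID` (or a value-less `replace:`) passes this check, whereas the matching check this commit adds to objectguid.c uses `ldb_msg_find_element()` and refuses it; unless another module already rejects that form, use the element lookup here too: `if (ldb_msg_find_element(req->op.mod.message, "objectGUID") != NULL) {` (and drop the `guid_blob` declaration added in the first hunk). The message goes only to `ldb_debug_set()`, while the objectguid module reports through `ldb_set_errstring()`, so an LDAP client sees the error code but no reason; `ldb_set_errstring(ldb, "replmd_modify: it's not allowed to change the objectGUID");` would make the two modules behave alike. `if ( guid_blob != NULL )` also has padding inside the parentheses that the surrounding code does not use. replmd_modify continues outside the hunk.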
index 26969cca3cad28d03a6792fb7975e71100a4725f..833e141b7def4ae6477dae211f792a1a97afa05f 100755 (executable)
@@ -1324,6 +1324,18 @@ objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
         self.assertTrue("whenCreated" in res[0])
         self.assertTrue("whenChanged" in res[0])
 
+        # The objectGUID cannot directly be changed
+        try:
+            self.ldb.modify_ldif("""
+dn: cn=ldaptestcontainer,""" + self.base_dn + """
+changetype: modify
+replace: objectGUID
+objectGUID: bd3480c9-58af-4cd8-92df-bc4a18b6e44d
+""")
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
         self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
 
     def test_parentGUID(self):
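Review bot: The new case only exercises `replace: objectGUID` with a value; a value-less `delete: objectGUID` is a different input to the two server-side checks this commit adds (repl_meta_data.c looks up a value, objectguid.c looks up the element) and is not covered, so the test would not notice if one module let that form through. `self.fail()` also gives no reason when the modify unexpectedly succeeds; `self.fail("objectGUID modification was accepted")` reads better in a failure report. A second block for the delete form, placed after the existing one, would close the gap:
```python
        # … unchanged: existing replace: objectGUID case …
        # Neither may it be removed, even without giving a value
        try:
            self.ldb.modify_ldif("""
dn: cn=ldaptestcontainer,""" + self.base_dn + """
changetype: modify
delete: objectGUID
""")
            self.fail("objectGUID deletion was accepted")
        except LdbError, (num, _):
            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
```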