s4:dsdb/samldb: don't allow 'userParameters' to be modified over LDAP for now
authorStefan Metzmacher <metze@samba.org>
Tue, 8 Jul 2014 14:19:09 +0000 (16:19 +0200)
committerKarolin Seeger <kseeger@samba.org>
Tue, 15 Jul 2014 10:46:16 +0000 (12:46 +0200)
For now it's safer to reject setting 'userParameters' via LDAP,
as we'll not provide the same behavior as a Windows Server.

If someone requires that feature please report this in the following
bug reports!

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8077
Bug: https://bugzilla.samba.org/show_bug.cgi?id=10130

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul  9 11:07:51 CEST 2014 on sn-devel-104

(cherry picked from commit 04e9d020c97c2dcd360b1845907f4c396d5671dc)

source4/dsdb/samdb/ldb_modules/samldb.c

index ca553e615ce2474b05f0b7e927d84e7f7d2c5a74..2f8c5728fe4b64d42dcb4484ad632e55c56c07fa 100644 (file)
@@ -2268,6 +2268,15 @@ static int samldb_add(struct ldb_module *module, struct ldb_request *req)
                return ldb_next_request(module, req);
        }
 
+       el = ldb_msg_find_element(req->op.add.message, "userParameters");
+       if (el != NULL && ldb_req_is_untrusted(req)) {
+               const char *reason = "samldb_add: "
+                       "setting userParameters is not supported over LDAP, "
+                       "see https://bugzilla.samba.org/show_bug.cgi?id=8077";
+               ldb_debug(ldb, LDB_DEBUG_WARNING, "%s", reason);
+               return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, reason);
+       }
+
        ac = samldb_ctx_init(module, req);
        if (ac == NULL) {
                return ldb_operr(ldb);
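Review bot: The warning emitted by the added `ldb_debug` call carries only the fixed reason string, so a rejected request cannot be tied to the entry it targeted; the same applies to the matching block in the samldb_modify hunk. For audit and detection it would help to log the DN while leaving the client-facing error unchanged, e.g. `ldb_debug(ldb, LDB_DEBUG_WARNING, "%s (dn: %s)", reason, ldb_dn_get_linearized(req->op.add.message->dn));`, with `req->op.mod.message->dn` in samldb_modify. The early `return ldb_next_request(module, req);` just above also runs before this check; its condition is outside the hunk, so it is worth confirming that no untrusted request can take that path. samldb_add starts and ends outside the hunk.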
@@ -2407,6 +2416,15 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
                }
        }
 
+       el = ldb_msg_find_element(req->op.mod.message, "userParameters");
+       if (el != NULL && ldb_req_is_untrusted(req)) {
+               const char *reason = "samldb: "
+                       "setting userParameters is not supported over LDAP, "
+                       "see https://bugzilla.samba.org/show_bug.cgi?id=8077";
+               ldb_debug(ldb, LDB_DEBUG_WARNING, "%s", reason);
+               return ldb_error(ldb, LDB_ERR_CONSTRAINT_VIOLATION, reason);
+       }
+
        ac = samldb_ctx_init(module, req);
        if (ac == NULL) {
                return ldb_operr(ldb);
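Review bot: The reason string in this block is prefixed `"samldb: "` while the copy in samldb_add uses `"samldb_add: "`, so the two rejections are harder to tell apart in logs; `"samldb_modify: "` would match. The check also fires on any `userParameters` element regardless of its modification flags, so a delete is reported as "setting ... is not supported". That is presumably intended, and a short comment such as `/* reject any change (add/replace/delete) of userParameters from untrusted callers */` would make it explicit. Since the two blocks are otherwise identical, a small static helper taking the message and the prefix would keep them from drifting apart. samldb_modify starts and ends outside the hunk.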