s4-dsdb: instanceType NC_HEAD is only allowed combined with WRITE for an originating...

As described in MS-ATDS 3.1.1.5.2.8.

Signed-off-by: Nadezhda Ivanova <nivanova@symas.com>
Reviewed-by:   Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date(master): Sun Nov  3 16:17:30 CET 2013 on sn-devel-104

diff --git a/source4/dsdb/samdb/ldb_modules/instancetype.c b/source4/dsdb/samdb/ldb_modules/instancetype.c
index 7bf95f3180c83952b559a73c5eccd008c151f835..c35f4b6a262309b91d5c04a5c83ba5452213d377 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/instancetype.c
+++ b/source4/dsdb/samdb/ldb_modules/instancetype.c
@@ -80,8 +80,7 @@ static int instancetype_add(struct ldb_module *module, struct ldb_request *req)
                         * "TYPE_WRITE" flag in order to succeed,
                         * unless this NC is not instantiated
                        */
-                       if (!(instanceType & INSTANCE_TYPE_UNINSTANT) &&
-                           !(instanceType & INSTANCE_TYPE_WRITE)) {
+                       if (!(instanceType & INSTANCE_TYPE_WRITE)) {
                                ldb_set_errstring(ldb, "instancetype: if TYPE_IS_NC_HEAD was set, then also TYPE_WRITE is requested!");
                                return LDB_ERR_UNWILLING_TO_PERFORM;
                        }

diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index 643830fed709efdb1384b4b9bedeada88c32b73e..f6b08e4cf3f8813581f5b0996c5cdb23e099b400 100755 (executable)
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -667,7 +667,7 @@ class BasicTests(samba.tests.TestCase):
 
     def test_single_valued_attributes(self):
         """Test single-valued attributes"""
-        print "Test single-valued attributes"""
+        print "Test single-valued attributes"
 
         try:
             self.ldb.add({
@@ -767,7 +767,7 @@ class BasicTests(samba.tests.TestCase):
 
     def test_empty_messages(self):
         """Test empty messages"""
-        print "Test empty messages"""
+        print "Test empty messages"
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
@@ -788,7 +788,7 @@ class BasicTests(samba.tests.TestCase):
 
     def test_empty_attributes(self):
         """Test empty attributes"""
-        print "Test empty attributes"""
+        print "Test empty attributes"
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
@@ -900,6 +900,17 @@ class BasicTests(samba.tests.TestCase):
 
         delete_force(self.ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
 
+        #only write is allowed with NC_HEAD for originating updates
+        try:
+            self.ldb.add({
+                "dn": "cn=ldaptestuser2,cn=users," + self.base_dn,
+                "objectclass": "user",
+                "instanceType": "3" })
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+        delete_force(self.ldb, "cn=ldaptestuser2,cn=users," + self.base_dn)
+
     def test_distinguished_name(self):
         """Tests the 'distinguishedName' attribute"""
         print "Tests the 'distinguishedName' attribute"