s4-schema: Constraints on msDS-IntId attribute

This attribute can not be modified on existing schema object.

msDS-IntId is not allowed during attribute creation also.

Signed-off-by: Andrew Tridgell <tridge@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/schema_data.c b/source4/dsdb/samdb/ldb_modules/schema_data.c
index dfb322225ae98d45335be2f50ef33eae573b4aff..cc609581e4d3144f64b02bfabd76ddd0bb66de9f 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/schema_data.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_data.c
@@ -169,6 +169,11 @@ static int schema_data_add(struct ldb_module *module, struct ldb_request *req)
        governsID = ldb_msg_find_ldb_val(req->op.add.message, "governsID");
 
        if (attributeID) {
+               /* Sanity check for not allowed attributes */
+               if (ldb_msg_find_ldb_val(req->op.add.message, "msDS-IntId")) {
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
+
                oid_attr = "attributeID";
                oid = talloc_strndup(req, (const char *)attributeID->data, attributeID->length);
        } else if (governsID) {
@@ -204,6 +209,27 @@ static int schema_data_add(struct ldb_module *module, struct ldb_request *req)
        return ldb_next_request(module, req);
 }
 
+static int schema_data_modify(struct ldb_module *module, struct ldb_request *req)
+{
+       /* special objects should always go through */
+       if (ldb_dn_is_special(req->op.mod.message->dn)) {
+               return ldb_next_request(module, req);
+       }
+
+       /* replicated update should always go through */
+       if (ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
+               return ldb_next_request(module, req);
+       }
+
+       /* msDS-IntId is not allowed to be modified */
+       if (ldb_msg_find_ldb_val(req->op.mod.message, "msDS-IntId")) {
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
+       /* go on with the call chain */
+       return ldb_next_request(module, req);
+}
+
 static int generate_objectClasses(struct ldb_context *ldb, struct ldb_message *msg,
                                  const struct dsdb_schema *schema) 
 {
@@ -459,5 +485,6 @@ _PUBLIC_ const struct ldb_module_ops ldb_schema_data_module_ops = {
        .name           = "schema_data",
        .init_context   = schema_data_init,
        .add            = schema_data_add,
+       .modify         = schema_data_modify,
        .search         = schema_data_search
 };