s4-dsdb: catch duplicate matches in extended_dn_in
authorAndrew Tridgell <tridge@samba.org>
Wed, 22 Jun 2011 07:05:08 +0000 (17:05 +1000)
committerAndrew Tridgell <tridge@samba.org>
Wed, 22 Jun 2011 09:16:26 +0000 (11:16 +0200)
When searching using extended DNs, if there are multiple matches then
return an object not found error. This is needed for the case of a
duplicate objectSid, which happens for S-1-5-17

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/dsdb/samdb/ldb_modules/extended_dn_in.c

index 3e2004d6f3eab6c31a26152ced08c1291e6d342c..e2bb0de0540a03b9fb56eeea41b8fbfb4b35273f 100644 (file)
@@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are
 
        switch (ares->type) {
        case LDB_REPLY_ENTRY:
+               if (ac->basedn) {
+                       /* we have more than one match! This can
+                          happen as S-1-5-17 appears twice in a
+                          normal provision. We need to return
+                          NO_SUCH_OBJECT */
+                       const char *str = talloc_asprintf(req, "Duplicate base-DN matches found for '%s'",
+                                                         ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1));
+                       ldb_set_errstring(ldb_module_get_ctx(ac->module), str);
+                       return ldb_module_done(ac->req, NULL, NULL,
+                                              LDB_ERR_NO_SUCH_OBJECT);
+               }
+
                if (!ac->wellknown_object) {
                        ac->basedn = talloc_steal(ac, ares->message->dn);
                        break;
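Review bot: The new `if (ac->basedn)` branch uses two allocation results unchecked: `ldb_dn_get_extended_linearized()` may return NULL and is passed straight to `%s`, and `str` from `talloc_asprintf()` may be NULL when it reaches `ldb_set_errstring()`. The search base comes from the request, so this error path should not depend on allocations succeeding. I would take `const char *dn_str = ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1);` and then call `ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), "Duplicate base-DN matches found for '%s'", dn_str ? dn_str : "(unknown)");`, which also avoids the intermediate copy hung off `req`. Returning LDB_ERR_NO_SUCH_OBJECT instead of picking the first match is a sound fail-closed choice for an ambiguous objectSid lookup, and the comment could say so explicitly. extended_base_callback starts and ends outside the hunk, so whether `ares` needs freeing on this early return cannot be judged from here.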