ldb:rdn_name: reject 'distinguishedName' depending of the MOD flags

This is what Windows 2008 R2 returns:

LDB_MOD_ADD     => LDB_ERR_UNWILLING_TO_PERFORM
LDB_MOD_REPLACE => LDB_ERR_CONSTRAINT_VIOLATION
LDB_MOD_DEL     => LDB_ERR_UNWILLING_TO_PERFORM

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d2ff474766ebb104309bf1e801c54ce0f8ea0a64)

diff --git a/ldb/modules/rdn_name.c b/ldb/modules/rdn_name.c
index 50b63aee133cf3cbb142f8fe57e18e227761ea00..f44ea71f660c4e34335c25e4570e9ce42059cb3b 100644 (file)
--- a/ldb/modules/rdn_name.c
+++ b/ldb/modules/rdn_name.c
@@ -371,6 +371,7 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
 {
        struct ldb_context *ldb;
        const struct ldb_val *rdn_val_p;
+       struct ldb_message_element *e = NULL;
 
        ldb = ldb_module_get_ctx(module);
 
@@ -389,10 +390,15 @@ static int rdn_name_modify(struct ldb_module *module, struct ldb_request *req)
                return LDB_ERR_INVALID_DN_SYNTAX;
        }
 
-       if (ldb_msg_find_element(req->op.mod.message, "distinguishedName")) {
+       e = ldb_msg_find_element(req->op.mod.message, "distinguishedName");
+       if (e != NULL) {
                ldb_asprintf_errstring(ldb, "Modify of 'distinguishedName' on %s not permitted, must use 'rename' operation instead",
                                       ldb_dn_get_linearized(req->op.mod.message->dn));
-               return LDB_ERR_CONSTRAINT_VIOLATION;
+               if (e->flags == LDB_FLAG_MOD_REPLACE) {
+                       return LDB_ERR_CONSTRAINT_VIOLATION;
+               } else {
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
        }
 
        if (ldb_msg_find_element(req->op.mod.message, "name")) {