dsdb:objectclass: implement schemaUpgradeInProgress handling for systemFlags on add

Signed-off-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 6c9ffa66922617af14087893e5f6cea4b8e472a7..9e4ac17a0f6b24c273a9d49c5ded4932f96cedcf 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -407,6 +407,7 @@ static int objectclass_do_add(struct oc_context *ac)
 
        if (ac->schema != NULL) {
                unsigned int linkID = 0;
+               bool is_schema_update = false;
                /*
                 * Notice: by the normalization function call in "ldb_request()"
                 * case "LDB_ADD" we have always only *one* "objectClass"
@@ -586,6 +587,22 @@ static int objectclass_do_add(struct oc_context *ac)
                 * "attributeSchema" objects. So truncate if it does not fit. */
                if (ldb_attr_cmp(objectclass->lDAPDisplayName, "attributeSchema") == 0) {
                        systemFlags_allowed |= SYSTEM_FLAG_ATTR_IS_RDN;
+                       is_schema_update = true;
+               }
+
+               if (ldb_attr_cmp(objectclass->lDAPDisplayName, "classSchema") == 0) {
+                       is_schema_update = true;
+               }
+
+               if (is_schema_update) {
+                       is_schema_update = dsdb_schema_upgrade_in_progress(ldb);
+               }
+               if (is_schema_update) {
+                       /*
+                        * Allow everything if we're in schemaUpgradeInProgress
+                        * mode, but keep the SYSTEM_FLAG_ATTR_IS_RDN bit.
+                        */
+                       systemFlags_allowed |= ~SYSTEM_FLAG_ATTR_IS_RDN;
                }
 
                if (ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID) != NULL) {