static int objectclass_delete(struct ldb_module *module, struct ldb_request *req)
{
static const char * const attrs[] = { "nCName", "objectClass",
- "systemFlags", NULL };
+ "systemFlags",
+ "isCriticalSystemObject", NULL };
struct ldb_context *ldb;
struct ldb_request *search_req;
struct oc_context *ac;
struct ldb_context *ldb;
struct ldb_dn *dn;
int32_t systemFlags;
+ bool isCriticalSystemObject;
int ret;
ldb = ldb_module_get_ctx(ac->module);
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ /* isCriticalSystemObject - but this only applies on tree delete
+ * operations - MS-ADTS 3.1.1.5.5.7.2 */
+ if (ldb_request_get_control(ac->req, LDB_CONTROL_TREE_DELETE_OID) != NULL) {
+ isCriticalSystemObject = ldb_msg_find_attr_as_bool(ac->search_res->message,
+ "isCriticalSystemObject", false);
+ if (isCriticalSystemObject) {
+ ldb_asprintf_errstring(ldb,
+ "objectclass: Cannot tree-delete %s, it's a critical system object!",
+ ldb_dn_get_linearized(ac->req->op.del.dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+ }
+
return ldb_next_request(ac->module, ac->req);
}
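Review bot: The new tree-delete guard reads `isCriticalSystemObject` only from `ac->search_res->message`, which is the entry named in the request, so a critical system object further down the subtree is not examined by this branch. Whether descendants are re-checked as the tree delete recurses is not visible in this hunk; if they are not, a tree delete issued on a non-critical parent could still remove protected children. I would state the scope in the comment, for example `/* checks the request's target entry only; descendants are verified in <module-or-function placeholder> */`, or extend the check to every entry in the subtree. The `attrs` list used for the search was extended in the earlier hunk, and the enclosing callback starts outside this hunk.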
attrs=["dsServiceName", "dNSHostName"])
self.assertEquals(len(res), 1)
+ # Delete failing since DC's nTDSDSA object is protected
try:
ldb.delete(res[0]["dsServiceName"][0])
self.fail()
expression="(&(objectClass=computer)(dNSHostName=" + res[0]["dNSHostName"][0] + "))")
self.assertEquals(len(res), 1)
+ # Deletes failing since DC's rIDSet object is protected
try:
ldb.delete(res[0]["rIDSetReferences"][0])
self.fail()
except LdbError, (num, _):
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ # Deletes failing since three main crossRef objects are protected
+
try:
ldb.delete("cn=Enterprise Schema,cn=Partitions," + self.configuration_dn)
self.fail()
except LdbError, (num, _):
self.assertEquals(num, ERR_NOT_ALLOWED_ON_NON_LEAF)
- # Performs some "systemFlags" testing
-
# Delete failing since "SYSTEM_FLAG_DISALLOW_DELETE"
try:
ldb.delete("CN=Users," + self.base_dn)
except LdbError, (num, _):
self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+ # Tree-delete failing since "isCriticalSystemObject"
+ try:
+ ldb.delete("CN=Computers," + self.base_dn, ["tree_delete:1"])
+ self.fail()
+ except LdbError, (num, _):
+ self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
def test_all(self):
"""Basic delete tests"""
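Review bot: The added `CN=Computers` tree-delete test expects `ERR_UNWILLING_TO_PERFORM`, the same code that the `SYSTEM_FLAG_DISALLOW_DELETE` test directly above expects for `CN=Users`, so it cannot tell which check rejected the request. If `CN=Computers` also carries that system flag (plausible, but not shown on this page), the test passes even without the new isCriticalSystemObject branch. Consider targeting an entry that is critical but not flagged undeletable, or also asserting on the error text with `except LdbError, (num, msg):` followed by `self.assertTrue("critical system object" in msg)`. A case with a critical object below a non-critical tree-delete root would also pin down the intended scope of the protection.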