s4:dsdb Don't allow creation of systemOnly objectclasses

[ira/wip.git] / source4 / dsdb / samdb / ldb_modules / objectclass.c

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 6d22141a3beaae9b4c9a79f27890183cff061383..b3d54612dde9a15ddc7fad3872dded1b6d4242d8 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -561,6 +561,12 @@ static int objectclass_do_add(struct oc_context *ac)
                                        return LDB_ERR_NAMING_VIOLATION;
                                }
 
+                               if (current->objectclass->systemOnly && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+                                       ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
+                                                              current->objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+                                       return LDB_ERR_UNWILLING_TO_PERFORM;
+                               }
+
                                if (!ldb_msg_find_element(msg, "objectCategory")) {
                                        value = talloc_strdup(msg, current->objectclass->defaultObjectCategory);
                                        if (value == NULL) {