s4:ldb Don't allow modifcation of distinguishedName

diff --git a/source4/lib/ldb/ldb_tdb/ldb_tdb.c b/source4/lib/ldb/ldb_tdb/ldb_tdb.c
index 55acb6132d8f241de83bbb3bbc931b98e1d8f5fc..7427b9816323e9a9981e538dfa3e9626bf2adcec 100644 (file)
--- a/source4/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/source4/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -621,8 +621,14 @@ int ltdb_modify_internal(struct ldb_module *module,
                struct ldb_val *vals;
                const char *dn;
                const struct ldb_schema_attribute *a = ldb_schema_attribute_by_name(ldb, el->name);
                struct ldb_val *vals;
                const char *dn;
                const struct ldb_schema_attribute *a = ldb_schema_attribute_by_name(ldb, el->name);

-               switch (msg->elements[i].flags & LDB_FLAG_MOD_MASK) {

 
 

+               if (ldb_attr_cmp(el->name, "distinguishedName") == 0) {
+                       ldb_asprintf_errstring(ldb, "it is not permitted to perform a modify on distinguishedName (use rename instead): %s",
+                                              ldb_dn_get_linearized(msg->dn));
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
+
+               switch (msg->elements[i].flags & LDB_FLAG_MOD_MASK) {

                case LDB_FLAG_MOD_ADD:
                        
                        /* add this element to the message. fail if it
                case LDB_FLAG_MOD_ADD:
                        
                        /* add this element to the message. fail if it