s4:dsdb Don't allow creation of systemOnly objectclasses
authorMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Sat, 3 Oct 2009 08:52:53 +0000 (10:52 +0200)
committerMatthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
Sat, 3 Oct 2009 08:52:53 +0000 (10:52 +0200)
(except as part of the provision, which specifies the 'relax' control)

Andrew Bartlett

source4/dsdb/samdb/ldb_modules/objectclass.c
source4/dsdb/samdb/ldb_modules/repl_meta_data.c

index 6d22141a3beaae9b4c9a79f27890183cff061383..b3d54612dde9a15ddc7fad3872dded1b6d4242d8 100644 (file)
@@ -561,6 +561,12 @@ static int objectclass_do_add(struct oc_context *ac)
                                        return LDB_ERR_NAMING_VIOLATION;
                                }
 
                                        return LDB_ERR_NAMING_VIOLATION;
                                }
 
+                               if (current->objectclass->systemOnly && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+                                       ldb_asprintf_errstring(ldb, "objectClass %s is systemOnly, rejecting creation of %s",
+                                                              current->objectclass->lDAPDisplayName, ldb_dn_get_linearized(msg->dn));
+                                       return LDB_ERR_UNWILLING_TO_PERFORM;
+                               }
+
                                if (!ldb_msg_find_element(msg, "objectCategory")) {
                                        value = talloc_strdup(msg, current->objectclass->defaultObjectCategory);
                                        if (value == NULL) {
                                if (!ldb_msg_find_element(msg, "objectCategory")) {
                                        value = talloc_strdup(msg, current->objectclass->defaultObjectCategory);
                                        if (value == NULL) {
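Review bot: The new systemOnly guard at the top of this hunk makes LDB_CONTROL_RELAX_OID the only bypass, so its strength as a security check rests on that control never being honoured for an unprivileged LDAP client; nothing in the hunk shows where the control is filtered, so it is worth confirming the LDAP front end rejects or strips it on the wire and recording that assumption next to the check, e.g. `/* relax is only for internal callers (provision); a remote client must not be able to supply it */`. The guard also sits in the add path only, so a modify that appends a systemOnly value to objectClass presumably does not reach it — confirm the modify path has an equivalent rejection or state that it is out of scope. objectclass_do_add starts before and continues after this hunk.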
index 489985a22f3218f0e121ff6831832ec0cf791d46..74dd7e5bbb34517056cfe7be028d48e3659acc3a 100644 (file)
@@ -476,10 +476,10 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req)
        char *time_str;
        int ret;
        uint32_t i, ni=0;
        char *time_str;
        int ret;
        uint32_t i, ni=0;
-       int allow_add_guid=0;
-       int remove_current_guid=0;
+       bool allow_add_guid = false;
+       bool remove_current_guid = false;
 
 
-        /* check if there's a show deleted control */
+        /* check if there's a show relax control (used by provision to say 'I know what I'm doing') */
         control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
        if (control) {
                allow_add_guid = 1;
         control = ldb_request_get_control(req, LDB_CONTROL_RELAX_OID);
        if (control) {
                allow_add_guid = 1;
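Review bot: allow_add_guid is changed to bool at the top of the hunk but the assignment inside the `if (control)` block still uses the integer literal, which is inconsistent with the `remove_current_guid = true` rewrite in the second hunk of this file; use `allow_add_guid = true;`. The rewritten comment also still says "show relax control", a leftover of the "show deleted" wording it replaces; `/* check if there's a relax control (used by provision to say 'I know what I'm doing') */` reads cleanly. replmd_add's body continues outside the hunk.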
@@ -526,7 +526,7 @@ static int replmd_add(struct ldb_module *module, struct ldb_request *req)
                        }
                        /* we remove this attribute as it can be a string and will not be treated 
                        correctly and then we will readd it latter on in the good format*/
                        }
                        /* we remove this attribute as it can be a string and will not be treated 
                        correctly and then we will readd it latter on in the good format*/
-                       remove_current_guid = 1;
+                       remove_current_guid = true;
                }
        } else {
                /* a new GUID */
                }
        } else {
                /* a new GUID */