s4-rodc: fixed repsFrom store on RODC
authorAndrew Tridgell <tridge@samba.org>
Mon, 20 Sep 2010 04:49:00 +0000 (21:49 -0700)
committerAndrew Tridgell <tridge@samba.org>
Mon, 20 Sep 2010 22:27:45 +0000 (15:27 -0700)
We were disallowing repsFrom store as a RODC on the basis that it is a
write to the directory. It should be allowed, as it is a
non-replicated attribute.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>

source4/dsdb/samdb/ldb_modules/repl_meta_data.c

index 45ef4d9961af4fa84af309b5e1e48f98b767f9a4..6ae8e928b0ec4dc0441536adc82a19a7e162ebff 100644 (file)
@@ -1246,20 +1246,6 @@ static int replmd_update_rpmd(struct ldb_module *module,
                        return LDB_ERR_OPERATIONS_ERROR;
                }
 
-               /*we have elements that will be modified*/
-               if (msg->num_elements > 0) {
-                       /*if we are RODC and this is a DRSR update then its ok*/
-                       if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
-                               ret = samdb_rodc(ldb, &rodc);
-                               if (ret != LDB_SUCCESS) {
-                                       DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
-                               } else if (rodc) {
-                                       ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
-                                       return LDB_ERR_REFERRAL;
-                               }
-                       }
-               }
-
                for (i=0; i<msg->num_elements; i++) {
                        struct ldb_message_element *old_el;
                        old_el = ldb_msg_find_element(res->msgs[0], msg->elements[i].name);
@@ -1283,6 +1269,17 @@ static int replmd_update_rpmd(struct ldb_module *module,
                struct ldb_val *md_value;
                struct ldb_message_element *el;
 
+               /*if we are RODC and this is a DRSR update then its ok*/
+               if (!ldb_request_get_control(req, DSDB_CONTROL_REPLICATED_UPDATE_OID)) {
+                       ret = samdb_rodc(ldb, &rodc);
+                       if (ret != LDB_SUCCESS) {
+                               DEBUG(4, (__location__ ": unable to tell if we are an RODC\n"));
+                       } else if (rodc) {
+                               ldb_asprintf_errstring(ldb, "RODC modify is forbidden\n");
+                               return LDB_ERR_REFERRAL;
+                       }
+               }
+
                md_value = talloc(msg, struct ldb_val);
                if (md_value == NULL) {
                        ldb_oom(ldb);
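Review bot: The relocated RODC guard still fails open: when `samdb_rodc()` returns an error, the code only emits `DEBUG(4, ...)` and falls through to the `md_value` allocation, so a server that cannot determine its own role accepts a non-replicated-update modify. If that failure can occur on a running RODC (not visible from this hunk), consider failing closed by adding `return ret;` after the DEBUG line, or at least logging at a level that is visible by default. The moved comment could also record why the check now sits here, for example `/* only modifies that change replicated attributes reach this point; non-replicated ones such as repsFrom are allowed on an RODC */`. That wording is inferred from the commit message, since the enclosing block of `replmd_update_rpmd` starts and ends outside the hunk and its condition is not shown.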