Try to implement the right logic for systemFlags
authorAndrew Bartlett <abartlet@samba.org>
Mon, 8 Sep 2008 01:10:24 +0000 (11:10 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 8 Sep 2008 01:10:24 +0000 (11:10 +1000)
The MS-ADTS document has quite detailed instrucitons on how these
flags should be processed.  This change also causes the correct
sign-wrapping to occour, as these are declared as signed integers.

Andrew Bartlett
(This used to be commit 5c3d237a6d721dc75166bdc5ac0c6e76a4495bf7)

source4/dsdb/samdb/ldb_modules/objectclass.c

index 4d4ef585cbb43bf6947ae49774420b90d003ee66..b048a8d8e1e2aa06a7fa05101f5db4fdea9cc84c 100644 (file)
@@ -534,6 +534,8 @@ static int objectclass_do_add(struct ldb_handle *h)
                        }
                        /* Last one is the critical one */
                        if (!current->next) {
                        }
                        /* Last one is the critical one */
                        if (!current->next) {
+                               struct ldb_message_element *el;
+                               int32_t systemFlags = 0;
                                if (!ldb_msg_find_element(msg, "objectCategory")) {
                                        ldb_msg_add_string(msg, "objectCategory", 
                                                           current->objectclass->defaultObjectCategory);
                                if (!ldb_msg_find_element(msg, "objectCategory")) {
                                        ldb_msg_add_string(msg, "objectCategory", 
                                                           current->objectclass->defaultObjectCategory);
@@ -548,6 +550,41 @@ static int objectclass_do_add(struct ldb_handle *h)
                                                ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
                                        }
                                }
                                                ldb_msg_add_steal_value(msg, "nTSecurityDescriptor", sd);
                                        }
                                }
+
+                               /* There are very special rules for systemFlags, see MS-ADTS 3.1.1.5.2.4 */
+                               el = ldb_msg_find_element(msg, "systemFlags");
+
+                               systemFlags = ldb_msg_find_attr_as_int(msg, "systemFlags", 0);
+
+                               if (el) {
+                                       /* Only these flags may be set by a client, but we can't tell between a client and our provision at this point */
+                                       /* systemFlags &= ( SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_MOVE | SYSTEM_FLAG_CONFIG_LIMITED_MOVE); */
+                                       ldb_msg_remove_element(msg, el);
+                               }
+                               
+                               /* This flag is only allowed on attributeSchema objects */
+                               if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "attributeSchema") == 0) {
+                                       systemFlags &= ~SYSTEM_FLAG_ATTR_IS_RDN;
+                               }
+
+                               if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "server") == 0) {
+                                       systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE | SYSTEM_FLAG_CONFIG_ALLOW_RENAME | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE);
+                               } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "site") == 0
+                                          || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "serverContainer") == 0
+                                          || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "ntDSDSA") == 0) {
+                                       systemFlags |= (int32_t)(SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE);
+
+                               } else if (ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLink") == 0 
+                                          || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "siteLinkBridge") == 0
+                                          || ldb_attr_cmp(current->objectclass->lDAPDisplayName, "nTDSConnection") == 0) {
+                                       systemFlags |= (int32_t)(SYSTEM_FLAG_CONFIG_ALLOW_RENAME);
+                               }
+
+                               /* TODO: If parent object is site or subnet, also add (SYSTEM_FLAG_CONFIG_ALLOW_RENAME) */
+
+                               if (el || systemFlags != 0) {
+                                       samdb_msg_add_int(ac->module->ldb, msg, msg, "systemFlags", systemFlags);
+                               }
                        }
                }
        }
                        }
                }
        }