s4:samldb LDB module - deny also the direct modification of "isCriticalSystemObject...
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Wed, 6 Oct 2010 17:30:56 +0000 (19:30 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Wed, 13 Oct 2010 13:35:21 +0000 (13:35 +0000)
source4/dsdb/samdb/ldb_modules/samldb.c

index 9fc3905332e6a41181d9db2e2dc303102784f09c..ce17eecaf045cea1754db8cd85b75a245b0bba75 100644 (file)
@@ -1247,11 +1247,22 @@ static int samldb_modify(struct ldb_module *module, struct ldb_request *req)
 
        ldb = ldb_module_get_ctx(module);
 
-       if (ldb_msg_find_element(req->op.mod.message, "sAMAccountType") != NULL) {
-               ldb_asprintf_errstring(ldb,
-                       "sAMAccountType must not be specified!");
+       /* make sure that "sAMAccountType" is not specified */
+       el = ldb_msg_find_element(req->op.mod.message, "sAMAccountType");
+       if (el != NULL) {
+               ldb_set_errstring(ldb,
+                       "samldb: sAMAccountType must not be specified!");
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
+       /* make sure that "isCriticalSystemObject" is not specified */
+       el = ldb_msg_find_element(req->op.mod.message, "isCriticalSystemObject");
+       if (el != NULL) {
+               if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) == NULL) {
+                       ldb_set_errstring(ldb,
+                               "samldb: isCriticalSystemObject must not be specified!");
+                       return LDB_ERR_UNWILLING_TO_PERFORM;
+               }
+       }
 
        /* msDS-IntId is not allowed to be modified
         * except when modification comes from replication */
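Review bot: The comment introducing the second check, `/* make sure that "isCriticalSystemObject" is not specified */`, no longer matches the code beneath it, which lets the modification through whenever the request carries LDB_CONTROL_RELAX_OID; a reader skimming the comments would assume the attribute is as strictly protected as sAMAccountType, which has no such bypass. I would reword it to `/* "isCriticalSystemObject" may only be changed with the relax control */` so the asymmetry between the two checks is visible, and ideally add one clause saying why the relax control is an acceptable escape hatch here. The new code also assigns `el`, whose declaration is not in the hunk; samldb_modify begins outside the hunk, so it is presumably declared earlier in the function — worth confirming it is not shadowing a later declaration in the same scope.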