summaryrefslogtreecommitdiffstats
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2011-11-11 14:51:32 +0100
committerStefan Metzmacher <metze@samba.org>2011-11-15 09:46:29 +0100
commit76b99bb379f2372903288c680e9b9abf85b02e09 (patch)
tree66e4e61e58f70e5d27c23c76e977e2d508498dcc /source4/dsdb/samdb
parent6d3558a8f6f157f5b4232388d675d9353a115632 (diff)
downloadsamba-76b99bb379f2372903288c680e9b9abf85b02e09.tar.gz
samba-76b99bb379f2372903288c680e9b9abf85b02e09.tar.xz
samba-76b99bb379f2372903288c680e9b9abf85b02e09.zip
s4:dsdb/schema_data: make sure we only allow objects one level below the schema base
The objectclass module should also check for this, but make sure we also reject it on things like provision. metze
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/schema_data.c34
1 files changed, 33 insertions, 1 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/schema_data.c b/source4/dsdb/samdb/ldb_modules/schema_data.c
index eeb7c46a08..a2f2267d43 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_data.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_data.c
@@ -139,8 +139,10 @@ static int schema_data_add(struct ldb_module *module, struct ldb_request *req)
const struct ldb_val *governsID = NULL;
const char *oid_attr = NULL;
const char *oid = NULL;
+ struct ldb_dn *parent_dn = NULL;
+ int cmp;
WERROR status;
- bool rodc;
+ bool rodc = false;
int ret;
ldb = ldb_module_get_ctx(module);
@@ -160,6 +162,12 @@ static int schema_data_add(struct ldb_module *module, struct ldb_request *req)
return ldb_next_request(module, req);
}
+ if (schema->base_dn == NULL) {
+ ldb_debug_set(ldb, LDB_DEBUG_FATAL,
+ "schema_data_add: base_dn NULL\n");
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
+
ret = samdb_rodc(ldb, &rodc);
if (ret != LDB_SUCCESS) {
DEBUG(4, (__location__ ": unable to tell if we are an RODC \n"));
@@ -171,6 +179,30 @@ static int schema_data_add(struct ldb_module *module, struct ldb_request *req)
return LDB_ERR_UNWILLING_TO_PERFORM;
}
+ if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID)) {
+ /*
+ * the provision code needs to create
+ * the schema root object.
+ */
+ cmp = ldb_dn_compare(req->op.add.message->dn, schema->base_dn);
+ if (cmp == 0) {
+ return ldb_next_request(module, req);
+ }
+ }
+
+ parent_dn = ldb_dn_get_parent(req, req->op.add.message->dn);
+ if (!parent_dn) {
+ return ldb_oom(ldb);
+ }
+
+ cmp = ldb_dn_compare(parent_dn, schema->base_dn);
+ if (cmp != 0) {
+ ldb_debug_set(ldb, LDB_DEBUG_ERROR,
+ "schema_data_add: no direct child :%s\n",
+ ldb_dn_get_linearized(req->op.add.message->dn));
+ return LDB_ERR_UNWILLING_TO_PERFORM;
+ }
+
attributeID = ldb_msg_find_ldb_val(req->op.add.message, "attributeID");
governsID = ldb_msg_find_ldb_val(req->op.add.message, "governsID");