authorAndrew Tridgell <tridge@samba.org>2011-06-22 17:05:08 +1000
committerAndrew Tridgell <tridge@samba.org>2011-06-22 11:16:26 +0200
commitd9ee7aebcb26c6115e0caeacb90f3f916a5af600 (patch)
tree28a8e6a32e0fc1443e1a00ca53638c901d4d2a2d
parent21af0af4e4a498bc676125507fdb96fa5b0e5cd5 (diff)
s4-dsdb: catch duplicate matches in extended_dn_in
When searching using extended DNs, if there are multiple matches then return an object not found error. This is needed for the case of a duplicate objectSid, which happens for S-1-5-17.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source4/dsdb/samdb/ldb_modules/extended_dn_in.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
index 3e2004d6f3e..e2bb0de0540 100644
--- a/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
+++ b/source4/dsdb/samdb/ldb_modules/extended_dn_in.c
@@ -103,6 +103,18 @@ static int extended_base_callback(struct ldb_request *req, struct ldb_reply *are
switch (ares->type) {
case LDB_REPLY_ENTRY:
+ if (ac->basedn) {
+ /* we have more than one match! This can
+ happen as S-1-5-17 appears twice in a
+ normal provision. We need to return
+ NO_SUCH_OBJECT */
+ const char *str = talloc_asprintf(req, "Duplicate base-DN matches found for '%s'",
+ ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1));
+ ldb_set_errstring(ldb_module_get_ctx(ac->module), str);
+ return ldb_module_done(ac->req, NULL, NULL,
+ LDB_ERR_NO_SUCH_OBJECT);
+ }
+
if (!ac->wellknown_object) {
ac->basedn = talloc_steal(ac, ares->message->dn);
break;
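Review bot: The new duplicate-match branch builds its error text from two unchecked allocations: `ldb_dn_get_extended_linearized()` and `talloc_asprintf()` can each return NULL on allocation failure, so either the `%s` argument or the `str` handed to `ldb_set_errstring()` may be NULL. Both temporaries are also parented to `req`, so they appear to stay allocated until the request itself is freed. The existing helper removes the intermediate string, e.g. `ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), "Duplicate base-DN matches found for '%s'", ldb_dn_get_extended_linearized(req, ac->req->op.search.base, 1));`, ideally after a NULL check on the linearized DN. Failing closed with `LDB_ERR_NO_SUCH_OBJECT` on an ambiguous SID lookup is the safe outcome, but extended_base_callback starts and ends outside the hunk, so whether the wellknown-object path also sets `ac->basedn` and is covered by this guard cannot be confirmed from here.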