From ccff8dff09aaae49359bfb087115ef17aec1307a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 26 Sep 2011 15:51:05 -0700
Subject: [PATCH] dsdb: Do not allow modification of systemOnly attributes
---
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 9893ada..2505378 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -205,6 +205,17 @@ static int attr_handler(struct oc_context *ac)
 }
 }
+ if ((attr->systemOnly) != 0 && !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID)) {
+ ldb_asprintf_errstring(ldb, "objectclass_attrs: attribute '%s' on entry '%s' is systemOnly!",
+ msg->elements[i].name,
+ ldb_dn_get_linearized(msg->dn));
+ if (ac->req->operation == LDB_ADD) {
+ return LDB_ERR_UNDEFINED_ATTRIBUTE_TYPE;
+ } else {
+ return LDB_ERR_CONSTRAINT_VIOLATION;
+ }
+ }
+
 /* "dSHeuristics" syntax check */
 if (ldb_attr_cmp(attr->lDAPDisplayName, "dSHeuristics") == 0) {
 ret = oc_validate_dsheuristics(&(msg->elements[i]));
-- 
1.7.6.2
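Review bot: The systemOnly guard in the added `if` is skipped whenever LDB_CONTROL_RELAX_OID is present on the request, and nothing in the hunk checks who attached that control. Unless an earlier module or the LDAP front end already rejects the relax control on untrusted requests (not visible here), the protection depends entirely on the caller not sending it. Consider `if (attr->systemOnly && (ldb_req_is_untrusted(ac->req) || !ldb_request_get_control(ac->req, LDB_CONTROL_RELAX_OID))) {`, or at least a comment above the check naming the layer that enforces who may use the control. The different result codes for LDB_ADD and the other operations would also benefit from a one-line comment saying why they differ. attr_handler's body starts and ends outside the hunk.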