Created attachment 6949: possible start of a patch

The attached patch attempts to prevent the modification of systemOnly attributes. The problem is that we rely on this at the moment (internal callers are not marked to indicate that this modification is safe/permitted). When all the callers are fixed (preferably with some per-attribute flag) then something like this needs to be committed.
BTW, this is MS-ADTS 3.1.1.5.3.2 Constraints (modify operation)
Andrew, can you have a look at this again?
What was wrong with this patch? At 10 000ft it looks like it is going in the right direction.
Is this a blocker for 4.1.0 or 4.2?
(In reply to comment #4)
> Is this a blocker for 4.1.0 or 4.2?

Comment from Metze: https://bugzilla.samba.org/show_bug.cgi?id=8487 (We should not allow the modification of systemOnly attributes) has a patch that needs verification and maybe a bit more work. We may be able to move this to 4.2 if it requires a lot of work.
Don't block 4.1.0, this is not a regression compared to 4.0.x
Any news on this one?
Is this a showstopper for 4.2.0?
I guess this will be fixed in 4.7 by

commit c4aa78ba875f3a9ca4e586823ce63826da8daa90
Author:     Garming Sam <garming@catalyst.net.nz>
AuthorDate: Tue Mar 7 12:30:09 2017 +1300
Commit:     Andrew Bartlett <abartlet@samba.org>
CommitDate: Mon Mar 13 05:10:12 2017 +0100

    objectclass_attrs: Restrict systemOnly attributes

    This allows restriction of auditing attributes from being wiped.
    Modifications of the RID Set must be done as SYSTEM.

    Signed-off-by: Garming Sam <garming@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>