s4:dsdb/schema: add "dsdb:schema update allowed" option to enable schema updates

By default schema updates are not allowed anymore, as we don't have
complete validation code to prevent database corruption.

metze

1 files changed, 15 insertions, 2 deletions

diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index 0a9dedff8ad..a4c29f1aa54 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -818,6 +818,7 @@ int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
 	const struct ldb_val *info_val;
 	struct ldb_val info_val_default;
 	struct dsdb_schema *schema;
+	struct loadparm_context *lp_ctx = NULL;
 	int ret;
 
 	schema = dsdb_new_schema(mem_ctx);
@@ -869,8 +870,20 @@ int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
 		schema->fsmo.we_are_master = false;
 	}
 
-	DEBUG(5, ("schema_fsmo_init: we are master: %s\n",
-		  (schema->fsmo.we_are_master?"yes":"no")));
+	lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+						struct loadparm_context);
+	if (lp_ctx) {
+		bool allowed = lpcfg_parm_bool(lp_ctx, NULL,
+						"dsdb", "schema update allowed",
+						false);
+		schema->fsmo.update_allowed = allowed;
+	} else {
+		schema->fsmo.update_allowed = false;
+	}
+
+	DEBUG(5, ("schema_fsmo_init: we are master[%s] updates allowed[%s]\n",
+		  (schema->fsmo.we_are_master?"yes":"no"),
+		  (schema->fsmo.update_allowed?"yes":"no")));
 
 	*schema_out = schema;
 	return LDB_SUCCESS;