s4:dsdb/schema: add "dsdb:schema update allowed" option to enable schema updates

By default schema updates are not allowed anymore, as we don't have
complete validation code to prevent database corruption.

metze

source4/dsdb/schema/schema.h

@@ -237,6 +237,7 @@ struct dsdb_schema {
 
 	struct {
 		bool we_are_master;
+		bool update_allowed;
 		struct ldb_dn *master_dn;
 	} fsmo;
 

source4/dsdb/schema/schema_init.c

@@ -818,6 +818,7 @@ int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
 	const struct ldb_val *info_val;
 	struct ldb_val info_val_default;
 	struct dsdb_schema *schema;
+	struct loadparm_context *lp_ctx = NULL;
 	int ret;
 
 	schema = dsdb_new_schema(mem_ctx);
@@ -869,8 +870,20 @@ int dsdb_schema_from_ldb_results(TALLOC_CTX *mem_ctx, struct ldb_context *ldb,
 		schema->fsmo.we_are_master = false;
 	}
 
-	DEBUG(5, ("schema_fsmo_init: we are master: %s\n",
-		  (schema->fsmo.we_are_master?"yes":"no")));
+	lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"),
+						struct loadparm_context);
+	if (lp_ctx) {
+		bool allowed = lpcfg_parm_bool(lp_ctx, NULL,
+						"dsdb", "schema update allowed",
+						false);
+		schema->fsmo.update_allowed = allowed;
+	} else {
+		schema->fsmo.update_allowed = false;
+	}
+
+	DEBUG(5, ("schema_fsmo_init: we are master[%s] updates allowed[%s]\n",
+		  (schema->fsmo.we_are_master?"yes":"no"),
+		  (schema->fsmo.update_allowed?"yes":"no")));
 
 	*schema_out = schema;
 	return LDB_SUCCESS;

source4/dsdb/schema/schema_set.c

@@ -712,6 +712,7 @@ WERROR dsdb_set_schema_from_ldif(struct ldb_context *ldb,
 		goto nomem;
 	}
 	schema->fsmo.we_are_master = true;
+	schema->fsmo.update_allowed = true;
 	schema->fsmo.master_dn = ldb_dn_new(schema, ldb, "@PROVISION_SCHEMA_MASTER");
 	if (!schema->fsmo.master_dn) {
 		goto nomem;