subtree rename constraint checks
Matthias Dieter Wallnöfer
mdw at samba.org
Tue Apr 26 03:11:46 MDT 2011
Hi ekacnet,
I'm not confident in this patch. I think that each entry needs the
constraint checks since it has its own "systemFlags" attribute. Probably
just my limited move checks are wrong (this code is part of the
subtree_rename LDB module):
> bool limited_move =
>         systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE;
>
> if (limited_move) {
>         dn1 = ldb_dn_copy(ac, olddn);
>         if (dn1 == NULL) return ldb_oom(ldb);
>         dn2 = ldb_dn_copy(ac, newdn);
>         if (dn2 == NULL) return ldb_oom(ldb);
>
>         /* strip the three leaf-most RDNs (object, "Servers", site)
>          * from both DNs; a limited move may only change those */
>         limited_move &= ldb_dn_remove_child_components(dn1, 3);
>         limited_move &= ldb_dn_remove_child_components(dn2, 3);
>         limited_move &= ldb_dn_compare(dn1, dn2) == 0;
>
>         talloc_free(dn1);
>         talloc_free(dn2);
> }
>
> if (!limited_move) {
>         ldb_asprintf_errstring(ldb,
>                 "subtree_rename: Cannot move %s to %s in config partition",
>                 ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
>         return LDB_ERR_UNWILLING_TO_PERFORM;
> }
I will try to fix it.
Cheers,
Matthias
Matthieu Patou wrote:
> On 25/04/2011 18:30, Matthieu Patou wrote:
>> Hello Matthias,
>>
>> I'm asking some questions about the tests related to the subtree_rename.c
>> module in samdb.
>>
>> Have you tested the case when
>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
>> is renamed but it has a subentry (i.e.
>> CN=NTDS Settings,CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld)?
>>
>> After reading MS-ADTS, I still don't have an idea of what is wrong,
>> but I'm pretty sure that something is wrong, as when I try to move a
>> server from one site to another in Active Directory Sites and Services
>> (dssite.msc) I get an error, and the error comes from the DN moves that
>> are triggered on the subentries while moving
>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld
>> to CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld.
>>
>> It's clear that something is wrong, as in ADTS in chapter
>> 7.1.1.2.2.1.2.1 (Server Object) the system flags for it are:
>> { FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE |
>> FLAG_DISALLOW_MOVE_ON_DELETE }
>>
>> So the (limited) move of CN=A,CN=Servers, ... is authorized. The "NTDS
>> Settings" entry is an nTDSDSA object; 7.1.1.2.2.1.2.1.1 says its
>> systemFlags are {FLAG_DISALLOW_MOVE_ON_DELETE}, so the way the code
>> is done we can never move or rename a server object, as its NTDS
>> subentry does not allow anything like this.
>>
>> My assumption is that the checks should be done only on the DN that
>> triggers the subtree rename and not on the subentries, as they are not
>> really changed and their DNs should be dynamically calculated.
>>
> What about a patch like this?
>> Matthieu.
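The two positions in this thread (per-entry checks versus checking only the DN that triggers the rename) can be compared on the exact DNs and systemFlags values Matthieu cites. The following is an added model, not Samba's subtree_rename module and not Matthieu's patch (which is not shown here): it replaces ldb_dn_copy/ldb_dn_remove_child_components/ldb_dn_compare with a naive comma split (an assumption that holds for these DNs, which contain no escaped commas), uses the SYSTEM_FLAG_* bit values from MS-ADTS (the logic only needs them to be distinct bits), and models only the limited-move branch quoted above, not the other move/rename flags the real module also checks.

```python
"""Model of the subtree_rename limited-move check from the samba-technical thread.

Added illustration, not Samba code. DN handling is a plain-string model of
the ldb_dn_* calls; systemFlags bits are the MS-ADTS values.
"""

# systemFlags bits (MS-ADTS values; only their distinctness matters here).
SYSTEM_FLAG_CONFIG_ALLOW_RENAME = 0x40000000
SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE = 0x10000000
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE = 0x02000000


def dn_components(dn):
    """Split a linearized DN into RDNs, leaf first (assumes no escaped commas)."""
    return [c.strip() for c in dn.split(",")]


def current_check(olddn, newdn, system_flags):
    """The per-entry check as quoted in the thread.

    Mirrors: strip 3 child components from both DNs (ldb returns false if
    fewer than 3 exist), then require the remainders to compare equal.
    """
    limited_move = bool(system_flags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE)
    if limited_move:
        c1, c2 = dn_components(olddn), dn_components(newdn)
        if len(c1) < 3 or len(c2) < 3:
            return False
        limited_move = c1[3:] == c2[3:]
    return limited_move


def rebase(child_dn, olddn, newdn):
    """New DN of a subtree member after its ancestor olddn moves to newdn."""
    cc, oc = dn_components(child_dn), dn_components(olddn)
    if cc[-len(oc):] != oc:
        raise ValueError("%s is not under %s" % (child_dn, olddn))
    return ",".join(cc[:-len(oc)] + dn_components(newdn))


def subtree_rename(entries, olddn, newdn, check_every_entry):
    """Simulate the module's rename of olddn and everything below it.

    entries: {dn: systemFlags}. With check_every_entry=True each subtree
    member is checked with its own flags (current behaviour); with False
    only the triggering DN is checked and children are merely rebased
    (Matthieu's proposal). Returns (ok, failing_dn, {old_dn: new_dn}).
    """
    oc = dn_components(olddn)
    members = [dn for dn in entries if dn_components(dn)[-len(oc):] == oc]
    for dn in (members if check_every_entry else [olddn]):
        if not current_check(dn, rebase(dn, olddn, newdn), entries[dn]):
            return False, dn, {}
    return True, None, {dn: rebase(dn, olddn, newdn) for dn in members}


# Constructed sample directory using the DNs and flags quoted in the thread.
SITE1 = "CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld"
SERVER_OLD = "CN=A," + SITE1
NTDS_OLD = "CN=NTDS Settings," + SERVER_OLD
SERVER_NEW = "CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld"

ENTRIES = {
    # Server object: { ALLOW_RENAME | ALLOW_LIMITED_MOVE | DISALLOW_MOVE_ON_DELETE }
    SERVER_OLD: SYSTEM_FLAG_CONFIG_ALLOW_RENAME
    | SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE
    | SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE,
    # nTDSDSA object: { DISALLOW_MOVE_ON_DELETE } only
    NTDS_OLD: SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE,
}

if __name__ == "__main__":
    for per_entry in (True, False):
        ok, failing, new_dns = subtree_rename(ENTRIES, SERVER_OLD, SERVER_NEW, per_entry)
        print("check every entry=%s -> ok=%s failing=%s" % (per_entry, ok, failing))
        for old, new in new_dns.items():
            print("  %s\n    -> %s" % (old, new))
```

Run stand-alone, the per-entry variant refuses the move at the NTDS Settings subentry, while checking only the server DN succeeds and yields the rebased child DN under CN=Test. The model also shows a second reason the per-entry check cannot work for subentries: even if the nTDSDSA object carried FLAG_CONFIG_ALLOW_LIMITED_MOVE, stripping three components from a DN one level deeper leaves the old and new site RDNs in the remainder, so the comparison still fails.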