[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Sun Aug 1 10:53:27 MDT 2010


The branch, master has been updated
       via  3f2a8d5... s4:urgent_replication.py test - adapt the test for the harder delete restrictions
       via  ea5c404... s4:ldap.py - perform tests on the additional delete constraint checks
       via  316eda1... s4:objectclass LDB module - implement additional delete constraint checks
      from  c59ab01... s3: Fix an uninitialized variable

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3f2a8d508123550c7fd4c7d29ab7d53f24a61629
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Aug 1 17:44:50 2010 +0200

    s4:urgent_replication.py test - adapt the test for the harder delete restrictions
    
    Otherwise we are not able to delete the "test crossRef" object which points
    to the default NC anymore.

commit ea5c40428f7e195f9db1efbd320969184bda6593
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Aug 1 13:09:46 2010 +0200

    s4:ldap.py - perform tests on the additional delete constraint checks

commit 316eda12068af4f059a082d0a9299d8fdb02d602
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date:   Sun Aug 1 12:50:56 2010 +0200

    s4:objectclass LDB module - implement additional delete constraint checks
    
    MS-ADTS 3.1.1.5.5.3

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass.c    |   50 +++++++++++++++++++++-
 source4/dsdb/tests/python/ldap.py               |   42 +++++++++++++++++--
 source4/dsdb/tests/python/urgent_replication.py |    2 +-
 3 files changed, 86 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
index 5883d5c..b71f91f 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
@@ -1238,7 +1238,8 @@ static int objectclass_do_delete(struct oc_context *ac);
 
 static int objectclass_delete(struct ldb_module *module, struct ldb_request *req)
 {
-	static const char * const attrs[] = { "systemFlags", NULL };
+	static const char * const attrs[] = { "nCName", "objectClass",
+					      "systemFlags", NULL };
 	struct ldb_context *ldb;
 	struct ldb_request *search_req;
 	struct oc_context *ac;
@@ -1253,7 +1254,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 		return ldb_next_request(module, req);
 	}
 
-	/* Bypass the "systemFlags" checks when we do have the "RELAX" control
+	/* Bypass the constraint checks when we do have the "RELAX" control
 	 * set. */
 	if (ldb_request_get_control(req, LDB_CONTROL_RELAX_OID) != NULL) {
 		return ldb_next_request(module, req);
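Review bot: The reworded comment before the `LDB_CONTROL_RELAX_OID` test does not say who is allowed to send the control, even though the shortcut now covers every delete constraint, including the ntDSDSA, rIDSet and main-partition crossRef protections this commit adds to objectclass_do_delete. Nothing in the visible lines restricts the control to trusted or privileged requests. If that is enforced elsewhere (not visible here), the comment should say where, for example `/* RELAX skips all delete constraint checks below, including the protected DC objects; permission to use the control is checked in <module>. */`. objectclass_delete starts before this hunk and continues after it.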
@@ -1265,7 +1266,7 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 	}
 
 	/* this looks up the entry object for fetching some important
-	 * informations (systemFlags...) */
+	 * informations (object classes, system flags...) */
 	ret = ldb_build_search_req(&search_req, ldb,
 				   ac, req->op.del.dn, LDB_SCOPE_BASE,
 				   "(objectClass=*)",
@@ -1284,7 +1285,9 @@ static int objectclass_delete(struct ldb_module *module, struct ldb_request *req
 static int objectclass_do_delete(struct oc_context *ac)
 {
 	struct ldb_context *ldb;
+	struct ldb_dn *dn;
 	int32_t systemFlags;
+	int ret;
 
 	ldb = ldb_module_get_ctx(ac->module);
 
@@ -1296,6 +1299,47 @@ static int objectclass_do_delete(struct oc_context *ac)
 		return LDB_ERR_NO_SUCH_OBJECT;
 	}
 
+	/* DC's ntDSDSA object */
+	if (ldb_dn_compare(ac->req->op.del.dn, samdb_ntds_settings_dn(ldb)) == 0) {
+		ldb_asprintf_errstring(ldb, "objectclass: Cannot delete %s, it's the DC's ntDSDSA object!",
+				       ldb_dn_get_linearized(ac->req->op.del.dn));
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
+
+	/* DC's rIDSet object */
+	ret = samdb_rid_set_dn(ldb, ac, &dn);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+
+	if (ldb_dn_compare(ac->req->op.del.dn, dn) == 0) {
+		talloc_free(dn);
+		ldb_asprintf_errstring(ldb, "objectclass: Cannot delete %s, it's the DC's rIDSet object!",
+				       ldb_dn_get_linearized(ac->req->op.del.dn));
+		return LDB_ERR_UNWILLING_TO_PERFORM;
+	}
+
+	talloc_free(dn);
+
+	/* crossRef objects regarding config, schema and default domain NCs */
+	if (samdb_find_attribute(ldb, ac->search_res->message, "objectClass",
+				 "crossRef") != NULL) {
+		dn = ldb_msg_find_attr_as_dn(ldb, ac, ac->search_res->message,
+					     "nCName");
+		if ((ldb_dn_compare(dn, ldb_get_default_basedn(ldb)) == 0) ||
+		    (ldb_dn_compare(dn, ldb_get_config_basedn(ldb)) == 0) ||
+		    (ldb_dn_compare(dn, ldb_get_schema_basedn(ldb)) == 0)) {
+			talloc_free(dn);
+
+			ldb_asprintf_errstring(ldb, "objectclass: Cannot delete %s, it's a crossRef object to the three main partitions!",
+					       ldb_dn_get_linearized(ac->req->op.del.dn));
+			return LDB_ERR_UNWILLING_TO_PERFORM;
+		}
+		talloc_free(dn);
+	}
+
+	/* systemFlags */
+
 	systemFlags = ldb_msg_find_attr_as_int(ac->search_res->message,
 					       "systemFlags", 0);
 	if ((systemFlags & SYSTEM_FLAG_DISALLOW_DELETE) != 0) {
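Review bot: The new lookups in objectclass_do_delete fail in opposite directions. A failure of `samdb_rid_set_dn()` returns `ret`, which rejects every delete that reaches this point with no error string set in the visible lines, while the result of `samdb_ntds_settings_dn(ldb)` goes into `ldb_dn_compare()` unchecked, so a NULL result presumably skips the ntDSDSA protection silently (this depends on how ldb_dn_compare treats NULL, which is not visible here). I would check the DN explicitly, e.g. `ntds_dn = samdb_ntds_settings_dn(ldb); if (ntds_dn == NULL) return LDB_ERR_OPERATIONS_ERROR;`, and set an error string before `return ret;` so a refused delete can be told apart from a lookup failure. The same question applies to `dn` from `ldb_msg_find_attr_as_dn()` when a crossRef entry has no nCName. The function starts in the previous hunk and continues past the end of this one.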
diff --git a/source4/dsdb/tests/python/ldap.py b/source4/dsdb/tests/python/ldap.py
index b48ee26..ea0aa3a 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -1569,10 +1569,9 @@ objectClass: container
         self.assertEquals(len(res), 1)
         self.assertTrue("subScheamSubEntry" not in res[0])
 
-    def test_subtree_delete(self):
-        """Tests subtree deletes"""
-
-        print "Test subtree deletes"""
+    def test_delete(self):
+        """Tests the delete operation"""
+        print "Tests the delete operations"""
 
         ldb.add({
             "dn": "cn=ldaptestcontainer," + self.base_dn,
@@ -1615,6 +1614,41 @@ objectClass: container
         self.delete_force(self.ldb, "cn=entry2,cn=ldaptestcontainer," + self.base_dn)
         self.delete_force(self.ldb, "cn=ldaptestcontainer," + self.base_dn)
 
+        # Performs some protected object delete testing
+
+        res = ldb.search(base="", expression="", scope=SCOPE_BASE,
+                         attrs=["dsServiceName", "dNSHostName"])
+        self.assertEquals(len(res), 1)
+
+        try:
+            ldb.delete(res[0]["dsServiceName"][0])
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        res = ldb.search(self.base_dn, scope=SCOPE_SUBTREE,
+                         attrs=["rIDSetReferences"],
+                         expression="(&(objectClass=computer)(dNSHostName=" + res[0]["dNSHostName"][0] + "))")
+        self.assertEquals(len(res), 1)
+
+        try:
+            ldb.delete(res[0]["rIDSetReferences"][0])
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        try:
+            ldb.delete("cn=Enterprise Schema,cn=Partitions," + self.configuration_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
+        try:
+            ldb.delete("cn=Enterprise Configuration,cn=Partitions," + self.configuration_dn)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
+
         # Performs some "systemFlags" testing
 
         # Delete failing since "SYSTEM_FLAG_DISALLOW_DELETE"
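Review bot: The protected-object tests cover the ntDSDSA object, the rIDSet object and the crossRef entries for the schema and configuration partitions, but not the crossRef for the default domain NC, which is the first of the three comparisons in the C change. That branch is the one the urgent_replication.py change in this commit works around, so it deserves a direct assertion here. Its CN is not fixed, so the entry would have to be found by searching under `cn=Partitions` for `nCName` equal to `self.base_dn`, as sketched below. The test method starts before this hunk and continues after it.

```python
        # … unchanged: ntDSDSA, rIDSet, schema and configuration crossRef checks …

        res = ldb.search("cn=Partitions," + self.configuration_dn,
                         scope=SCOPE_SUBTREE, attrs=["cn"],
                         expression="(&(objectClass=crossRef)(nCName=" + self.base_dn + "))")
        self.assertEquals(len(res), 1)

        try:
            ldb.delete(res[0].dn)
            self.fail()
        except LdbError, (num, _):
            self.assertEquals(num, ERR_UNWILLING_TO_PERFORM)
```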
diff --git a/source4/dsdb/tests/python/urgent_replication.py b/source4/dsdb/tests/python/urgent_replication.py
index 092466d..42f3cd0 100755
--- a/source4/dsdb/tests/python/urgent_replication.py
+++ b/source4/dsdb/tests/python/urgent_replication.py
@@ -43,7 +43,7 @@ class UrgentReplicationTests(samba.tests.TestCase):
 
     def delete_force(self, ldb, dn):
         try:
-            ldb.delete(dn)
+            ldb.delete(dn, ["relax:0"])
         except LdbError, (num, _):
             self.assertEquals(num, ERR_NO_SUCH_OBJECT)
 
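Review bot: `delete_force` now sends `relax:0` on every delete this test class issues, not only on the "test crossRef" object named in the commit message. That means none of the deletes in this file exercise the server-side delete constraints any more, and a regression in them would go unnoticed here. Making the control opt-in keeps the bypass limited to the one object that needs it: `def delete_force(self, ldb, dn, controls=None):` with `ldb.delete(dn, controls)`, and pass `["relax:0"]` only at the crossRef call site.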


-- 
Samba Shared Repository

