[SCM] Samba Shared Repository - branch master updated

Matthias Dieter Wallnöfer mdw at samba.org
Tue Jan 5 12:52:13 MST 2010


The branch, master has been updated
       via  a08a0ff... s4:SAMLDB LDB module - Fix trailing whitespaces
       via  77ce33c... s4:SAMLDB LDB module - Rework to allow checks for wrong "defaultObjectCategory" attributes
       via  c051008... s4:schema_load.c - Typo
       via  bbf9885... s4:ldap_schema.py - add an additional check for validity of "defaultObjectCategory"
       via  d8ca002... s4:ldap_schema.py - Move generated attributes check
      from  d06fb8e0.. s3: List trusted domains from wcache when domain is offline.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a08a0ffd37cbf0c87c054a499f549d74598e2db4
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 3 21:47:36 2010 +0100

    s4:SAMLDB LDB module - Fix trailing whitespaces

commit 77ce33c419dc000362a2c532e5c7afc1a013c731
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 3 20:36:09 2010 +0100

    s4:SAMLDB LDB module - Rework to allow checks for wrong "defaultObjectCategory" attributes
    
    This allows a stricter check for "defaultObjectCategory" attributes which is
    performed when the "relax" control isn't specified.
    Additional note: As the added comment points out this isn't complete.
    And I personally think that moving this at some point to the "objectclass"
    module is a better idea to make this fully work (since there we have direct
    access to the schema). If someone has a good idea how to do this please inform
    me.
    
    Anyway, the SAMLDB module does require some restructuring, since at the moment
    it's very overloaded and therefore a bit of a mess. In the meantime I started to
    work on a new approach to realise it in a better way.

commit c051008540dd381bb79e39a0c9b6db6aa99a3a6e
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 3 19:54:53 2010 +0100

    s4:schema_load.c - Typo

commit bbf988501352801f88c714a67e5ab2b9d19a7af1
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 3 19:53:01 2010 +0100

    s4:ldap_schema.py - add an additional check for validity of "defaultObjectCategory"

commit d8ca002a8c7b56712aeaadc19885f70d762ac059
Author: Matthias Dieter Wallnöfer <mwallnoefer at yahoo.de>
Date:   Sun Jan 3 19:43:52 2010 +0100

    s4:ldap_schema.py - Move generated attributes check
    
    Make more clear that they're created before the "schemaUpdateNow".

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/samldb.c      |  180 ++++++++++++++++----------
 source4/dsdb/samdb/ldb_modules/schema_load.c |    2 +-
 source4/lib/ldb/tests/python/ldap_schema.py  |   55 ++++++--
 3 files changed, 154 insertions(+), 83 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index fc286c4..17a99c7 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -9,12 +9,12 @@
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
@@ -333,37 +333,37 @@ static int samldb_check_samAccountName_callback(struct ldb_request *req,
 {
 	struct samldb_ctx *ac;
 	int ret;
-	
+
 	ac = talloc_get_type(req->context, struct samldb_ctx);
-	
+
 	if (ares->error != LDB_SUCCESS) {
 		return ldb_module_done(ac->req, ares->controls,
                                        ares->response, ares->error);
 	}
-	
+
 	switch (ares->type) {
-	case LDB_REPLY_ENTRY:		
+	case LDB_REPLY_ENTRY:
 		/* if we get an entry it means this samAccountName
 		 * already exists */
 		return ldb_module_done(ac->req, NULL, NULL,
                                        LDB_ERR_ENTRY_ALREADY_EXISTS);
-		
+
 	case LDB_REPLY_REFERRAL:
 		/* this should not happen */
 		return ldb_module_done(ac->req, NULL, NULL,
                                        LDB_ERR_OPERATIONS_ERROR);
-		
+
 	case LDB_REPLY_DONE:
 		/* not found, go on */
 		talloc_free(ares);
 		ret = samldb_next_step(ac);
 		break;
 	}
-	
+
 	if (ret != LDB_SUCCESS) {
 		return ldb_module_done(ac->req, NULL, NULL, ret);
 	}
-	
+
 	return LDB_SUCCESS;
 }
 
@@ -374,16 +374,16 @@ static int samldb_check_samAccountName(struct samldb_ctx *ac)
 	const char *name;
 	char *filter;
         int ret;
-	
+
 	ldb = ldb_module_get_ctx(ac->module);
-	
+
         if (ldb_msg_find_element(ac->msg, "samAccountName") == NULL) {
                 ret = samldb_generate_samAccountName(ac->msg);
                 if (ret != LDB_SUCCESS) {
                         return ret;
                 }
         }
-	
+
 	name = ldb_msg_find_attr_as_string(ac->msg, "samAccountName", NULL);
 	if (name == NULL) {
 		return LDB_ERR_OPERATIONS_ERROR;
@@ -393,7 +393,7 @@ static int samldb_check_samAccountName(struct samldb_ctx *ac)
 	if (filter == NULL) {
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
-	
+
 	ret = ldb_build_search_req(&req, ldb, ac,
 				   ac->domain_dn, LDB_SCOPE_SUBTREE,
 				   filter, NULL,
@@ -569,7 +569,7 @@ static int samldb_get_sid_domain(struct samldb_ctx *ac)
 	/* get the domain component part of the provided SID */
 	ac->domain_sid->num_auths--;
 
-	filter = talloc_asprintf(ac, 
+	filter = talloc_asprintf(ac,
 				 "(&(objectSid=%s)"
 				 "(|(objectClass=domain)"
 				 "(objectClass=builtinDomain)))",
@@ -713,7 +713,7 @@ static int samldb_check_primaryGroupID_2(struct samldb_ctx *ac)
 		struct ldb_context *ldb;
 		ldb = ldb_module_get_ctx(ac->module);
 		ldb_asprintf_errstring(ldb,
-				       "Failed to find group sid %s!", 
+				       "Failed to find group sid %s!",
 				       dom_sid_string(ac->sid, ac->sid));
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
@@ -918,36 +918,33 @@ done:
 
 static int samldb_set_defaultObjectCategory(struct samldb_ctx *ac)
 {
+	struct ldb_context *ldb;
+	struct ldb_message *msg;
+	struct ldb_request *req;
 	int ret;
-	if (ac->dn) {
-		struct ldb_request *req;
-		struct ldb_context *ldb;
-		struct ldb_message *msg = ldb_msg_new(ac);
-
-		msg->dn = ac->dn;
-
-		ldb_msg_add_empty(msg, "defaultObjectCategory", LDB_FLAG_MOD_REPLACE, NULL);
-
-		ldb_msg_add_steal_string(msg, "defaultObjectCategory", ldb_dn_alloc_linearized(msg, ac->dn));
-
-		ldb = ldb_module_get_ctx(ac->module);
 
-		ret = ldb_build_mod_req(&req, ldb, ac,
-					msg, NULL,
-					ac, samldb_set_defaultObjectCategory_callback,
-					ac->req);
-		if (ret != LDB_SUCCESS) {
-			return ret;
-		}
+	ldb = ldb_module_get_ctx(ac->module);
 
-		return ldb_next_request(ac->module, req);
-	}
+	/* (Re)set the default object category to have it set to the DN in the
+	 * storage format */
+	msg = ldb_msg_new(ac);
+	msg->dn = ac->msg->dn;
+	ldb_msg_add_empty(msg, "defaultObjectCategory",
+			  LDB_FLAG_MOD_REPLACE, NULL);
+	ldb_msg_add_steal_string(msg, "defaultObjectCategory",
+				 ldb_dn_alloc_linearized(msg, ac->dn));
 
-	ret = samldb_next_step(ac);
+	ret = ldb_build_mod_req(&req, ldb, ac,
+				msg, NULL,
+				ac,
+				samldb_set_defaultObjectCategory_callback,
+				ac->req);
 	if (ret != LDB_SUCCESS) {
-		return ldb_module_done(ac->req, NULL, NULL, ret);
+		talloc_free(msg);
+		return ret;
 	}
-	return ret;
+
+	return ldb_next_request(ac->module, req);
 }
 
 /*
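Review bot: The result of `ldb_msg_new(ac)` is dereferenced on the next line (`msg->dn = ac->msg->dn;`) without a NULL check, the return values of `ldb_msg_add_empty()` and `ldb_msg_add_steal_string()` are dropped, and a NULL from `ldb_dn_alloc_linearized()` is passed on unchecked. Under memory pressure that is a NULL dereference inside the directory server instead of a clean LDB error. The rewrite also removes the old `if (ac->dn)` guard, so this function now depends on the search callback never advancing with `ac->dn == NULL`; a one-line comment stating that precondition would help. The whole function is inside this hunk.

```c
	char *dn_str;
	/* … unchanged: other declarations, ldb_module_get_ctx() … */

	msg = ldb_msg_new(ac);
	if (msg == NULL) {
		return LDB_ERR_OPERATIONS_ERROR;
	}
	msg->dn = ac->msg->dn;

	ret = ldb_msg_add_empty(msg, "defaultObjectCategory",
				LDB_FLAG_MOD_REPLACE, NULL);
	if (ret != LDB_SUCCESS) {
		talloc_free(msg);
		return ret;
	}

	dn_str = ldb_dn_alloc_linearized(msg, ac->dn);
	if (dn_str == NULL) {
		talloc_free(msg);
		return LDB_ERR_OPERATIONS_ERROR;
	}
	ret = ldb_msg_add_steal_string(msg, "defaultObjectCategory", dn_str);
	if (ret != LDB_SUCCESS) {
		talloc_free(msg);
		return ret;
	}

	/* … unchanged: ldb_build_mod_req() and ldb_next_request() … */
```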
@@ -955,14 +952,35 @@ static int samldb_set_defaultObjectCategory(struct samldb_ctx *ac)
  */
 
 static int samldb_find_for_defaultObjectCategory_callback(struct ldb_request *req,
-						struct ldb_reply *ares)
+							  struct ldb_reply *ares)
 {
+	struct ldb_context *ldb;
 	struct samldb_ctx *ac;
 	int ret;
 
 	ac = talloc_get_type(req->context, struct samldb_ctx);
+	ldb = ldb_module_get_ctx(ac->module);
 
+	if (!ares) {
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		goto done;
+	}
 	if (ares->error != LDB_SUCCESS) {
+		if (ares->error == LDB_ERR_NO_SUCH_OBJECT) {
+			if (ldb_request_get_control(ac->req,
+						    LDB_CONTROL_RELAX_OID) != NULL) {
+				/* Don't be pricky when the DN doesn't exist */
+				/* if we have the RELAX control specified */
+				ac->dn = req->op.search.base;
+				return samldb_next_step(ac);
+			} else {
+				ldb_set_errstring(ldb,
+					"samldb_find_defaultObjectCategory: "
+					"Invalid DN for 'defaultObjectCategory'!");
+				ares->error = LDB_ERR_CONSTRAINT_VIOLATION;
+			}
+		}
+
 		return ldb_module_done(ac->req, ares->controls,
                                        ares->response, ares->error);
 	}
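Review bot: In the RELAX branch, `return samldb_next_step(ac);` hands a failure straight back to the caller of the callback, while every other failure in this function is reported through `ldb_module_done(ac->req, ...)`; the reply `ares` is also not freed on that path. Routing it through the common exit keeps completion handling in one place: `talloc_free(ares); ret = samldb_next_step(ac); goto done;` (the `done:` label is added further down, outside this hunk). Because this branch accepts a caller-supplied DN that was not found, a comment naming which callers are expected to send the RELAX control would document the trust assumption. The comment typo `pricky` should read `picky`.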
@@ -970,22 +988,33 @@ static int samldb_find_for_defaultObjectCategory_callback(struct ldb_request *re
 	switch (ares->type) {
 	case LDB_REPLY_ENTRY:
 		ac->dn = talloc_steal(ac, ares->message->dn);
+
+		ret = LDB_SUCCESS;
 		break;
+
 	case LDB_REPLY_REFERRAL:
 		/* this should not happen */
-		return ldb_module_done(ac->req, NULL, NULL,
-                                       LDB_ERR_OPERATIONS_ERROR);
+		talloc_free(ares);
+		ret = LDB_ERR_OPERATIONS_ERROR;
+		break;
 
 	case LDB_REPLY_DONE:
-		/* found or not found, go on */
 		talloc_free(ares);
-		ret = samldb_next_step(ac);
-		if (ret != LDB_SUCCESS) {
-			return ldb_module_done(ac->req, NULL, NULL, ret);
+
+		if (ac->dn != NULL) {
+			/* when found go on */
+			ret = samldb_next_step(ac);
+		} else {
+			ret = LDB_ERR_OPERATIONS_ERROR;
 		}
 		break;
 	}
 
+done:
+	if (ret != LDB_SUCCESS) {
+		return ldb_module_done(ac->req, NULL, NULL, ret);
+	}
+
 	return LDB_SUCCESS;
 }
 
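Review bot: In `LDB_REPLY_DONE`, the `ac->dn == NULL` branch returns `LDB_ERR_OPERATIONS_ERROR` with no error string, yet that appears to be the path taken when the supplied "defaultObjectCategory" DN exists but does not match the `objectClass=classSchema` filter (a base search that matches nothing normally finishes without an entry and without an error). That is the same client mistake the earlier part of the function reports as a constraint violation, so I would set `ldb_set_errstring(ldb, "samldb_find_defaultObjectCategory: Invalid DN for 'defaultObjectCategory'!");` and `ret = LDB_ERR_CONSTRAINT_VIOLATION;` here. The `switch` also has no `default`, so `ret` is read uninitialised at `done:` for an unexpected `ares->type`; `default: ret = LDB_ERR_OPERATIONS_ERROR; break;` closes that. The function begins outside this hunk.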
@@ -993,38 +1022,55 @@ static int samldb_find_for_defaultObjectCategory(struct samldb_ctx *ac)
 {
 	struct ldb_context *ldb;
 	struct ldb_request *req;
-        int ret;
 	static const char *no_attrs[] = { NULL };
+        int ret;
+	const struct ldb_val *val;
+	struct ldb_dn *def_obj_cat_dn;
 
 	ldb = ldb_module_get_ctx(ac->module);
 
 	ac->dn = NULL;
 
-        if (ldb_msg_find_element(ac->msg, "defaultObjectCategory") == NULL) {
-		ret = ldb_build_search_req(&req, ldb, ac,
-					   ac->msg->dn, LDB_SCOPE_BASE,
-					   "objectClass=classSchema", no_attrs,
-					   NULL,
-					   ac, samldb_find_for_defaultObjectCategory_callback,
-					   ac->req);
-		if (ret != LDB_SUCCESS) {
-			return ret;
-		}
-		ret = dsdb_request_add_controls(ac->module, req, DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
-		if (ret != LDB_SUCCESS) {
-			return ret;
+	val = ldb_msg_find_ldb_val(ac->msg, "defaultObjectCategory");
+	if (val != NULL) {
+		/* "defaultObjectCategory" has been set by the caller. Do some
+		 * checks for consistency.
+		 * NOTE: The real constraint check (that 'defaultObjectCategory'
+		 * is the DN of the new objectclass or any parent of it) is
+		 * still incomplete.
+		 * For now we say that 'defaultObjectCategory' is valid if it
+		 * exists and it is of objectclass "classSchema". */
+		def_obj_cat_dn = ldb_dn_from_ldb_val(ac, ldb, val);
+		if (def_obj_cat_dn == NULL) {
+			ldb_set_errstring(ldb,
+				"samldb_find_defaultObjectCategory: Invalid DN "
+				"for 'defaultObjectCategory'!");
+			return LDB_ERR_CONSTRAINT_VIOLATION;
 		}
-		return ldb_next_request(ac->module, req);
+	} else {
+		/* "defaultObjectCategory" has not been set by the caller. Use
+		 * the entry DN for it. */
+		def_obj_cat_dn = ac->msg->dn;
 	}
 
-	ret = samldb_next_step(ac);
+	ret = ldb_build_search_req(&req, ldb, ac,
+				   def_obj_cat_dn, LDB_SCOPE_BASE,
+				   "objectClass=classSchema", no_attrs,
+				   NULL,
+				   ac, samldb_find_for_defaultObjectCategory_callback,
+				   ac->req);
 	if (ret != LDB_SUCCESS) {
-		return ldb_module_done(ac->req, NULL, NULL, ret);
+		return ret;
 	}
-	return ret;
 
-}
+	ret = dsdb_request_add_controls(ac->module, req,
+					DSDB_SEARCH_SHOW_DN_IN_STORAGE_FORMAT);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
 
+	return ldb_next_request(ac->module, req);
+}
 
 
 /*
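Review bot: The NULL check after `ldb_dn_from_ldb_val(ac, ldb, val)` may not reject a malformed DN, because ldb DNs are, as far as I know, parsed lazily; a syntactically invalid value would then surface later as whatever error the search returns instead of the constraint violation set here. `if (def_obj_cat_dn == NULL || !ldb_dn_validate(def_obj_cat_dn)) {` makes the check explicit. The block comment is candid that any existing classSchema object is accepted for now; marking it `TODO` would make the incomplete constraint easy to find later. The function's signature is only in the hunk header, so its first line is outside the hunk.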
@@ -1377,7 +1423,7 @@ static int samldb_foreign_notice_sid(struct samldb_ctx *ac)
 	}
 
 
-	filter = talloc_asprintf(ac, 
+	filter = talloc_asprintf(ac,
 				 "(&(objectSid=%s)"
 				 "(|(objectClass=domain)"
 				 "(objectClass=builtinDomain)))",
diff --git a/source4/dsdb/samdb/ldb_modules/schema_load.c b/source4/dsdb/samdb/ldb_modules/schema_load.c
index c7cd76a..c72911f 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_load.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_load.c
@@ -102,7 +102,7 @@ static int dsdb_schema_from_schema_dn(TALLOC_CTX *mem_ctx, struct ldb_module *mo
 				 "(objectClass=classSchema)");
 	if (ret != LDB_SUCCESS) {
 		ldb_asprintf_errstring(ldb, 
-				       "dsdb_schema: failed to search attributeSchema objects: %s",
+				       "dsdb_schema: failed to search classSchema objects: %s",
 				       ldb_errstring(ldb));
 		goto failed;
 	}
diff --git a/source4/lib/ldb/tests/python/ldap_schema.py b/source4/lib/ldb/tests/python/ldap_schema.py
index 0a31db8..9e54732 100755
--- a/source4/lib/ldb/tests/python/ldap_schema.py
+++ b/source4/lib/ldb/tests/python/ldap_schema.py
@@ -132,9 +132,41 @@ systemOnly: FALSE
 """
         self.ldb.add_ldif(ldif)
 
+        # Search for created attribute
+        res = []
+        res = self.ldb.search("cn=%s,%s" % (attr_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
+        self.assertEquals(len(res), 1)
+        self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name)
+        self.assertTrue("schemaIDGUID" in res[0])
+
         class_name = "test-Class" + time.strftime("%s", time.gmtime())
         class_ldap_display_name = class_name.replace("-", "")
 
+        # First try to create a class with a wrong "defaultObjectCategory"
+        ldif = """
+dn: CN=%s,%s""" % (class_name, self.schema_dn) + """
+objectClass: top
+objectClass: classSchema
+defaultObjectCategory: CN=_
+adminDescription: """ + class_name + """
+adminDisplayName: """ + class_name + """
+cn: """ + class_name + """
+governsId: 1.2.840.""" + str(random.randint(1,100000)) + """.1.5.9939
+instanceType: 4
+objectClassCategory: 1
+subClassOf: organizationalPerson
+systemFlags: 16
+rDNAttID: cn
+systemMustContain: cn
+systemMustContain: """ + attr_ldap_display_name + """
+systemOnly: FALSE
+"""
+        try:
+                 self.ldb.add_ldif(ldif)
+                 self.fail()
+        except LdbError, (num, _):
+                 self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
+
         ldif = """
 dn: CN=%s,%s""" % (class_name, self.schema_dn) + """
 objectClass: top
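Review bot: The new negative test only covers a "defaultObjectCategory" DN that does not exist (`CN=_`); there is no case for a DN that exists but is not a classSchema object, and none for the same add sent with the relax control, which are the other two outcomes the samldb change distinguishes. Adding those two cases would pin the server's behaviour for each. The `try:` body is indented 17 spaces while the rest of the method uses 8, and `res = []` before the search is dead because `res` is reassigned on the next line. The test method starts above this hunk.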
@@ -154,6 +186,14 @@ systemOnly: FALSE
 """
         self.ldb.add_ldif(ldif)
 
+        # Search for created objectclass
+        res = []
+        res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
+        self.assertEquals(len(res), 1)
+        self.assertEquals(res[0]["lDAPDisplayName"][0], class_ldap_display_name)
+        self.assertEquals(res[0]["defaultObjectCategory"][0], res[0]["distinguishedName"][0])
+        self.assertTrue("schemaIDGUID" in res[0])
+
         ldif = """
 dn:
 changetype: modify
@@ -179,21 +219,6 @@ name: """ + object_name + """
 """
         self.ldb.add_ldif(ldif)
 
-        # Search for created attribute
-        res = []
-        res = self.ldb.search("cn=%s,%s" % (attr_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
-        self.assertEquals(len(res), 1)
-        self.assertEquals(res[0]["lDAPDisplayName"][0], attr_ldap_display_name)
-        self.assertTrue("schemaIDGUID" in res[0])
-
-        # Search for created objectclass
-        res = []
-        res = self.ldb.search("cn=%s,%s" % (class_name, self.schema_dn), scope=SCOPE_BASE, attrs=["*"])
-        self.assertEquals(len(res), 1)
-        self.assertEquals(res[0]["lDAPDisplayName"][0], class_ldap_display_name)
-        self.assertEquals(res[0]["defaultObjectCategory"][0], res[0]["distinguishedName"][0])
-        self.assertTrue("schemaIDGUID" in res[0])
-
         # Search for created object
         res = []
         res = self.ldb.search("cn=%s,cn=Users,%s" % (object_name, self.base_dn), scope=SCOPE_BASE, attrs=["*"])


-- 
Samba Shared Repository

