[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Oct 24 11:08:05 UTC 2019


The branch, master has been updated
       via  d0f566c4ad3 s4:dirsync: fix interaction of dirsync and extended_dn controls
       via  6d43d82b49c s4:tests/dirsync: add tests for dirsync with extended_dn
      from  9471508391f s3: remove now unneeded call to cmdline_messaging_context()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit d0f566c4ad32d69a1cf896e2dde56fc2489bb7fc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Oct 4 14:57:40 2019 +0200

    s4:dirsync: fix interaction of dirsync and extended_dn controls
    
    Azure AD connect reports discovery errors:
      reference-value-not-ldap-conformant
    for attributes member and manager.
    The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
    an ExtendedDNRequestValue blob, which means the flag value should
    be treated as 0 and the HEX string format should be used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153
    RN: Prevent azure ad connect from reporting discovery errors:
    reference-value-not-ldap-conformant
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Oct 24 11:06:58 UTC 2019 on sn-devel-184

commit 6d43d82b49c8cd47da2f1489fe8b52d5a873a19c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Oct 22 12:12:32 2019 +0200

    s4:tests/dirsync: add tests for dirsync with extended_dn
    
    This demonstrates a problem: the extended_dn returned
    by the dirsync module always uses the SDDL format for GUID/SID
    components.
    
    Azure AD connect reports discovery errors:
      reference-value-not-ldap-conformant
    for attributes member and manager.
    The key is that it sends the LDAP_SERVER_EXTENDED_DN_OID without
    an ExtendedDNRequestValue blob, which means the flag value should
    be treated as 0 and the HEX string format should be used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14153
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/dirsync.c | 21 ++++++++++++++++++---
 source4/dsdb/tests/python/dirsync.py     | 31 +++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+), 3 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
index 60e8eae4642..87da4a6a0ec 100644
--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
@@ -51,6 +51,7 @@ struct dirsync_context {
 	uint64_t fromreqUSN;
 	uint32_t cursor_size;
 	bool noextended;
+	int extended_type;
 	bool linkIncrVal;
 	bool localonly;
 	bool partial;
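Review bot: The new `int extended_type;` member of struct dirsync_context is added without a comment, and unlike the surrounding bool flags its name does not say what values it holds. From the later hunk and the commit message it carries the ExtendedDNRequestValue flag, where 0 selects the hex GUID/SID form and 1 the string form the tests expect, so a one-line comment at the declaration would fix that: `int extended_type; /* ExtendedDNRequestValue flag: 0 = hex GUID/SID form, 1 = string form */`. The struct definition begins before this hunk.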
@@ -481,7 +482,8 @@ skip:
 				}
 
 				ldb_dn_extended_filter(dn->dn, myaccept);
-				dn_ln = ldb_dn_get_extended_linearized(dn, dn->dn, 1);
+				dn_ln = dsdb_dn_get_extended_linearized(dn, dn,
+							dsc->extended_type);
 				if (dn_ln == NULL)
 				{
 					talloc_free(dn);
@@ -998,6 +1000,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
 	struct ldb_control *control;
 	struct ldb_result *acl_res;
 	struct ldb_dirsync_control *dirsync_ctl;
+	struct ldb_control *extended = NULL;
 	struct ldb_request *down_req;
 	struct dirsync_context *dsc;
 	struct ldb_context *ldb;
@@ -1014,7 +1017,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
 	}
 
 	/*
-	 * check if there's an extended dn control
+	 * check if there's a dirsync control
 	 */
 	control = ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID);
 	if (control == NULL) {
@@ -1229,7 +1232,19 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
 		dsc->nbDefaultAttrs = 3;
 	}
 
-	if (!ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID)) {
+	/* check if there's an extended dn control */
+	extended = ldb_request_get_control(req, LDB_CONTROL_EXTENDED_DN_OID);
+	if (extended != NULL) {
+		struct ldb_extended_dn_control *extended_ctrl = NULL;
+
+		if (extended->data != NULL) {
+			extended_ctrl = talloc_get_type(extended->data,
+						struct ldb_extended_dn_control);
+		}
+		if (extended_ctrl != NULL) {
+			dsc->extended_type = extended_ctrl->type;
+		}
+	} else {
 		ret = ldb_request_add_control(req, LDB_CONTROL_EXTENDED_DN_OID, false, NULL);
 		if (ret != LDB_SUCCESS) {
 			return ret;
diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
index 8b46357c670..405980455b7 100755
--- a/source4/dsdb/tests/python/dirsync.py
+++ b/source4/dsdb/tests/python/dirsync.py
@@ -655,6 +655,37 @@ class ExtendedDirsyncTests(SimpleDirsyncTests):
         self.assertEqual(res[0].get("member;range=1-1"), None)
         self.assertEqual(len(res[0].get("member;range=0-0")), 2)
 
+    def test_dirsync_extended_dn(self):
+        """Check that dirsync works together with the extended_dn control"""
+        # Let's search for members
+        self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
+        res = self.ldb_simple.search(self.base_dn,
+                                     expression="(name=Administrators)",
+                                     controls=["dirsync:1:1:1"])
+
+        self.assertTrue(len(res[0].get("member")) > 0)
+        size = len(res[0].get("member"))
+
+        resEX1 = self.ldb_simple.search(self.base_dn,
+                                        expression="(name=Administrators)",
+                                        controls=["dirsync:1:1:1","extended_dn:1:1"])
+        self.assertTrue(len(resEX1[0].get("member")) > 0)
+        sizeEX1 = len(resEX1[0].get("member"))
+        self.assertEqual(sizeEX1, size)
+        self.assertIn(res[0]["member"][0], resEX1[0]["member"][0])
+        self.assertIn(b"<GUID=", resEX1[0]["member"][0])
+        self.assertIn(b">;<SID=S-1-5-21-", resEX1[0]["member"][0])
+
+        resEX0 = self.ldb_simple.search(self.base_dn,
+                                        expression="(name=Administrators)",
+                                        controls=["dirsync:1:1:1","extended_dn:1:0"])
+        self.assertTrue(len(resEX0[0].get("member")) > 0)
+        sizeEX0 = len(resEX0[0].get("member"))
+        self.assertEqual(sizeEX0, size)
+        self.assertIn(res[0]["member"][0], resEX0[0]["member"][0])
+        self.assertIn(b"<GUID=", resEX0[0]["member"][0])
+        self.assertIn(b">;<SID=010500000000000515", resEX0[0]["member"][0])
+
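Review bot: The three `self.assertTrue(len(...) > 0)` checks in test_dirsync_extended_dn discard the actual length on failure; `self.assertGreater(len(res[0].get("member")), 0)` (and likewise for resEX1 and resEX0) reports it in the assertion message. The control lists `["dirsync:1:1:1","extended_dn:1:1"]` and `["dirsync:1:1:1","extended_dn:1:0"]` also lack the space after the comma that PEP 8 expects. The enclosing class ExtendedDirsyncTests starts before this hunk.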
     def test_dirsync_deleted_items(self):
         """Check that dirsync returnd deleted objects too"""
         # Let's create an OU

