LDAP: profilePath and smbHome macro expansion

Andrew Bartlett abartlet at pcug.org.au
Mon Oct 29 04:22:02 GMT 2001


Ignacio Coupeau wrote:
> 
> Code CVS (SAMBA_2_2 20011027 12:47 GMT+2)
> 
> I think that in the
>         passdb/pdb_ldap.c
>                 |
>                 pdb_getsampw*()
>                    |
>                    init_sam_from_ldap()
> 
> a call to the
>         lib/substitute.c
>                 |
>                 standard_sub_basic()
> 
> should be necessary for "%N" or "%L" macro expansion as in the
> passdb/pdb_tdb.c or in the passdb/pdb_smbpasswd.c.
> 
> I think after ldap get_single_attribute no macro expansion is performed:
> 
>   get_single_attribute(ldap_struct, entry, "profilePath",profile_path);
>   DEBUG(5,("profilePath is set to %s\n",profile_path));
>         if (!*profile_path) {
>                 pstrcpy(profile_path, lp_logon_path());
>                 DEBUG(5,("profilePath fell back to %s\n",profile_path));
>         }
> + standard_sub_basic(profile_path);
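
Review bot: the added standard_sub_basic(profile_path) call sits after the if (!*profile_path) block, so it expands the value read from the profilePath attribute as well as the lp_logon_path() fallback. If only the configured default is meant to carry macros, move the call inside the fallback branch. As placed, both DEBUG(5) lines also log the string before expansion, so the log will not match the path actually used.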

I've just been looking at the code in HEAD, and have committed the
opposite fix.

It just does not make any sense to do macro expansions on passdb
results.

While very neat, there are certain consequences, depending on how the
system is implemented.

Currently, we read an entire record, use it, modify it (for a change of
password or the like) and write back the entire record (at least in TDB,
I haven't looked at LDAP that closely).  

The problem occurs here: We have the string, now macro expanded ready
for use.  Then we store the changes to that object - the macro is still
expanded, and there is no way to tell that there ever was a macro there
in the first place.

This is double trouble if you consider PDC->BDC replication over NT
protocols, as these values *must* be in fully expanded form - what the
heck will NT do with the macros?

As such I have just removed the references to macro expansion in the
other passdb modules - it simply cannot be done properly in the
current code.

The 'macro expansion' in pdb_smbpasswd is a little different - it is
never stored, as the values all come from lp_ functions.

As far as I can see the best that can be done is to use the 'default if
not present' feature (as this can get a macro-containing value, and
can't be written back into the database) and to expand the macros at
storage time.  My recent changes make smbpasswd -a store correctly
expanded macros for new records.

Just my two cents worth,  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
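
The read/expand/write-back cycle described in the reply above, as an added example that is not part of the original message and is not Samba code. The one-record store, `expand_L()`, `seed()` and `change_password()` are hypothetical names, and the path and server name are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 128

/* One-record toy account database (constructed for this example). */
struct sam_record { char profile_path[FIELD_LEN]; char password[32]; };
static struct sam_record db;

/* Hypothetical %L expander; a stand-in, not Samba's standard_sub_basic(). */
static void expand_L(char *s, size_t size, const char *server)
{
    char out[FIELD_LEN];
    size_t o = 0;
    for (size_t i = 0; s[i] != '\0' && o + 1 < sizeof(out); i++) {
        if (s[i] == '%' && s[i + 1] == 'L') {
            size_t n = strlen(server);
            if (n > sizeof(out) - 1 - o) n = sizeof(out) - 1 - o;
            memcpy(out + o, server, n);
            o += n;
            i++;                       /* skip the 'L' */
        } else {
            out[o++] = s[i];
        }
    }
    out[o] = '\0';
    snprintf(s, size, "%s", out);
}

static void seed(const char *path)
{
    memset(&db, 0, sizeof(db));
    snprintf(db.profile_path, sizeof(db.profile_path), "%s", path);
}

/* Read the whole record, optionally expand, change one field, write it all back.
 * Returns 1 if the stored profile path still contains a macro afterwards. */
static int change_password(int expand_on_read, const char *server, const char *pw)
{
    struct sam_record rec = db;                       /* read entire record  */
    if (expand_on_read)
        expand_L(rec.profile_path, sizeof(rec.profile_path), server);
    snprintf(rec.password, sizeof(rec.password), "%s", pw);
    db = rec;                                         /* write entire record */
    return strchr(db.profile_path, '%') != NULL;
}

int main(void)
{
    seed("\\\\%L\\profiles\\alice");
    int kept = change_password(1, "PDC1", "constructed-pw");
    printf("macro kept: %d, stored: %s\n", kept, db.profile_path);
    return 0;
}
```

With expansion on read, a password change alone is enough to replace the stored `%L` template with the literal server name.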



