linked attributes, DRS and abusing the ldb modules API

Andrew Bartlett abartlet at samba.org
Wed Aug 26 02:56:14 MDT 2009


On Wed, 2009-08-26 at 17:52 +1000, tridge at samba.org wrote:
> Hi Metze,
> 
> I've been looking at supporting linked attributes in the
> repl_meta_data module. The test I've been using is to add/remove a
> couple of users from a global group on a W2K3 system, with DRS pull
> replication happening to a S4 DC.
> 
> As it stands in the tree now, the DRS pull does pull across the modify
> request for the 'member' attribute of the group, and this gets applied
> correctly, but the memberOf linked attributes don't get updated. The
> reason they don't get updated is that the linked_attributes module
> comes before the repl_meta_data module in the module list (as the
> repl_meta_data module gets pulled in as part of the partition module).
> 
> So to make this work, we have a few choices:
> 
>  1) we could reproduce the linked_attributes logic in the
>     repl_meta_data module. I'm guessing that is what your 'todo' in
>     dsdb_extended_replicated_objects_commit() implied?
> 
>  2) we could call into the linked_attributes module from the
>     repl_meta_data module, letting the linked_attributes module do its
>     work as usual when it gets a modify request on an attribute that
>     is linked

The problem with this is that it fails across module boundaries.  The
repl_meta_data module operates after the partitions module, so I'm
worried what happens to a link that crosses the partitions.

>  3) we could change the module ordering
> 
> I've written a quick patch that implements (2). What do you think
> about this approach? The patch is below.
> 
> Note in particular the line:
> 
> 		if (ldb_load_modules_list(ldb, module_list, module->next, &ac->module->next) != LDB_SUCCESS) {
> 
> which is an approach I don't think we've used before, but does offer a
> way to re-use modules in a fairly clean fashion. For now it assumes
> the modules don't need initialisation, but that could be fixed.
> 
> The patch works in the sense that the member/memberOf attributes get
> correctly updated by a DRS pull, although we do generate a warning as
> we get some spurious updates to the memberOf linked attribute target,
> which are then discarded (which turns out to do the right thing).

It's an interesting hack.  We also have to get in some of the other
modules, like the extended DN storage stuff.   

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.