[PATCH] Setting nTSecurityDescriptor via LDAP fails
simo
idra at samba.org
Fri Mar 20 15:31:13 GMT 2009
On Fri, 2009-03-20 at 16:16 +0100, Jelmer Vernooij wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Stefan (metze) Metzmacher wrote:
> > Jelmer Vernooij schrieb:
> >> Stefan (metze) Metzmacher wrote:
> >>> why does PyObject_AsMessageElement() copy the string for one case but
> >>> not for the multiple value case.
> >> Good point; since we borrow the reference to the list, we don't need to
> >> do a dup there at all.
> >>
> >>> Also why doesn't it use a->syntax->ldif_read_fn() as
> >>> PyObject_FromLdbValue() also uses a->syntax->ldif_write_fn().
> >> PyObject_FromLdbValue() probably shouldn't be using
> >> a->syntax->ldif_write_fn().
> >>
> >>> I wonder why we only handle ldif correctly in samba.Ldb and not in
> >>> the LDB.Ldb class.
> >> LDB.Ldb doesn't load any of the Samba-specific code, including nt
> >> security descriptor handling.
> >>
> >> I'll have a look at Zahari's patches and these issues later today.
> >
> > But I think LDB.Ldb should detect base64 and only accept valid LDIF.
> > And no hand made binary strings. Also a->syntax is a plain ldb feature.
> > only the implementations are samba specific.
> In that case, LDB itself should be doing that.
>
> There's no reason for LDB/Python to behave differently here, and suffer
> a performance hit. Doing automatic conversions leads to all sorts of
> strange side-effects. What if you're trying to add a string to LDB that
> also happens to be valid base64 string?

Ldif has a clear syntax to indicate that the value is not to be taken as
is but it is a base64 encoded value.

value:: <base64>

note the double colon.

The attribute type should indicate how we treat that.

An Ldif file that passes in non-utf8 chars is not well-formed and should
be rejected.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
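
The distinction drawn in the reply above, as an added example that is not part of the original message and is not Samba's LDB code: a value is base64-decoded only when the line uses the double colon, and a single-colon value containing non-UTF-8 bytes is rejected instead of being guessed at. The function name, error class and sample lines are assumptions made for illustration; line folding and the `:<` URL form are left out.

```python
import base64
import binascii


class LdifError(ValueError):
    """An attribute line that is not well-formed and must be rejected."""


def parse_attr_line(line: bytes):
    """Parse one unfolded line into (attribute, value bytes, was_base64)."""
    name, sep, rest = line.partition(b":")
    if not sep or not name:
        raise LdifError("missing attribute name or ':' separator")
    try:
        attr = name.decode("ascii")
    except UnicodeDecodeError:
        raise LdifError("attribute name is not ASCII") from None
    if rest.startswith(b":"):
        # Double colon: the writer declared the value to be base64.
        try:
            return attr, base64.b64decode(rest[1:].strip(b" "), validate=True), True
        except binascii.Error:
            raise LdifError(f"{attr}: invalid base64 after '::'") from None
    # Single colon: the value is taken as is, with no guessing at encodings.
    value = rest.lstrip(b" ")
    try:
        value.decode("utf-8")
    except UnicodeDecodeError:
        raise LdifError(f"{attr}: non-UTF-8 bytes must be sent as '::'") from None
    return attr, value, False


# Constructed sample lines (not taken from the thread).
SAMPLES = [
    b"description: QWRtaW4=",                   # looks like base64, stays a string
    b"description:: QWRtaW4=",                  # declared base64, decodes to b"Admin"
    b"nTSecurityDescriptor:: AQAEgA==",         # binary value, correctly marked
    b"nTSecurityDescriptor: \x01\x00\x04\x80",  # hand-made binary string, rejected
]

if __name__ == "__main__":
    for raw in SAMPLES:
        try:
            print(parse_attr_line(raw))
        except LdifError as err:
            print("rejected:", err)
```
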