[PATCH] Setting nTSecurityDescriptor via LDAP fails

Jelmer Vernooij jelmer at samba.org
Fri Mar 20 15:36:52 GMT 2009


simo wrote:
> On Fri, 2009-03-20 at 16:16 +0100, Jelmer Vernooij wrote:
>>
>> Stefan (metze) Metzmacher wrote:
>>> Jelmer Vernooij wrote:
>>>> Stefan (metze) Metzmacher wrote:
>>>>> Why does PyObject_AsMessageElement() copy the string for one case but
>>>>> not for the multiple value case?
>>>> Good point; since we borrow the reference to the list, we don't need to
>>>> do a dup there at all.
>>>>
>>>>> Also, why doesn't it use a->syntax->ldif_read_fn(), as
>>>>> PyObject_FromLdbValue() also uses a->syntax->ldif_write_fn()?
>>>> PyObject_FromLdbValue() probably shouldn't be using
>>>> a->syntax->ldif_write_fn().
>>>>
>>>>> I wonder why we only handle ldif correctly in samba.Ldb and not in
>>>>> the LDB.Ldb class.
>>>> LDB.Ldb doesn't load any of the Samba-specific code, including nt
>>>> security descriptor handling.
>>>>
>>>> I'll have a look at Zahari's patches and these issues later today.
>>> But I think LDB.Ldb should detect base64 and only accept valid LDIF,
>>> and no hand-made binary strings. Also, a->syntax is a plain ldb feature.
>>> Only the implementations are samba specific.
>> In that case, LDB itself should be doing that.
>>
>> There's no reason for LDB/Python to behave differently here, and suffer
>> a performance hit. Doing automatic conversions leads to all sorts of
>> strange side-effects. What if you're trying to add a string to LDB that
>> also happens to be a valid base64 string?
> 
> Ldif has a clear syntax to indicate that the value is not to be taken as
> is but is a base64 encoded value.
> 
> value:: <base64>
> 
> Note the double colon.
> 
> The attribute type should indicate how we treat that.
> 
> An Ldif file that passes in non-utf8 chars is not well-formed and should
> be rejected.

We're not talking about what happens when parsing LDIF here. We're
talking about what happens if you run the following Python code:

ldb.add({"dn": "dc=foo", "bla": var})

I think if var is a string object in Python (which can contain \0
characters) it should just be converted to an ldb_val struct. If the user
has base64 encoded data they want to store in LDB, they should do the
conversion to binary data by themselves (base64.b64decode). LDIF doesn't
come into play here.

Cheers,

Jelmer
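
The distinction discussed in this thread, as an added example that is not code from the thread, from Samba or from pyldb: raw bytes are stored as given, and base64 appears only in the LDIF text form, marked by the double colon. The function names are hypothetical, the sample values are constructed, and the `attr:< url` form of LDIF is not handled.

```python
import base64
import binascii

def is_safe_string(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING check: may this value follow a single colon?"""
    if any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value):
        return False
    return value[:1] not in (b" ", b":", b"<") and not value.endswith(b" ")

def to_ldif_line(attr: str, value: bytes) -> bytes:
    """Serialise raw bytes; '::' marks base64, the caller never pre-encodes."""
    if is_safe_string(value):
        return attr.encode("ascii") + b": " + value
    return attr.encode("ascii") + b":: " + base64.b64encode(value)

def parse_ldif_line(line: bytes) -> tuple[str, bytes]:
    """Parse one unfolded 'attr: value' or 'attr:: base64' line to raw bytes."""
    attr, sep, rest = line.partition(b":")
    if not sep or not attr:
        raise ValueError("not an attribute line")
    if rest.startswith(b"<"):
        raise ValueError("URL-valued attributes are not handled here")
    if rest.startswith(b":"):
        # Only the double colon triggers decoding; the content is never sniffed.
        try:
            value = base64.b64decode(rest[1:].strip(b" "), validate=True)
        except binascii.Error as exc:
            raise ValueError("invalid base64 after '::'") from exc
    else:
        value = rest.lstrip(b" ")
        try:
            value.decode("utf-8")  # a plain value that is not UTF-8 is rejected
        except UnicodeDecodeError as exc:
            raise ValueError("plain value is not valid UTF-8") from exc
    return attr.decode("ascii"), value

if __name__ == "__main__":
    # Constructed samples: a binary blob with a NUL byte, and a text value
    # that merely looks like base64 and must survive unchanged.
    for raw in (b"\x01\x00\x04\x80", b"dGVzdA=="):
        line = to_ldif_line("bla", raw)
        print(line, parse_ldif_line(line)[1] == raw)
```
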