[SAMBA4] Schema objectGUID causing a problem with OpenLDAP backend

Endi Sukma Dewata edewata at redhat.com
Wed Nov 18 00:51:40 MST 2009


----- "Andrew Bartlett" <abartlet at samba.org> wrote:

> > I think the reason was that the relax control was intended for the LDB
> > modules, not for the LDAP backend. Should we now create a distinction
> > between relax controls intended for LDB vs. backend? Or should we always
> > send it to the backend?
> If that's what it does, it's not the intention.  I had intended to send
> it with no data.
> Perhaps we have the OID wrong. 

The OID in both Samba and OpenLDAP is defined as


In ldap_encode_control(), the code checks whether the encoding function is
defined. If it is not, it does not encode the control, so it does not send the
control to the backend at all.

for (i = 0; handlers[i].oid != NULL; i++) {
    if (strcmp(handlers[i].oid, ctrl->oid) == 0) {
        /* handler registered for this OID, but no encode function */
        if (!handlers[i].encode) {
            if (ctrl->critical) {
                return false;
            } else {
                /* not encoding this control */
                return true;
            }
        }
        if (!handlers[i].encode(mem_ctx, ctrl->data, &value)) {
            return false;
        }
    }
}

According to the draft (http://tools.ietf.org/html/draft-zeilenga-ldap-relax-03)
the controlValue should actually be empty.

I think the question is whether we need to distinguish the relax control intended
for LDB vs. the backend. Maybe we could use the controlValue to distinguish them:
if it contains any data then it's for LDB, otherwise it's for the backend. If it's
for LDB we skip it, otherwise we encode it. Another way is to use a different OID.

What do you think?

Endi S. Dewata
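
Added example, not part of the original message and not Samba's code: a stand-alone C model of the dispatch discussed above, comparing the behaviour of the quoted loop with the controlValue-based rule suggested in the message. The OID strings are placeholders, and the types, function names and the refusal of unknown OIDs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define RELAX_OID "RELAX-OID-PLACEHOLDER" /* placeholder; the real OID is not on the page */
#define OTHER_OID "OTHER-OID-PLACEHOLDER" /* hypothetical control that has an encoder */

enum outcome { REJECTED, SKIPPED, SENT_EMPTY, SENT_VALUE };

struct control { const char *oid; bool critical; const void *data; };
struct handler { const char *oid; bool (*encode)(const void *data); };

/* Hypothetical encoder: succeeds whenever there is data to encode. */
static bool encode_any(const void *data) { return data != NULL; }

static const struct handler handlers[] = {
    { OTHER_OID, encode_any },
    { RELAX_OID, NULL },      /* registered, but no encode function */
    { NULL, NULL }
};

static const struct handler *find_handler(const char *oid)
{
    for (size_t i = 0; handlers[i].oid != NULL; i++)
        if (strcmp(handlers[i].oid, oid) == 0)
            return &handlers[i];
    return NULL;
}

/* Quoted behaviour: no encoder means fail if critical, otherwise drop silently. */
enum outcome encode_current(const struct control *c)
{
    const struct handler *h = find_handler(c->oid);
    if (h == NULL) return REJECTED;  /* assumption: unknown OIDs are refused */
    if (h->encode == NULL) return c->critical ? REJECTED : SKIPPED;
    return h->encode(c->data) ? SENT_VALUE : REJECTED;
}

/* Suggested rule: data present means LDB-only (skip); no data means the
 * control goes to the backend with an empty controlValue. */
enum outcome encode_proposed(const struct control *c)
{
    const struct handler *h = find_handler(c->oid);
    if (h == NULL) return REJECTED;  /* assumption: unknown OIDs are refused */
    if (h->encode == NULL) return c->data != NULL ? SKIPPED : SENT_EMPTY;
    return h->encode(c->data) ? SENT_VALUE : REJECTED;
}
```

With the current logic a non-critical relax control never reaches the backend and the caller gets no error, so a backend write that depends on relaxed checks fails for a reason that is not visible at this layer.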
