[SAMBA4] Schema objectGUID causing a problem with OpenLDAP backend

Andrew Bartlett abartlet at samba.org
Wed Nov 18 01:32:46 MST 2009


On Wed, 2009-11-18 at 02:51 -0500, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > > I think the reason was that the relax control was intended for the LDB
> > > modules, not for the LDAP backend. Should we now create a distinction
> > > between relax controls intended for LDB vs. backend? Or should we always
> > > send it to the backend?
> > 
> > If that's what it does, it's not the intention.  I had intended to send
> > it with no data.
> > 
> > Perhaps we have the OID wrong. 
> 
> The OID in both Samba and OpenLDAP is defined as 1.3.6.1.4.1.4203.666.5.12:
> 
> http://gitweb.samba.org/?p=samba.git;a=blob;f=source4/lib/ldb/include/ldb.h;h=2d42596ec6c115de2a89d38e74ef29bd66e8b0ec;hb=HEAD
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/include/ldap.h?rev=1.312.2.23&hideattic=1&sortbydate=0
> 
> In ldap_encode_control() the code checks whether an encoding function is
> defined; if it is not, it does not encode the control, so the control is not
> sent to the backend at all.

Ahh.  That's a bug. 

> for (i = 0; handlers[i].oid != NULL; i++) {
>     if (strcmp(handlers[i].oid, ctrl->oid) == 0) {
>         if (!handlers[i].encode) {
>             if (ctrl->critical) {
>                 return false;
>             } else {
>                 /* not encoding this control */
>                 return true;
>             }
>         }
>         if (!handlers[i].encode(mem_ctx, ctrl->data, &value)) {
>             return false;
>         }
>         break;
>     }
> }
> 
> According to the draft (http://tools.ietf.org/html/draft-zeilenga-ldap-relax-03)
> the controlValue should actually be empty.
> 
> I think the question is whether we need to distinguish the relax control intended
> for LDB vs. the backend. Maybe we could use the controlValue to distinguish them,
> if it contains any data then it's for LDB, otherwise it's for the backend. If it's
> for LDB we skip it, otherwise we encode it. Another way is to use a different OID.
> 
> What do you think?

I see no reason to distinguish between the two; we should just send it,
with no data (as required by the RFC), to both.  It's not marked as
critical, so the tdb backend will ignore it (the repl_meta_data module
does honour it, however).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
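A small model of the encoding path discussed in this thread, added here as an illustration and not code from Samba or from either poster: the `struct control`, `struct handler`, `ber_control` and `encode_control` names are hypothetical, and the BER layout follows the Control SEQUENCE of RFC 4511. It contrasts the quoted loop's behaviour (a handler with no encoder drops the control) with the intended behaviour (the relax control is sent with its controlValue absent).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model of an LDAP control and of a per-OID handler table; the names
 * here are hypothetical and are not Samba's own structures. */
struct control { const char *oid; bool critical; const void *data; };
typedef bool (*encode_fn)(const void *data, uint8_t *out, size_t *out_len);
struct handler { const char *oid; encode_fn encode; /* NULL: control carries no value */ };

#define RELAX_OID "1.3.6.1.4.1.4203.666.5.12"
static const struct handler handlers[] = { { RELAX_OID, NULL }, { NULL, NULL } };

/* BER-encode one Control SEQUENCE (RFC 4511 4.1.11): controlType OCTET STRING,
 * criticality BOOLEAN only when TRUE, controlValue OCTET STRING only when present.
 * Short-form lengths only. Returns bytes written, or -1 if it does not fit. */
static long ber_control(const struct control *c, const uint8_t *val, size_t val_len,
                        uint8_t *out, size_t cap)
{
    size_t oid_len = strlen(c->oid), n = 0;
    size_t inner = 2 + oid_len + (c->critical ? 3 : 0) + (val ? 2 + val_len : 0);
    if (oid_len > 127 || val_len > 127 || inner > 127 || cap < inner + 2) return -1;
    out[n++] = 0x30; out[n++] = (uint8_t)inner;           /* SEQUENCE */
    out[n++] = 0x04; out[n++] = (uint8_t)oid_len;         /* controlType */
    memcpy(out + n, c->oid, oid_len); n += oid_len;
    if (c->critical) { out[n++] = 0x01; out[n++] = 0x01; out[n++] = 0xFF; }
    if (val) { out[n++] = 0x04; out[n++] = (uint8_t)val_len; memcpy(out + n, val, val_len); n += val_len; }
    return (long)n;
}

/* Returns bytes written to out, 0 if the control was silently dropped, -1 on error.
 * fixed == false reproduces the quoted loop; fixed == true sends a control whose
 * handler has no encoder with the controlValue absent, as the relax draft requires. */
static long encode_control(const struct control *c, bool fixed, uint8_t *out, size_t cap)
{
    uint8_t vbuf[128];
    size_t vlen = 0;
    for (size_t i = 0; handlers[i].oid != NULL; i++) {
        if (strcmp(handlers[i].oid, c->oid) != 0) continue;
        if (handlers[i].encode == NULL) {
            if (!fixed) return c->critical ? -1 : 0;   /* bug: nothing reaches the backend */
            return ber_control(c, NULL, 0, out, cap);  /* fix: OID only, no controlValue */
        }
        if (!handlers[i].encode(c->data, vbuf, &vlen)) return -1;
        return ber_control(c, vbuf, vlen, out, cap);
    }
    return -1;  /* unknown OID: a model choice, the quoted snippet does not show this case */
}
```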
