[IPA] Samba storing extended DN in Fedora DS

Endi Sukma Dewata edewata at redhat.com
Fri Oct 2 13:50:54 MDT 2009


Hi Andrew,

I'm trying to get Samba working with the soon-to-be-released DS 1.2.3.
The new DS imposes a stricter schema checking which causes a problem
during provisioning:

Failed to apply linked attribute change 'LDAP error 21
LDAP_INVALID_ATTRIBUTE_SYNTAX -  <memberOf: value #0 invalid per syntax
> <>' dn: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com
changetype: modify
add: memberOf
memberOf: <GUID=cf7c7df9-aed5-11de-b258-ad016abdf0a2>;<SID=S-1-5-21-2567418026
 -1981856597-2036233384-519>;CN=Enterprise Admins,CN=Users,DC=samba,DC=example
 ,DC=com
-

It appears that the linked_attributes LDB module in sam.ldb is trying to create
a backlink by storing an extended DN in a memberOf attribute which uses a DN
syntax (1.3.6.1.4.1.1466.115.121.1.12). In the older DS version this still
works, but the new DS version no longer accepts it.

See source4/dsdb/samdb/ldb_modules/linked_attributes.c line 1119 and 1121:

/* backlink value written as an extended DN: <GUID=...>;<SID=...>;CN=... */
ret_el->values[0] = data_blob_string_const(
    ldb_dn_get_extended_linearized(new_msg, ac->add_dn, 1));

If I change it to use the regular DN at least the provisioning would complete:

/* backlink value written as the plain DN only: CN=...,DC=... */
ret_el->values[0] = data_blob_string_const(
    ldb_dn_get_linearized(ac->add_dn));

The problem doesn't happen with the default TDB backend. The problem also
doesn't happen with OpenLDAP backend because OpenLDAP doesn't use this module.

What should be the right behavior? Can a backlink work with just a regular DN?
Should the linked_attributes be modified to use a regular DN? Or should the
syntax be changed to something else? Thanks!

--
Endi S. Dewata
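An added check for the situation described in the mail, written here for illustration and not part of Samba or Fedora DS: it unfolds an LDIF change and separates the extended DN prefix (which a strictly checked DN-syntax attribute rejects) from the plain DN it would accept. The sample LDIF reuses the GUID and SID from the error message above; the attribute list is an assumption.

```python
import re

# Added example (not Samba's code): spot extended DN values, the form written by
# ldb_dn_get_extended_linearized() (<GUID=...>;<SID=...>;CN=...), in an LDIF
# change; a strict DN-syntax attribute only accepts the trailing plain DN.
EXT_COMPONENT = re.compile(r'^<([A-Za-z0-9]+)=([^>]*)>;')

def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) into 'attr: value' lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def split_extended_dn(value):
    """Split an extended DN into ({'GUID': ..., 'SID': ...}, plain_dn)."""
    components = {}
    rest = value
    while True:
        m = EXT_COMPONENT.match(rest)
        if m is None:
            break
        components[m.group(1).upper()] = m.group(2)
        rest = rest[m.end():]
    return components, rest

def find_extended_dn_values(ldif_text, dn_attrs=('memberof', 'member')):
    """Return [(attr, components, plain_dn)] for DN-syntax attribute values
    that carry extended DN components and would fail strict syntax checking."""
    hits = []
    for line in unfold_ldif(ldif_text):
        attr, sep, value = line.partition(':')
        if not sep or attr.lower() not in dn_attrs:
            continue
        components, plain = split_extended_dn(value.strip())
        if components:
            hits.append((attr, components, plain))
    return hits

# Constructed LDIF reproducing the memberOf change quoted in the error above.
SAMPLE_LDIF = """dn: CN=Administrator,CN=Users,DC=samba,DC=example,DC=com
changetype: modify
add: memberOf
memberOf: <GUID=cf7c7df9-aed5-11de-b258-ad016abdf0a2>;<SID=S-1-5-21-2567418026
 -1981856597-2036233384-519>;CN=Enterprise Admins,CN=Users,DC=samba,DC=example
 ,DC=com
"""
```

Running `find_extended_dn_values(SAMPLE_LDIF)` returns the one memberOf value split into its GUID/SID components and the plain DN that `ldb_dn_get_linearized()` would have produced.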
