[IPA] Attribute Linking and Indexing

Andrew Bartlett abartlet at samba.org
Mon Oct 19 20:38:53 MDT 2009


On Mon, 2009-10-19 at 15:01 -0400, Endi Sukma Dewata wrote:
> Andrew and Matthias,
> 
> Thanks for applying the patches. I've run quicktest with the latest revision.
> With the default backend & FDS backend, the test completed with 6 failures.
> However, there is an OpenLDAP-specific issue.
> 
> With OpenLDAP backend the provisioning failed because of invalid DN format
> on wellKnownObjects and msDS-HasInstantiatedNCs attributes. If I comment out
> those attributes the provisioning will complete but the test will produce a
> lot of errors. I checked the OpenLDAP schema generated by the provisioning
> tool, these attributes are using octet string syntax. Anybody familiar with
> OpenLDAP? Thanks!
> 
> These are the offending entries:
> 
> dn: DC=SAMBA,DC=EXAMPLE,DC=COM
> replace: wellKnownObjects
> wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS Quotas,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:f4be92a4c777485e878e9421d53087db:CN=Microsoft,CN=Program Data,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:09460c08ae1e4a4ea0f64aee7daa1e5a:CN=Program Data,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:22b70c67d56e4efb91e9300fca3dc1aa:CN=ForeignSecurityPrincipals,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted Objects,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:2fbac1870ade11d297c400c04fd8d5cd:CN=Infrastructure,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFound,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:ab1d30f3768811d1aded00c04fd8d5cd:CN=System,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:a361b2ffffd211d1aa4b00c04fd7d83a:OU=Domain Controllers,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:aa312825768811d1aded00c04fd8d5cd:CN=Computers,DC=SAMBA,DC=EXAMPLE,DC=COM
> wellKnownObjects: B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,DC=SAMBA,DC=EXAMPLE,DC=COM

Yeah, the problem here is due to the mapping of attribute types.  These
are attributes of DN+Binary syntax, and that creates challenges.  If one
of these were ever to be renamed, then we should update the DN component
of these values.  They should also in other ways be treated like a DN. 

But telling FDS and OpenLDAP that these are a DN triggers the
(legitimate) input validation.  So we must either define a new type in
both backends, or punt it back to a directory string...

(BTW, Samba4 on ldb doesn't even handle the update of these links after
rename, but it should)

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
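
The DN+Binary string form discussed in this thread, as an added example (not code from Samba or from either poster): Python that parses `B:<count>:<hex>:<DN>` values, rejects malformed ones, and rewrites the DN part after a rename. The function names, the new container name `CN=AppData` and the simplified case-insensitive DN comparison are assumptions.

```python
import re
from typing import NamedTuple

# String form seen in the quoted LDIF: B:<number of hex chars>:<hex>:<DN>
_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]*):(.+)$")

class DNBinary(NamedTuple):
    binary: bytes
    dn: str

    def __str__(self) -> str:
        hexpart = self.binary.hex()
        return f"B:{len(hexpart)}:{hexpart}:{self.dn}"

def parse_dn_binary(value: str) -> DNBinary:
    """Split a DN+Binary value; reject anything that is not B:<n>:<hex>:<DN>."""
    m = _DN_BINARY.match(value)
    if m is None:
        raise ValueError(f"not a DN+Binary value: {value!r}")
    count, hexpart, dn = int(m.group(1)), m.group(2), m.group(3)
    if count != len(hexpart) or count % 2:
        raise ValueError(f"hex length {len(hexpart)} does not match count {count}")
    return DNBinary(bytes.fromhex(hexpart), dn)

def rename_links(values, old_dn, new_dn):
    """Rewrite the DN part of each value that names old_dn or an entry below it.

    Assumption: DNs are compared as case-insensitive strings, which is enough
    for the sample data but is not full DN normalisation.
    """
    out = []
    n = len(old_dn)
    for raw in values:
        v = parse_dn_binary(raw)
        is_same_or_child = v.dn[-n:].lower() == old_dn.lower() and (
            len(v.dn) == n or v.dn[-n - 1] == ","
        )
        if is_same_or_child:
            v = v._replace(dn=v.dn[:-n] + new_dn)
        out.append(str(v))
    return out

# Three values from the quoted LDIF; the new name CN=AppData is constructed.
BASE = "DC=SAMBA,DC=EXAMPLE,DC=COM"
SAMPLE = [
    f"B:32:a9d1ca15768811d1aded00c04fd8d5cd:CN=Users,{BASE}",
    f"B:32:09460c08ae1e4a4ea0f64aee7daa1e5a:CN=Program Data,{BASE}",
    f"B:32:f4be92a4c777485e878e9421d53087db:CN=Microsoft,CN=Program Data,{BASE}",
]
RENAMED = rename_links(SAMPLE, f"CN=Program Data,{BASE}", f"CN=AppData,{BASE}")
```

A backend that stores these values as plain directory strings or octet strings keeps the old DN text after the rename, which is why the rewrite has to happen above the backend.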