[IPA] Attribute dereferencing & storing SID as string

Andrew Bartlett abartlet at samba.org
Wed Oct 21 18:00:41 MDT 2009


On Wed, 2009-10-21 at 19:38 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> Please review the attached patches:
> 
> The first one fixes the attribute dereferencing for FDS because
> it requires different handling than OpenLDAP:
> http://www.freeipa.org/page/Samba_4_Attribute_Dereferencing
> Please let me know if this is the right way to fix it.

I do wish we had a way to make the ldb_map code still handle this
mapping.  But for the small number of attributes here so far, I suppose
this is OK. 

> The second one changes the storage format for SID in FDS from
> binary to string (we've discussed this before):
> http://www.freeipa.org/page/Samba_4_Storing_SID_in_String_Format
> The patch doesn't include changing the schema, do you think it's
> necessary? Currently it works using octet string syntax.

Yes, I think it is necessary - there is an assumption that attributes of
a particular name have a particular Syntax, and while it technically
still matches, it's not what an application developer who happens to
encounter this on a Fedora DS system would expect. 

As such, please use SambaSID (and tell Samba4 not to generate an
objectSID attribute by making it a 'skip' attribute in the syntax map
file). 

> Both of these are prerequisites for utilizing the DNA plugin to
> generate SID (we also have discussed this before):
> http://www.freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
> I don't have the patch for this yet.
> 
> I have run the quicktest using the default backend and FDS backend
> and they completed successfully. The OpenLDAP test failed because
> of the problem we discussed in the other thread.

I'll fix that shortly. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
