[IPA] Attribute dereferencing & storing SID as string

Andrew Bartlett abartlet at samba.org
Thu Oct 22 20:32:37 MDT 2009


On Thu, 2009-10-22 at 20:47 -0400, Endi Sukma Dewata wrote:
> Andrew,
> 
> ----- "Andrew Bartlett" <abartlet at samba.org> wrote:
> 
> > I do wish we had a way to make the ldb_map code still handle this
> > mapping.  But for the small number of attributes here so far, I
> > suppose this is OK. 
> 
> > Yes, I think it is necessary - there is an assumption that attributes of
> > a particular name have a particular Syntax, and while it technically
> > still matches, it's not what an application developer who happens to
> > encounter this on a Fedora DS system would expect. 
> > 
> > As such, please use SambaSID (and tell Samba4 not to generate an
> > objectSID attribute by making it a 'skip' attribute in the syntax map
> > file).
> 
> The problem with skipping objectSID is that there are some object classes
> that are using it. We need to replace the objectSID in those object
> classes to sambaSID.
> 
> Renaming objectSID to sambaSID works, it will replace the objectSID in
> the object classes as well, but then it will generate a sambaSID attribute
> that conflicts with Samba 3's schema.
> 
> I think what we need is the ability to rename an attribute but not generate
> the schema. Should we add another parameter in the mapping configuration?
> For example:
> 
> objectSid:sambaSID:skip

Frankly, that file needs to be rewritten to have a real config format
and grammar. 

That said, can't you do:

objectSid
objectSid:sambaSID?

I think that will do what we want (before someone reworks this mess).

> Also, renaming objectSID to sambaSID will affect the dereferencing module
> too since now it should look for sambaSID instead of objectSID.

This is the least of my worries.  If we want to make it configurable,
then we should somehow have the ldb_map module know how to handle the
dereference control.  We already have to rename for entryUUID anyway. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
