[IPA] SID allocation using DNA plugin

Endi Sukma Dewata edewata at redhat.com
Mon Oct 26 21:03:28 MDT 2009


Andrew,

I have a question related to this proposal:
http://www.freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin

Please take a look at dsdb/samdb/ldb_modules/password_hash.c. During an add operation
the password_hash module tries to extract the domain SID from the object SID.

static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
{
	/* Take the objectSid of the entry being added and strip its RID to get
	 * the domain SID; this requires the add message to already carry a SID. */
	ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
	/* Build the search that fetches the domain object's password policy. */
	ret = build_domain_data_request(ac);
}

The domain SID will be used to create a search filter to find the domain object in the
following method:

static int build_domain_data_request(struct ph_context *ac)
{
	/* Only the password policy attributes of the domain object are needed. */
	static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
	struct ldb_context *ldb = ldb_module_get_ctx(ac->module);
	char *filter;

	/* The filter matches the domain SID in its NDR-encoded (binary) form. */
	filter = talloc_asprintf(ac,
				 "(objectSid=%s)",
				 ldap_encode_ndr_dom_sid(ac, ac->domain_sid));

	/* Base-scope search rooted at the default base DN, i.e. the domain object itself. */
	return ldb_build_search_req(&ac->dom_req, ldb, ac,
				    ldb_get_default_basedn(ldb),
				    LDB_SCOPE_BASE,
				    filter, attrs,
				    NULL,
				    ac, get_domain_data_callback,
				    ac->req);
}

It seems like the use of a search filter here is redundant, because the base DN and
the scope point to the domain object directly. Is that correct?

If that's the case, can we use a NULL filter in this search, so we don't need the domain
SID, meaning we don't need to check the objectSid in the previous method? This way
the SID can be generated by the backend. Is this correct?

Thanks!

--
Endi S. Dewata
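The question above is really one about LDAP search semantics: under LDB_SCOPE_BASE the candidate set is exactly the base entry, and the filter can only accept or reject that one entry. The following Python toy, added here as an example and not code from Samba or from the message's author, models the two searches (with the objectSid filter and with a NULL filter) over a constructed in-memory directory. The DN "DC=example,DC=com", the domain SID "S-1-5-21-1111-2222-3333", the entries and the string-based SID prefix helper are all assumptions; real Samba compares the NDR-encoded binary SID, and ldb's actual API is not used. It goes one step beyond the message by also trying an add whose objectSid belongs to a different domain.

```python
# Added example (not Samba code): a toy model of the base-scope search that
# build_domain_data_request() issues, used to check whether the objectSid
# filter changes the result. Directory contents, DNs and SIDs are constructed.

DOMAIN_DN = "DC=example,DC=com"          # assumed: what ldb_get_default_basedn() returns
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # assumed domain SID

# Constructed in-memory "directory": DN -> attributes
DIRECTORY = {
    DOMAIN_DN: {
        "objectClass": "domainDNS",
        "objectSid": DOMAIN_SID,
        "pwdProperties": "1",
        "pwdHistoryLength": "24",
    },
    "CN=Users," + DOMAIN_DN: {
        "objectClass": "container",
    },
}


def sid_prefix(sid):
    """Model of samdb_result_sid_prefix(): drop the trailing RID of an S-1-... SID.

    Real Samba works on a binary dom_sid; this string version only checks the
    shape S-<rev>-<auth>-<subauths...> and strips the last sub-authority.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID with at least one sub-authority: %r" % sid)
    return "-".join(parts[:-1])


def search(directory, base_dn, scope, filt=None):
    """Minimal LDAP search: the scope selects candidates, the filter then prunes them.

    scope is "base" or "subtree"; filt is None (NULL filter, i.e. (objectClass=*))
    or an (attribute, value) equality match.
    """
    if scope == "base":
        candidates = [base_dn] if base_dn in directory else []
    elif scope == "subtree":
        candidates = [dn for dn in directory
                      if dn == base_dn or dn.endswith("," + base_dn)]
    else:
        raise ValueError("unknown scope %r" % scope)

    if filt is None:
        return [(dn, directory[dn]) for dn in candidates]
    attr, value = filt
    return [(dn, directory[dn]) for dn in candidates
            if directory[dn].get(attr) == value]


def domain_data_request(add_message, use_sid_filter):
    """Model of password_hash_add() -> build_domain_data_request().

    With use_sid_filter=True the add message must carry objectSid (the path
    shown in the message); with False the search uses a NULL filter, so the
    SID may be absent and left to a backend such as the DNA plugin.
    """
    if use_sid_filter:
        filt = ("objectSid", sid_prefix(add_message["objectSid"]))
    else:
        filt = None
    return search(DIRECTORY, DOMAIN_DN, "base", filt)


def pwd_history_length(results):
    """pwdHistoryLength from the first result, or None if nothing matched."""
    if not results:
        return None
    return int(results[0][1]["pwdHistoryLength"])


if __name__ == "__main__":
    user_in_domain = {"objectSid": DOMAIN_SID + "-1105"}
    foreign = {"objectSid": "S-1-5-21-9999-8888-7777-500"}   # constructed: other domain
    print("filtered, same domain:", pwd_history_length(domain_data_request(user_in_domain, True)))
    print("NULL filter, no SID:  ", pwd_history_length(domain_data_request({}, False)))
    print("filtered, foreign SID:", pwd_history_length(domain_data_request(foreign, True)))
```

In this toy the two searches return the same domain entry whenever the SID in the add message carries the domain's prefix, which is the sense in which the filter is redundant. The third call shows the one case where it is not: with a SID from another domain the filtered base-scope search returns nothing, so the filter is also acting as an implicit check that the object's SID prefix matches the domain object. Whether Samba relies on that side effect is a question for the password_hash code itself, not something this model settles.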

