replaced and deprecated attribute in schema

Matthieu Patou mat+Informatique.Samba at matws.net
Mon Sep 14 14:22:18 MDT 2009


On 09/14/2009 09:47 PM, Andrew Bartlett wrote:
> On Mon, 2009-09-14 at 19:27 +0400, Matthieu Patou wrote:
>    
>> On 09/14/2009 05:12 PM, Andrew Bartlett wrote:
>>      
>>> On Sun, 2009-09-13 at 14:08 +0400, Matthieu Patou wrote:
>>>
>>>        
>>>> Hi Andrew,
>>>>
>>>> While doing stuff on the upgradeprovision script I found some attributes
>>>> that disappear or that are changed:
>>>>
>>>> prefixMap
>>>>
>>>>          
>> For this it's quite difficult to say as the content is in binary format
>>      
> Binary formats need be no barrier any more.  Use the --show-binary
> option to ldbsearch!
>    
old value:
prefixMap: 
0:2.5.4;1:2.5.6;2:1.2.840.113556.1.2;3:1.2.840.113556.1.3;4:2.16.84
  0.1.101.2.2.1;5:2.16.840.1.101.2.2.3;6:2.16.840.1.101.2.1.5;7:2.16.840.1.101.
  2.1.4;8:2.5.5;9:1.2.840.113556.1.4;10:1.2.840.113556.1.5;19:0.9.2342.19200300
  .100;20:2.16.840.1.113730.3;21:0.9.2342.19200300.100.1;22:2.16.840.1.113730.3
  .1;23:1.2.840.113556.1.5.7000;24:2.5.21;25:2.5.18;26:2.5.20;11:1.2.840.113556
  .1.4.260;12:1.2.840.113556.1.5.56;13:1.2.840.113556.1.4.262;14:1.2.840.113556
  .1.5.57;15:1.2.840.113556.1.4.263;16:1.2.840.113556.1.5.58;17:1.2.840.113556.
  1.5.73;18:1.2.840.113556.1.4.305;27:1.3.6.1.4.1.1466.101.119;28:2.16.840.1.11
  3730.3.2;29:1.3.6.1.4.1.250.1;30:1.2.840.113549.1.9;31:0.9.2342.19200300.100.
  4;32:1.3.6.1.4.1.7165.4.1;33:1.3.6.1.4.1.7165.4.2
new value:
prefixMap: 
0:2.5.4;1:2.5.6;2:1.2.840.113556.1.2;3:1.2.840.113556.1.3;4:2.16.84
  0.1.101.2.2.1;5:2.16.840.1.101.2.2.3;6:2.16.840.1.101.2.1.5;7:2.16.840.1.101.
  2.1.4;8:2.5.5;9:1.2.840.113556.1.4;10:1.2.840.113556.1.5;19:0.9.2342.19200300
  .100;20:2.16.840.1.113730.3;21:0.9.2342.19200300.100.1;22:2.16.840.1.113730.3
  .1;23:1.2.840.113556.1.5.7000;24:2.5.21;25:2.5.18;26:2.5.20;11:1.2.840.113556
  .1.4.260;12:1.2.840.113556.1.5.56;13:1.2.840.113556.1.4.262;14:1.2.840.113556
  .1.5.57;15:1.2.840.113556.1.4.263;16:1.2.840.113556.1.5.58;17:1.2.840.113556.
  1.5.73;18:1.2.840.113556.1.4.305;27:1.3.6.1.4.1.1466.101.119;28:2.16.840.1.11
  3730.3.2;29:1.3.6.1.4.1.250.1;30:1.2.840.113549.1.9;31:0.9.2342.19200300.100.
  4;32:1.2.840.113556.1.6.23;33:1.2.840.113556.1.6.18.1;34:1.2.840.113556.1.6.1
  8.2;35:1.2.840.113556.1.6.13.3;36:1.2.840.113556.1.6.13.4;37:1.3.6.1.1.1.1;38
  :1.3.6.1.1.1.2;39:1.3.6.1.4.1.7165.4.1;40:1.3.6.1.4.1.7165.4.2

>> ... but as my previous provision was lacking lots of new attributes and
>> classes this seems quite logical ... to be updated (example of
>> attributeID: 1.3.6.1.1.1.1.24)
>>      
>>>> defaultSecurityDescriptor
>>>>
>>>>          
>> Default security descriptor for
>> CN=User,CN=Schema,CN=Configuration,DC=smb4,DC=tst has changed
>> Default security descriptor for
>> CN=Domain-DNS,CN=Schema,CN=Configuration,DC=smb4,DC=tst has changed
>> Default security descriptor for
>> CN=Sam-Domain,CN=Schema,CN=Configuration,DC=smb4,DC=tst has changed
>>
>>      
>>>> mayContain
>>>>
>>>>          
>> Example of change:
>> dn= CN=Mail-Recipient,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : userSMIMECertificate
>> old 0 : secretary
>> old 0 : msExchLabeledURI
>> old 0 : msExchAssistantName
>> old 0 : labeledURI
>> new 0 : msDS-PhoneticDisplayName
>> new 0 : userSMIMECertificate
>> new 0 : secretary
>> new 0 : msExchLabeledURI
>> new 0 : msExchAssistantName
>> new 0 : labeledURI
>>
>> userSMIMECertificate was added ...
>>
>>      
>>>> systemFlags
>>>>
>>>>          
>> Modified
>> dn= CN=User-SMIME-Certificate,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : 0
>> new 0 : 16
>> or removed:
>> dn= CN=departmentNumber,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : 0
>>
>>
>>
>>      
>>>> searchFlags
>>>>
>>>>          
>> dn= CN=msNPAllowDialin,CN=Schema,CN=Configuration,DC=smb4,DC=tst searchFlags
>> old 0 : 0
>> new 0 : 16
>>
>>      
>>>> systemMayContain
>>>>
>>>>          
>> dn= CN=ms-DS-Az-Scope,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : msDS-AzApplicationData
>> old 0 : description
>> new 0 : msDS-AzGenericData
>> new 0 : msDS-AzObjectGuid
>> new 0 : msDS-AzApplicationData
>> new 0 : description
>>
>>
>>      
>>>> systemOnly
>>>>
>>>>          
>> Only 1 change like this
>> dn= CN=Schema-Flags-Ex,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : FALSE
>> new 0 : TRUE
>>
>>      
>>>> defaultObjectCategory
>>>>
>>>>          
>>>
>>>        
>> Only 1 change like this
>> dn= CN=Samba4-Local-Domain,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : CN=Builtin-Domain,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> new 0 : CN=Samba4-Local-Domain,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>>      
> I should really remove Samba4-Local-Domain.  It's not a problem, but
> it's not standard and there isn't really a very good excuse for it.
>
>    
>>> What changes here?
>>>
>>>
>>>        
>>>> possibleInferiors
>>>>
>>>>          
>>> This is now calculated at runtime.
>>>
>>>
>>>        
>>>> rangeUpper
>>>>
>>>>          
>> Only 1 change like this.
>> dn= CN=Title,CN=Schema,CN=Configuration,DC=smb4,DC=tst rangeUpper with
>> flag 2 is not allowed to be changed/removed, I discard this change ...
>> old 0 : 64
>> new 0 : 128
>>      
> This is probably just due to the schema changing.
>
>    
>>> For which attribute is this missing?  It may be a bug in the schema MS
>>> has provided to us.
>>>
>>>
>>>        
>>>> adminDisplayName
>>>> adminDescription
>>>>
>>>>          
>>> This is a bug in ms_schema.py or the supplied text-file schemas from MS.
>>> We must investigate if they are always equal to the displayName and
>>> description, and then provide a default mapping of one to the other in
>>> that script.
>>>
>>>
>>>        
>> adminDisplayName
>> dn= CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : x500uniqueIdentifier
>> adminDescription
>> dn= CN=x500uniqueIdentifier,CN=Schema,CN=Configuration,DC=smb4,DC=tst
>> old 0 : Used to distinguish between objects when a distinguished name
>> has been reused.  This is a different attribute type from both the "uid"
>> and "uniqueIdentifier" types.
>>
>>
>>      
>>>> For the first part I'm quite ok to change or remove them but for the
>>>> second as I don't know the use or the previous use of these attributes I
>>>> am a bit more reluctant to authorize the script to replace or remove
>>>> them.
>>>>
>>>>          
>>> Indeed, and I'm glad you checked.
>>>
>>>        
>> In fact it looks like most of these changes are due to a better source of
>> information for generating the schema.
>> Matthieu.
>>      
> Good
Well, at the end the question remains: is it OK and safe to replace the noted
attributes? What about adminDisplayName and adminDescription, which
seem the least legitimate changes? (Well, it seems it's just related to
schema attributes and the value is the same as the cn, so they can be
generated ...)

Matthieu.
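
Added example (not part of the original message and not Samba's upgradeprovision code): a Python comparison of two textual prefixMap values like the ones printed above, reporting which OID prefixes were added and which kept their OID but moved to another index. The function names are assumptions, and the sample values are constructed by shortening the tail of the two values in the message.

```python
# Added example: diff two textual prefixMap values ("index:OID-prefix;...").
# Sample values are constructed: shortened from the tail of the two values in
# the message, keeping the mail/LDIF line wrapping.
OLD = """prefixMap:
30:1.2.840.113549.1.9;31:0.9.2342.19200300.100.
  4;32:1.3.6.1.4.1.7165.4.1;33:1.3.6.1.4.1.7165.4.2"""
NEW = """prefixMap:
30:1.2.840.113549.1.9;31:0.9.2342.19200300.100.
  4;32:1.2.840.113556.1.6.23;33:1.2.840.113556.1.6.18.1;38
  :1.3.6.1.1.1.2;39:1.3.6.1.4.1.7165.4.1;40:1.3.6.1.4.1.7165.4.2"""


def parse_prefix_map(text):
    """Return {index: oid_prefix} from a wrapped 'idx:oid;idx:oid' value."""
    # Wrapping can split an entry anywhere, so remove all whitespace first.
    flat = "".join(text.split())
    if flat.startswith("prefixMap:"):
        flat = flat[len("prefixMap:"):]
    mapping = {}
    for entry in filter(None, flat.split(";")):
        idx, sep, oid = entry.partition(":")
        arcs = oid.split(".")
        if not sep or not idx.isdigit() or not all(a.isdigit() for a in arcs):
            raise ValueError(f"malformed prefixMap entry: {entry!r}")
        if int(idx) in mapping:
            raise ValueError(f"duplicate prefixMap index: {idx}")
        mapping[int(idx)] = oid
    return mapping


def diff_prefix_maps(old, new):
    """Compare by OID prefix, so an index change is reported as a move."""
    old_idx = {oid: i for i, oid in old.items()}
    new_idx = {oid: i for i, oid in new.items()}
    return {
        "added": sorted(new_idx.keys() - old_idx.keys(), key=new_idx.get),
        "removed": sorted(old_idx.keys() - new_idx.keys(), key=old_idx.get),
        "moved": {oid: (old_idx[oid], new_idx[oid])
                  for oid in old_idx.keys() & new_idx.keys()
                  if old_idx[oid] != new_idx[oid]},
    }


if __name__ == "__main__":
    report = diff_prefix_maps(parse_prefix_map(OLD), parse_prefix_map(NEW))
    for kind, value in report.items():
        print(kind, value)
```

On the sample, as on the full values in the message, 1.3.6.1.4.1.7165.4.1 and 1.3.6.1.4.1.7165.4.2 are reported as moved from indexes 32 and 33 to 39 and 40 rather than as removed.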


