msDS-isRODC implementation

Andrew Bartlett abartlet at samba.org
Thu Apr 29 04:58:23 MDT 2010


On Thu, 2010-04-29 at 13:29 +0300, Anatoliy Atanasov wrote:
> > -----Original Message-----
> > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > Sent: Thursday, April 29, 2010 13:22
> > To: Anatoliy Atanasov
> > Cc: samba-technical at samba.org
> > Subject: Re: msDS-isRODC implementation
> > 
> > On Thu, 2010-04-29 at 12:18 +0300, Anatoliy Atanasov wrote:
> > > Hi Andrew,
> > >
> > > I pushed the implementation of msDS-isRODC here:
> > > http://git.samba.org/?p=anatoliy/anatoliy.git;a=shortlog;h=refs/heads/wip_msds_isrodc
> > > Please take a look at construct_msds_isrodc_with_dn. There I get the
> > > objectCategory for the object for which I have to construct msDS-isRODC
> > > and then I do another search on the schema for the distinguishedName of
> > > the nTDSDSA class.
> > > Is there a way to optimize the second read? Get the distinguishedName
> > > from schema cache, probably?
> > 
> > Yes, you can look up the schema by objectCategory DN - just get the
> > first component and use dsdb_class_by_cn()
> Yeah, I used dsdb_class_by_lDAPDisplayName similarly, but the
> dsdb_class struct doesn't have a distinguishedName attr in it. The
> closest thing to a DN is defaultObjectCategory, and at the end I need the
> DN only.

For this, why not just look at the objectCategory, and do a strcmp on
the first part of the DN.  If it is msDS-isRODC then you have answered
your question.  What is the need to actually consult the schema?

If you want the longer test for some reason, then the DN of the nTDSDSA
schema class is CN=NTDS-DSA,<schema DN>.  

> > If you also searched on objectCategory in the first search, then for
> > that case you should be able to avoid the second search entirely for
> > computer account objects.
> How can I request objectClass and ObjectCategory at the same time? I
> thought in the search_sub struct in operational.c one can get only one
> attr per request, that is why I specified objectClass, so I can get it
> in the callback.

The operational code will currently allow you to ask for two attributes.
It should take a list, but I never got around to making it general.  See
"primaryGroupToken"

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
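
Added example (not part of the original message and not Samba's code): a stand-alone C sketch of comparing the first component of an objectCategory DN against a class CN such as NTDS-DSA, without a schema search. The function names and the sample DN are assumptions made for illustration; it compares the whole unescaped value, so a longer name sharing the prefix or an escaped NUL does not match.

```c
#include <ctype.h>
#include <stdio.h>
#include <strings.h>

static int hexval(unsigned char c)
{
	if (isdigit(c)) return c - '0';
	c = (unsigned char)tolower(c);
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Copy the unescaped value of the first RDN into out, only if its type is CN.
 * Returns 0 on success, -1 on malformed input or overflow. */
static int first_cn_value(const char *dn, char *out, size_t outlen)
{
	size_t n = 0;
	if (dn == NULL || outlen == 0 || strncasecmp(dn, "CN=", 3) != 0) return -1;
	for (dn += 3; *dn != '\0' && *dn != ','; dn++) {
		char c = *dn;
		if (c == '\\') {                      /* "\," or hex pair "\2C" */
			int hi = hexval((unsigned char)dn[1]);
			int lo = hi >= 0 ? hexval((unsigned char)dn[2]) : -1;
			if (hi >= 0 && lo < 0) return -1; /* truncated hex pair */
			if (hi >= 0) { c = (char)(hi * 16 + lo); dn += 2; }
			else if (dn[1] != '\0') c = *++dn;
			else return -1;                   /* dangling backslash */
		}
		/* An embedded NUL would cut the comparison short: reject it. */
		if (c == '\0' || n + 1 >= outlen) return -1;
		out[n++] = c;
	}
	out[n] = '\0';
	return n > 0 ? 0 : -1;
}

/* 1 if the first component of object_category is CN=<class_cn>, else 0. */
int object_category_is_class(const char *object_category, const char *class_cn)
{
	char val[256];
	if (first_cn_value(object_category, val, sizeof(val)) != 0) return 0;
	return strcasecmp(val, class_cn) == 0;
}

int main(void)
{
	/* Constructed DN; the schema DN suffix is a placeholder. */
	const char *dn = "CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=example,DC=com";
	printf("%d\n", object_category_is_class(dn, "NTDS-DSA"));
}
```

Inside Samba the ldb DN helpers (ldb_dn_get_rdn_name() and ldb_dn_get_rdn_val()) already parse the first component, so only the comparison would be needed there.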
