msDS-isRODC implementation

Anatoliy Atanasov anatoliy.atanasov at postpath.com
Thu Apr 29 05:17:57 MDT 2010


> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Thursday, April 29, 2010 13:58
> To: Anatoliy Atanasov
> Cc: samba-technical at samba.org
> Subject: RE: msDS-isRODC implementation
> 
> On Thu, 2010-04-29 at 13:29 +0300, Anatoliy Atanasov wrote:
> > > -----Original Message-----
> > > From: Andrew Bartlett [mailto:abartlet at samba.org]
> > > Sent: Thursday, April 29, 2010 13:22
> > > To: Anatoliy Atanasov
> > > Cc: samba-technical at samba.org
> > > Subject: Re: msDS-isRODC implementation
> > >
> > > On Thu, 2010-04-29 at 12:18 +0300, Anatoliy Atanasov wrote:
> > > > Hi Andrew,
> > > >
> > > > I pushed the implementation of msDS-isRODC here:
> > > > http://git.samba.org/?p=anatoliy/anatoliy.git;a=shortlog;h=refs/heads/wip_msds_isrodc
> > > > Please take a look at construct_msds_isrodc_with_dn. There I get the
> > > > objectCategory for the object for which I have to construct msDS-isRODC
> > > > and then I do another search on the schema for the distinguishedName of
> > > > the nTDSDSA class.
> > > > Is there a way to optimize the second read? Get the distinguishedName
> > > > from schema cache, probably?
> > >
> > > Yes, you can look up the schema by objectCategory DN - just get the
> > > first component and use dsdb_class_by_cn()
> > Yeah, I used similarly dsdb_class_by_lDAPDisplayName but the
> > dsdb_class struct doesn't have distinguishedName attr in it. The
> > closest thing to DN is defaultObjectCategory, and at the end I need the
> > DN only.
> 
> For this, why not just look at the objectCategory, and do a strcmp on
> the first part of the DN.  If it is msDS-isRODC then you have answered
> your question.  What is the need to actually consult the schema?
>
>
> If you want the longer test for some reason, then the DN of the nTDSDSA
> schema class is CN=NTDS-DSA,<schema DN>. 
I read too much ms docs :), I'll do what sounds reasonable.

> > > If you also searched on objectCategory in the first search, then for
> > > that case you should be able to avoid the second search entirely for
> > > computer account objects.
> > How can I request objectClass and ObjectCategory at the same time, I
> > thought in the search_sub struct in operational.c one can get only one
> > attr per request, that is why I specified objectClass, so I can get it in
> > the callback.
> 
> The operational code will currently allow you to ask for two attributes.
> It should take a list, but I never got around to making it general.  See
> "primaryGroupToken"
Thanks.
 
> Andrew Bartlett
> 
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
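
The check suggested in the thread (compare the first component of the objectCategory DN instead of searching the schema), as an added example that is not from the thread or from Samba's code: it uses plain C string handling rather than the ldb DN API, the helper names `first_cn_value` and `category_is_ntds_dsa` are hypothetical, and the sample DNs are constructed. It compares the whole RDN value, because the nTDSDSRO class has the CN NTDS-DSA-RO and a prefix match would treat the two classes alike.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the value of the first RDN of dn into out, undoing backslash
 * escapes (only the "\<char>" form, not "\XX" hex pairs). Returns 0 on
 * success, -1 if the first RDN is not "CN=..." or the value does not fit. */
static int first_cn_value(const char *dn, char *out, size_t outlen)
{
    size_t n = 0;

    if (dn == NULL || outlen == 0 || strncasecmp(dn, "CN=", 3) != 0)
        return -1;
    for (dn += 3; *dn != '\0' && *dn != ','; dn++) {
        if (*dn == '\\' && dn[1] != '\0')
            dn++;              /* escaped char is data, not a separator */
        if (n + 1 >= outlen)
            return -1;         /* refuse to truncate: a cut name could match */
        out[n++] = *dn;
    }
    out[n] = '\0';
    return 0;
}

/* 1 if objectCategory names the nTDSDSA schema class (CN=NTDS-DSA,<schema DN>),
 * 0 otherwise. The whole RDN value is compared, so a longer class name that
 * merely starts with "NTDS-DSA" does not match. */
int category_is_ntds_dsa(const char *object_category)
{
    char cn[64];

    if (first_cn_value(object_category, cn, sizeof(cn)) != 0)
        return 0;
    return strcasecmp(cn, "NTDS-DSA") == 0;
}

int main(void)
{
    /* Constructed sample DNs; DC=example,DC=com is a placeholder. */
    const char *rw = "CN=NTDS-DSA,CN=Schema,CN=Configuration,DC=example,DC=com";
    const char *ro = "CN=NTDS-DSA-RO,CN=Schema,CN=Configuration,DC=example,DC=com";

    printf("%d %d\n", category_is_ntds_dsa(rw), category_is_ntds_dsa(ro));
    return 0;
}
```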
