s4:objectclass_attrs LDB module - move the single-valued attribute check into this module

Andrew Bartlett abartlet at samba.org
Tue Jun 8 22:29:18 MDT 2010


On Mon, 2010-06-07 at 14:31 -0500, Matthias Dieter Wallnöfer wrote:
> The branch, master has been updated
>        via  99c9e35... ldb:pyldb.c - we cannot use "ldb_dn_compare" if both message DNs are NULL in "py_ldb_msg_compare"
>        via  0c3dfd7... s4 python: add more unit tests to verify the compare tests
>        via  1949864... s4:objectclass_attrs LDB module - move the single-valued attribute check into this module
>        via  a75d271... s4:rdn_name LDB module - move the "distinguishedName" write prevent check here
>       from  9a747d5... s3:auth add hooks to indicate if signing or sealing is desired with NTLMSSP
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master

Matthias,

So often I've replied to your commits to point out what things you have
missed, or that I wish I had seen things before, so I wanted to change
the tone a little:

Thank you for all your hard, detailed work to improve the quality of our
LDAP server.  As we are now a read-write replica with Windows, it's
critical that we hold clients to the same standards a Windows server
would.  Otherwise, we have a real risk that we may allow a poorly
written client to corrupt the replicated database. 

Your work here is of great value, and is much appreciated.  I look
forward to continuing to work with you as we refine this area.  

> commit 1949864417f3d10fb8996df7db259649eb777271
> Author: Matthias Dieter Wallnöfer <mdw at samba.org>
> Date:   Mon Jun 7 20:46:59 2010 +0200
> 
>     s4:objectclass_attrs LDB module - move the single-valued attribute check into this module
>     
>     It seems to me more consistent (and also to keep the same behaviour on all
>     backends).
>     
>     Also the DRS hack should therefore not be needed anymore since the
>     "repl_meta_data" module launches requests behind "objectclass_attrs".
> 
> commit a75d271373dbbff973544865c2c9715510d67669
> Author: Matthias Dieter Wallnöfer <mdw at samba.org>
> Date:   Mon Jun 7 20:31:22 2010 +0200
> 
>     s4:rdn_name LDB module - move the "distinguishedName" write prevent check here
>     
>     In my eyes it fits better here than in the TDB backend code.

BTW, I think both of these changes are good.  The single-value check was
added to ldb_tdb when I was working with Microsoft to pass their LDAP
testsuite, as were the DN changes.  It is nice to move these back to the
Samba-specific code, as only the Samba schema code could enable it
anyway. 

We may need to rework some of this in the future (I'm a little worried
about the performance impact of a read after every write), but this work
and the test-suites you have written with it form a great basis to build
consistency. 

Thanks!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
