[PATCH] s4-drs: Delete RODC filtered attributes from objects
Andrew Bartlett
abartlet at samba.org
Fri Mar 12 17:28:32 MST 2010
On Fri, 2010-03-12 at 15:42 +0200, Anatoliy Atanasov wrote:
> > Hi Fernando,
> >
> > > In this patch, if there is an update on an attributeSchema object such
> > > that it become part of the RODC filtered set, then we delete the
> > > values of that attribute from any object which contains it.
> >
> > I think this isn't the right approach.
> >
> > When a DC is a RODC, then when it replicates from another DC, it gets
> > a subset of the attributes. So there is no need for it to delete
> > attributes. The reason it gets a subset is that a RODC is not trusted
> > to hold all attributes, so they will never be sent by the other DC.
> >
> > I think these are the logical changes we need to support RODC
> > operation:
> >
> > 1) when we are a RODC we should refuse changes to the directory. This
> > would happen in repl_meta_data.c module. I think the logical place
> > for this check is in replmd_update_rpmd_element()
> I am on it. I was wondering where this check should happen; I thought about ldap_server/ldap_backend.c because, as far as I know, the LDAP request goes through there first.
No, we should deny the updates at the point tridge indicated. It is
important to deny all updates - imagine if we accepted writes over SAMR,
but not LDAP?
Denying writes on the RODC is however only a courtesy. Clients should
know not to write to an RODC in the first place. (The few writes that
clients are permitted to do are forwarded directly to a writeable DC).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.