s4: dSHeuristics syntax check

[Nadezhda Ivanova]

Hi Andrew,
I am only checking modifies because this is an attribute of the Directory
Service object, of which we only have one per forest I think, and by default
this attribute is missing. It seems an overkill to check every time when
adding an object if we have dsHeurisrics, as it is very unlikely that we
will be adding a second Directory Service object. It is no problem to check
adds as well, but I think it will just be overhead.  The tenthChar is as
documented in MS-ADTS, it and all the other character positions are defined
in flags.h.

Regards,
Nadya

On Tue, Nov 2, 2010 at 10:15 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2010-11-02 at 16:38 +0200, Nadezhda Ivanova wrote:
> > Hi Matthias and team,
> > I implemented checking of the restrictions on dSHeuristics attribute, as
> > described in MS-ADTS 7.1.1.2.4.1.2, because it is being used in the
> aclread
> > module, and we should probably start to actually pay attention to its
> > settings in other places as well, such as accepting userPassword
> attribute
> > ot accepting a password reset over non-secure connection. I put the check
> in
> > objectclass_attrs, as this is the place where we generally check
> attribute
> > syntax, but if you have any objections or suggestions let me know.
> > Here are the patches:
> > Tests:
> >
> http://gitweb.samba.org/?p=nivanova/samba.git;a=commit;h=9c5490c9298aa29d9deb76702f21dd8f0d5b9902
> > Implementation:
> >
> http://gitweb.samba.org/?p=nivanova/samba.git;a=commit;h=d274e17fba5b5d047904595ae505339b8bd1176f
>
> Why do you only check modifies?  Also, the macros for '10th char' seem
> weird, but I presume they are already defined somewhere for some other
> purpose.  Otherwise, this looks good!
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/<http://samba.org/%7Eabartlet/>
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>