s4: dSHeuristics syntax check

Matthias Dieter Wallnöfer mdw at samba.org
Thu Nov 11 02:35:00 MST 2010

I think I've worked it out - at the moment it's in autobuild. I hope 
that I've described all changes as clear as possible so it shouldn't be 
too hard to change something afterwards. Well it has been quite a bit of 
work since we've always assumed that "userPassword" is in any case 

Afterwards the next step would be to help me implementing the ASN1 
parser for the EXOP password control, so I could start to write a test.


Nadezhda Ivanova wrote:
> Hi Matthias,
> This is great! Let me know if there is anything I can help you with.
> Regards,
> Nadya
> On Wed, Nov 10, 2010 at 4:18 PM, Matthias Dieter Wallnöfer 
> <mdw at samba.org <mailto:mdw at samba.org>> wrote:
>     Hi Nadya,
>     I'm very close to enforce the "dSHeuristics" regarding the
>     "userPassword" attribute - but it will still take a bit to fix all
>     issues. Unfortunately we've worked with the assumption that
>     "userPassword" is always usable for changing passwords - which in
>     fact it isn't. Therefore some scripts need to be patched.
>     Greets,
>     Matthias
>     Nadezhda Ivanova wrote:
>         Ok, I will add a check on adds as well, although I am not sure
>         I can make a test for this that will pass against windows. As
>         for whether its a necessary feature, we definitely do not need
>         to take all the flags into account, but some of them make
>         sense and alter the behavior of the server, as in the case
>         with blocking anonymous connections and the password resets,
>         remember how these tests did not pass against windows until we
>         started playing with dSHeuristics? At the very least we should
>         not allow invalid data to be entered there.
>         Regards,
>         Nadya
>         On Wed, Nov 3, 2010 at 9:12 AM, Matthias Dieter Wallnöfer
>         <mdw at samba.org <mailto:mdw at samba.org> <mailto:mdw at samba.org
>         <mailto:mdw at samba.org>>> wrote:
>            Exactly, Andrew.
>            Better to test more than less. This 1.) prevents problems
>         when we
>            enforce more and more constraints, 2.) keeps our database as
>            consistent as possible.
>            Well the "dSHeuristics" implementation as such I don't find the
>            most needed feature - but well, if it's done correctly I'm fine
>            with it.
>            Greets,
>            Matthias
>            Andrew Bartlett wrote:
>                I still think we should do out best to always ensure we
>         always
>                validate
>                data entered into the directory.
>                Andrew Bartlett

More information about the samba-technical mailing list