why does this patch use samdb_search_count()?

Andrew Bartlett abartlet at samba.org
Mon Nov 15 13:17:20 MST 2010


On Mon, 2010-11-15 at 14:11 +0100, Matthias Dieter Wallnöfer wrote:
> The branch, master has been updated
>        via  16e73c6 s4:objectclass LDB module - implement the "objectClass" change restrictions on Windows 2000 forest function level
>       from  c3e24bb heimdal_base: Fix include path so heim_threads.h can be found.
> 
> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> 
> 
> - Log -----------------------------------------------------------------
> commit 16e73c68cb18fe428e83ee1b5ef9e17af743fae4
> Author: Matthias Dieter Wallnöfer <mdw at samba.org>
> Date:   Mon Nov 15 13:00:58 2010 +0100
> 
>     s4:objectclass LDB module - implement the "objectClass" change restrictions on Windows 2000 forest function level

Matthias,

It seems to me that this patch is trying to determine if one DN is
'under' another, but to do that it seems to be doing a
samdb_search_count().  This is quite an expensive call (compared with
say ldb_dn_compare_base()).  Why does it need to search the database
here?

Also, there isn't a useful error message if this fails.  I would prefer
if it would set an error that we can trace back to this module.

Thanks,

> diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
> index e863d48..5e3226a 100644
> --- a/source4/dsdb/samdb/ldb_modules/objectclass.c
> +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
> @@ -840,6 +840,31 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
>  		oc_changes = true;
>  	}
>  
> +	/* MS-ADTS 3.1.1.5.3.5 - on a forest level < 2003 we do allow updates
> +	 * only on application NCs - not on the standard DCs */
> +	if (oc_changes &&
> +	    (dsdb_forest_functional_level(ldb) < DS_DOMAIN_FUNCTION_2003)) {
> +		int cnt = samdb_search_count(ldb, ac,
> +					     ldb_get_default_basedn(ldb),
> +					     "(distinguishedName=%s)",
> +					     ldb_dn_get_linearized(req->op.mod.message->dn));
> +		if (cnt == 0) {
> +			cnt = samdb_search_count(ldb, ac,
> +						 ldb_get_config_basedn(ldb),
> +						 "(distinguishedName=%s)",
> +						 ldb_dn_get_linearized(req->op.mod.message->dn));
> +		}
> +		if (cnt == 0) {
> +			cnt = samdb_search_count(ldb, ac,
> +						 ldb_get_schema_basedn(ldb),
> +						 "(distinguishedName=%s)",
> +						 ldb_dn_get_linearized(req->op.mod.message->dn));
> +		}
> +		if (cnt != 0) {
> +			return LDB_ERR_UNWILLING_TO_PERFORM;
> +		}
> +	}
> +
>  	ret = ldb_build_mod_req(&down_req, ldb, ac,
>  				msg,
>  				req->controls, ac,
> 
> 
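Review bot: The linearized DN from req->op.mod.message->dn is formatted straight into the filter "(distinguishedName=%s)" in all three samdb_search_count() calls, with no filter escaping visible, so a DN containing filter metacharacters such as '(' , ')' or '*' can change or break the search expression that decides whether the restriction applies. Since the check is only whether the target DN lies under the default, config or schema base DN, comparing the DN against each of those three bases with ldb_dn_compare_base() (which returns 0 when the DN is under the base) would avoid building a filter at all and also remove up to three database searches per modify. Two smaller points in the same block: cnt is only tested for zero versus non-zero, so if samdb_search_count() can return a negative value on failure, a search error is handled as a match; and the return LDB_ERR_UNWILLING_TO_PERFORM path sets no error string, so a call such as ldb_set_errstring() naming the objectclass module and the forest functional level restriction before the return would make the refusal traceable. The comment's "standard DCs" also looks like it should read "standard NCs".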

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.