why does this patch use samdb_search_count()?

Matthias Dieter Wallnöfer mdw at samba.org
Mon Nov 15 13:53:50 MST 2010


Andrew,

"ldb_dn_base_compare" doesn't work in this case. An example: assume the 
default basedn as "dc=example,dc=com" and a certain application basedn 
as "cn=ForestDnsZones,dc=example,dc=com". Now we do have 
"cn=Infrastructure,cn=ForestDnsZones,dc=example,dc=com" where the object 
classes should be changed. Well, on "ldb_dn_base_compare" it matches 
with the application basedn *but also* with the default basedn, which it 
shouldn't, since the object clearly isn't located in the default basedn 
partition.
The rule says "objectClass" changes are allowed on application partitions 
but not on the standard ones (default, configuration, schema).

So, do you know a better way than "samdb_search_count"? I'm open to 
improvements.

Greets,
Matthias

Andrew Bartlett wrote:
> On Mon, 2010-11-15 at 14:11 +0100, Matthias Dieter Wallnöfer wrote:
>    
>> The branch, master has been updated
>>         via  16e73c6 s4:objectclass LDB module - implement the "objectClass" change restrictions on Windows 2000 forest function level
>>        from  c3e24bb heimdal_base: Fix include path so heim_threads.h can be found.
>>
>> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
>>
>>
>> - Log -----------------------------------------------------------------
>> commit 16e73c68cb18fe428e83ee1b5ef9e17af743fae4
>> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
>> Date:   Mon Nov 15 13:00:58 2010 +0100
>>
>>      s4:objectclass LDB module - implement the "objectClass" change restrictions on Windows 2000 forest function level
>>      
> Matthias,
>
> It seems to me that this patch is trying to determine if one DN is
> 'under' another, but to do that it seems to be doing a
> samdb_search_count().  This is quite an expensive call (compared with
> say 'ldb_dn_compare_base()').  Why does it need to search the database
> here?
>
> Also, there isn't a useful error message if this fails.  I would prefer
> if it would set an error that we can trace back to this module.
>
> Thanks,
>
>    
>> diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c b/source4/dsdb/samdb/ldb_modules/objectclass.c
>> index e863d48..5e3226a 100644
>> --- a/source4/dsdb/samdb/ldb_modules/objectclass.c
>> +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
>> @@ -840,6 +840,31 @@ static int objectclass_modify(struct ldb_module *module, struct ldb_request *req
>>   		oc_changes = true;
>>   	}
>>
>> +	/* MS-ADTS 3.1.1.5.3.5 - on a forest level<  2003 we do allow updates
>> +	 * only on application NCs - not on the standard DCs */
>> +	if (oc_changes&&
>> +	    (dsdb_forest_functional_level(ldb)<  DS_DOMAIN_FUNCTION_2003)) {
>> +		int cnt = samdb_search_count(ldb, ac,
>> +					     ldb_get_default_basedn(ldb),
>> +					     "(distinguishedName=%s)",
>> +					     ldb_dn_get_linearized(req->op.mod.message->dn));
>> +		if (cnt == 0) {
>> +			cnt = samdb_search_count(ldb, ac,
>> +						 ldb_get_config_basedn(ldb),
>> +						 "(distinguishedName=%s)",
>> +						 ldb_dn_get_linearized(req->op.mod.message->dn));
>> +		}
>> +		if (cnt == 0) {
>> +			cnt = samdb_search_count(ldb, ac,
>> +						 ldb_get_schema_basedn(ldb),
>> +						 "(distinguishedName=%s)",
>> +						 ldb_dn_get_linearized(req->op.mod.message->dn));
>> +		}
>> +		if (cnt != 0) {
>> +			return LDB_ERR_UNWILLING_TO_PERFORM;
>> +		}
>> +	}
>> +
>>   	ret = ldb_build_mod_req(&down_req, ldb, ac,
>>   				msg,
>>   				req->controls, ac,
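Review bot: in all three samdb_search_count() calls the DN is interpolated unescaped into the filter "(distinguishedName=%s)" via ldb_dn_get_linearized(); a DN containing filter metacharacters such as '(', ')', '*' or '\' yields a malformed filter or a search that does not match the intended object, so the value needs filter escaping, or better, the partition membership should be decided by DN comparison against the known partition bases instead of a database search. Further, `if (cnt != 0)` treats any non-zero return, including an error return from samdb_search_count(), as a hit and refuses the modify with LDB_ERR_UNWILLING_TO_PERFORM without setting an error string, so nothing traces the failure back to this module; handle the error case separately and call ldb_asprintf_errstring() before returning. Finally, the comment "not on the standard DCs" should read "NCs" (naming contexts), matching the MS-ADTS 3.1.1.5.3.5 reference it cites.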
>>
>>
>>      
>    
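An added example, not Samba's own code, of the approach the thread circles around: instead of searching the database, compare the DN against every known partition base and keep the most specific match (the base with the most RDN components). That removes the false match with the default basedn that the ForestDnsZones example shows, because the application NC base is deeper than the domain base and therefore wins. The DN splitting and the static partition table are simplifications made for this example (ldb's own DN comparison is attribute-syntax aware and handles escaping, and Samba would take the partition list from the server's configured naming contexts, not a hard-coded array); the sample DNs are constructed using the spelling from the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

#define MAX_RDNS 32

/* A naming context (partition) the server holds. Constructed sample data,
 * not read from any database. */
struct partition {
	const char *dn;
	bool is_application_nc;
};

/* Split a linearized DN into RDN components, leftmost component first.
 * Assumption: components are separated by a plain ',' (escaped commas and
 * multi-valued RDNs are not handled here). Returns the component count. */
static size_t split_dn(const char *dn, const char *comp[], size_t len[])
{
	size_t n = 0;
	const char *p = dn;

	while (n < MAX_RDNS) {
		const char *comma = strchr(p, ',');
		size_t l = comma ? (size_t)(comma - p) : strlen(p);

		/* strip blanks around the component */
		while (l > 0 && *p == ' ') { p++; l--; }
		while (l > 0 && p[l - 1] == ' ') l--;
		comp[n] = p;
		len[n] = l;
		n++;
		if (comma == NULL) break;
		p = comma + 1;
	}
	return n;
}

/* True if 'dn' equals 'base' or lies below it. Components are compared
 * case-insensitively from the root end, so "DC=Example,DC=com" matches
 * "dc=example,dc=com". */
bool dn_under_base(const char *dn, const char *base)
{
	const char *dc[MAX_RDNS], *bc[MAX_RDNS];
	size_t dl[MAX_RDNS], bl[MAX_RDNS];
	size_t nd = split_dn(dn, dc, dl);
	size_t nb = split_dn(base, bc, bl);
	size_t i;

	if (nb > nd) return false;
	for (i = 0; i < nb; i++) {
		size_t di = nd - 1 - i, bi = nb - 1 - i;
		if (dl[di] != bl[bi] || strncasecmp(dc[di], bc[bi], dl[di]) != 0)
			return false;
	}
	return true;
}

/* Select the partition whose base is the most specific ancestor of 'dn':
 * among all bases that match, the one with the most RDN components wins.
 * This is what keeps "cn=Infrastructure,cn=ForestDnsZones,dc=example,dc=com"
 * from being attributed to "dc=example,dc=com". Returns NULL if nothing matches. */
const struct partition *partition_for_dn(const char *dn,
					 const struct partition *parts, size_t nparts)
{
	const struct partition *best = NULL;
	size_t best_depth = 0, i;

	for (i = 0; i < nparts; i++) {
		const char *c[MAX_RDNS];
		size_t l[MAX_RDNS], depth;

		if (!dn_under_base(dn, parts[i].dn)) continue;
		depth = split_dn(parts[i].dn, c, l);
		if (best == NULL || depth > best_depth) {
			best = &parts[i];
			best_depth = depth;
		}
	}
	return best;
}

/* Constructed sample forest: the three standard NCs and two application NCs,
 * using the DN spelling from the mail above. */
const struct partition sample_parts[] = {
	{ "dc=example,dc=com", false },
	{ "cn=Configuration,dc=example,dc=com", false },
	{ "cn=Schema,cn=Configuration,dc=example,dc=com", false },
	{ "cn=ForestDnsZones,dc=example,dc=com", true },
	{ "cn=DomainDnsZones,dc=example,dc=com", true },
};
#define SAMPLE_NPARTS (sizeof(sample_parts) / sizeof(sample_parts[0]))

/* The rule from the thread: objectClass changes are permitted only for
 * objects whose partition is an application NC. */
bool objectclass_change_allowed(const char *dn)
{
	const struct partition *p = partition_for_dn(dn, sample_parts, SAMPLE_NPARTS);
	return p != NULL && p->is_application_nc;
}
```

Inside the objectclass module the same selection could be done with ldb_dn_compare_base() against each configured partition DN, keeping the deepest match, which costs a handful of in-memory DN comparisons instead of three subtree searches and leaves nothing to filter-escape.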
