subtree rename constraint checks

Matthias Dieter Wallnöfer mdw at samba.org
Tue Apr 26 03:11:46 MDT 2011


Hi ekacnet,

I'm not confident in this patch. I think that each entry needs the 
constraint checks since it has its own "systemFlags" attribute. Probably 
just my limited move checks are wrong (this code is part of the 
subtree_rename LDB module):
>                         bool limited_move =
>                                 systemFlags & SYSTEM_FLAG_CONFIG_ALLOW_LIMITED_MOVE;
>
>                         if (limited_move) {
>                                 dn1 = ldb_dn_copy(ac, olddn);
>                                 if (dn1 == NULL) return ldb_oom(ldb);
>                                 dn2 = ldb_dn_copy(ac, newdn);
>                                 if (dn2 == NULL) return ldb_oom(ldb);
>
>                                 limited_move &= ldb_dn_remove_child_components(dn1, 3);
>                                 limited_move &= ldb_dn_remove_child_components(dn2, 3);
>                                 limited_move &= ldb_dn_compare(dn1, dn2) == 0;
>
>                                 talloc_free(dn1);
>                                 talloc_free(dn2);
>                         }
>
>                         if (!limited_move) {
>                                 ldb_asprintf_errstring(ldb,
>                                                        "subtree_rename: Cannot move %s to %s in config partition",
>                                                        ldb_dn_get_linearized(olddn), ldb_dn_get_linearized(newdn));
>                                 return LDB_ERR_UNWILLING_TO_PERFORM;
>                         }

I will try to fix it.

Cheers,
Matthias


Matthieu Patou wrote:
> On 25/04/2011 18:30, Matthieu Patou wrote:
>> Hello Mathias,
>>
>> I'm asking some questions about the tests related to subtree_rename.c 
>> module in samdb.
>>
>> Have you tested the case when 
>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld 
>> is renamed but it has a subentry (i.e. CN=NTDS 
>> Settings,CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld)?
>>
>> After reading MS-ADTS, I still don't have an idea of what is wrong, 
>> but I'm pretty sure that something is wrong as when I try to move a 
>> server from 1 site to another in Active Directory Sites and Services 
>> (dssite.msc) I have an error and the error came from the DN moves that 
>> are triggered on the subentries while moving 
>> CN=A,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=tld 
>> to CN=A,CN=Servers,CN=Test,CN=Sites,CN=Configuration,DC=domain,DC=tld.
>>
>> It's clear that something is wrong as in ADTS in chapter 
>> 7.1.1.2.2.1.2.1 (Server Object) the system flags for it are: { 
>> FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE |
>> FLAG_DISALLOW_MOVE_ON_DELETE }
>>
>> So the (limited) move of CN=A,CN=Servers, ... is authorized. The "NTDS 
>> Settings" entry is a nTDSDSA Object described at 7.1.1.2.2.1.2.1.1, which 
>> says systemFlags: {FLAG_DISALLOW_MOVE_ON_DELETE}, so the way the code 
>> is done we can never move nor rename a server object as its NTDS 
>> subentry does not allow anything like this.
>>
>> My assumption is that the checks should be done only on the DN that 
>> triggers the subtree rename and not on the subentries as they are not 
>> really changed and their DNs should be dynamically calculated.
>>
> What about a patch like this ?
>> Matthieu.
>>
>>
>>
>>
>>
>
>
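The behaviour discussed in this thread, reproduced as an added stand-alone example (not code from Samba or from either poster): the quoted limited-move test is applied to the server object and to its "NTDS Settings" child, using the DNs and systemFlags given above. Assumptions: `strip_rdns`, `limited_move_ok`, `first_rejected` and the `subtree` table are hypothetical names, DNs are split naively on commas (no escaped commas), and `strcmp` stands in for `ldb_dn_compare`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* systemFlags bits as defined in MS-ADTS */
#define FLAG_CONFIG_ALLOW_RENAME       0x40000000u
#define FLAG_CONFIG_ALLOW_LIMITED_MOVE 0x10000000u
#define FLAG_DISALLOW_MOVE_ON_DELETE   0x02000000u
#define SITES ",CN=Sites,CN=Configuration,DC=domain,DC=tld"

/* Hypothetical helper: skip n leading RDNs, NULL if the DN is too short. */
static const char *strip_rdns(const char *dn, unsigned n)
{
	while (n-- > 0) {
		dn = strchr(dn, ',');
		if (dn == NULL) return NULL;
		dn++;
	}
	return dn;
}

/* Same test as the quoted snippet: flag set, and both DNs equal once
 * three child components are removed (exact compare, an assumption). */
static bool limited_move_ok(uint32_t flags, const char *olddn, const char *newdn)
{
	const char *a, *b;
	if (!(flags & FLAG_CONFIG_ALLOW_LIMITED_MOVE)) return false;
	a = strip_rdns(olddn, 3);
	b = strip_rdns(newdn, 3);
	return a != NULL && b != NULL && strcmp(a, b) == 0;
}

struct entry { const char *olddn, *newdn; uint32_t flags; };

/* Constructed sample: the server move from the thread plus its child. */
static const struct entry subtree[] = {
	{ "CN=A,CN=Servers,CN=Default-First-Site-Name" SITES, "CN=A,CN=Servers,CN=Test" SITES,
	  FLAG_CONFIG_ALLOW_RENAME | FLAG_CONFIG_ALLOW_LIMITED_MOVE | FLAG_DISALLOW_MOVE_ON_DELETE },
	{ "CN=NTDS Settings,CN=A,CN=Servers,CN=Default-First-Site-Name" SITES,
	  "CN=NTDS Settings,CN=A,CN=Servers,CN=Test" SITES, FLAG_DISALLOW_MOVE_ON_DELETE },
};

/* Index of the first entry rejected when every entry is checked, -1 if none. */
static int first_rejected(const struct entry *e, int n)
{
	for (int i = 0; i < n; i++)
		if (!limited_move_ok(e[i].flags, e[i].olddn, e[i].newdn)) return i;
	return -1;
}

int main(void)
{
	printf("root only: %d, whole subtree: %d\n", first_rejected(subtree, 1), first_rejected(subtree, 2));
	return 0;
}
```

With these inputs the server object passes, while the child is rejected on its flags, and it would still be rejected with the flag set because a depth of three no longer reaches the common CN=Sites ancestor.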


