Pseudobacklinks in samba4

Andrew Bartlett abartlet at
Sun May 22 23:13:54 MDT 2011

On Mon, 2011-05-23 at 00:05 +0400, Matthieu Patou wrote:
> Hello,
> I just pushed in my repo at 
> Pseudo backlinks are a way to do fake linked attributes on attributes 
> with a DN-like syntax but that are not linked attributes.
> The main interest of this is that if the DN pointed to by this attribute 
> changes then thanks to the pseudobacklink we will be able to change the 
> value in the attribute as well.
> This can be very useful when removing a DC or when changing the site of 
> a DC and surely in other cases that we don't envision yet.
> I tried to be very cautious on these patches (as usual) but a small 
> review wouldn't hurt I think!

s4-dsdb: do not allow search on @ attributes and don't return them
(commitdiff h=23bf142dfde77429180f6cbd193b6faa2cbb05ec)

This is O(n^3) and not safe, as far as I can see it.  

If you used ldb_msg_remove_element() you could make it only O(n^2) and
potentially safe (knowing to repeat the index each time you remove it,
due to the internal memmove()).

We do need to move to a 'mark as deleted' scheme here, as this is one of
our nastiest little traps in the ldb API, but for now you have to work
around it. 

s4-dsdb: Add a warning about dsdb_module_rename that locks if olddn ==

Is this bug new, or exposed by your tests, or?  We should not use FIXME
as a bug tracking system, but actually fix the code if at all possible,
otherwise error out early. 

s4-dsdb: In rootdse module, catch rename on any DN that has an impact on
our NTDS Setting dn
(commitdiff h=e78335ce0184b5fdd6f313a6b95b00f242fab83f)

We should more dynamically determine this, I think, perhaps based on a
stored GUID (which should not change).  We have gradually moved from
having static strings in @ROOTDSE to dynamic lookup, and this is just
another step in that direction. 

(this also applies to all the other changes that modify @ROOTDSE). 

Let me know if you need any more clarification on these comments, and
thanks for all your hard work on this, we had left this important detail
to one side for too long. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
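
The "repeat the index each time you remove it" point from the first review comment, as an added example that is not code from the Samba tree or from this thread. `struct msg`, `msg_remove_at`, `strip_at_skipping`, `strip_at_repeat` and the attribute names are hypothetical; the struct is a simplified stand-in for an ldb message whose removal compacts the array with memmove(), as the comment says ldb_msg_remove_element() does.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an ldb message (NOT the real struct ldb_message). */
struct msg { const char *names[8]; unsigned int num; };

/* Removal by compaction: later elements are shifted down with memmove(),
 * so the element that followed slot i now lives AT slot i. O(n) per call. */
static void msg_remove_at(struct msg *m, unsigned int i)
{
    memmove(&m->names[i], &m->names[i + 1],
            (m->num - i - 1) * sizeof(m->names[0]));
    m->num--;
}

static unsigned int count_at(const struct msg *m)
{
    unsigned int i, n = 0;
    for (i = 0; i < m->num; i++) n += (m->names[i][0] == '@');
    return n;
}

/* Unsafe: always advances, so the element shifted into slot i is never
 * examined. Returns how many '@' names are still in the message. */
unsigned int strip_at_skipping(struct msg *m)
{
    for (unsigned int i = 0; i < m->num; i++)
        if (m->names[i][0] == '@') msg_remove_at(m, i);
    return count_at(m);
}

/* Safe: repeat the same index after a removal, advance only on a keep.
 * One pass with an O(n) removal each time is O(n^2) overall. */
unsigned int strip_at_repeat(struct msg *m)
{
    unsigned int i = 0;
    while (i < m->num) {
        if (m->names[i][0] == '@') msg_remove_at(m, i);
        else i++;
    }
    return count_at(m);
}

/* Constructed sample: two internal '@' names sit next to each other. */
struct msg sample_msg(void)
{
    return (struct msg){ { "cn", "@EXAMPLE1", "@EXAMPLE2", "objectGUID" }, 4 };
}

int main(void)
{
    struct msg a = sample_msg(), b = sample_msg();
    printf("skipping leaves %u, repeat leaves %u\n",
           strip_at_skipping(&a), strip_at_repeat(&b));
    return 0;
}
```

With the constructed sample, the always-advance loop leaves one `@` attribute in the returned message, which is the failure a "don't return them" filter has to rule out.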
