[PATCHES] bug #8620

Andrew Bartlett abartlet at samba.org
Sun Nov 11 15:53:55 MST 2012


On Sun, 2012-11-11 at 23:12 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> here're some patches which let us protect attributes which are marked
> as confidential in the schema.
> 
> Can you push them to master and upload them to
> https://bugzilla.samba.org/show_bug.cgi?id=8620

These look good, and for that reason they are on their way to autobuild.
Some improvements to consider if you are able however:

We have a better way of doing the 'never match this attribute' thing now
- instead of kludgeACLRedatectAttribute (a nasty hack of mine) we now
have SAMBA_LDAP_MATCH_ALWAYS_FALSE as an extended match rule.

See source4/dsdb/samdb/ldb_modules/extended_dn_in.c for how it is used.

For 's4:dsdb/acl: only give administrators access to attributes marked
as confidential (bug #8620)' I'm wondering if you considered, instead of
duplicating the confidential attribute list, just looking up the
schema at runtime for the bit flag?

That is, walk the list of returned attributes, removing them if they
matched?  I'm not sure it's a win, but I wanted to raise the suggestion.

(Many of these things would be more efficient if we had a schema pointer
on each ldb_msg_element). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
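
The two mechanisms discussed in this thread, making a filter clause on a
confidential attribute never match and stripping such attributes from
returned entries by consulting the schema flag at runtime, as an added
illustration in Python. This is not Samba's code (Samba's acl module is C in
source4/dsdb/samdb/ldb_modules); the toy schema, the sample entries, the
pre-parsed filter tree and the ("false",) sentinel standing in for an
always-false extended match rule are all constructed for the example. The
searchFlags bit value for confidential attributes (0x80) is the one defined
in the AD schema.

```python
"""Added illustration, not Samba code: hiding schema-confidential attributes
from non-administrators in a directory search path.

Two pieces are needed, as in the patch discussion: strip confidential
attributes from returned entries, and rewrite any filter clause that tests
a confidential attribute so it never matches, so values cannot be probed
with (attr=guess). Schema, entries and filter representation are constructed.
"""

# AD schema searchFlags bit marking an attribute confidential (fCONFIDENTIAL).
SEARCH_FLAG_CONFIDENTIAL = 0x80

# Constructed toy schema: attributeSchema lDAPDisplayName -> searchFlags.
SCHEMA_SEARCH_FLAGS = {
    "cn": 0,
    "sAMAccountName": 0x1,                        # indexed, not confidential
    "unixUserPassword": SEARCH_FLAG_CONFIDENTIAL,
    "msFVE-RecoveryPassword": SEARCH_FLAG_CONFIDENTIAL | 0x1,
}


def is_confidential(attr):
    """Consult the schema at runtime for the bit instead of keeping a
    separate hard-coded list of confidential attribute names."""
    for name, flags in SCHEMA_SEARCH_FLAGS.items():
        if name.lower() == attr.lower():     # LDAP attribute names are case-insensitive
            return bool(flags & SEARCH_FLAG_CONFIDENTIAL)
    return False                              # unknown attribute: not flagged


def redact_entry(entry, is_admin):
    """Walk the attributes of a returned entry, removing those marked
    confidential unless the caller is an administrator."""
    if is_admin:
        return dict(entry)
    return {a: v for a, v in entry.items() if not is_confidential(a)}


# Filters are pre-parsed trees: ("and", [...]), ("or", [...]), ("not", f),
# ("eq", attr, value), ("present", attr), plus the sentinel ("false",),
# which plays the role of an always-false extended match rule.
ALWAYS_FALSE = ("false",)


def redact_filter(f, is_admin):
    """Replace every clause that tests a confidential attribute with the
    always-false sentinel, recursing through the boolean connectives."""
    if is_admin:
        return f
    op = f[0]
    if op in ("and", "or"):
        return (op, [redact_filter(sub, is_admin) for sub in f[1]])
    if op == "not":
        return ("not", redact_filter(f[1], is_admin))
    if op in ("eq", "present") and is_confidential(f[1]):
        return ALWAYS_FALSE
    return f


def matches(f, entry):
    """Evaluate a filter tree against one entry (dict of attr -> list of values)."""
    op = f[0]
    if op == "false":
        return False
    if op == "and":
        return all(matches(sub, entry) for sub in f[1])
    if op == "or":
        return any(matches(sub, entry) for sub in f[1])
    if op == "not":
        return not matches(f[1], entry)
    values = next((v for a, v in entry.items() if a.lower() == f[1].lower()), [])
    if op == "present":
        return bool(values)
    if op == "eq":
        return f[2] in values
    raise ValueError("unknown filter op %r" % op)


def search(entries, f, is_admin):
    """Apply both protections: filter rewriting before matching, attribute
    stripping on the way out."""
    safe_filter = redact_filter(f, is_admin)
    return [redact_entry(e, is_admin) for e in entries if matches(safe_filter, e)]


# Constructed sample directory.
ENTRIES = [
    {"cn": ["bob"], "sAMAccountName": ["bob"], "unixUserPassword": ["{CRYPT}x"]},
    {"cn": ["alice"], "sAMAccountName": ["alice"]},
]

if __name__ == "__main__":
    probe = ("and", [("eq", "cn", "bob"), ("eq", "unixUserPassword", "{CRYPT}x")])
    print(search(ENTRIES, probe, is_admin=False))  # []: the guess cannot be confirmed
    print(search(ENTRIES, probe, is_admin=True))   # bob's entry, password included
```

Note the negation case: for a non-administrator, (!(unixUserPassword=guess))
becomes NOT of an always-false clause, which matches every entry whatever
the guess, so it leaks nothing about the stored value. Rewriting the filter
is what closes the probing channel; stripping attributes from results alone
would still let (attr=guess) confirm a value by whether an entry comes back.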