[PATCH] samba-tool schema attribute query_oc

Alexander Bokovoy ab at samba.org
Mon Apr 30 05:48:29 UTC 2018


On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> Hi,
> 
> This is (yet another) patch to samba-tool. It extends the (still under
> review) schema attribute command to allow querying "what objectclass
> *could* hold this attribute". 
> 
> It's really useful for things like "Hey I need to add the attribute
> userClass to my person. What auxiliary objectClass do I need to add to
> my user to allow userClass to exist on it?"
Sounds useful, indeed.

A general comment: we need to do something with user-passed values used
to evaluate inside a filter. Right now there is no hardening, no LDAP
escaping, etc. It could be a security nightmare one day.

Maybe the command should be 'show_oc' rather than 'query_oc', as we
already have a 'show' command. Just to reduce the number of alternate namings...

> 
> Thanks for your time!
> 
> William

> From df2ee62b9562a63633ce714bd4b14e0dbe0ee220 Mon Sep 17 00:00:00 2001
> From: William Brown <william at blackhats.net.au>
> Date: Sun, 29 Apr 2018 13:28:42 +1200
> Subject: [PATCH] python/samba/netcmd/schema.py: add schema query_oc for
>  attribute
> 
> Often administrators need to add a specific attribute to an object, but
> it may not be possible with the objectClasses present. This tool allows
> searching "what objectclasses must or may?" take an attribute to help hint
> to an administrator what objectclasses can be added to objects to achieve
> the changes they want.
> 
> Signed-off-by: William Brown <william at blackhats.net.au>
> ---
>  docs-xml/manpages/samba-tool.8.xml      |  5 ++++
>  python/samba/netcmd/schema.py           | 50 +++++++++++++++++++++++++++++++++
>  python/samba/tests/samba_tool/schema.py | 10 +++++++
>  3 files changed, 65 insertions(+)
> 
> diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
> index 0466e125100..23b0b275a38 100644
> --- a/docs-xml/manpages/samba-tool.8.xml
> +++ b/docs-xml/manpages/samba-tool.8.xml
> @@ -727,6 +727,11 @@
>  	<para>Modify the behaviour of an attribute in schema.</para>
>  </refsect3>
>  
> +<refsect3>
> +	<title>schema attribute query_oc <replaceable>attribute</replaceable> [options]</title>
> +	<para>Search for objectclasses that MAY or MUST contain this attribute.</para>
> +</refsect3>
> +
>  <refsect3>
>  	<title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
>  	<para>Display an attribute schema definition.</para>
> diff --git a/python/samba/netcmd/schema.py b/python/samba/netcmd/schema.py
> index 71ec6b21061..daeb60aebff 100644
> --- a/python/samba/netcmd/schema.py
> +++ b/python/samba/netcmd/schema.py
> @@ -143,6 +143,53 @@ class cmd_schema_attribute_show(Command):
>              user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
>              self.outf.write(user_ldif)
>  
> +class cmd_schema_attribute_query_oc(Command):
> +    """Query what objectclasses MAY or MUST contain an attribute.
> +
> +    This is useful to determine "if I need uid, what objectclasses could be
> +    applied to achieve this."
> +    """
> +    synopsis = "%prog attribute [options]"
> +
> +    takes_optiongroups = {
> +        "sambaopts": options.SambaOptions,
> +        "versionopts": options.VersionOptions,
> +        "credopts": options.CredentialsOptions,
> +        }
> +
> +    takes_options = [
> +        Option("-H", "--URL", help="LDB URL for database or target server",
> +                type=str, metavar="URL", dest="H"),
> +        ]
> +
> +    takes_args = ["attribute"]
> +
> +    def run(self, attribute, H=None, credopts=None, sambaopts=None, versionopts=None):
> +        lp = sambaopts.get_loadparm()
> +        creds = credopts.get_credentials(lp)
> +
> +        samdb = SamDB(url=H, session_info=system_session(),
> +            credentials=creds, lp=lp)
> +
> +        schema_dn = samdb.schema_dn()
> +
> +        may_filt = '(&(objectClass=classSchema)(|(mayContain={0})(systemMayContain={0})))'.format(attribute)
> +        must_filt = '(&(objectClass=classSchema)(|(mustContain={0})(systemMustContain={0})))'.format(attribute)
> +
> +        may_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
> +                           expression=may_filt, attrs=['cn'])
> +        must_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
> +                           expression=must_filt, attrs=['cn'])
> +
> +        self.outf.write('--- MAY contain ---\n')
> +        for msg in may_res:
> +            self.outf.write('%s\n' % msg['cn'][0])
> +
> +        self.outf.write('--- MUST contain ---\n')
> +        for msg in must_res:
> +            self.outf.write('%s\n' % msg['cn'][0])
> +
> +
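Review bot: The MAY and MUST halves of run() are the same search-and-print sequence written out twice, and each list is emitted in whatever order the server returns it, so two runs against different DCs can print the same classes in a different order. A small private helper that takes the heading and the filter, and sorts the cn values before writing them, removes the duplication and makes the output stable and diffable. The filter construction lines are left as they are here; only the search and output lines change.

```python
    def _write_classes(self, samdb, schema_dn, heading, filt):
        # One search and one listing per heading; sorted so the output does
        # not depend on the order the server returns entries in.
        res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
                           expression=filt, attrs=['cn'])
        self.outf.write('--- %s contain ---\n' % heading)
        for name in sorted(str(msg['cn'][0]) for msg in res):
            self.outf.write('%s\n' % name)

    def run(self, attribute, H=None, credopts=None, sambaopts=None, versionopts=None):
        # … unchanged: loadparm, credentials, SamDB connection, schema_dn …
        # … unchanged: may_filt / must_filt construction …
        self._write_classes(samdb, schema_dn, 'MAY', may_filt)
        self._write_classes(samdb, schema_dn, 'MUST', must_filt)
```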
>  class cmd_schema_objectclass_show(Command):
>      """Show details about an objectClass from the schema.
>  
> @@ -188,11 +235,14 @@ class cmd_schema_attribute(SuperCommand):
>      subcommands = {}
>      subcommands["modify"] = cmd_schema_attribute_modify()
>      subcommands["show"] = cmd_schema_attribute_show()
> +    subcommands["query_oc"] = cmd_schema_attribute_query_oc()
>  
>  class cmd_schema_objectclass(SuperCommand):
>      """Query and manage objectclasses in the schema partition."""
>      subcommands = {}
>      subcommands["show"] = cmd_schema_objectclass_show()
> +    # Is this needed? It's a focused show afterall ...
> +    # subcommands["query_attr"] = cmd_schema_objectclass_query_attr()
>  
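Review bot: The two commented-out lines added under cmd_schema_objectclass register a class, `cmd_schema_objectclass_query_attr`, that this patch never defines, so the comment is dead code rather than a note and will confuse whoever next edits the subcommand table. Either drop both lines, or keep the intent as a single marker without the call, e.g. `# TODO: decide whether an objectclass query_attr subcommand is wanted`. cmd_schema_objectclass is fully inside the hunk; cmd_schema_attribute's header is outside it.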
>  class cmd_schema(SuperCommand):
>      """Schema querying and management."""
> diff --git a/python/samba/tests/samba_tool/schema.py b/python/samba/tests/samba_tool/schema.py
> index fdffe23b2b8..9a3f982f9d2 100644
> --- a/python/samba/tests/samba_tool/schema.py
> +++ b/python/samba/tests/samba_tool/schema.py
> @@ -51,6 +51,16 @@ class SchemaCmdTestCase(SambaToolCmdTest):
>  
>          self.assertCmdSuccess(result, out, err)
>  
> +    def test_query_oc_attribute(self):
> +        """Tests that we can modify searchFlags of an attribute"""
> +        (result, out, err) = self.runsubcmd("schema", "attribute",
> +                              "query_oc", "cn",
> +                              "-H", "ldap://%s" % os.environ["DC_SERVER"],
> +                              "-U%s%%%s" % (os.environ["DC_USERNAME"],
> +                                            os.environ["DC_PASSWORD"]))
> +
> +        self.assertCmdSuccess(result, out, err)
> +
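Review bot: The docstring on test_query_oc_attribute still reads "Tests that we can modify searchFlags of an attribute", which describes the test it was copied from, not this one; it should say `"""Tests that we can query which objectclasses MAY or MUST contain an attribute"""`. The test also only checks the exit status, so a command that prints nothing would still pass; since the command always writes the two section headers, adding `self.assertIn('--- MAY contain ---', out)` and `self.assertIn('--- MUST contain ---', out)` after assertCmdSuccess pins the actual output format. The enclosing SchemaCmdTestCase class continues outside the hunk.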
>      def test_display_objectclass(self):
>          """Tests that we can display schema objectclasses"""
>          (result, out, err) = self.runsubcmd("schema", "objectclass",
> -- 
> 2.14.3
> 


-- 
/ Alexander Bokovoy


