[PATCH] samba-tool schema attribute query_oc
Alexander Bokovoy
ab at samba.org
Mon Apr 30 05:48:29 UTC 2018
On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> Hi,
>
> This is (yet another) patch to samba-tool. It extends the (still under
> review) schema attribute command to allow querying "what objectclass
> *could* hold this attribute".
>
> It's really useful for things like "Hey I need to add the attribute
> userClass to my person. What auxiliary objectClass do I need to add to
> my user to allow userClass to exist on it?"
Sounds useful, indeed.
A general comment: we need to do something about user-passed values that
are evaluated inside a filter. Right now there is no hardening, no LDAP
escaping, etc. It could be a security nightmare one day.
Maybe the command could be 'show_oc' rather than 'query_oc', as we
already have a 'show' command. Just to reduce the number of alternate namings...
>
> Thanks for your time!
>
> William
> From df2ee62b9562a63633ce714bd4b14e0dbe0ee220 Mon Sep 17 00:00:00 2001
> From: William Brown <william at blackhats.net.au>
> Date: Sun, 29 Apr 2018 13:28:42 +1200
> Subject: [PATCH] python/samba/netcmd/schema.py: add schema query_oc for
> attribute
>
> Often administrators need to add a specific attribute to an object, but
> it may not be possible with the objectClasses present. This tool allows
> searching "what objectclasses must or may?" take an attribute to help hint
> to an administrator what objectclasses can be added to objects to achieve
> the changes they want.
>
> Signed-off-by: William Brown <william at blackhats.net.au>
> ---
> docs-xml/manpages/samba-tool.8.xml | 5 ++++
> python/samba/netcmd/schema.py | 50 +++++++++++++++++++++++++++++++++
> python/samba/tests/samba_tool/schema.py | 10 +++++++
> 3 files changed, 65 insertions(+)
>
> diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
> index 0466e125100..23b0b275a38 100644
> --- a/docs-xml/manpages/samba-tool.8.xml
> +++ b/docs-xml/manpages/samba-tool.8.xml
> @@ -727,6 +727,11 @@
> <para>Modify the behaviour of an attribute in schema.</para>
> </refsect3>
>
> +<refsect3>
> + <title>schema attribute query_oc <replaceable>attribute</replaceable> [options]</title>
> + <para>Search for objectclasses that MAY or MUST contain this attribute.</para>
> +</refsect3>
> +
> <refsect3>
> <title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
> <para>Display an attribute schema definition.</para>
> diff --git a/python/samba/netcmd/schema.py b/python/samba/netcmd/schema.py
> index 71ec6b21061..daeb60aebff 100644
> --- a/python/samba/netcmd/schema.py
> +++ b/python/samba/netcmd/schema.py
> @@ -143,6 +143,53 @@ class cmd_schema_attribute_show(Command):
> user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
> self.outf.write(user_ldif)
>
> +class cmd_schema_attribute_query_oc(Command):
> + """Query what objectclasses MAY or MUST contain an attribute.
> +
> + This is useful to determine "if I need uid, what objectclasses could be
> + applied to achieve this."
> + """
> + synopsis = "%prog attribute [options]"
> +
> + takes_optiongroups = {
> + "sambaopts": options.SambaOptions,
> + "versionopts": options.VersionOptions,
> + "credopts": options.CredentialsOptions,
> + }
> +
> + takes_options = [
> + Option("-H", "--URL", help="LDB URL for database or target server",
> + type=str, metavar="URL", dest="H"),
> + ]
> +
> + takes_args = ["attribute"]
> +
> + def run(self, attribute, H=None, credopts=None, sambaopts=None, versionopts=None):
> + lp = sambaopts.get_loadparm()
> + creds = credopts.get_credentials(lp)
> +
> + samdb = SamDB(url=H, session_info=system_session(),
> + credentials=creds, lp=lp)
> +
> + schema_dn = samdb.schema_dn()
> +
> + may_filt = '(&(objectClass=classSchema)(|(mayContain={0})(systemMayContain={0})))'.format(attribute)
> + must_filt = '(&(objectClass=classSchema)(|(mustContain={0})(systemMustContain={0})))'.format(attribute)
> +
> + may_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
> + expression=may_filt, attrs=['cn'])
> + must_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
> + expression=must_filt, attrs=['cn'])
> +
> + self.outf.write('--- MAY contain ---\n')
> + for msg in may_res:
> + self.outf.write('%s\n' % msg['cn'][0])
> +
> + self.outf.write('--- MUST contain ---\n')
> + for msg in must_res:
> + self.outf.write('%s\n' % msg['cn'][0])
> +
> +
> class cmd_schema_objectclass_show(Command):
> """Show details about an objectClass from the schema.
>
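Review bot: An attribute name that matches nothing (a typo, for instance) makes `run` print the two section headers with no entries and still exit successfully, so a caller cannot tell "no class allows this" from "no such attribute". After the two `samdb.search` calls, consider failing explicitly, e.g. `if len(may_res) == 0 and len(must_res) == 0: raise CommandError("No objectclass lists attribute '%s'" % attribute)`; this assumes `CommandError` is already imported in this module, which the hunk does not show. `run` would also benefit from a short docstring stating that only classes naming the attribute directly in `mayContain`, `systemMayContain`, `mustContain` or `systemMustContain` are reported, since that is all the two filters match.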
> @@ -188,11 +235,14 @@ class cmd_schema_attribute(SuperCommand):
> subcommands = {}
> subcommands["modify"] = cmd_schema_attribute_modify()
> subcommands["show"] = cmd_schema_attribute_show()
> + subcommands["query_oc"] = cmd_schema_attribute_query_oc()
>
> class cmd_schema_objectclass(SuperCommand):
> """Query and manage objectclasses in the schema partition."""
> subcommands = {}
> subcommands["show"] = cmd_schema_objectclass_show()
> + # Is this needed? It's a focused show afterall ...
> + # subcommands["query_attr"] = cmd_schema_objectclass_query_attr()
>
> class cmd_schema(SuperCommand):
> """Schema querying and management."""
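Review bot: The two comment lines added under `cmd_schema_objectclass` leave an open question and a commented-out registration for `cmd_schema_objectclass_query_attr`, a class that is not defined anywhere in this patch. I would drop both lines from the commit and raise the question in the cover letter instead, so that nobody later uncomments a line that fails with a NameError at import. If a marker must stay, a single line such as `# TODO: decide whether objectclass needs a query_attr counterpart to attribute query_oc` is clearer.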
> diff --git a/python/samba/tests/samba_tool/schema.py b/python/samba/tests/samba_tool/schema.py
> index fdffe23b2b8..9a3f982f9d2 100644
> --- a/python/samba/tests/samba_tool/schema.py
> +++ b/python/samba/tests/samba_tool/schema.py
> @@ -51,6 +51,16 @@ class SchemaCmdTestCase(SambaToolCmdTest):
>
> self.assertCmdSuccess(result, out, err)
>
> + def test_query_oc_attribute(self):
> + """Tests that we can modify searchFlags of an attribute"""
> + (result, out, err) = self.runsubcmd("schema", "attribute",
> + "query_oc", "cn",
> + "-H", "ldap://%s" % os.environ["DC_SERVER"],
> + "-U%s%%%s" % (os.environ["DC_USERNAME"],
> + os.environ["DC_PASSWORD"]))
> +
> + self.assertCmdSuccess(result, out, err)
> +
> def test_display_objectclass(self):
> """Tests that we can display schema objectclasses"""
> (result, out, err) = self.runsubcmd("schema", "objectclass",
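Review bot: The docstring of `test_query_oc_attribute` reads "Tests that we can modify searchFlags of an attribute", which looks copied from another test and does not describe a query_oc run; something like `"""Tests that we can query which objectclasses may or must contain an attribute"""` fits. The test also checks only the exit status, so it would still pass if the command printed nothing useful; adding `self.assertIn("--- MAY contain ---", out)` and `self.assertIn("--- MUST contain ---", out)` would pin the section headers the command writes. The trailing context lines belong to `test_display_objectclass`, which continues outside the hunk.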
> --
> 2.14.3
>
--
/ Alexander Bokovoy