[PATCH] samba-tool schema attribute query_oc

William Brown william at blackhats.net.au
Mon Apr 30 21:58:49 UTC 2018


On Mon, 2018-04-30 at 08:48 +0300, Alexander Bokovoy via samba-
technical wrote:
> On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> > Hi,
> > 
> > This is (yet another) patch to samba-tool. It extends the (still under
> > review) schema attribute command to allow querying "what objectclass
> > *could* hold this attribute".
> > 
> > It's really useful for things like "Hey I need to add the attribute
> > userClass to my person. What auxiliary objectClass do I need to add to
> > my user to allow userClass to exist on it?"
> 
> Sounds useful, indeed.
> 
> A general comment: we need to do something with user-passed values used
> to evaluate inside a filter. Right now there is no hardening, no LDAP
> escaping, etc. It could be a security nightmare one day.

This seems to be the case all over the samdb api though. Today it's
"not too bad" because all these commands would (hopefully) only be run
interactively, not from a script. And even then, in this case you
probably can't do *too* much damage.

But the risk is there. I think that in the future I want to move the
logic of some of these operations out of the CLI where it currently is,
and move it to samdb.py. It would be there that we can do filter
templating and proper escaping of input.

We have an escaping mechanism built into the lib389 object mechanism
that does this already (because lib389 will end up in ipa/web apps I
expect), so this design already works in my experience. I'm hoping to
recreate a subset of this work in the samba project as in general it
would be excellent to be able to "expose" samdb as a more complete
object manipulation API than it currently is today. 

I think in summary - It's in my mind, I just need to find the time to
do it. And as you know Alex, I have plenty of time at the moment ;) 

> 
> Maybe the command would be 'show_oc' rather than 'query_oc' as we have
> already a 'show' command. Just to reduce the number of alternate namings...

The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".

> 
> > 
> > Thanks for your time!
> > 
> > William
> > From df2ee62b9562a63633ce714bd4b14e0dbe0ee220 Mon Sep 17 00:00:00
> > 2001
> > From: William Brown <william at blackhats.net.au>
> > Date: Sun, 29 Apr 2018 13:28:42 +1200
> > Subject: [PATCH] python/samba/netcmd/schema.py: add schema query_oc
> > for
> >  attribute
> > 
> > Often administrators need to add a specific attribute to an object,
> > but
> > it may not be possible with the objectClasses present. This tool
> > allows
> > searching "what objectclasses must or may?" take an attribute to
> > help hint
> > to an administrator what objectclasses can be added to objects to
> > achieve
> > the changes they want.
> > 
> > Signed-off-by: William Brown <william at blackhats.net.au>
> > ---
> >  docs-xml/manpages/samba-tool.8.xml      |  5 ++++
> >  python/samba/netcmd/schema.py           | 50
> > +++++++++++++++++++++++++++++++++
> >  python/samba/tests/samba_tool/schema.py | 10 +++++++
> >  3 files changed, 65 insertions(+)
> > 
> > diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-
> > xml/manpages/samba-tool.8.xml
> > index 0466e125100..23b0b275a38 100644
> > --- a/docs-xml/manpages/samba-tool.8.xml
> > +++ b/docs-xml/manpages/samba-tool.8.xml
> > @@ -727,6 +727,11 @@
> >  	<para>Modify the behaviour of an attribute in
> > schema.</para>
> >  </refsect3>
> >  
> > +<refsect3>
> > +	<title>schema attribute query_oc
> > <replaceable>attribute</replaceable> [options]</title>
> > +	<para>Search for objectclasses that MAY or MUST contain
> > this attribute.</para>
> > +</refsect3>
> > +
> >  <refsect3>
> >  	<title>schema attribute show
> > <replaceable>attribute</replaceable> [options]</title>
> >  	<para>Display an attribute schema definition.</para>
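Review bot: the new manpage entry should say what `attribute` is matched against. The filter in schema.py compares it with mayContain/mustContain values, and those hold the attribute's lDAPDisplayName (`cn`, as in the test), not the schema object's CN (`Common-Name`), so an admin who passes the CN form gets an empty result with no hint why. Suggest `<para>Search for objectclasses that MAY or MUST contain the attribute, given by its lDAPDisplayName.</para>`.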
> > diff --git a/python/samba/netcmd/schema.py
> > b/python/samba/netcmd/schema.py
> > index 71ec6b21061..daeb60aebff 100644
> > --- a/python/samba/netcmd/schema.py
> > +++ b/python/samba/netcmd/schema.py
> > @@ -143,6 +143,53 @@ class cmd_schema_attribute_show(Command):
> >              user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
> >              self.outf.write(user_ldif)
> >  
> > +class cmd_schema_attribute_query_oc(Command):
> > +    """Query what objectclasses MAY or MUST contain an attribute.
> > +
> > +    This is useful to determine "if I need uid, what objectclasses
> > could be
> > +    applied to achieve this."
> > +    """
> > +    synopsis = "%prog attribute [options]"
> > +
> > +    takes_optiongroups = {
> > +        "sambaopts": options.SambaOptions,
> > +        "versionopts": options.VersionOptions,
> > +        "credopts": options.CredentialsOptions,
> > +        }
> > +
> > +    takes_options = [
> > +        Option("-H", "--URL", help="LDB URL for database or target
> > server",
> > +                type=str, metavar="URL", dest="H"),
> > +        ]
> > +
> > +    takes_args = ["attribute"]
> > +
> > +    def run(self, attribute, H=None, credopts=None,
> > sambaopts=None, versionopts=None):
> > +        lp = sambaopts.get_loadparm()
> > +        creds = credopts.get_credentials(lp)
> > +
> > +        samdb = SamDB(url=H, session_info=system_session(),
> > +            credentials=creds, lp=lp)
> > +
> > +        schema_dn = samdb.schema_dn()
> > +
> > +        may_filt =
> > '(&(objectClass=classSchema)(|(mayContain={0})(systemMayContain={0}
> > )))'.format(attribute)
> > +        must_filt =
> > '(&(objectClass=classSchema)(|(mustContain={0})(systemMustContain={
> > 0})))'.format(attribute)
> > +
> > +        may_res = samdb.search(base=schema_dn,
> > scope=ldb.SCOPE_SUBTREE,
> > +                           expression=may_filt, attrs=['cn'])
> > +        must_res = samdb.search(base=schema_dn,
> > scope=ldb.SCOPE_SUBTREE,
> > +                           expression=must_filt, attrs=['cn'])
> > +
> > +        self.outf.write('--- MAY contain ---\n')
> > +        for msg in may_res:
> > +            self.outf.write('%s\n' % msg['cn'][0])
> > +
> > +        self.outf.write('--- MUST contain ---\n')
> > +        for msg in must_res:
> > +            self.outf.write('%s\n' % msg['cn'][0])
> > +
> > +
> >  class cmd_schema_objectclass_show(Command):
> >      """Show details about an objectClass from the schema.
> >  
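Review bot: `attribute` is interpolated straight into `may_filt` and `must_filt` with `.format()`, so a value containing `)`, `(`, `*` or `\` changes the structure of the filter; this is exactly the unescaped-input problem raised earlier in the thread, and it is cheap to close here rather than waiting for the samdb.py refactor: run it through pyldb's `ldb.binary_encode(attribute)`, which samdb.py already uses for other user-supplied filter values, or reject anything that is not a plain lDAPDisplayName before the filter is built. Second, the loops print `msg['cn'][0]`, but `objectClass` values are lDAPDisplayNames, not CNs (`Organizational-Person` vs `organizationalPerson`), so the admin cannot paste the printed name into an `objectClass` add, which is the stated purpose of the command; request `attrs=['lDAPDisplayName']` and print that instead. Minor: the docstring example (`"if I need uid, what objectclasses could be applied"`) reads better as the command it describes, e.g. `samba-tool schema attribute query_oc uid`.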
> > @@ -188,11 +235,14 @@ class cmd_schema_attribute(SuperCommand):
> >      subcommands = {}
> >      subcommands["modify"] = cmd_schema_attribute_modify()
> >      subcommands["show"] = cmd_schema_attribute_show()
> > +    subcommands["query_oc"] = cmd_schema_attribute_query_oc()
> >  
> >  class cmd_schema_objectclass(SuperCommand):
> >      """Query and manage objectclasses in the schema partition."""
> >      subcommands = {}
> >      subcommands["show"] = cmd_schema_objectclass_show()
> > +    # Is this needed? It's a focused show afterall ...
> > +    # subcommands["query_attr"] =
> > cmd_schema_objectclass_query_attr()
> >  
> >  class cmd_schema(SuperCommand):
> >      """Schema querying and management."""
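Review bot: the two commented-out lines registering `cmd_schema_objectclass_query_attr` refer to a class that does not exist anywhere in this patch; either drop the comment before merging or implement the command, since dead registration lines tend to linger in SuperCommand tables. Typo in the comment: `afterall` should be `after all`.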
> > diff --git a/python/samba/tests/samba_tool/schema.py
> > b/python/samba/tests/samba_tool/schema.py
> > index fdffe23b2b8..9a3f982f9d2 100644
> > --- a/python/samba/tests/samba_tool/schema.py
> > +++ b/python/samba/tests/samba_tool/schema.py
> > @@ -51,6 +51,16 @@ class SchemaCmdTestCase(SambaToolCmdTest):
> >  
> >          self.assertCmdSuccess(result, out, err)
> >  
> > +    def test_query_oc_attribute(self):
> > +        """Tests that we can modify searchFlags of an attribute"""
> > +        (result, out, err) = self.runsubcmd("schema", "attribute",
> > +                              "query_oc", "cn",
> > +                              "-H", "ldap://%s" %
> > os.environ["DC_SERVER"],
> > +                              "-U%s%%%s" %
> > (os.environ["DC_USERNAME"],
> > +                                            os.environ["DC_PASSWOR
> > D"]))
> > +
> > +        self.assertCmdSuccess(result, out, err)
> > +
> >      def test_display_objectclass(self):
> >          """Tests that we can display schema objectclasses"""
> >          (result, out, err) = self.runsubcmd("schema",
> > "objectclass",
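Review bot: the docstring `Tests that we can modify searchFlags of an attribute` is copied from the modify test and does not describe `test_query_oc_attribute`; change it to something like `Tests that we can query which objectclasses MAY or MUST contain an attribute`. The test also only checks the exit status, so a filter that silently matches nothing still passes; since the command prints `--- MAY contain ---` and `--- MUST contain ---` followed by class names, assert on `out` as well, at least that both headers are present and that the result for `cn` lists at least one class.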
> > -- 
> > 2.14.3
> > 
> 
> 
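The escaping the thread is discussing, as an added example written for this page (it is not Samba's, samdb.py's or lib389's code): an RFC 4515 assertion-value escaper, an allow-list check that suits a schema attribute name, and the two query_oc filters from the patch built from a checked and escaped name. The function names, the lDAPDisplayName regex and the sample inputs are my own assumptions.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value):
    """Escape a string so it can only ever be an assertion value in a filter.

    Special characters become \\XX hex escapes; control and non-ASCII
    characters are UTF-8 encoded and every byte is written as \\XX.
    """
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.append(''.join(r'\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


# An AD lDAPDisplayName is a plain identifier, so for a schema lookup an
# allow-list is the simplest defence; this pattern is an assumption, not
# something taken from the Samba schema code.
_LDAP_DISPLAY_NAME = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')


def is_valid_attribute_name(name):
    """True if name looks like an lDAPDisplayName and nothing else."""
    return bool(_LDAP_DISPLAY_NAME.match(name))


def build_oc_filters(attribute):
    """Return (may_filter, must_filter) for a query_oc style lookup.

    Rejects malformed names first, then escapes the value anyway so the
    helper stays safe if the allow-list is ever relaxed for other callers.
    """
    if not is_valid_attribute_name(attribute):
        raise ValueError('not an attribute name: %r' % (attribute,))
    a = escape_filter_value(attribute)
    may_filt = ('(&(objectClass=classSchema)'
                '(|(mayContain=%s)(systemMayContain=%s)))' % (a, a))
    must_filt = ('(&(objectClass=classSchema)'
                 '(|(mustContain=%s)(systemMustContain=%s)))' % (a, a))
    return may_filt, must_filt


if __name__ == '__main__':
    # Constructed inputs: a normal name and one that carries filter syntax.
    for name in ('userClass', 'cn)(objectClass=*'):
        print('%-22r -> %s' % (name, escape_filter_value(name)))
    print(build_oc_filters('userClass')[0])
```

The escaper keeps every user character inside the assertion value, which is the property the thread wants from samdb-level filter templating; the allow-list is the stricter check that makes sense when the value is known to be a schema name. pyldb's `ldb.binary_encode()` does the same job as `escape_filter_value()` inside Samba, so the project would use that rather than a hand-written escaper.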


