[PATCH] samba-tool schema attribute query_oc

Alexander Bokovoy ab at samba.org
Tue May 1 07:15:41 UTC 2018


On Tue, 01 May 2018, William Brown wrote:
> On Mon, 2018-04-30 at 08:48 +0300, Alexander Bokovoy via samba-
> technical wrote:
> > On Mon, 30 Apr 2018, William Brown via samba-technical wrote:
> > > Hi,
> > > 
> > > This is (yet another) patch to samba-tool. It extends the (still
> > > under
> > > review) schema attribute command to allow querying "what
> > > objectclass
> > > *could* hold this attribute". 
> > > 
> > > It's really useful for things like "Hey I need to add the attribute
> > > userClass to my person. What auxiliary objectClass do I need to add
> > > to
> > > my user to allow userClass to exist on it?"
> > 
> > Sounds useful, indeed.
> > 
> > A general comment: we need to do something with user-passed values
> > used
> > to evaluate inside a filter. Right now there is no hardening, no LDAP
> > escaping, etc. It could be a security nightmare one day.
> 
> This seems to be the case all over the samdb api though. Today it's
> "not too bad" because all these commands would (hopefully) only be run
> interactively, not from a script. And even then, in this case you
> probably can't do *too* much damage.
> 
> But the risk is there. I think that in the future I want to move the
> logic of some of these operations out of the CLI where it currently is,
> and move it to samdb.py. It would be there that we can do filter
> templating and proper escaping of input.
> 
> We have an escaping mechanism built into the lib389 object mechanism
> that does this already (because lib389 will end up in ipa/web apps I
> expect), so this design already works in my experience. I'm hoping to
> recreate a subset of this work in the samba project as in general it
> would be excellent to be able to "expose" samdb as a more complete
> object manipulation API than it currently is today. 
> 
> I think in summary - It's in my mind, I just need to find the time to
> do it. And as you know Alex, I have plenty of time at the moment ;) 
Could you please open a bug at bugzilla.samba.org so that it is not
forgotten from the perspective of release management?

> > Maybe the command would be 'show_oc' rather than 'query_oc' as we
> > have
> > already a 'show' command. Just to reduce the number of alternate
> > namings...
> 
> The alternate naming helps autocomplete, and also makes the command
> "unique". But I certainly also see your point to limit the "creep".
Autocomplete works for multiple commands with a common prefix too, it is
not a problem. I do want to reduce this 'leakage' for non-native
speakers, though.

-- 
/ Alexander Bokovoy
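The escaping problem raised above (user-passed values interpolated straight into an LDAP search filter) is easy to see in a small worked example. The code below is an added illustration written for this thread, not samba-tool's schema command nor anything from samdb.py; the filter template, the function names and the `assertion_attributes` helper are assumptions made for the demonstration. It shows the unsafe pattern, the RFC 4515 escaping that fixes it, and an allow-list check that a schema command could apply before building a filter at all.

```python
"""Escaping user-supplied values inside LDAP search filters (RFC 4515).

Example code written for this thread; the filter template and helpers are
illustrative and do not come from samba-tool or samdb.py.
"""
import re

# Characters RFC 4515 section 3 requires to be escaped in an assertion value,
# mapped to their backslash-hex form.
_ESCAPE = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def ldap_filter_escape(value):
    """Return `value` with filter metacharacters escaped per RFC 4515."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)


# Hypothetical template of the kind a schema query command might use.
_TEMPLATE = "(&(objectClass=attributeSchema)(lDAPDisplayName=%s))"


def naive_oc_filter(attr_name):
    """Unsafe pattern: the caller's value is dropped into the filter as-is."""
    return _TEMPLATE % attr_name


def safe_oc_filter(attr_name):
    """Hardened form: the value is escaped before interpolation."""
    return _TEMPLATE % ldap_filter_escape(attr_name)


def is_ldap_attribute_name(name):
    """Allow-list check: LDAP attribute descriptors are a letter followed by
    letters, digits or hyphens. Rejecting anything else before the filter is
    built is stronger than escaping alone."""
    return re.fullmatch(r'[A-Za-z][A-Za-z0-9-]*', name) is not None


# Matches the start of an attribute assertion, e.g. "(cn=" or "(uid~=".
_ASSERTION = re.compile(r'\(([A-Za-z][\w;-]*)[~<>]?=')


def assertion_attributes(flt):
    """List the attribute names of every assertion in a filter string, so the
    effect of an unescaped value on the filter's structure is visible."""
    return _ASSERTION.findall(flt)


if __name__ == "__main__":
    # Constructed input: a value that carries filter syntax of its own.
    hostile = "*)(objectClass="
    print("naive:", naive_oc_filter(hostile))
    print("  assertions:", assertion_attributes(naive_oc_filter(hostile)))
    print("safe: ", safe_oc_filter(hostile))
    print("  assertions:", assertion_attributes(safe_oc_filter(hostile)))
    print("allowed as attribute name:", is_ldap_attribute_name(hostile))
```

With the constructed value the naive filter gains a third assertion that the caller never intended, while the escaped filter still has exactly the two assertions from the template; the allow-list check rejects the value outright. Either measure belongs in the shared samdb layer rather than in each CLI command, which is the direction William describes above.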