[PATCH] samba-tool schema attribute query_oc

Alexander Bokovoy ab at samba.org
Tue May 1 07:15:41 UTC 2018

On ti, 01 touko 2018, William Brown wrote:
> On Mon, 2018-04-30 at 08:48 +0300, Alexander Bokovoy via samba-
> technical wrote:
> > On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> > > Hi,
> > > 
> > > This is (yet another) patch to samba-tool. It extends the (still
> > > under
> > > review) schema attribute command to allow querying "what
> > > objectclass
> > > *could* hold this attribute". 
> > > 
> > > It's really useful for things like "Hey I need to add the attribute
> > > userClass to my person. What auxillary objectClass do I need to add
> > > to
> > > my user to allow userClass to exist on it?"
> > 
> > Sounds useful, indeed.
> > 
> > A general comment: we need to do something with user-passed values
> > used
> > to evaluate inside a filter. Right now there is no hardening, no LDAP
> > escaping, etc. It could be a security nightmare one day.
> These seems to be the case all over the samdb api though. Today it's
> "not too bad" because all these commands would (hopefully) only be run
> interactively, not from a script. And even then, in this case you
> probably can't do *too* much damage.
> But the risk is there. I think that in the future I want to move the
> logic of some of these operations out of the CLI where it currently is,
> and move it to samdb.py. It would be there that we can do filter
> templating and proper escaping of input.
> We have an escaping mechanism built into the lib389 object mechanism
> that does this already (because lib389 will end up in ipa/web apps I
> expect), so this design already works in my experience. I'm hoping to
> recreate a subset of this work in the samba project as in general it
> would be excellent to be able to "expose" samdb as a more complete
> object manipulation API than it currently is today. 
> I think in summary - It's in my mind, I just need to find the time to
> do it. And as you know Alex, I have plenty of time at the moment ;) 
Could you please open a bug at bugzilla.samba.org so that it is not
forgotten from the perspective of a release management?

> > May be the command would be 'show_oc' rather than 'query_oc' as we
> > have
> > already a 'show' command. Just to reduce number of alternate
> > namings...
> The alternate naming helps autocomplete, and also makes the command
> "unique". But I certainly also see your point to limit the "creep".
Autocomplete works for multiple commands with a common prefix too, it is
not a problem. I do want to reduce this 'leakage' for non-native
speakers, though.

/ Alexander Bokovoy

More information about the samba-technical mailing list