[PATCH] samba-tool schema attribute query_oc

Andrew Bartlett abartlet at samba.org
Tue May 8 22:40:01 UTC 2018


Taking a look over this for the first time, I noticed this:

On Wed, 2018-05-02 at 10:18 +1200, William Brown via samba-technical
wrote:
> 0x1: create an equality index for this attribute.
> +    0x2: create a container index for this attribute (ie OU).
> +    0x4: specify that this attribute is a member of the ambiguous name
> +         resolution set.
> +    0x8: indicate that the value of this attribute should be preserved when
> +         the object is converted to a tombstone (deleted).
> +    0x10: hint to clients that this attribute should be copied.
> +    0x20: create a tuple index for this attribute. This is used in substring
> +          queries.
> +    0x40: create a browsing index for this attribute. VLV searches require this.
> +    0x80: indicate that the attribute is confidental and requires special access
> +          checks.
> +    0x100: indicate that changes to this value should NOT be audited.
> +    0x200: indicate that this value should not be replicated to RODCs.
> +    0x400: indicate to the DC to perform extra link tracking.
> +    0x800: indicate that this attribute should only be displayed when the search
> +           scope of the query is SCOPE_BASE or a single object result.
> +    0x1000: indicate that this attribute is a partition secret and requires
> +            special access checks.
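
Review bot: the 0x80 line misspells "confidential" as "confidental", and every entry in this list is keyed only by its hex value, so the help text gives users nothing but integers to pass. Put the symbolic flag name next to each value, and state whether values can be combined (for example 0x1 together with 0x80), since the text describes each bit on its own and never says so.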

I think we should ensure the flags are modified by string (eg fI, not
by integer (so we don't have magic int values in scripts that will be
written around this) and just support the values that Samba supports
for now. 

Please use these names from python/samba/ms_schema.py:

# ADTS: 2.2.9
# bit positions as labeled in the docs
bitFields["searchflags"] = {
    'fATTINDEX': 31,         # IX
    'fPDNTATTINDEX': 30,     # PI
    'fANR': 29,  # AR
    'fPRESERVEONDELETE': 28,         # PR
    'fCOPY': 27,     # CP
    'fTUPLEINDEX': 26,       # TP
    'fSUBTREEATTINDEX': 25,  # ST
    'fCONFIDENTIAL': 24,     # CF
    'fNEVERVALUEAUDIT': 23,  # NV
    'fRODCAttribute': 22,    # RO


    # missing in ADTS but required by LDIF
    'fRODCFilteredAttribute': 22,    # RO ?
    'fCONFIDENTAIL': 24, # typo
    'fRODCFILTEREDATTRIBUTE': 22 # case
    }


The rest looks quite useful and reasonable, but I need to look over it
again more carefully.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
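
The name-based flag handling asked for in this message, as an added example that is not part of the original mail or of Samba's code. It assumes the bit positions in the quoted table count from the most significant bit of a 32-bit value (position 31 is 0x1), which matches the hex values in the quoted help text; the function names are hypothetical.

```python
# Added example: convert searchFlags between names and integers.
# Table copied from the python/samba/ms_schema.py excerpt quoted above;
# positions are the doc's bit labels (assumed: 31 = lowest bit, 0x1).
SEARCHFLAG_BITS = {
    'fATTINDEX': 31,
    'fPDNTATTINDEX': 30,
    'fANR': 29,
    'fPRESERVEONDELETE': 28,
    'fCOPY': 27,
    'fTUPLEINDEX': 26,
    'fSUBTREEATTINDEX': 25,
    'fCONFIDENTIAL': 24,
    'fNEVERVALUEAUDIT': 23,
    'fRODCAttribute': 22,
}
# Alternate spellings the excerpt lists as required by LDIF input.
ALIASES = {
    'fRODCFilteredAttribute': 'fRODCAttribute',
    'fCONFIDENTAIL': 'fCONFIDENTIAL',
    'fRODCFILTEREDATTRIBUTE': 'fRODCAttribute',
}

def flag_value(name):
    """Integer mask for one flag name; unknown names raise ValueError."""
    name = ALIASES.get(name, name)
    if name not in SEARCHFLAG_BITS:
        raise ValueError("unknown searchFlags name: %r" % name)
    return 1 << (31 - SEARCHFLAG_BITS[name])

def encode_searchflags(names):
    """OR together the masks of the given flag names."""
    value = 0
    for name in names:
        value |= flag_value(name)
    return value

def decode_searchflags(value):
    """Return (names, leftover); leftover holds bits with no name in the table."""
    ordered = sorted(SEARCHFLAG_BITS.items(), key=lambda kv: -kv[1])
    names = [n for n, pos in ordered if value & (1 << (31 - pos))]
    leftover = value & ~encode_searchflags(SEARCHFLAG_BITS)
    return names, leftover

if __name__ == "__main__":
    print(hex(encode_searchflags(['fATTINDEX', 'fCONFIDENTIAL'])))
    print(decode_searchflags(0x481))  # constructed sample value
```

A non-zero `leftover` from `decode_searchflags` marks bits such as 0x400, 0x800 or 0x1000 that the quoted table does not name, so a caller can refuse them instead of writing them silently.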






