[PATCH] samba-tool schema attribute query_oc
William Brown
william at blackhats.net.au
Fri May 18 06:45:42 UTC 2018
On Fri, 2018-05-18 at 18:39 +1200, Andrew Bartlett wrote:
> On Fri, 2018-05-18 at 16:32 +1000, William Brown wrote:
> > >
> > > > > Also, on the show command, do the reverse mapping back to the
> > > > > string flags.
> > > >
> > > > That's quite a bit more invasive, but can be done.
> > >
> > > Most mortals don't do hex bitmasks in their heads nearly as well as a
> > > computer can :-)
> > >
> > > For both get and set, unknown flags can still be represented in hex,
> > > but I don't fancy the support enquiries about flags our tools support
> > > but our server ignores.
> > >
> >
> > Hey mate,
> >
> > I've decided not to do this. I think it's extremely complicated, and
> > can not be done cleanly.
> >
> > This stems from two issues.
> >
> > First we could make the change in write_ldif, but then we need a way in
> > reading an ldif to transform these flags back into an int. Not nice,
> > and also really hacking in write_ldif.
> >
> > We could parse each msg element, and print them all, but then we are
> > basically re-writing write_ldif but in Python as we need to understand
> > all the binary decode cases so we can do ndr_unpack etc. Again, a huge
> > amount of effort, and really not nice.
>
> You can just push a string value or set of string values back into the
> ldb message and then print it. It isn't read-only.

So get the flags, change them, then push to write_ldif? This seems too easy ;)
>
> > Another solution is "use write_ldif and then string manipulate
> > the output". This is the cleanest solution, and that says something
> > given how absolutely hacky it is. Either we'd replace the values in the
> > string output, or add "another attribute" like searchFlagsDecoded: and
> > put the values in that. But this is just as horrible.
> >
> > The last option (which I think is actually the best) is a patch to LDB
> > to support generating these flags to the actual object itself so you
> > can just see them with plain ldapsearch. Then we don't need special
> > handling in the cli at all, and any ldap viewer will see these flags.
> > But that's also the most controversial change too :)
>
> We do that for plenty of other attributes. See
> lib/ldb-samba/ldif_handlers.c

Yes, but we'd be adding an attr that's "not in schema" technically. I
think your solution above is better.
>
> > Today, having something to show schema is already 100x better than we
> > were a month ago. Even if it's not perfect doing the decode, it's still
> > a huge jump. So that's why I'm not going to implement this (today). I'm
> > happy to leave it in my mind and come back to it when we have a proper,
> > clean way to do this.
> >
> > > > >
> > > > > Finally, you seem to be looking for ldb.get_schema_basedn() with
> > > > > your patch to samdb.py.
> > > >
> > > > Ahhhhhh okay. I'll check this and update soon.
> > > >
> >
> > Fixed,
> >
> > Updated patches attached.
>
> Before I look at these again, can you push them to some kind of CI,
> either github or gitlab?

Sure, will do. I've been careful to run make test with these, but CI is
good too :)
>
> Thanks,
>
> Andrew Bartlett
>
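
The flag mapping discussed in this thread (decode to names on show, accept names on set, keep unknown bits in hex), as an added Python example that is not part of the attached patches or of samba-tool. Bit names and values follow the searchFlags table in MS-ADTS; the helper names and the 32-bit masking are assumptions of this example.

```python
# Added example, not samba-tool code. Names/values: MS-ADTS searchFlags table.
SEARCH_FLAGS = {
    "fATTINDEX": 0x0001,
    "fPDNTATTINDEX": 0x0002,
    "fANR": 0x0004,
    "fPRESERVEONDELETE": 0x0008,
    "fCOPY": 0x0010,
    "fTUPLEINDEX": 0x0020,
    "fSUBTREEATTINDEX": 0x0040,
    "fCONFIDENTIAL": 0x0080,
    "fNEVERVALUEAUDIT": 0x0100,
    "fRODCFilteredAttribute": 0x0200,
    "fEXTENDEDLINKTRACKING": 0x0400,
    "fBASEONLY": 0x0800,
    "fPARTITIONSECRET": 0x1000,
}
KNOWN_MASK = sum(SEARCH_FLAGS.values())


def decode_search_flags(value):
    """Hypothetical helper: int (or decimal string) -> list of flag tokens.

    Bits without a name are kept as one trailing hex token, so nothing is
    silently dropped when the value is shown.
    """
    value = int(value) & 0xFFFFFFFF  # assumption: treat as a 32-bit value
    tokens = [name for name, bit in SEARCH_FLAGS.items() if value & bit]
    unknown = value & ~KNOWN_MASK
    if unknown:
        tokens.append(hex(unknown))
    return tokens


def encode_search_flags(tokens):
    """Hypothetical helper: list of flag names / 0x.. tokens -> int.

    A misspelled name raises instead of being ignored, so a typo cannot
    quietly leave a flag such as fCONFIDENTIAL unset.
    """
    value = 0
    for token in tokens:
        if token in SEARCH_FLAGS:
            value |= SEARCH_FLAGS[token]
        elif token.lower().startswith("0x"):
            value |= int(token, 16)
        else:
            raise ValueError("unknown searchFlags token: %r" % token)
    return value
```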