[PATCH] test the effect of reordering ldb modify requests
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Apr 18 03:05:09 UTC 2019
Most ldb/ldap requests are agnostic with respect to the ordering of
their elements, with the request type ("ADD", "DELETE", etc) serving
as brutal instructions for all elements. But MODIFY requests are
different; they are more like scripts, with each element having its
own fate. The order of operations *should* make a difference. It is
easy to imagine logical outcomes for any given sequence of adds,
deletes and modifies, but this is AD so we have to test.
The test that considers every ordering permutation for a modify
request, and compares the answers against ground-truth gathered from
Windows 2012R2. The answers it receives from Samba are compared to the
ground truth and any difference is a failure.
For example, here is one of the shorter tests, for an object that
happens to be a user with a telephone. Three modify elements are tried
in all the possible orders (of which there are 3 * 2 * 1 == 6). The
elements are:
mod_attrs = [("objectclass", "computer", FLAG_MOD_REPLACE),
("objectclass", "user", FLAG_MOD_DELETE),
("objectclass", "person", FLAG_MOD_DELETE)]
which have previously been run against Windows, with the answers
clustered by result, and serialised like so (in
source4/dsdb/tests/python/testdata/modify_order_objectclass.expected):
modify_order_objectclass
initial attrs:
objectclass: 'user'
otherTelephone: '123'
== result ===[ 2]=======================
objectClass: [b'organizationalPerson', b'person', b'top', b'user']
otherTelephone: [b'123']
-- operations ---------------------------
objectclass replace computer
objectclass delete user
objectclass delete person
----------------------------------
objectclass delete user
objectclass replace computer
objectclass delete person
----------------------------------
== result ===[ 4]=======================
ERR_OBJECT_CLASS_VIOLATION (65)
-- operations ---------------------------
objectclass replace computer
objectclass delete person
objectclass delete user
----------------------------------
objectclass delete user
objectclass delete person
objectclass replace computer
----------------------------------
objectclass delete person
objectclass replace computer
objectclass delete user
----------------------------------
objectclass delete person
objectclass delete user
objectclass replace computer
----------------------------------
What it says is the two combinations ending with "delete person"
resulted in no change, and the other four resulted in an
OBJECT_CLASS_VIOLATION.
Then when we run it against Samba, we get a different result:
modify_order_objectclass
initial attrs:
objectclass: 'user'
otherTelephone: '123'
== result ===[ 2]=======================
objectClass: [b'computer', b'organizationalPerson', b'person', b'top', b'user']
otherTelephone: [b'123']
-- operations ---------------------------
objectclass delete user
objectclass delete person
objectclass replace computer
----------------------------------
objectclass delete person
objectclass delete user
objectclass replace computer
----------------------------------
== result ===[ 2]=======================
objectClass: [b'organizationalPerson', b'person', b'top', b'user']
otherTelephone: [b'123']
-- operations ---------------------------
objectclass replace computer
objectclass delete user
objectclass delete person
----------------------------------
objectclass delete user
objectclass replace computer
objectclass delete person
----------------------------------
== result ===[ 2]=======================
ERR_OBJECT_CLASS_VIOLATION (65)
-- operations ---------------------------
objectclass replace computer
objectclass delete person
objectclass delete user
----------------------------------
objectclass delete person
objectclass replace computer
objectclass delete user
----------------------------------
So that is a fail. Also, something of a mystery.
There is a pipeline running at
https://gitlab.com/samba-team/devel/samba/pipelines/57346326
and an earlier version passed here:
https://gitlab.com/samba-team/devel/samba/pipelines/56713222
What got me into this is a very slim hope I have that modify requests
might be semantically stable under a stable sort on attribute name
(e.g. like mergesort rather than quicksort). That would mean
carLicense MOD_A
otherTelephone MOD_B
carLicense MOD_C
otherTelephone MOD_D
is the same as
carLicense MOD_A
carLicense MOD_C
otherTelephone MOD_B
otherTelephone MOD_D
because each attribute gets the same sequence of modifications in
order. I haven't yet disproven the theory, but I expect to.
When run as a normal user, none of these modifications ever succeed
against either Windows or Samba, but we see different error code biota
on each.
Altogether the 26 tests provide 8 knownfails.
cheers,
Douglas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: modify-reorder.patch
Type: text/x-patch
Size: 364592 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190418/e385524a/modify-reorder-0001.bin>
More information about the samba-technical
mailing list