[IPA] SID allocation using DNA plugin
Andrew Bartlett
abartlet at samba.org
Mon Oct 26 21:22:35 MDT 2009
On Mon, 2009-10-26 at 23:03 -0400, Endi Sukma Dewata wrote:
> Andrew,
>
> I have a question related to this proposal:
> http://www.freeipa.org/page/Samba_4_SID_Allocation_using_DNA_Plugin
>
> Please take a look at dsdb/samdb/ldb_modules/password_hash.c. During an add operation
> the password_hash module tries to extract the domain SID from the object SID.
>
> static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
> {
>     ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
>     ret = build_domain_data_request(ac);
> }
>
> The domain SID will be used to create a search filter to find the domain object in the
> following method:
>
> static int build_domain_data_request(struct ph_context *ac)
> {
>     attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
>     ldb = ldb_module_get_ctx(ac->module);
>
>     filter = talloc_asprintf(ac,
>                              "(objectSid=%s)",
>                              ldap_encode_ndr_dom_sid(ac, ac->domain_sid));
>
>     return ldb_build_search_req(&ac->dom_req, ldb, ac,
>                                 ldb_get_default_basedn(ldb),
>                                 LDB_SCOPE_BASE,
>                                 filter, attrs,
>                                 NULL,
>                                 ac, get_domain_data_callback,
>                                 ac->req);
> }
>
> It seems like the use of a search filter here is redundant because the base DN and
> the scope point to the domain object directly. Is it correct?
>
> If that's the case, can we use a NULL filter in this search, so we don't need the domain
> SID, meaning we don't need to check the objectSid in the previous method? This way
> the SID can be generated by the backend. Is this correct?
This is a reasonable assumption. We had in the past written parts of
Samba in a more generic way, trying to support the creation of multiple
domains in a single Samba server. We don't try this any more, and a
patch to remove this would be gladly accepted.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
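To make the question in the thread concrete, here is an added Python model (not Samba code and not part of the original thread) of what the quoted C does: `samdb_result_sid_prefix` strips the trailing RID from an objectSid to get the domain SID, `ldap_encode_ndr_dom_sid` turns the NDR-encoded SID into an LDAP filter value, and the resulting `(objectSid=...)` filter is applied to a base-scope search rooted at the domain DN. The SID wire format (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) is the standard Windows layout; the directory contents, the DN `DC=example,DC=com` and the SIDs are constructed sample data, and `base_search` is a toy stand-in for ldb's `LDB_SCOPE_BASE` behaviour, not the ldb API.

```python
import struct

# Constructed sample directory: the domain object sits at the default base DN.
DOMAIN_DN = "DC=example,DC=com"
DIRECTORY = {
    DOMAIN_DN: {"objectSid": "S-1-5-21-1-2-3", "pwdProperties": 1, "pwdHistoryLength": 24},
}


def sid_to_ndr(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary (NDR) dom_sid layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_from_ndr(blob: bytes) -> str:
    """Decode the binary dom_sid layout back into 'S-1-5-...' form."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_prefix(object_sid: str) -> str:
    """Domain SID = object SID minus its last sub-authority (the RID),
    which is what samdb_result_sid_prefix yields."""
    return object_sid.rsplit("-", 1)[0]


def ldap_encode_ndr(blob: bytes) -> str:
    """Escape every byte as \\xx so the binary value can go into an LDAP filter."""
    return "".join("\\%02x" % b for b in blob)


def build_domain_filter(object_sid: str) -> str:
    """The filter build_domain_data_request constructs from the new object's SID."""
    return "(objectSid=%s)" % ldap_encode_ndr(sid_to_ndr(sid_prefix(object_sid)))


def base_search(directory, base_dn, filter_sid=None):
    """Toy LDB_SCOPE_BASE search: only the entry at base_dn is a candidate,
    so a filter can only ever accept or reject that single entry."""
    entry = directory.get(base_dn)
    if entry is None:
        return None
    if filter_sid is not None and entry["objectSid"] != filter_sid:
        return None
    return entry


if __name__ == "__main__":
    new_user_sid = "S-1-5-21-1-2-3-1106"
    print(build_domain_filter(new_user_sid))
    # With a NULL filter the base search already returns the domain object:
    print(base_search(DIRECTORY, DOMAIN_DN))
    # With the derived domain SID the filter is redundant (same result):
    print(base_search(DIRECTORY, DOMAIN_DN, sid_prefix(new_user_sid)))
    # Only a SID from a different domain would make the filter reject it:
    print(base_search(DIRECTORY, DOMAIN_DN, "S-1-5-21-9-9-9"))
```

The last two calls show why the filter only matters for the multi-domain case Andrew describes: against a single domain the base DN alone identifies the object, and the only thing the filter can do is fail the lookup when the caller-supplied SID does not belong to that domain, which is exactly the dependency on a pre-assigned objectSid that a backend-generated SID would remove.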