[PATCH] s4-drs: Delete RODC filtered attributes from objects

Stefan (metze) Metzmacher metze at samba.org
Fri Mar 12 07:40:04 MST 2010


Hi Fernando,

>> When a DC is a RODC, then when it replicates from another DC, it gets
>> a subset of the attributes. So there is no need for it to delete
>> attributes. The reason it gets a subset is that a RODC is not trusted
>> to hold all attributes, so they will never be sent by the other DC.
> 
> I think that I got a little confused now ... In my W2K8<->W2K8 tests,
> I saw the same attributeSchema objects when I made an ldbsearch both to
> my DC and to my RODC (so it seemed to me that the attributeSchema
> objects were replicated indeed ...) but the question that comes to me
> now is: Is it possible that the RODC "forwards" the ldbsearch to a DC,
> which really replies to it? (so what I saw was an ldbsearch from the DC
> instead of the RODC?).
> 
> Actually, in this first patch, I was trying to handle the following
> situation (not so usual, but that may happen and is related to the
> manual setting of a RODC filtered attribute on a DC that I was studying
> ...): Firstly, suppose you set an attributeSchema (any attribute you
> want ...) to be RODC filtered (like in
> http://technet.microsoft.com/en-us/library/cc772331(WS.10).aspx), but
> also suppose that you already have some objects that contain values
> for that attribute and those objects are already replicated to your
> RODC; After that, the attributeSchema that you've changed is
> replicated to your RODC (at least that was what happened during my
> W2K8<->W2K8 tests ... (it should not happen?) ); When it happens,
> such attribute's values vanish from those objects that had them and were
> stored in the RODC.

I think the schema partition is replicated completely to a RODC,
there's really nothing secret. So all attributeSchema and classSchema
objects are there, they only hold the definition of the attributes/classes.

What gets filtered are the instances of the attributes. E.g.
object cn=foo,dc=domain has an attribute mySecretAttributes
with value "don't tell anyone". Then the RODC won't get this
attribute and its value.

metze
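The distinction metze draws above (schema objects replicate whole, attribute instances are filtered) can be modelled as a small replication filter. This is an added example, not code from the thread or from Samba; it assumes that membership in the RODC filtered attribute set is signalled by the fRODCFilteredAttribute bit (0x200) in the attributeSchema object's searchFlags, and the schema entries and the cn=foo object below are constructed.

```python
# Added example (not from the thread or from Samba): which attribute
# instances a writable DC sends to an RODC, decided by the schema's
# searchFlags. fRODCFilteredAttribute is bit 0x200 of searchFlags;
# the schema entries and the sample object are constructed.
FRODC_FILTERED_ATTRIBUTE = 0x200

# Constructed attributeSchema entries, keyed by lDAPDisplayName.
SCHEMA = {
    "cn":                 {"searchFlags": 0x0},
    "description":        {"searchFlags": 0x0},
    "mySecretAttributes": {"searchFlags": FRODC_FILTERED_ATTRIBUTE},
}

# Constructed object cn=foo,dc=domain as held on the writable DC.
SAMPLE_OBJECT = {
    "cn": ["foo"],
    "description": ["ordinary text"],
    "mySecretAttributes": ["don't tell anyone"],
}


def is_rodc_filtered(attr_name, schema):
    """True if attr_name is in the RODC filtered attribute set."""
    entry = schema.get(attr_name)
    if entry is None:
        raise KeyError(f"no attributeSchema object for {attr_name}")
    return bool(entry["searchFlags"] & FRODC_FILTERED_ATTRIBUTE)


def replicate_to_rodc(obj, schema):
    """Attribute instances the DC sends to the RODC for one object.

    A filtered attribute is omitted entirely (name and values), so the
    RODC never holds anything it would later need to delete.
    """
    return {name: values for name, values in obj.items()
            if not is_rodc_filtered(name, schema)}


def replicate_schema_to_rodc(schema):
    """The schema partition itself is not filtered: the RODC receives
    every attributeSchema object, including those describing filtered
    attributes, because they only hold definitions, not values."""
    return {name: dict(entry) for name, entry in schema.items()}


def mark_rodc_filtered(schema, attr_name):
    """Schema change an admin makes on a writable DC: set the flag on
    the attributeSchema object. Returns the updated schema."""
    entry = dict(schema[attr_name])
    entry["searchFlags"] |= FRODC_FILTERED_ATTRIBUTE
    return {**schema, attr_name: entry}
```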

