IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It was reported by aatanasov that we kept around one whole schema per
modification made. This does not fix that, but I hope moves us closer
to a fix
The most important part of the fix is that:
- if (schema_out != schema_in) {
- talloc_unlink(schema_in, ldb);
- }
was the wrong way around. This is now handled in the schema_set calls.
Andrew Bartlett
Especially the "free"s after "ldb_msg_diff" are very important since the diff
message is allocated on the long-living LDB context.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
The problem here is that if the schema has been modified on the source
domain, there may be attributes that appear over DRS with 0 values (to
indicate that any existing values on the target should be deleted).
This would confuse the previous version of this macro.
Andrew Bartlett
O(n) search for dsdb_attribute by msDS-IntId value was
replaced by binary-search in ordered index.
I've choosen the approach of separate index on msDS-IntId values
as I think it is more clear what we are searching for.
And it should little bit faster as we can clearly determine
in which index to perform the search based on ATTID value -
ATTIDs based on prefixMap and ATTIDs based on msDS-IntId
are in separate ranges.
Other way to implement this index was to merge msDS-IntId values
in attributeID_id index.
This led me to a shorted but not so obvious implementation.
This allows the prefixMap from a DRS server to be used when loading
the schema from the local files. This helps us then import other
schema with this map in place.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
The change here is to try and convert a per the previous rules, but if
we don't know a particular OID as a attributeID, then store it as an
OID (for example). This allows known values to be converted as
before, but still copes with unknown values.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
This works on the assumption that the schema partition can only
contain schema objects.
We may need to pass down some kind of 'relax' to the DRS -> LDB
conversion code, so that it allows incomplete conversions, so that we
don't fail if a new attribute is present, and we can't decode it.
This would then be resolved the second time we do the conversion.
Andrew Bartlett
Signed-off-by: Kamen Mazdrashki <kamenim@samba.org>
Error checking is simplified and my leave leeks.
I did it this way to make code more readable, and if we
get error in those lines, it will be WERR_NOMEM in which
case we are in a much deeper troubles than delayed freeing
of few bytes.
This reverts commit 8149094edd.
Windows implementation does not set schemaInfo attribute value
until first Schema update request.
This way, newly provisioned forest returns no schemaInfo value.
I think it won't be bad for us to have this value preset, but
I want to mimic Win AD behavior as close as possible.
The use of 'replace' is enough to wipe out the old value, whatever it
is, we don't need to set 'permissive modify' too.
Additionally, this seems to be causing trouble for the OpenLDAP backend
Andrew Bartlett
ldb_msg preparation is moved into separate function
so that it can be used for implementing schemaInfo
updates both on module stack (dsdb_module_... functions)
and directly on ldb_context
This commit reworks Samba4's schema loading code to detect when it
needs to reload the schema. This is done by watching the @REPLCHANGED
special DN.
The reload happens by means of a callback, which is only set when the
schema is loaded from the ldb - not when loaded from an LDIF file or
DRS.
We also rework the global schema handling - instead of storing the
pointer to the global schema in each ldb, we store a flag indicating
that the global schema should be returned at run time. This makes it
much easier to switch to a new global schema.
Andrew Bartlett
This choses an appropriate talloc context to attach the schema too,
long enough lived to ensure it does not go away before the operation
compleates.
Andrew Bartlett
When specified, we talloc_reference onto this context to ensure that
pointers found in it are valid for the life of the objects they are
placed into. (Such as the string form of LDAP attributes).
Andrew Bartlett
Counters which are used in the way "for (i = 0; array[i] != NULL; i++)" I
modified to "unsigned" since for sure we don't want to have negative array
indexes there.
Counters which are used in the way "for (i = 0; array[i] != NULL; i++)" I
modified to "unsigned" since for sure we don't want to have negative array
indexes there.
There were many counter variables typed "uint32_t". This isn't fully correct
since those count LDB objects. The amount is saved in a "num_*" variable which
is "unsigned" without a bitlength specification. Therefore change also these
counters to be plain "unsigned".
ldb_dn_extended_filter() removes all but the listed components,
I didn't noticed that when writting the code.
Doing a ldb_dn_remove_extended_components(dn2) is wrong.
This was hidden by some bugs in the ldb_dn code.
metze
This is a very heavy weight way of checking this syntax,
but it's very complex and using the existing function
should be ok for now. We can optimize it later.
metze
When we get one we haven't seen before, we can work out the right type
automatically in most cases.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
According to http://msdn.microsoft.com/en-us/library/cc223224%28PROT.13%29.aspx
some Attributes OIDs may not use prefixMap.
Setting ATTID in Schema Cache here should work, although
this code snippet should be moved in separate function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Test was implemented as a test fixture so that setup/teardown
occurs only once.
This should impact test performace as long as provision_get_schema()
is a slow function (especially when debugging)
This makes these full extended DNs, so we set the right values into
the database, even before we actually set the schema objects
themselves.
Andrew Bartlett
The load of defaultObjectCategory as an extended DN means we need to
use the common parsing functions I just split out, rather than the
GET_DS_DN macro.
The objectGUIDs are loaded so that we can create the extended DN when
we load from LDIF (and are loaded for the other cases for
consistency).
Also adapt callers to API changes needed for common parsing code
Andrew Bartlett
This should make it easier to call this function from the DRS schema
load code, rather than duplicate it.
(we may do the same with other functions in future).
Andrew Bartlett
I've left out those for which I could not find an expected value in my
default Windows 2003 server's database, and the values that rely on
the current prefix map at the time.
Andrew Bartlett
This converts the code from using the binary DN code in ldb_dn to
using a special Samba-specfic wrapper around ldb_dn.
We also use the dsdb_dn code for DN+Binary and DN+String comparisons
(changed from treating them as Binary blobs)
Andrew Bartlett
TODO: this function may be refactored further.
Actually we don't need to look up for the OID supplied,
but just call sdb_schema_pfm_make_attid() - it will
search for the OID anyway and add it if necessary
Signed-off-by: Stefan Metzmacher <metze@samba.org>
"partial drsuapi_prefixMap" is a prefix map without last entry
being special - i.e. map that does not contains schema_info entry.
Test for dsdb_schema_pfm_from_drsuapi_pfm() were also extended to
cover both 'full' and 'partial' map conversion.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
dsdb_schema_pfm_contains_drsuapi_pfm() is part of reimplemented
prefixMap interface.
This name was choosen to clearly show, that this a week verification
in case we want to determine if remote schema is changed.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
dsdb_get_oid_mappings_drsuapi() just need to call
dsdb_drsuapi_pfm_from_schema_pfm() to get filled-in DRSUAPI
prefixMap.
Perhaps it won't be bad to rename this function to have
more expressive name in the future
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Also, dsdb_load_oid_mappings_drsuapi() was reimplemented to use
dsdb_schema_pfm_from_drsuapi_pfm() function to load
drsuapi_prefixMap into schema->prefixmap
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Along with this, dsdb_schema_pfm_contains_drsuapi_pfm()
function is implemented to replace previous implementation
for dsdb_verify_oid_mappings_drsuapi().
Name of the function clearly implies how week this verification is,
as currently it is used to indicate "Schema modified on remote"
condition.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
At this point, support for checks on LDAP add, delete, rename and modify.
Old kludge_acl is still there to handle the searches.
This module is synchronous as the async version was impossible to debug,
will be converted to async after some user testing.
Currenly those tests cover only the main part of the interface,
i.e. dsdb_schema_pfm_new(), dsdb_schema_pfm_make_attid()
and dsdb_schema_pfm_oid_from_attid()
The biggest change is that 'oid' field is transmited in binary format.
Also the field name is changed to 'binary_oid' so that
field format to be clear for callers.
After those changes, Samba4 should work the way it works before -
i.e. no added value here but we should not fail when
partial-oid is part of prefixMap transmited from Win server.
Also, thre is a bug in this patch - partial-binary-OIDs are
not handled correctly. Partial-binary-OIDs received during
replication will be encoded, but not handled correctly.
This avoids using an ldb_search(), which would run from the top of the
module stack. This will help us load the schema before the partitions
are initialised.
Andrew Bartlett
AD has the concept of a DN prefixed with B:NN:XXXXXX: that contains a
binary blob. We need to support those in order to give correctly
formatted binary blobs for things like wellKnownObjects
This implementation is not ideal, as it allows for binary blobs on all
DNs, whereas it should only allow them on those with a syntax of
2.5.5.7. We should clean this up in the future, but meanwhile this
implementation at least gets us a working DC join of w2k8 to s4.
This patch also uses a static function for marking DNs as invalid,
which is very useful when debugging this code, as you can break on it
in gdb.
We were trying to encode strings like 'top' as integers, without first
looking them up in our schema. We need special handling for all the
attributes that contain attributeID_id or governsID_id fields that
should be translated first before encoding.
This replace the dsdb_syntax_FOOBAR_ldb_to_drsuapi function,
which was left as a TODO code. Implementation in both added functions
is completely identical and probably should differ in the future.
This changes dsdb_write_prefixes_from_schema_to_ldb() to use an
internal talloc hirarchy, so we can safely give it a NULL context from
the python.
It also fixes manual construction of the ldb_message - we now use the
right helper functions.
Andrew Bartlett
The aim is to create a function that is more easily wrapped for
python, so that we can write the updated prefixMap in an upgrade
script.
Andrew Bartlett
The problem is that samdb_result_string() and
ldb_msg_find_attr_as_string() both simply cast the string, rather than
ensuring the return value is NULL terminated. This may be best
regarded as a flaw in LDB, but fixing it there is going to be more
difficult.
Andrew Bartlett
This allows us to load the schema against one ldb context, but apply
it to another. This will be useful in the provision script, as we
need the schema before we start the LDAP server backend.
Adnrew Bartlett
Before this change, the first opener of the sam ldb context would
become the owner of the global schema, then the autofree context got a
reference to the schema. Any subsequent opens of the sam ldb also got
a reference. This meant that the talloc hierarchy was inconsistent
between the first sam ldb open and subsequent opens. With this change
the autofree context becomes the owner of the global schema, and all
ldb contexts get a reference.
This removes a number of cases where we did a cast into a const char *
of an ldb_val. While convention is to alway have an extra \0 at
data[length] in the ldb_val, this is not required, and does not occour
at least on build farm host 'svart'.
Andrew Bartlett
Using ldb unique indexes for samAccountName doesn't work with DRS as
the other DC may send us a deleted record (tombstone record), which
has the same samAccountName as an existing record. That would then
create two records in the same partition with the same samAccountName.
So we needed to put back the logic in samldb.c which explicitly
checked whether a samAccountName already exists on add
The previous code incorrectly assumed that attributes such as
subClassOf come over the wire as strings. In fact they come over as 32
bit integers which refer to goversIDs. We have to post-process these
as it sometimes happens that a governsID comes over the wire before
the record that defines what it means.
- LDB handles now all 32-bit integer attributes correctly (also with overflows)
according to the schema
- LDAP backends handle the attributes "groupType", "userAccountControl" and
"sAMAccountType" correctly. This handling doesn't yet use the schema but
the conversion file "simple_ldap.map.c" which contains them hardcoded.
Did also a refactoring of the conversion function there.
- Bug #6136 should be gone
This is all working towards supporting the full WSPP schema without a
major performance penalty.
We now use binary searches when looking up classes and attributes. We
also avoid the loop loading the attributes into ldb, by adding a hook
to override the ldb attribute search function in a module. The
attributes can thus be loaded once, and then saved as part of the
global schema.
Also added support for a few more key attribute syntaxes, as needed
for the full schema.
This search uses the index, and is not recursive, so should avoid the
major performance problem with the current sorted schema load.
The ad2oLschema code (recently moved to provision-backend) no longer
needs the schema to be sorted.
Andrew Bartlett
This avoids the need to assume that the schema is sorted on load,
which happens more often and is a major performace issue in the
Samba4's use of ldb.
Andrew Bartlett
This removes a level of indirection via external binaries in the
provision-backend code, and also makes better use of our internal code
for loading schema from an LDIF file.
Remaining to do: Sort the output again, as the load from LDIF is
unsorted (also needed because the normal LDB load from sorted input is too slow
anyway, and is only needed here).
Andrew Bartlett
A dITConentRules attribute (unlike objectClasses) must not contain a
'SUP'.
The ADSI layer in Windows would download the whole schema, and
validate it. Thanks to the team at Microsoft for very long debugging
session to find this.
Andrew Bartlett
I think it is just too complex and error prone to init and cancel
transactions during the module init code. Instead, this isn't prone
to races as it will always achieve a steady state (eventually), and
most cases will never do the write.
Andrew Bartlett
(This used to be commit d60977cc7f)
(It instead ensured that only 'top' had a SUP keyword)
This clearly shows that 937b466266 was
not a full or correct fix, but despite this I can no longer reproduce
the issue. Further investigation is required.
Andrew Bartlett
(This used to be commit 95a9e9b6b8)
This bug is entitled 'Schema patch breaks interoperability with
Microsoft MMC consoles.', and it does so very spectacularly.
The issue is that we would include an entry:
objectClasses: ( 2.5.6.0 NAME 'top' SUP top ABSTRACT..
The MMC Active Directory Users and Computers snap in presumably
objected to the 'loop' this would present. The fixed entry is:
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT
Thanks to Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de> for his
persistance in getting me to look at this.
Andrew Bartlett
(This used to be commit 937b466266)
Something in the search stack adds a distinguisedName record, which
isn't in the message we generate. So we compare, fail and rewrite the
record - every time ldb starts up...
Andrew Bartlett
(This used to be commit 44775d1ed4)
This ensures that a rudementary schema is always present (for
bootstrapping), and that the indexes are maintained equal to the
schema (rather than hard-coded).
Andrew Bartlett
(This used to be commit 747d683b0d)
This includes additional Samba-specific syntaxes made available from
the ldif_handlers code.
This commit also changes some table to use #defines, to ensure
consistancy in other parts of the code.
Andrew Bartlett
(This used to be commit e26a5efd9a)
This merges the table once found in the oLschema2ldif tool (and moved
many times) with the table used for DRSUAPI.
The OpenLDAP schema map has been updated, to ensure that despite a
number of attributes being declared as OIDs, they are actually used as
strings (as they are actually LDAP class/attribute names).
Andrew Bartlett
(This used to be commit 61f2958c84)
This reads the schema from the in-memory structure, when the magic
attributes are requested. The code is a modified version of that used
in the ad2oLschema tool (now shared).
The schema_fsmo module handles the insertion of the generated result.
As such, this commit also removes these entries from the setup/schema.ldif
Metze's previous stub of this functionality is also removed.
Andrew Bartlett
(This used to be commit c7c32ec7b4)
This will allow the kludge_acl and schema code to leverage the same
work. (We might even get schema validation soon! :-)
Andrew Bartlett
(This used to be commit cecd04ce1f)
LDB does not know about nor process the AD schema, so it makes no
sense to have this tool there. I've been changing it anyway, to use a
common schema manipulation library, and will enhance these links in
the future.
Andrew Bartlett
(This used to be commit c7704805b9)
This implements the logic in the schema_fsmo_add() function,
but it only calls a dummy dsdb_create_prefix_mapping() yet.
metze
(This used to be commit 9018b85e83)
To make Samba4, using the python provision system, pass this test
required some major rework. Untested code is broken code, and some of
the refactoring for a seperate provision test (which also now passes)
broke things.
Similarly, the iconv work has compiled, but these codepaths have never
been run (NULL pointer de-reference).
In working to use a local, rather than global, loadparm context, and
to support using a target directory, a few things needed to be
reworked, particularly around path handling.
Andrew Bartlett
(This used to be commit 1169e8d7be)
(I presume this has resulted from the global variable elimination)
Perhaps the iconv handle argument to ndr_push_struct needs to be
marked as 'not NULL' or similar?
Andrew Bartlett
(This used to be commit e8081333b8)
