The branch, master has been updated
       via  c3fa990 s4:ldap.py - prove the denied multi-valued replace requests
       via  fedd4aa s4:objectclass_attrs LDB module - deny multi-valued replace 
requests
       via  6e407a3 s4:provision_*_references.ldif - "add" and do not "replace" 
the "wellKnownObjects"
      from  e24cd13 s4:samldb LDB module - fix indentations

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit c3fa990f216e68a4b36d064f8a34e93d951b9201
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Sun Oct 24 21:32:30 2010 +0200

    s4:ldap.py - prove the denied multi-valued replace requests
    
    Autobuild-User: Matthias Dieter Wallnöfer <[email protected]>
    Autobuild-Date: Mon Oct 25 11:49:19 UTC 2010 on sn-devel-104

commit fedd4aa3cb7a0d4b895ec040d74cfbfbee42cac5
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Tue Oct 19 15:14:53 2010 +0200

    s4:objectclass_attrs LDB module - deny multi-valued replace requests
    
    This is the AD behaviour. But on attributes with the flag
    "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" it is allowed.

commit 6e407a3c1c7166801bcec364186c487c27b18550
Author: Matthias Dieter Wallnöfer <[email protected]>
Date:   Mon Oct 25 11:28:09 2010 +0200

    s4:provision_*_references.ldif - "add" and do not "replace" the 
"wellKnownObjects"
    
    This is the correct AD operation in this case. Multi-valued replaces are
    denied most of the time.

-----------------------------------------------------------------------

Summary of changes:
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c |   13 +++++++
 source4/dsdb/tests/python/ldap.py                  |   36 ++++++++++----------
 source4/setup/provision_basedn_references.ldif     |    2 +-
 .../setup/provision_configuration_references.ldif  |    2 +-
 4 files changed, 33 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c 
b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
index 2024a33..b3f7048 100644
--- a/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
+++ b/source4/dsdb/samdb/ldb_modules/objectclass_attrs.c
@@ -139,6 +139,19 @@ static int attr_handler(struct oc_context *ac)
                        }
                }
 
+               /* Multi-valued replace operations are generally denied but
+                * there do exist exceptions where attributes have the flag
+                * "FLAG_ATTR_REQ_PARTIAL_SET_MEMBER" set. */
+               if ((ac->req->operation == LDB_MODIFY) &&
+                   (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) == 
LDB_FLAG_MOD_REPLACE) &&
+                   (msg->elements[i].num_values > 1) &&
+                   ((attr->systemFlags & DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER) 
== 0)) {
+                       ldb_asprintf_errstring(ldb, "objectclass_attrs: 
attribute '%s' on entry '%s' is replaced multi-valued!",
+                                              msg->elements[i].name,
+                                              ldb_dn_get_linearized(msg->dn));
+                       return LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS;
+               }
+
                /* Substitute the attribute name to match in case */
                msg->elements[i].name = attr->lDAPDisplayName;
        }
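Review bot: The new guard in attr_handler rejects every LDB_MODIFY with a multi-valued replace that reaches this module, so internal callers (provisioning LDIF, upgrade scripts, other modules) that still send one will now fail with LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS. The hunk starts and ends mid-function, so it is not visible whether an earlier part of attr_handler exempts trusted or control-flagged requests; that is worth confirming. The comment explains the flag exception but not the return code, which is unintuitive for a rejected replace; if it was chosen to mirror AD, as the commit message suggests, say so, e.g. `/* The error code follows the AD behaviour for this case. */`. The error string would read more clearly as `"objectclass_attrs: multi-valued replace of attribute '%s' on entry '%s' is not allowed!"`.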
diff --git a/source4/dsdb/tests/python/ldap.py 
b/source4/dsdb/tests/python/ldap.py
index c02f567..a7e718e 100755
--- a/source4/dsdb/tests/python/ldap.py
+++ b/source4/dsdb/tests/python/ldap.py
@@ -613,15 +613,15 @@ class BasicTests(unittest.TestCase):
             "objectclass": "group",
             "description": ["desc1", "desc2"]})
 
-#        m = Message()
-#        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-#        m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
-#          "description")
-#        try:
-#            ldb.modify(m)
-#            self.fail()
-#        except LdbError, (num, _):
-#            self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+        m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
+          "description")
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
 
         m = Message()
         m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
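Review bot: The re-enabled block here, and the identical one in the hunk at -655, only prove the denial path; nothing visible exercises the exemption the C change adds for attributes carrying FLAG_ATTR_REQ_PARTIAL_SET_MEMBER. A positive case that performs a multi-valued FLAG_MOD_REPLACE on such an attribute and expects success would catch a regression where the flag test is inverted or dropped. The bare `self.fail()` would also be easier to diagnose as `self.fail("multi-valued replace of 'description' was accepted")`. The enclosing test method starts and ends outside both hunks.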
@@ -655,15 +655,15 @@ class BasicTests(unittest.TestCase):
           "description")
         ldb.modify(m)
 
-#        m = Message()
-#        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
-#        m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
-#          "description")
-#        try:
-#            ldb.modify(m)
-#            self.fail()
-#        except LdbError, (num, _):
-#            self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
+        m = Message()
+        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
+        m["description"] = MessageElement(["desc1","desc2"], FLAG_MOD_REPLACE,
+          "description")
+        try:
+            ldb.modify(m)
+            self.fail()
+        except LdbError, (num, _):
+            self.assertEquals(num, ERR_ATTRIBUTE_OR_VALUE_EXISTS)
 
 #        m = Message()
 #        m.dn = Dn(ldb, "cn=ldaptestgroup,cn=users," + self.base_dn)
diff --git a/source4/setup/provision_basedn_references.ldif 
b/source4/setup/provision_basedn_references.ldif
index a71c11c..188982a 100644
--- a/source4/setup/provision_basedn_references.ldif
+++ b/source4/setup/provision_basedn_references.ldif
@@ -7,7 +7,7 @@ changetype: modify
 replace: rIDManagerReference
 rIDManagerReference: CN=RID Manager$,CN=System,${DOMAINDN}
 -
-replace: wellKnownObjects
+add: wellKnownObjects
 wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS 
Quotas,${DOMAINDN}
 wellKnownObjects: 
B:32:f4be92a4c777485e878e9421d53087db:CN=Microsoft,CN=Program Data,${DOMAINDN}
 wellKnownObjects: B:32:09460c08ae1e4a4ea0f64aee7daa1e5a:CN=Program 
Data,${DOMAINDN}
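Review bot: Switching `replace: wellKnownObjects` to `add: wellKnownObjects` here, and likewise in provision_configuration_references.ldif, makes the modify non-idempotent: if any listed value is already present on the entry, the add is expected to fail with an attribute-or-value-exists error where the replace would have overwritten. Whether these files are only ever applied to a freshly created entry is not visible from the hunk, so the re-provision and upgrade paths should be checked. A short LDIF comment above the block, e.g. `# "add" because multi-valued replaces are denied; the entry must not yet carry wellKnownObjects`, would record that precondition.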
diff --git a/source4/setup/provision_configuration_references.ldif 
b/source4/setup/provision_configuration_references.ldif
index 6e31fb7..febe436 100644
--- a/source4/setup/provision_configuration_references.ldif
+++ b/source4/setup/provision_configuration_references.ldif
@@ -8,7 +8,7 @@ changetype: modify
 replace: subRefs
 subRefs: ${SCHEMADN}
 -
-replace: wellKnownObjects
+add: wellKnownObjects
 wellKnownObjects: B:32:6227f0af1fc2410d8e3bb10615bb5b0f:CN=NTDS 
Quotas,${CONFIGDN}
 wellKnownObjects: 
B:32:ab8153b7768811d1aded00c04fd8d5cd:CN=LostAndFoundConfig,${CONFIGDN}
 wellKnownObjects: B:32:18e2ea80684f11d2b9aa00c04f79f805:CN=Deleted 
Objects,${CONFIGDN}


-- 
Samba Shared Repository
