Discussion:
[PATCH] samba-tool schema attribute query_oc
William Brown via samba-technical
2018-04-30 01:02:01 UTC
Hi,

This is (yet another) patch to samba-tool. It extends the (still under
review) schema attribute command to allow querying "what objectclass
*could* hold this attribute".

It's really useful for things like "Hey I need to add the attribute
userClass to my person. What auxiliary objectClass do I need to add to
my user to allow userClass to exist on it?"

Thanks for your time!

William
Alexander Bokovoy via samba-technical
2018-04-30 05:48:29 UTC
Post by William Brown via samba-technical
Hi,
This is (yet another) patch to samba-tool. It extends the (still under
review) schema attribute command to allow querying "what objectclass
*could* hold this attribute".
It's really useful for things like "Hey I need to add the attribute
userClass to my person. What auxiliary objectClass do I need to add to
my user to allow userClass to exist on it?"
Sounds useful, indeed.

A general comment: we need to do something with user-passed values used
to evaluate inside a filter. Right now there is no hardening, no LDAP
escaping, etc. It could be a security nightmare one day.

May be the command would be 'show_oc' rather than 'query_oc' as we have
already a 'show' command. Just to reduce number of alternate namings...
Post by William Brown via samba-technical
Thanks for your time!
William
From df2ee62b9562a63633ce714bd4b14e0dbe0ee220 Mon Sep 17 00:00:00 2001
Date: Sun, 29 Apr 2018 13:28:42 +1200
Subject: [PATCH] python/samba/netcmd/schema.py: add schema query_oc for
attribute
Often administrators need to add a specific attribute to an object, but
it may not be possible with the objectClasses present. This tool allows
searching "what objectclasses must or may?" take an attribute to help hint
to an administrator what objectclasses can be added to objects to achieve
the changes they want.
---
docs-xml/manpages/samba-tool.8.xml | 5 ++++
python/samba/netcmd/schema.py | 50 +++++++++++++++++++++++++++++++++
python/samba/tests/samba_tool/schema.py | 10 +++++++
3 files changed, 65 insertions(+)
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 0466e125100..23b0b275a38 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -727,6 +727,11 @@
<para>Modify the behaviour of an attribute in schema.</para>
</refsect3>
+<refsect3>
+ <title>schema attribute query_oc <replaceable>attribute</replaceable> [options]</title>
+ <para>Search for objectclasses that MAY or MUST contain this attribute.</para>
+</refsect3>
+
<refsect3>
<title>schema attribute show <replaceable>attribute</replaceable> [options]</title>
<para>Display an attribute schema definition.</para>
diff --git a/python/samba/netcmd/schema.py b/python/samba/netcmd/schema.py
index 71ec6b21061..daeb60aebff 100644
--- a/python/samba/netcmd/schema.py
+++ b/python/samba/netcmd/schema.py
user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
self.outf.write(user_ldif)
+ """Query what objectclasses MAY or MUST contain an attribute.
+
+ This is useful to determine "if I need uid, what objectclasses could be
+ applied to achieve this."
+ """
+ synopsis = "%prog attribute [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["attribute"]
+
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ schema_dn = samdb.schema_dn()
+
+ may_filt = '(&(objectClass=classSchema)(|(mayContain={0})(systemMayContain={0})))'.format(attribute)
+ must_filt = '(&(objectClass=classSchema)(|(mustContain={0})(systemMustContain={0})))'.format(attribute)
+
+ may_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
+ expression=may_filt, attrs=['cn'])
+ must_res = samdb.search(base=schema_dn, scope=ldb.SCOPE_SUBTREE,
+ expression=must_filt, attrs=['cn'])
+
+ self.outf.write('--- MAY contain ---\n')
+ self.outf.write('%s\n' % msg['cn'][0])
+
+ self.outf.write('--- MUST contain ---\n')
+ self.outf.write('%s\n' % msg['cn'][0])
+
+
"""Show details about an objectClass from the schema.
subcommands = {}
subcommands["modify"] = cmd_schema_attribute_modify()
subcommands["show"] = cmd_schema_attribute_show()
+ subcommands["query_oc"] = cmd_schema_attribute_query_oc()
"""Query and manage objectclasses in the schema partition."""
subcommands = {}
subcommands["show"] = cmd_schema_objectclass_show()
+ # Is this needed? It's a focused show afterall ...
+ # subcommands["query_attr"] = cmd_schema_objectclass_query_attr()
"""Schema querying and management."""
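Review bot: The `may_filt` and `must_filt` lines interpolate the command-line `attribute` into the LDAP search expression with `.format(attribute)` and no escaping, so a value containing `(`, `)`, `*` or `\` changes the filter instead of being matched literally. Pass the value through `ldb.binary_encode(attribute)` before formatting, or reject anything that is not a valid attribute name; that also covers the escaping concern raised at the top of this reply. Separately, both `self.outf.write('%s\n' % msg['cn'][0])` lines use `msg`, but nothing in the lines shown iterates `may_res` or `must_res`; each write should sit inside a loop over its own result set. The commented-out `query_attr` registration is better dropped than committed as an open question.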
diff --git a/python/samba/tests/samba_tool/schema.py b/python/samba/tests/samba_tool/schema.py
index fdffe23b2b8..9a3f982f9d2 100644
--- a/python/samba/tests/samba_tool/schema.py
+++ b/python/samba/tests/samba_tool/schema.py
self.assertCmdSuccess(result, out, err)
+ """Tests that we can modify searchFlags of an attribute"""
+ (result, out, err) = self.runsubcmd("schema", "attribute",
+ "query_oc", "cn",
+ "-H", "ldap://%s" % os.environ["DC_SERVER"],
+ "-U%s%%%s" % (os.environ["DC_USERNAME"],
+ os.environ["DC_PASSWORD"]))
+
+ self.assertCmdSuccess(result, out, err)
+
"""Tests that we can display schema objectclasses"""
(result, out, err) = self.runsubcmd("schema", "objectclass",
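Review bot: The docstring on the new test, "Tests that we can modify searchFlags of an attribute", does not describe what the test does; it runs `query_oc` for `cn` and should say so. The test also stops at `assertCmdSuccess`, so it would pass with empty output: assert that `out` contains the `--- MAY contain ---` and `--- MUST contain ---` headers and at least one class expected to allow `cn`, and add a case whose attribute argument contains filter metacharacters once the filter value is escaped.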
--
2.14.3
--
/ Alexander Bokovoy
William Brown via samba-technical
2018-04-30 21:58:49 UTC
On Mon, 2018-04-30 at 08:48 +0300, Alexander Bokovoy via samba-
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Hi,
This is (yet another) patch to samba-tool. It extends the (still under
review) schema attribute command to allow querying "what
objectclass
*could* hold this attribute".
It's really useful for things like "Hey I need to add the attribute
userClass to my person. What auxiliary objectClass do I need to add to
my user to allow userClass to exist on it?"
Sounds useful, indeed.
A general comment: we need to do something with user-passed values used
to evaluate inside a filter. Right now there is no hardening, no LDAP
escaping, etc. It could be a security nightmare one day.
This seems to be the case all over the samdb api though. Today it's
"not too bad" because all these commands would (hopefully) only be run
interactively, not from a script. And even then, in this case you
probably can't do *too* much damage.

But the risk is there. I think that in the future I want to move the
logic of some of these operations out of the CLI where it currently is,
and move it to samdb.py. It would be there that we can do filter
templating and proper escaping of input.

We have an escaping mechanism built into the lib389 object mechanism
that does this already (because lib389 will end up in ipa/web apps I
expect), so this design already works in my experience. I'm hoping to
recreate a subset of this work in the samba project as in general it
would be excellent to be able to "expose" samdb as a more complete
object manipulation API than it currently is today.

I think in summary - It's in my mind, I just need to find the time to
do it. And as you know Alex, I have plenty of time at the moment ;)
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as we have
already a 'show' command. Just to reduce number of alternate
namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Thanks for your time!
William
From df2ee62b9562a63633ce714bd4b14e0dbe0ee220 Mon Sep 17 00:00:00 2001
Date: Sun, 29 Apr 2018 13:28:42 +1200
Subject: [PATCH] python/samba/netcmd/schema.py: add schema query_oc for
attribute
Often administrators need to add a specific attribute to an object, but
it may not be possible with the objectClasses present. This tool allows
searching "what objectclasses must or may?" take an attribute to help hint
to an administrator what objectclasses can be added to objects to achieve
the changes they want.
---
docs-xml/manpages/samba-tool.8.xml | 5 ++++
python/samba/netcmd/schema.py | 50
+++++++++++++++++++++++++++++++++
python/samba/tests/samba_tool/schema.py | 10 +++++++
3 files changed, 65 insertions(+)
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-
xml/manpages/samba-tool.8.xml
index 0466e125100..23b0b275a38 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -727,6 +727,11 @@
<para>Modify the behaviour of an attribute in
schema.</para>
</refsect3>
+<refsect3>
+ <title>schema attribute query_oc
<replaceable>attribute</replaceable> [options]</title>
+ <para>Search for objectclasses that MAY or MUST contain
this attribute.</para>
+</refsect3>
+
<refsect3>
<title>schema attribute show
<replaceable>attribute</replaceable> [options]</title>
<para>Display an attribute schema definition.</para>
diff --git a/python/samba/netcmd/schema.py
b/python/samba/netcmd/schema.py
index 71ec6b21061..daeb60aebff 100644
--- a/python/samba/netcmd/schema.py
+++ b/python/samba/netcmd/schema.py
user_ldif = samdb.write_ldif(msg, ldb.CHANGETYPE_NONE)
self.outf.write(user_ldif)
+ """Query what objectclasses MAY or MUST contain an attribute.
+
+ This is useful to determine "if I need uid, what objectclasses could be
+ applied to achieve this."
+ """
+ synopsis = "%prog attribute [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "credopts": options.CredentialsOptions,
+ }
+
+ takes_options = [
+ Option("-H", "--URL", help="LDB URL for database or target server",
+ type=str, metavar="URL", dest="H"),
+ ]
+
+ takes_args = ["attribute"]
+
+ def run(self, attribute, H=None, credopts=None,
+ lp = sambaopts.get_loadparm()
+ creds = credopts.get_credentials(lp)
+
+ samdb = SamDB(url=H, session_info=system_session(),
+ credentials=creds, lp=lp)
+
+ schema_dn = samdb.schema_dn()
+
+ may_filt =
'(&(objectClass=classSchema)(|(mayContain={0})(systemMayContain={0}
)))'.format(attribute)
+ must_filt =
'(&(objectClass=classSchema)(|(mustContain={0})(systemMustContain={
0})))'.format(attribute)
+
+ may_res = samdb.search(base=schema_dn,
scope=ldb.SCOPE_SUBTREE,
+ expression=may_filt, attrs=['cn'])
+ must_res = samdb.search(base=schema_dn,
scope=ldb.SCOPE_SUBTREE,
+ expression=must_filt, attrs=['cn'])
+
+ self.outf.write('--- MAY contain ---\n')
+ self.outf.write('%s\n' % msg['cn'][0])
+
+ self.outf.write('--- MUST contain ---\n')
+ self.outf.write('%s\n' % msg['cn'][0])
+
+
"""Show details about an objectClass from the schema.
subcommands = {}
subcommands["modify"] = cmd_schema_attribute_modify()
subcommands["show"] = cmd_schema_attribute_show()
+ subcommands["query_oc"] = cmd_schema_attribute_query_oc()
"""Query and manage objectclasses in the schema partition."""
subcommands = {}
subcommands["show"] = cmd_schema_objectclass_show()
+ # Is this needed? It's a focused show afterall ...
+ # subcommands["query_attr"] =
cmd_schema_objectclass_query_attr()
"""Schema querying and management."""
diff --git a/python/samba/tests/samba_tool/schema.py
b/python/samba/tests/samba_tool/schema.py
index fdffe23b2b8..9a3f982f9d2 100644
--- a/python/samba/tests/samba_tool/schema.py
+++ b/python/samba/tests/samba_tool/schema.py
self.assertCmdSuccess(result, out, err)
+ """Tests that we can modify searchFlags of an attribute"""
+ (result, out, err) = self.runsubcmd("schema", "attribute",
+ "query_oc", "cn",
+ "-H", "ldap://%s" %
os.environ["DC_SERVER"],
+ "-U%s%%%s" %
(os.environ["DC_USERNAME"],
+ os.environ["DC_PASSWOR
D"]))
+
+ self.assertCmdSuccess(result, out, err)
+
"""Tests that we can display schema objectclasses"""
(result, out, err) = self.runsubcmd("schema",
"objectclass",
--
2.14.3
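The filter hardening discussed in the two messages above, as an added example that is not part of the thread's patch or of Samba's code: it escapes the attribute value per RFC 4515 before substituting it into the two filter templates from the patch, and by default rejects anything not shaped like an attribute name. The function names and the input `cn)(objectClass=*` are constructed for illustration.

```python
import re

# Filter templates as they appear in the patch under review.
MAY_TEMPLATE = ("(&(objectClass=classSchema)"
                "(|(mayContain={0})(systemMayContain={0})))")
MUST_TEMPLATE = ("(&(objectClass=classSchema)"
                 "(|(mustContain={0})(systemMustContain={0})))")

# RFC 4515 section 3: NUL, '(', ')', '*' and '\' inside an assertion value
# must be written as a backslash followed by two hex digits.
FILTER_SPECIALS = set("\x00()*\\")

# Shape of an attribute name: an RFC 4512 descriptor or a dotted numeric OID.
ATTR_NAME = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)")


def escape_filter_value(value):
    """Return value with every filter metacharacter hex-escaped."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch
                   for ch in value)


def build_filters(attribute, strict=True):
    """Build the MAY and MUST filters for one attribute name.

    strict=True refuses input that is not an attribute name at all;
    strict=False still escapes, so the value is only ever matched literally.
    """
    if strict and not ATTR_NAME.fullmatch(attribute):
        raise ValueError("not a valid attribute name: %r" % attribute)
    safe = escape_filter_value(attribute)
    return MAY_TEMPLATE.format(safe), MUST_TEMPLATE.format(safe)


def naive_may_filter(attribute):
    """The behaviour of the patch as posted: plain string formatting."""
    return MAY_TEMPLATE.format(attribute)


def count_components(expression):
    """Count literal '(' characters, i.e. filter components in the string."""
    return expression.count("(")


if __name__ == "__main__":
    constructed = "cn)(objectClass=*"   # constructed input, not from the thread
    print("naive   :", naive_may_filter(constructed))
    print("escaped :", build_filters(constructed, strict=False)[0])
    print("components naive/escaped:",
          count_components(naive_may_filter(constructed)),
          count_components(build_filters(constructed, strict=False)[0]))
    try:
        build_filters(constructed)
    except ValueError as exc:
        print("strict  :", exc)
```

With the constructed input the unescaped filter grows from five components to seven, while the escaped one keeps the five that the template defines.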
William Brown via samba-technical
2018-04-30 23:08:06 UTC
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as we have
already a 'show' command. Just to reduce number of alternate
namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.

So perhaps review it as it is now?

Thanks!

William
Alexander Bokovoy via samba-technical
2018-05-01 07:16:28 UTC
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as we have
already a 'show' command. Just to reduce number of alternate namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.
I'd like it changed, yes.
--
/ Alexander Bokovoy
William Brown via samba-technical
2018-05-01 22:18:39 UTC
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as
we
have
already a 'show' command. Just to reduce number of alternate namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the
"creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.
I'd like it changed, yes.
Done! I have changed this for you and rerun the tests to assert it
worked.

Attaching the full patch series again so that it's easy to apply them
in order. I'll ask Andrew Bartlett to review these today also.

Thanks so much for your time Alex!

PS: these can also be found at:
https://github.com/Firstyear/samba/tree/configure

William
Alexander Bokovoy via samba-technical
2018-05-02 07:25:15 UTC
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as
we
have
already a 'show' command. Just to reduce number of alternate namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.
I'd like it changed, yes.
Done! I have changed this for you and rerun the tests to assert it
worked.
Attaching the full patch series again so that it's easy to apply them
in order. I'll ask Andrew Bartlett to review these today also.
Thanks so much for your time Alex!
https://github.com/Firstyear/samba/tree/configure
These patches look good now. RB+ from my side.

Andrew, are you going to review them as well?
--
/ Alexander Bokovoy
Stefan Metzmacher via samba-technical
2018-05-02 11:19:25 UTC
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than 'query_oc' as
we
have
already a 'show' command. Just to reduce number of alternate namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the
"creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.
I'd like it changed, yes.
Done! I have changed this for you and rerun the tests to assert it
worked.
Attaching the full patch series again so that it's easy to apply them
in order. I'll ask Andrew Bartlett to review these today also.
Thanks so much for your time Alex!
https://github.com/Firstyear/samba/tree/configure
These patches look good now. RB+ from my side.
Andrew, are you going to review them as well?
Just a very high level comment:

'samba-tool schema attribute show_oc <attribute>' looks very strange
with the '_oc'.

I'd prefer something like:
'samba-tool schema attribute objectclasses <attribute>'

metze
William Brown via samba-technical
2018-05-02 21:32:16 UTC
On Wed, 2018-05-02 at 13:19 +0200, Stefan Metzmacher via samba-
Post by Stefan Metzmacher via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
May be the command would be 'show_oc' rather than
'query_oc' as
we
have
already a 'show' command. Just to reduce number of
alternate
namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Ohh if I wasn't clear. I think the current name is good, but I can
change it if we really insist.
I'd like it changed, yes.
Done! I have changed this for you and rerun the tests to assert it
worked.
Attaching the full patch series again so that it's easy to apply them
in order. I'll ask Andrew Bartlett to review these today also.
Thanks so much for your time Alex!
https://github.com/Firstyear/samba/tree/configure
These patches look good now. RB+ from my side.
Andrew, are you going to review them as well?
'samba-tool schema attribute show_oc <attribute>' looks very strange
with the '_oc'.
'samba-tool schema attribute objectclasses <attribute>'
metze
As a native speaker, this comment doesn't sit well with me. The command
needs a verb to indicate the action.

Right now you have as an example:

samba-tool schema attribute show   <attribute>
<noun>     <noun> <noun>    <verb> <noun>

So at least there is some idea of "I'm going to VERB a NOUN which is a
subset of NOUN, NOUN". IE "I'm going to SHOW a UID which is a subset of
ATTRIBUTE, SCHEMA".

So for this to make sense a verb has to exist.

When I read "schema attribute objectclasses <attribute>", because they
are all nouns I don't know what action will occur.

So this is why I think query or show are important to retain in this
context - I would be open to:

show_oc
show_classes
show_objectclasses
query_oc
query_classes
query_objectclasses

Hope that helps!

Thanks,

William
William Brown via samba-technical
2018-05-14 03:02:23 UTC
On Wed, 2018-05-02 at 10:18 +1200, William Brown via samba-technical
0x1: create an equality index for this attribute.
+ 0x2: create a container index for this attribute (ie OU).
+ 0x4: specify that this attribute is a member of the ambiguous
name
+ resolution set.
+ 0x8: indicate that the value of this attribute should be
preserved when
+ the object is converted to a tombstone (deleted).
+ 0x10: hint to clients that this attribute should be copied.
+ 0x20: create a tuple index for this attribute. This is used in
substring
+ queries.
+ 0x40: create a browsing index for this attribute. VLV searches
require this.
+ 0x80: indicate that the attribute is confidental and requires
special access
+ checks.
+ 0x100: indicate that changes to this value should NOT be
audited.
+ 0x200: indicate that this value should not be replicated to
RODCs.
+ 0x400: indicate to the DC to perform extra link tracking.
+ 0x800: indicate that this attribute should only be displayed
when the search
+ scope of the query is SCOPE_BASE or a single object
result.
+ 0x1000: indicate that this attribute is a partition secret and
requires
+ special access checks.
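Review bot: In the `0x80` entry of this help text, "confidental" should read "confidential". This list is what administrators will read when setting the flags that gate access checks (`0x80`, `0x1000`) and RODC replication (`0x200`), so each entry should also carry the flag's symbolic name next to the hex value, so that it can be matched against the `bitFields["searchflags"]` table.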
I think we should ensure the flags are modified by string (eg fI, not
by integer (so we don't have magic int values in scripts that will be
written around this) and just support the values that Samba supports
for now.
# ADTS: 2.2.9
# bit positions as labeled in the docs
bitFields["searchflags"] = {
'fATTINDEX': 31, # IX
'fPDNTATTINDEX': 30, # PI
'fANR': 29, # AR
'fPRESERVEONDELETE': 28, # PR
'fCOPY': 27, # CP
'fTUPLEINDEX': 26, # TP
'fSUBTREEATTINDEX': 25, # ST
'fCONFIDENTIAL': 24, # CF
'fNEVERVALUEAUDIT': 23, # NV
'fRODCAttribute': 22, # RO
# missing in ADTS but required by LDIF
'fRODCFilteredAttribute': 22, # RO ?
'fCONFIDENTAIL': 24, # typo
'fRODCFILTEREDATTRIBUTE': 22 # case
}
The rest looks quite useful and reasonable, but I need to look over
it
again more carefully.
So that section you mention is documentation, not code. To be sure of
what you are asking:

Do you want the documentation updated to match the bit positions?

Or are you asking that the command take the "named bit location" and
then OR's the result to create the schema behaviour value? IE:

/usr/local/samba/bin/samba-tool schema attribute modify --searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"

I suspect this is your request, but I want to be sure,

Thanks,

William
Andrew Bartlett via samba-technical
2018-05-14 03:09:00 UTC
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be sure of
Do you want the documentation updated to match the bit positions?
Or are you asking that the command take the "named bit location" and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
William Brown via samba-technical
2018-05-14 04:03:57 UTC
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be sure of
Do you want the documentation updated to match the bit positions?
Or are you asking that the command take the "named bit location" and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in
0005-python-samba-netcmd-schema.py-add-schema-query-and-m.patch

You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.

Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)

Thank you,

William
Andrew Bartlett via samba-technical
2018-05-14 04:14:59 UTC
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be sure of
Do you want the documentation updated to match the bit positions?
Or are you asking that the command take the "named bit location" and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in 0005-python-
samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.

The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.

Also, on the show command, do the reverse mapping back to the string
flags.

Finally, you seem to be looking for ldb.get_schema_basedn() with your
patch to samdb.py.

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
William Brown via samba-technical
2018-05-14 05:18:50 UTC
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be
sure
of
Do you want the documentation updated to match the bit
positions?
Or are you asking that the command take the "named bit
location"
and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in 0005-
python-
samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
Post by Andrew Bartlett via samba-technical
Also, on the show command, do the reverse mapping back to the string
flags.
That's quite a bit more invasive, but can be done.
Post by Andrew Bartlett via samba-technical
Finally, you seem to be looking for ldb.get_schema_basedn() with your
patch to samdb.py.
Ahhhhhh okay. I'll check this and update soon.

Thanks!
Alexander Bokovoy via samba-technical
2018-05-14 06:32:48 UTC
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be
sure
of
Do you want the documentation updated to match the bit
positions?
Or are you asking that the command take the "named bit
location"
and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in 0005-
python-
samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
I am actually not sure we should be adding all case variants there. Why
not to use something like str.upper() on the input before checking if
the flag exists in the name-to-bit dictionary? And use uppercased
versions in the dictionary. Or the low-cased ones, doesn't matter.

I can understand adding typo-ed versions there, though.
--
/ Alexander Bokovoy
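The name-based searchFlags handling requested in the messages above, as an added example that is not the code from the patch series: it turns a comma-separated list of flag names into the integer value, folds case as suggested in the message above, rejects unknown names, and maps a value back to names for the show command. The bit positions are the ones in the `bitFields["searchflags"]` table quoted in the thread; the function names are constructed for illustration.

```python
# Bit positions from the bitFields["searchflags"] table quoted in the thread.
# They follow the documentation's numbering, where position 31 is the least
# significant bit (fATTINDEX = 0x1, fCONFIDENTIAL = 0x80). The typo and
# alternate-case aliases in that table are left out; case folding below
# covers the case variants.
SEARCHFLAG_BITS = {
    'fATTINDEX': 31,
    'fPDNTATTINDEX': 30,
    'fANR': 29,
    'fPRESERVEONDELETE': 28,
    'fCOPY': 27,
    'fTUPLEINDEX': 26,
    'fSUBTREEATTINDEX': 25,
    'fCONFIDENTIAL': 24,
    'fNEVERVALUEAUDIT': 23,
    'fRODCAttribute': 22,
}

# Upper-cased name -> canonical name, so lookups ignore case.
BY_FOLDED_NAME = {name.upper(): name for name in SEARCHFLAG_BITS}


def bit_value(position):
    """Convert a documented bit position (31 = LSB) to its integer mask."""
    return 1 << (31 - position)


def parse_searchflags(text):
    """Parse 'fATTINDEX,fCONFIDENTIAL' into the integer searchFlags value.

    Any unknown or empty name raises ValueError, so a mistyped flag is an
    error instead of a silently missing bit.
    """
    value = 0
    for raw in text.split(","):
        token = raw.strip()
        name = BY_FOLDED_NAME.get(token.upper())
        if name is None:
            raise ValueError("unknown searchFlags name: %r" % token)
        value |= bit_value(SEARCHFLAG_BITS[name])
    return value


def format_searchflags(value):
    """Map an integer back to flag names, lowest bit first.

    Returns (names, remaining); remaining holds any bits that have no name
    in the table, so the caller can display them instead of dropping them.
    """
    names = []
    remaining = value
    for name, position in sorted(SEARCHFLAG_BITS.items(),
                                 key=lambda item: -item[1]):
        mask = bit_value(position)
        if value & mask:
            names.append(name)
            remaining &= ~mask
    return names, remaining


if __name__ == "__main__":
    requested = "fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"  # from the thread
    value = parse_searchflags(requested)
    print("%s -> 0x%x" % (requested, value))
    print("0x%x -> %s" % (value, format_searchflags(value)))
```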
William Brown via samba-technical
2018-05-14 06:37:12 UTC
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be
sure
of
Do you want the documentation updated to match the bit
positions?
Or are you asking that the command take the "named bit
location"
and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in 0005-
python-
samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
I am actually not sure we should be adding all case variants there. Why
not to use something like str.upper() on the input before checking if
the flag exists in the name-to-bit dictionary? And use uppercased
versions in the dictionary. Or the low-cased ones, doesn't matter.
I can understand adding typo-ed versions there, though.
They existed before my patch, I just re-arranged them to bit order. I only added two new bit locations.

Hope that explains the change a bit better
Post by Alexander Bokovoy via samba-technical
--
/ Alexander Bokovoy
Alexander Bokovoy via samba-technical
2018-05-14 06:52:46 UTC
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
So that section you mention is documentation, not code. To be
sure
of
Do you want the documentation updated to match the bit
positions?
Or are you asking that the command take the "named bit
location"
and
Yes.
Post by William Brown via samba-technical
/usr/local/samba/bin/samba-tool schema attribute modify --
searchflags="fATTINDEX,fSUBTREEATTINDEX,fCONFIDENTIAL"
I suspect this is your request, but I want to be sure,
Correct, something like that.
Andrew Bartlett
Thanks mate! I've done exactly this. The changes are in
0005-python-samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
I am actually not sure we should be adding all case variants there. Why
not use something like str.upper() on the input before checking if
the flag exists in the name-to-bit dictionary? And use uppercased
versions in the dictionary. Or the low-cased ones, doesn't matter.
I can understand adding typo-ed versions there, though.
They existed before my patch, I just re-arranged them to bit order. I only added two new bit locations.
Hope that explains the change a bit better
Yes, I understand that. Maybe you would add another patch in the
patchset that transforms the resulting dictionary look up?
--
/ Alexander Bokovoy
Andrew Bartlett via samba-technical
2018-05-14 08:31:21 UTC
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Thanks mate! I've done exactly this. The changes are in
0005-python-samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
I'm concerned that having a tool that sets options that Samba just
doesn't honour would be misleading. We should make clear which options
we don't support.
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Also, on the show command, do the reverse mapping back to the string
flags.
That's quite a bit more invasive, but can be done.
Most mortals don't do hex bitmasks in their heads nearly as well as a
computer can :-)

For both get and set, unknown flags can still be represented in hex,
but I don't fancy the support enquiries about flags our tools support
but our server ignores.
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Finally, you seem to be looking for ldb.get_schema_basedn() with your
patch to samdb.py.
Ahhhhhh okay. I'll check this and update soon.
Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
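
The searchflags handling discussed in the messages above (case-insensitive name lookup, reverse mapping to names for display, unknown bits kept as hex), as an added sketch that is not the code from the patch. The bit values are the searchFlags bits named in MS-ADTS; the `ignored` parameter is hypothetical, since the thread does not settle which flags Samba ignores.

```python
# searchFlags bits of attributeSchema as named in MS-ADTS (first ten bits).
SEARCH_FLAGS = {
    "fATTINDEX": 0x001,
    "fPDNTATTINDEX": 0x002,
    "fANR": 0x004,
    "fPRESERVEONDELETE": 0x008,
    "fCOPY": 0x010,
    "fTUPLEINDEX": 0x020,
    "fSUBTREEATTINDEX": 0x040,
    "fCONFIDENTIAL": 0x080,
    "fNEVERVALUEAUDIT": 0x100,
    "fRODCFilteredAttribute": 0x200,
}
# One canonical spelling per bit; user input is matched case-insensitively.
_BY_UPPER = {name.upper(): bit for name, bit in SEARCH_FLAGS.items()}


def parse_search_flags(text):
    """Turn 'fATTINDEX,fCONFIDENTIAL' (any case) or '0x81' into a bitmask."""
    mask = 0
    for token in text.split(","):
        token = token.strip()
        key = token.upper()
        if key in _BY_UPPER:
            mask |= _BY_UPPER[key]
        elif key.startswith("0X"):
            mask |= int(token, 16)  # ValueError on malformed hex
        else:
            raise ValueError("unknown searchflag: %r" % token)
    return mask


def format_search_flags(mask, ignored=()):
    """Reverse mapping for display: names for known bits, hex for the rest.

    `ignored` lists flag names the server does not act on (hypothetical
    parameter, supplied by the caller).
    """
    ignored_upper = {name.upper() for name in ignored}
    labels, rest = [], mask
    for name, bit in SEARCH_FLAGS.items():
        if mask & bit:
            note = " (not honoured)" if name.upper() in ignored_upper else ""
            labels.append(name + note)
            rest &= ~bit
    if rest:
        labels.append(hex(rest))  # bits without a known name stay visible
    return labels
```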
William Brown via samba-technical
2018-05-16 09:14:43 UTC
On Mon, 2018-05-14 at 20:31 +1200, Andrew Bartlett via samba-technical
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
On Mon, 2018-05-14 at 14:03 +1000, William Brown via samba-technical
Post by William Brown via samba-technical
Thanks mate! I've done exactly this. The changes are in
0005-python-samba-netcmd-schema.py-add-schema-query-and-m.patch
You'll also note I've updated the test cases to check for invalid
flags, wrong capitalisation, the --help is updated, and two extra
flags are added to ms_schema.
Once again, the 6 patches attached (sorry, I forgot the trick you
showed me to get these into a single file)
--stdout.
The other thing I requested previously is to trim the list down to (or
at the very least mark) those flags we in Samba actually honour. For
example, we always do a one-level index, so that flag is never used.
Which flag is this specifically? Really we need all the flags there
because if we get the schema from an MSADDC we'll need to know how to
translate it ...
I'm concerned that having a tool that sets options that Samba just
doesn't honour would be misleading. We should make clear which options
we don't support.
Yes, but a Windows DC in a domain/forest might support them ...

Better to just document they don't do anything but leave them defined
because they may be in schema and need display.
Post by Andrew Bartlett via samba-technical
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Also, on the show command, do the reverse mapping back to the string
flags.
That's quite a bit more invasive, but can be done.
Most mortals don't do hex bitmasks in their heads nearly as well as a
computer can :-)
WHAT! This is crazy talk, I thought everyone could just read hex at
birth :) (joking)

It's more that I want the patches to be "finished"; I don't like adding
more and more to them. But I can also see that "doing it right" is your
intent here, so I'm happy to do this.
Post by Andrew Bartlett via samba-technical
For both get and set, unknown flags can still be represented in hex,
but I don't fancy the support enquiries about flags our tools support
but our server ignores.
Post by William Brown via samba-technical
Post by Andrew Bartlett via samba-technical
Finally, you seem to be looking for ldb.get_schema_basedn() with your
patch to samdb.py.
Ahhhhhh okay. I'll check this and update soon.
Thanks,
Andrew Bartlett
Alexander Bokovoy via samba-technical
2018-05-01 07:15:41 UTC
Post by William Brown via samba-technical
On Mon, 2018-04-30 at 08:48 +0300, Alexander Bokovoy via samba-
Post by Alexander Bokovoy via samba-technical
Post by William Brown via samba-technical
Hi,
This is (yet another) patch to samba-tool. It extends the (still under
review) schema attribute command to allow querying "what objectclass
*could* hold this attribute".
It's really useful for things like "Hey I need to add the attribute
userClass to my person. What auxiliary objectClass do I need to add to
my user to allow userClass to exist on it?"
Sounds useful, indeed.
A general comment: we need to do something with user-passed values used
to evaluate inside a filter. Right now there is no hardening, no LDAP
escaping, etc. It could be a security nightmare one day.
This seems to be the case all over the samdb api though. Today it's
"not too bad" because all these commands would (hopefully) only be run
interactively, not from a script. And even then, in this case you
probably can't do *too* much damage.
But the risk is there. I think that in the future I want to move the
logic of some of these operations out of the CLI where it currently is,
and move it to samdb.py. It would be there that we can do filter
templating and proper escaping of input.
We have an escaping mechanism built into the lib389 object mechanism
that does this already (because lib389 will end up in ipa/web apps I
expect), so this design already works in my experience. I'm hoping to
recreate a subset of this work in the samba project as in general it
would be excellent to be able to "expose" samdb as a more complete
object manipulation API than it currently is today.
I think in summary - It's in my mind, I just need to find the time to
do it. And as you know Alex, I have plenty of time at the moment ;)
Could you please open a bug at bugzilla.samba.org so that it is not
forgotten from the perspective of release management?
Post by William Brown via samba-technical
Post by Alexander Bokovoy via samba-technical
Maybe the command would be 'show_oc' rather than 'query_oc' as we have
already a 'show' command. Just to reduce number of alternate namings...
The alternate naming helps autocomplete, and also makes the command
"unique". But I certainly also see your point to limit the "creep".
Autocomplete works for multiple commands with a common prefix too, it is
not a problem. I do want to reduce this 'leakage' for non-native
speakers, though.
--
/ Alexander Bokovoy