dsdb: Ensure that a DN (now) pointing at a deleted object counts for objectclass...
author Andrew Bartlett <abartlet@samba.org>
Wed, 12 Sep 2018 19:48:04 +0000 (14:48 -0500)
committer Douglas Bagnall <dbagnall@samba.org>
Fri, 12 Oct 2018 02:16:22 +0000 (04:16 +0200)
Add the 'reveal_internals' controls when performing objectclass-based
checks of mandatory attributes. This prevents the extended_dn DSDB
module from suppressing attributes that point to deleted (i.e.
non-existent/expunged) objects.

This ensures that, when modifying an object (and often not even
touching the mandatory attribute) that the fact that an attribute is a
DN, and the DN target is deleted, that the schema check will still pass.

Otherwise a fromServer pointing at a dead server can cause failures,
i.e. you can't modify the affected object at all, because the DSDB
thinks a mandatory attribute is missing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13621

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail.d/attr_from_server [deleted file]
source4/dsdb/samdb/ldb_modules/objectclass_attrs.c

diff --git a/selftest/knownfail.d/attr_from_server b/selftest/knownfail.d/attr_from_server
deleted file mode 100644 (file)
index fd4f6b9..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
-# test currently fails because once we have a fromServer attribute that points
-# to a non-existent object, the extended_dn DSDB module then suppresses that
-# attribute, which means the object is missing a mandatory attribute, thus
-# invalidating the schema 
-^samba4.tests.attr_from_server.python\(ad_dc_ntvfs\).__main__.FromServerAttrTest.test_dangling_server_attr\(ad_dc_ntvfs:local\)
index cfacaf56420a3ae2981992ba820d8928ac576610..67c93ca08d8e2449008f7cd4d2cad41ce875b8ab 100644 (file)
@@ -617,6 +617,17 @@ static int oc_op_callback(struct ldb_request *req, struct ldb_reply *ares)
                return ldb_module_done(ac->req, NULL, NULL, ret);
        }
 
+       /*
+        * This ensures we see if there was a DN, that pointed at an
+        * object that is now deleted, that we still consider the
+        * schema check to have passed
+        */
+       ret = ldb_request_add_control(search_req, LDB_CONTROL_REVEAL_INTERNALS,
+                                     false, NULL);
+       if (ret != LDB_SUCCESS) {
+               return ldb_module_done(ac->req, NULL, NULL, ret);
+       }
+
        ret = ldb_next_request(ac->module, search_req);
        if (ret != LDB_SUCCESS) {
                return ldb_module_done(ac->req, NULL, NULL, ret);
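Review bot: The new comment above the ldb_request_add_control() call is hard to parse and never names the mechanism it works around. The commit message states it clearly: without reveal_internals, the extended_dn module suppresses attributes whose DN target is deleted, so a mandatory attribute such as fromServer looks missing to the schema check. Please reword the comment along those lines so the reason for the control is visible at the call site. A second, smaller point: the control is added with the critical flag set to false, while the check now depends on it being honoured. It is worth a word in the comment on why non-critical is sufficient here. The error path matches the block just above it, so no change is needed there.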