
Re: How to obtain a 'version number' of an attributes



> On Tue, 2010-05-25 at 05:11 +0200, masarati@aero.polimi.it wrote:
>> > I've got a little challenge...
>> >
>> > there is an attribute in AD call msDS-KeyVersionNumber.  In AD this
>> > operational attribute increments each time the unicodePwd attribute is
>> > updated.  It is typically a small integer, being the number of times
>> > that the password has ever been changed.
>> >
>> > In Samba4, we maintain this by looking into our replication metadata
>> > (replPropertyMetaData), and returning a counter that is maintained
>> > there.
>> >
>> > I could maintain this manually from Samba's side (this is what we did in
>> > the past), but I wanted to first check if there was something already
>> > stored that I could convert.
>>
>> If I understand correctly what you're asking for, modifications of the
>> unicodePwd attribute should be accompanied by modify:increment of a
>> counter.  Something like:
>>
>> dn: cn=someone
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: <some value>
>> -
>>
>> should be transformed into
>>
>> dn: cn=someone
>> changetype: modify
>> replace: unicodePwd
>> unicodePwd:: <some value>
>> -
>> increment: msDS-KeyVersionNumber
>> msDS-KeyVersionNumber: 1
>> -
>>
>> This way, the modification is atomic.  As usual, this could be
>> accomplished by stacking an overlay that intercepts modifications to
>> specified attributes, like unicodePwd.
>>
>> Can you formalize this a little bit more?
>
> That's pretty much what I was looking for.  The exact semantics don't
> matter too much, but this I need:
>  - a 'small' monotonically increasing integer
>  - only increases for unicodePwd, not other updates.
>  - always strictly related to the unicodePwd value it was incremented
> for (as it will be used as an abstract identifier, along with the
> DN/samaccountname/etc to identify the secret unicodePwd value).

In contrib/slapd-modules/samba4/ there's now a vernum overlay (vernum.c,
*very* experimental) that:

- defines the attribute msDS-KeyVersionNumber (with some changes) as

    ( 1.2.840.113556.1.4.1782
        NAME 'msDS-KeyVersionNumber'
        DESC 'in the original specification the syntax is 2.5.5.9'
        SYNTAX '1.3.6.1.4.1.1466.115.121.1.27'
        EQUALITY integerMatch
        SINGLE-VALUE
        USAGE dSAOperation
        NO-USER-MODIFICATION )

I plan to define our own; name suggestions are welcome.

- expects 'unicodePwd' to be defined

- increments msDS-KeyVersionNumber any time unicodePwd is modified, or
creates it with value '0' if an entry is added with unicodePwd

- "sanitizes" the database at startup, by creating msDS-KeyVersionNumber
in existing entries that contain unicodePwd

I realize right now that it doesn't handle the case of a modify that
actually adds the unicodePwd attribute; I'll deal with this shortly.

I plan to make both attrs configurable, so it may be useful in other
cases.  Right now all you need to do is instantiate the overlay

overlay vernum

and it'll use the default attrs.

p.
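As an added illustration (not the vernum overlay's own code), a small Python model of the behaviour the reply describes, run through a constructed sequence of adds and modifies so the requirements in the quoted message can be checked: the counter starts at 0, moves only when unicodePwd changes, and moves in the same operation. Treating a modify that first adds unicodePwd like an add (version 0) is an assumption of the model, since the reply says that case is not handled yet.

```python
# Added model of the vernum behaviour (not the overlay's own code).
PWD_ATTR = "unicodePwd"             # attribute whose change bumps the counter
VER_ATTR = "msDS-KeyVersionNumber"  # the counter, per the reply's defaults


def add_entry(directory, dn, attrs):
    """LDAP add: an entry that carries unicodePwd starts at version 0."""
    entry = dict(attrs)
    if PWD_ATTR in entry:
        entry[VER_ATTR] = 0
    directory[dn] = entry


def modify_entry(directory, dn, changes):
    """LDAP modify; `changes` is a list of (op, attr, value) tuples.
    The counter moves only when unicodePwd is part of the same change,
    mirroring the atomic "replace + increment" LDIF from the thread."""
    entry = directory[dn]
    touched_pwd = False
    for op, attr, value in changes:
        if op in ("replace", "add"):
            entry[attr] = value
        elif op == "delete":
            entry.pop(attr, None)
        touched_pwd = touched_pwd or attr == PWD_ATTR
    if touched_pwd and PWD_ATTR in entry:
        # A modify that first *adds* unicodePwd is the case the reply says is
        # not handled yet; starting it at 0 like an add is this model's assumption.
        entry[VER_ATTR] = entry.get(VER_ATTR, -1) + 1


def sanitize(directory):
    """Startup pass: give pre-existing unicodePwd entries a counter of 0."""
    fixed = 0
    for entry in directory.values():
        if PWD_ATTR in entry and VER_ATTR not in entry:
            entry[VER_ATTR] = 0
            fixed += 1
    return fixed


def scenario():
    """Constructed sequence of operations; returns the resulting directory."""
    d = {"cn=legacy": {PWD_ATTR: b"old"}}   # entry written before the overlay
    sanitize(d)
    add_entry(d, "cn=alice", {PWD_ATTR: b"p1"})
    modify_entry(d, "cn=alice", [("replace", PWD_ATTR, b"p2")])
    modify_entry(d, "cn=alice", [("replace", "description", "unrelated")])
    add_entry(d, "cn=bob", {"description": "no password yet"})
    modify_entry(d, "cn=bob", [("add", PWD_ATTR, b"q1")])
    return d
```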