Added a function to check if an attribute can belong to a filtered replica.

4 files changed, 130 insertions, 2 deletions

diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk
index 4363399bc33..1ab0cb2102f 100644
--- a/source4/dsdb/config.mk
+++ b/source4/dsdb/config.mk
@@ -43,7 +43,8 @@ SAMDB_SCHEMA_OBJ_FILES = $(addprefix $(dsdbsrcdir)/schema/, \
 		schema_convert_to_ol.o \
 		schema_inferiors.o \
 		schema_prefixmap.o \
-		schema_info_attr.o)
+		schema_info_attr.o \
+		schema_filtered.o)
 
 $(eval $(call proto_header_template,$(dsdbsrcdir)/schema/proto.h,$(SAMDB_SCHEMA_OBJ_FILES:.o=.c)))
 # PUBLIC_HEADERS += dsdb/schema/schema.h
diff --git a/source4/dsdb/schema/schema_filtered.c b/source4/dsdb/schema/schema_filtered.c
new file mode 100644
index 00000000000..304160d4730
--- /dev/null
+++ b/source4/dsdb/schema/schema_filtered.c
@@ -0,0 +1,110 @@
+/* 
+   Unix SMB/CIFS mplementation.
+   API for determining af an attribute belongs to the filtered set.
+   
+   Copyright (C) Nadezhda Ivanova <nivanova@samba.org> 2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+   
+*/
+#include "includes.h"
+#include "dsdb/samdb/samdb.h"
+#include "dsdb/common/util.h"
+#include "lib/ldb/include/ldb_errors.h"
+#include "../lib/util/dlinklist.h"
+#include "param/param.h"
+
+const char *never_in_filtered_attrs[] = { "accountExpires",
+				     "codePage",
+				     "creationTime",
+				     "currentValue",
+				     "dBCSPwd",
+				     "dNSHostName",
+				     "displayName",
+				     "domainReplica",
+				     "fSMORoleOwner",
+				     "flatName",
+				     "initialAuthIncoming",
+				     "initialAuthOutgoing",
+				     "isCriticalSystemObject",
+				     "lmPwdHistory",
+				     "lockOutObservationWindow",
+				     "lockoutDuration",
+				     "lockoutTime",
+				     "logonHours",
+				     "maxPwdAge",
+				     "minPwdAge",
+				     "minPwdLength",
+				     "msDS-AdditionalDnsHostName",
+				     "msDS-AdditionalSamAccountName",
+				     "msDS-AllowedToDelegateTo",
+				     "msDS-AuthenticatedAtDC",
+				     "msDS-ExecuteScriptPassword",
+				     "msDS-KrbTgtLink",
+				     "msDS-SPNSuffixes",
+				     "msDS-SupportedEncryptionTypes",
+				     "msDS-TrustForestTrustInfo",
+				     "nETBIOSName",
+				     "nTMixedDomain",
+				     "notFiltlockoutThreshold",
+				     "ntPwdHistory",
+				     "operatingSystem",
+				     "operatingSystemServicePack",
+				     "operatingSystemVersion",
+				     "priorValue",
+				     "pwdHistoryLength",
+				     "pwdLastSet",
+				     "pwdProperties",
+				     "rid",
+				     "sIDHistory",
+				     "securityIdentifier",
+				     "servicePrincipalName",
+				     "supplementalCredentials",
+				     "trustAttributes",
+				     "trustAuthIncoming",
+				     "trustAuthOutgoing",
+				     "trustDirection",
+				     "trustParent",
+				     "trustPartner",
+				     "trustPosixOffset",
+				     "trustType",
+				     "unicodePwd"
+};
+
+/* returns true if the attribute can be in a filtered replica */
+
+bool dsdb_attribute_is_attr_in_filtered_replica(struct dsdb_attribute *attribute)
+{
+	int i, size = sizeof(never_in_filtered_attrs)/sizeof(char *);
+	if (attribute->systemOnly ||
+	    attribute->schemaFlagsEx & DS_FLAG_ATTR_IS_CRITICAL) {
+		return false;
+	}
+	if (attribute->systemFlags & (DS_FLAG_ATTR_NOT_REPLICATED |
+				      DS_FLAG_ATTR_REQ_PARTIAL_SET_MEMBER |
+				      DS_FLAG_ATTR_IS_CONSTRUCTED)) {
+		return false;
+	}
+
+	for (i=0; i < size; i++) {
+		if (strcmp(attribute->lDAPDisplayName, never_in_filtered_attrs[i]) == 0) {
+			return false;
+		}
+	}
+
+	if (attribute->searchFlags & SEARCH_FLAG_RODC_ATTRIBUTE) {
+		return false;
+	}
+	return true;
+}
diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build
index dbe1f483a58..92f056197b3 100644
--- a/source4/dsdb/wscript_build
+++ b/source4/dsdb/wscript_build
@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('SAMDB_COMMON',
 
 
 bld.SAMBA_SUBSYSTEM('SAMDB_SCHEMA',
-	source='schema/schema_init.c schema/schema_set.c schema/schema_query.c schema/schema_syntax.c schema/schema_description.c schema/schema_convert_to_ol.c schema/schema_inferiors.c schema/schema_prefixmap.c schema/schema_info_attr.c',
+	source='schema/schema_init.c schema/schema_set.c schema/schema_query.c schema/schema_syntax.c schema/schema_description.c schema/schema_convert_to_ol.c schema/schema_inferiors.c schema/schema_prefixmap.c schema/schema_info_attr.c schema/schema_filtered.c',
 	autoproto='schema/proto.h',
 	deps='SAMDB_COMMON NDR_DRSUAPI NDR_DRSBLOBS LDBSAMBA tevent'
 	)
diff --git a/source4/torture/ldap/schema.c b/source4/torture/ldap/schema.c
index c9423409a86..af33de9d0a8 100644
--- a/source4/torture/ldap/schema.c
+++ b/source4/torture/ldap/schema.c
@@ -356,6 +356,22 @@ static bool test_dump_sorted_syntax(struct ldb_context *ldb, struct test_rootDSE
 	return true;
 }
 
+static bool test_dump_not_in_filtered_replica(struct ldb_context *ldb, struct test_rootDSE *root, struct dsdb_schema *schema)
+{
+	struct dsdb_attribute *a;
+	uint32_t a_i = 1;
+
+	d_printf("Dumping attributes not in filtered replica\n");
+
+	for (a=schema->attributes; a; a = a->next) {
+		if (!dsdb_attribute_is_attr_in_filtered_replica(a)) {
+			d_printf("attr[%4u]: '%s'\n", a_i++,
+				 a->lDAPDisplayName);
+		}
+	}
+	return true;
+}
+
 bool torture_ldap_schema(struct torture_context *torture)
 {
 	struct ldb_context *ldb;
@@ -384,6 +400,7 @@ bool torture_ldap_schema(struct torture_context *torture)
 	ret &= test_dump_partial(ldb, &rootDSE, schema);
 	ret &= test_dump_contructed(ldb, &rootDSE, schema);
 	ret &= test_dump_sorted_syntax(ldb, &rootDSE, schema);
+	ret &= test_dump_not_in_filtered_replica(ldb, &rootDSE, schema);
 
 failed:
 	return ret;