s4 upgradeprovision: Adapt the list of attribute modified
authorMatthieu Patou <mat@matws.net>
Sun, 11 Jul 2010 13:27:13 +0000 (17:27 +0400)
committerMatthieu Patou <mat@matws.net>
Tue, 13 Jul 2010 19:54:51 +0000 (23:54 +0400)
* isMemberOfPartialAttributeSet is now allowed to be deleted (on schema
 objects)
* attributeDisplayNames is now allowed to be added and modified (used on
  display specifiers)
* spnMapping is now allowed to be altered on Directory Service objects
* minPwdAge is now modified if the previous value was 0

We issue a clear message about the userControl attribute for the
administrator, inviting the user to modify the value himself.

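--- a/source4/scripting/bin/upgradeprovision
+++ b/source4/scripting/bin/upgradeprovision
@@ -105,7 +105,9 @@ hashOverwrittenAtt = {  "prefixMap": replace, "systemMayContain": replace,
                         "wellKnownObjects":replace, "privilege":never,
                         "defaultSecurityDescriptor": replace,
                         "rIDAvailablePool": never,
-                        "defaultSecurityDescriptor": replace + add }
+                        "defaultSecurityDescriptor": replace + add,
+                        "isMemberOfPartialAttributeSet": delete,
+                        "attributeDisplayNames": replace + add}
 
 
 backlinked = []
@@ -287,7 +289,7 @@ def print_provision_key_parameters(names):
     message(GUESS, "domainlevel :" + str(names.domainlevel))
 
 
-def handle_special_case(att, delta, new, old, usn):
+def handle_special_case(att, delta, new, old, usn, basedn, aldb):
     """Define more complicate update rules for some attributes
 
     :param att: The attribute to be updated
@@ -296,6 +298,8 @@ def handle_special_case(att, delta, new, old, usn):
     :param new: The reference object
     :param old: The Updated object
     :param usn: The highest usn modified by a previous (upgrade)provision
+    :param basedn: The base DN of the provision
+    :param aldb: An ldb object used to build DN
     :return: True to indicate that the attribute should be kept, False for
              discarding it"""
 
@@ -304,6 +308,23 @@ def handle_special_case(att, delta, new, old, usn):
     # highest usn as otherwise the replPropertyMetaData will guide us more
     # correctly
     if usn is None:
+        if (att == "sPNMappings" and flag == FLAG_MOD_REPLACE and
+            ldb.Dn(aldb, "CN=Directory Service,CN=Windows NT,"
+                        "CN=Services,CN=Configuration,%s" % basedn)
+                        == old[0].dn):
+            return True
+        if (att == "userAccountControl" and flag == FLAG_MOD_REPLACE and
+            ldb.Dn(aldb, "CN=Administrator,CN=Users,%s" % basedn)
+                        == old[0].dn):
+            message(SIMPLE, "We suggest that you change the userAccountControl"
+                            " for user Administrator from value %d to %d" %
+                            (int(str(old[0][att])), int(str(new[0][att]))))
+            return False
+        if (att == "minPwdAge" and flag == FLAG_MOD_REPLACE):
+            if (long(str(old[0][att])) == 0):
+                delta[att] = MessageElement(new[0][att], FLAG_MOD_REPLACE, att)
+            return True
+
         if (att == "member" and flag == FLAG_MOD_REPLACE):
             hash = {}
             newval = []
@@ -825,7 +846,7 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
                 # idea to change it
                     delta.remove(att)
                     continue
-                if handle_special_case(att, delta, reference, current, usns):
+                if handle_special_case(att, delta, reference, current, usns, basedn, samdb):
                     # This attribute is "complicated" to handle and handling
                     # was done in handle_special_case
                     continue
@@ -883,7 +904,7 @@ def update_present(ref_samdb, samdb, basedn, listPresent, usns, invocationid):
                 if not hashOverwrittenAtt.has_key(att):
                     if msgElt.flags() != FLAG_MOD_ADD:
                         if not handle_special_case(att, delta, reference, current,
-                                                    usns):
+                                                    usns, basedn, samdb):
                             if opts.debugchange or opts.debugall:
                                 try:
                                     dump_denied_change(dn, att,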
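Review bot: In the added `minPwdAge` branch of `handle_special_case`, `return True` sits outside the `if (long(str(old[0][att])) == 0):` test, so the function answers "keep" for every FLAG_MOD_REPLACE on this attribute, not only when the previous value was 0. How `delta` is built is outside the hunks, but if it already carries the replace element computed against the reference provision, a non-zero minimum password age chosen by the administrator would be overwritten too, which contradicts the commit message and silently changes password policy. Consider ending the branch with `return long(str(old[0][att])) == 0` so a non-zero value is reported as discarded, after checking that the first call site in `update_present` then drops the attribute from `delta`. A short comment such as `# only reset minPwdAge when it was left at 0; keep any admin-chosen value` would make the intended rule explicit. The body of `handle_special_case` starts and ends outside the hunk, including the assignment of `flag`.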