authorAndrew Bartlett <abartlet@samba.org>2007-06-21 10:18:20 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:53:27 -0500
commite9d19477e43b65f91bd152f5249b684dbefa5cc6 (patch)
treed8a0bae4a3d5f7cd7a6dd1069f1e174ff9c1b0f2 /source4
parentb3f3a4b52900a72de88bbb69e4ea3c425d49c2d8 (diff)
r23560: - Activate metze's schema modules (from metze's schema-loading-13 patch).
- samba3sam.js: rework the samba3sam test to not use objectCategory, as it has special rules (dnsName a simple match) - ldap.js: Test the ordering of the objectClass attributes for the baseDN - schema_init.c: Load the mayContain and mustContain (and system...) attributes when reading the schema from ldb - To make the schema load not suck in terms of performance, write the schema into a static global variable - ldif_handlers.c: Match objectCategory for equality and canonicalisation based on the loaded schema, not simple string manipulation - ldb_msg.c: don't duplicate attributes when adding attributes to a list - kludge_acl.c: return allowedAttributesEffective based on schema results and privileges Andrew Bartlett (This used to be commit dcff83ebe463bc7391841f55856d7915c204d000)
Diffstat (limited to 'source4')
-rw-r--r--source4/dsdb/samdb/ldb_modules/kludge_acl.c101
-rw-r--r--source4/dsdb/samdb/ldb_modules/schema_fsmo.c4
-rw-r--r--source4/dsdb/samdb/samdb.c1
-rw-r--r--source4/dsdb/schema/schema_init.c90
-rw-r--r--source4/lib/db_wrap.c5
-rw-r--r--source4/lib/ldb/common/ldb_msg.c12
-rw-r--r--source4/lib/ldb/samba/ldif_handlers.c71
-rw-r--r--source4/scripting/libjs/provision.js14
-rwxr-xr-xsource4/setup/provision6
-rw-r--r--source4/setup/provision_partitions.ldif6
-rw-r--r--source4/setup/provision_schema_basedn_modify.ldif18
11 files changed, 264 insertions, 64 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index ff0dd062fb..6b043aeb40 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -37,6 +37,7 @@
#include "ldb/include/ldb_private.h"
#include "auth/auth.h"
#include "libcli/security/security.h"
+#include "dsdb/samdb/samdb.h"
/* Kludge ACL rules:
*
@@ -105,13 +106,74 @@ struct kludge_acl_context {
int (*up_callback)(struct ldb_context *, void *, struct ldb_reply *);
enum user_is user_type;
+ bool allowedAttributes;
+ bool allowedAttributesEffective;
+ const char **attrs;
};
+/* read all objectClasses */
+
+static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg,
+ const char *attrName)
+{
+ struct ldb_message_element *oc_el = ldb_msg_find_element(msg, "objectClass");
+ struct ldb_message_element *allowedAttributes;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *class;
+ int i, j, ret;
+ ret = ldb_msg_add_empty(msg, attrName, 0, &allowedAttributes);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ for (i=0; i < oc_el->num_values; i++) {
+ class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
+ if (!class) {
+ /* We don't know this class? what is going on? */
+ continue;
+ }
+ for (j=0; class->mayContain && class->mayContain[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->mayContain[j]);
+ }
+ for (j=0; class->mustContain && class->mustContain[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->mustContain[j]);
+ }
+ for (j=0; class->systemMayContain && class->systemMayContain[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->systemMayContain[j]);
+ }
+ for (j=0; class->systemMustContain && class->systemMustContain[j]; j++) {
+ ldb_msg_add_string(msg, attrName, class->systemMustContain[j]);
+ }
+ }
+
+ if (allowedAttributes->num_values > 1) {
+ qsort(allowedAttributes->values,
+ allowedAttributes->num_values,
+ sizeof(*allowedAttributes->values),
+ data_blob_cmp);
+
+ for (i=1 ; i < allowedAttributes->num_values; i++) {
+ struct ldb_val *val1 = &allowedAttributes->values[i-1];
+ struct ldb_val *val2 = &allowedAttributes->values[i];
+ if (data_blob_cmp(val1, val2) == 0) {
+ memmove(val1, val2, (allowedAttributes->num_values - i) * sizeof( struct ldb_val));
+ allowedAttributes->num_values--;
+ i--;
+ }
+ }
+ }
+
+ return 0;
+
+}
+
+/* find all attributes allowed by all these objectClasses */
+
static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
{
struct kludge_acl_context *ac;
struct kludge_private_data *data;
- int i;
+ int i, ret;
if (!context || !ares) {
ldb_set_errstring(ldb, "NULL Context or Result in callback");
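Review bot: `oc_el` is dereferenced in the loop header `for (i=0; i < oc_el->num_values; i++)` without a NULL check, so a result entry that carries no objectClass element would crash kludge_acl_allowedAttributes for any client that asks for these attributes; add `if (oc_el == NULL) { return LDB_SUCCESS; }` before the loop. The `schema` pointer from dsdb_get_schema() is also passed on unchecked, and how the lookup helper treats a NULL schema is not visible here. The return values of the ldb_msg_add_string() calls are dropped, so an allocation failure silently yields a shorter list. The two new comments look swapped: "read all objectClasses" sits above this function and "find all attributes allowed by all these objectClasses" above kludge_acl_callback, whose body continues outside the hunk.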
@@ -121,12 +183,28 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
ac = talloc_get_type(context, struct kludge_acl_context);
data = talloc_get_type(ac->module->private_data, struct kludge_private_data);
- if (ares->type == LDB_REPLY_ENTRY
- && data && data->password_attrs) /* if we are not initialized just get through */
+ if (ares->type != LDB_REPLY_ENTRY) {
+ return ac->up_callback(ldb, ac->up_context, ares);
+ }
+
+ if (ac->allowedAttributes) {
+ ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributes");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
+
+ if (data && data->password_attrs) /* if we are not initialized just get through */
{
switch (ac->user_type) {
case SYSTEM:
case ADMINISTRATOR:
+ if (ac->allowedAttributesEffective) {
+ ret = kludge_acl_allowedAttributes(ldb, ares->message, "allowedAttributesEffective");
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+ }
break;
default:
/* remove password attributes */
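Review bot: The two new `return ret;` paths in kludge_acl_callback leave the function without handing `ares` to `ac->up_callback` and without passing through the `error:` label the function already has (visible in the next hunk; its body is not shown). If that label is where `ares` is released, these paths should be `goto error;` so the reply is not leaked when building the attribute list fails. allowedAttributesEffective is also only produced inside the `data && data->password_attrs` branch, so an administrator gets no value while the module is uninitialised; a one-line comment saying whether that is intended would help the next reader.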
@@ -136,6 +214,12 @@ static int kludge_acl_callback(struct ldb_context *ldb, void *context, struct ld
}
}
+ if ((ac->allowedAttributes || ac->allowedAttributesEffective) &&
+ (!ldb_attr_in_list(ac->attrs, "objectClass") &&
+ !ldb_attr_in_list(ac->attrs, "*"))) {
+ ldb_msg_remove_attr(ares->message, "objectClass");
+ }
+
return ac->up_callback(ldb, ac->up_context, ares);
error:
@@ -163,6 +247,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
ac->up_context = req->context;
ac->up_callback = req->callback;
ac->user_type = what_is_user(module);
+ ac->attrs = req->op.search.attrs;
down_req = talloc_zero(req, struct ldb_request);
if (down_req == NULL) {
@@ -174,7 +259,15 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
down_req->op.search.scope = req->op.search.scope;
down_req->op.search.tree = req->op.search.tree;
down_req->op.search.attrs = req->op.search.attrs;
-
+
+ ac->allowedAttributes = ldb_attr_in_list(req->op.search.attrs, "allowedAttributes");
+
+ ac->allowedAttributesEffective = ldb_attr_in_list(req->op.search.attrs, "allowedAttributesEffective");
+
+ if (ac->allowedAttributes || ac->allowedAttributesEffective) {
+ down_req->op.search.attrs
+ = ldb_attr_list_copy_add(down_req, down_req->op.search.attrs, "objectClass");
+ }
/* FIXME: I hink we should copy the tree and keep the original
* unmodified. SSS */
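Review bot: The result of ldb_attr_list_copy_add() is assigned straight to `down_req->op.search.attrs` with no NULL check. On allocation failure the downstream request would carry a NULL attribute list, which (presumably, as elsewhere in ldb) means "all attributes", so the search is widened instead of failed. Suggest `if (down_req->op.search.attrs == NULL) { return LDB_ERR_OPERATIONS_ERROR; }` right after the assignment. kludge_acl_search continues outside the hunk.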
diff --git a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c
index eb5d7e8e8e..3df887acb6 100644
--- a/source4/dsdb/samdb/ldb_modules/schema_fsmo.c
+++ b/source4/dsdb/samdb/ldb_modules/schema_fsmo.c
@@ -54,6 +54,10 @@ static int schema_fsmo_init(struct ldb_module *module)
NULL
};
+ if (dsdb_get_schema(module->ldb)) {
+ return ldb_next_init(module);
+ }
+
schema_dn = samdb_schema_dn(module->ldb);
if (!schema_dn) {
ldb_debug(module->ldb, LDB_DEBUG_WARNING,
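Review bot: The new early return at the top of schema_fsmo_init is undocumented, and it skips everything the rest of the function sets up whenever a schema is already attached to this ldb. A comment such as `/* a schema (e.g. the process-wide copy) is already attached: skip the load */` would make the intent clear. It would also be worth stating whether a schema cached this way is ever reloaded after the schema partition changes; nothing in the visible lines does so. The remainder of the function is outside the hunk.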
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 2208bb9333..2ae0fe25ac 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -50,6 +50,7 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
if (!ldb) {
return NULL;
}
+ dsdb_make_schema_global(ldb);
return ldb;
}
diff --git a/source4/dsdb/schema/schema_init.c b/source4/dsdb/schema/schema_init.c
index b609478f94..c7a7b59754 100644
--- a/source4/dsdb/schema/schema_init.c
+++ b/source4/dsdb/schema/schema_init.c
@@ -323,6 +323,34 @@ WERROR dsdb_map_int2oid(const struct dsdb_schema *schema, uint32_t in, TALLOC_CT
talloc_steal(mem_ctx, (p)->elem); \
} while (0)
+#define GET_STRING_LIST_LDB(msg, attr, mem_ctx, p, elem, strict) do { \
+ int get_string_list_counter; \
+ struct ldb_message_element *get_string_list_el = ldb_msg_find_element(msg, attr); \
+ if (get_string_list_el == NULL) { \
+ if (strict) { \
+ d_printf("%s: %s == NULL\n", __location__, attr); \
+ return WERR_INVALID_PARAM; \
+ } else { \
+ (p)->elem = NULL; \
+ break; \
+ } \
+ } \
+ (p)->elem = talloc_array(mem_ctx, const char *, get_string_list_el->num_values + 1); \
+ for (get_string_list_counter=0; \
+ get_string_list_counter < get_string_list_el->num_values; \
+ get_string_list_counter++) { \
+ (p)->elem[get_string_list_counter] = talloc_strndup((p)->elem, \
+ (const char *)get_string_list_el->values[get_string_list_counter].data, \
+ get_string_list_el->values[get_string_list_counter].length); \
+ if (!(p)->elem[get_string_list_counter]) { \
+ d_printf("%s: talloc_strndup failed for %s\n", __location__, attr); \
+ return WERR_NOMEM; \
+ } \
+ (p)->elem[get_string_list_counter+1] = NULL; \
+ } \
+ talloc_steal(mem_ctx, (p)->elem); \
+} while (0)
+
#define GET_BOOL_LDB(msg, attr, p, elem, strict) do { \
const char *str; \
str = samdb_result_string(msg, attr, NULL);\
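Review bot: In GET_STRING_LIST_LDB the terminating NULL is only written inside the loop (`(p)->elem[get_string_list_counter+1] = NULL;`), so an element with zero values leaves `(p)->elem[0]` uninitialised, and consumers that walk the list until NULL (as kludge_acl.c does in this commit) would read past the array. The talloc_array() result is also indexed without a NULL check. Suggest adding `if ((p)->elem == NULL) { return WERR_NOMEM; }` and `(p)->elem[0] = NULL;` directly after the allocation. The hunk starts inside the previous macro and ends inside GET_BOOL_LDB.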
@@ -466,13 +494,14 @@ WERROR dsdb_class_from_ldb(const struct dsdb_schema *schema,
obj->systemAuxiliaryClass = NULL;
obj->systemPossSuperiors = NULL;
- obj->systemMustContain = NULL;
- obj->systemMayContain = NULL;
obj->auxiliaryClass = NULL;
obj->possSuperiors = NULL;
- obj->mustContain = NULL;
- obj->mayContain = NULL;
+
+ GET_STRING_LIST_LDB(msg, "systemMustContain", mem_ctx, obj, systemMustContain, False);
+ GET_STRING_LIST_LDB(msg, "systemMayContain", mem_ctx, obj, systemMayContain, False);
+ GET_STRING_LIST_LDB(msg, "mustContain", mem_ctx, obj, mustContain, False);
+ GET_STRING_LIST_LDB(msg, "mayContain", mem_ctx, obj, mayContain, False);
GET_STRING_LDB(msg, "defaultSecurityDescriptor", mem_ctx, obj, defaultSecurityDescriptor, False);
@@ -930,6 +959,23 @@ const struct dsdb_class *dsdb_class_by_lDAPDisplayName(const struct dsdb_schema
return NULL;
}
+const struct dsdb_class *dsdb_class_by_cn(const struct dsdb_schema *schema,
+ const char *cn)
+{
+ struct dsdb_class *cur;
+
+ if (!cn) return NULL;
+
+ /* TODO: add binary search */
+ for (cur = schema->classes; cur; cur = cur->next) {
+ if (strcasecmp(cur->cn, cn) != 0) continue;
+
+ return cur;
+ }
+
+ return NULL;
+}
+
const char *dsdb_lDAPDisplayName_by_id(const struct dsdb_schema *schema,
uint32_t id)
{
@@ -964,6 +1010,22 @@ int dsdb_set_schema(struct ldb_context *ldb, struct dsdb_schema *schema)
return LDB_SUCCESS;
}
+static struct dsdb_schema *global_schema;
+
+int dsdb_set_global_schema(struct ldb_context *ldb)
+{
+ int ret;
+ if (!global_schema) {
+ return LDB_SUCCESS;
+ }
+ ret = ldb_set_opaque(ldb, "dsdb_schema", global_schema);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
+ return LDB_SUCCESS;
+}
+
const struct dsdb_schema *dsdb_get_schema(struct ldb_context *ldb)
{
const void *p;
@@ -983,6 +1045,26 @@ const struct dsdb_schema *dsdb_get_schema(struct ldb_context *ldb)
return schema;
}
+void dsdb_make_schema_global(struct ldb_context *ldb)
+{
+ const void *p;
+ const struct dsdb_schema *schema;
+
+ /* see if we have a cached copy */
+ p = ldb_get_opaque(ldb, "dsdb_schema");
+ if (!p) {
+ return;
+ }
+
+ schema = talloc_get_type(p, struct dsdb_schema);
+ if (!schema) {
+ return;
+ }
+
+ talloc_steal(NULL, schema);
+ global_schema = schema;
+}
+
WERROR dsdb_attach_schema_from_ldif_file(struct ldb_context *ldb, const char *pf, const char *df)
{
struct ldb_ldif *ldif;
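Review bot: dsdb_make_schema_global() replaces `global_schema` on every call without checking whether one is already set, so a later ldb carrying a different schema object would orphan the previous one on the NULL talloc context while other contexts may still point at it. It also drops the `const` qualifier from `schema`, both in `talloc_steal(NULL, schema)` and in the assignment to `global_schema`. Suggest `if (global_schema == schema) return;` at the top and a comment on `global_schema` (declared in the previous hunk) stating that it is process-wide, never freed and not refreshed after schema changes, if that is the intent.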
diff --git a/source4/lib/db_wrap.c b/source4/lib/db_wrap.c
index f884140d1c..e7d3388f72 100644
--- a/source4/lib/db_wrap.c
+++ b/source4/lib/db_wrap.c
@@ -35,6 +35,7 @@
#include "lib/ldb/include/ldb_errors.h"
#include "lib/ldb/samba/ldif_handlers.h"
#include "db_wrap.h"
+#include "dsdb/samdb/samdb.h"
static struct tdb_wrap *tdb_list;
@@ -126,6 +127,10 @@ struct ldb_context *ldb_wrap_connect(TALLOC_CTX *mem_ctx,
talloc_free(ldb);
return NULL;
}
+
+ if (strcmp(lp_sam_url(), url) == 0) {
+ dsdb_set_global_schema(ldb);
+ }
ret = ldb_register_samba_handlers(ldb);
if (ret == -1) {
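Review bot: The return value of dsdb_set_global_schema() is ignored here, while the ldb_register_samba_handlers() call directly below is checked, so a failed ldb_set_opaque() leaves a sam ldb without a schema and no error. Suggest `if (dsdb_set_global_schema(ldb) != LDB_SUCCESS) { talloc_free(ldb); return NULL; }`. The `strcmp(lp_sam_url(), url)` test also assumes neither string is NULL and only matches an identical spelling of the URL; a comment noting that limitation would be enough if it is acceptable. ldb_wrap_connect continues outside the hunk.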
diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 1d02fb0f3e..d0dd252e47 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -666,7 +666,15 @@ const char **ldb_attr_list_copy_add(TALLOC_CTX *mem_ctx, const char * const *att
{
const char **ret;
int i;
- for (i=0;attrs[i];i++) /* noop */ ;
+ bool found = false;
+ for (i=0;attrs[i];i++) {
+ if (ldb_attr_cmp(attrs[i], new_attr) == 0) {
+ found = true;
+ }
+ }
+ if (found) {
+ return ldb_attr_list_copy(mem_ctx, attrs);
+ }
ret = talloc_array(mem_ctx, const char *, i+2);
if (ret == NULL) {
return NULL;
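Review bot: The rewritten scan in ldb_attr_list_copy_add still reads `attrs[i]` without checking `attrs`, whereas ldb_attr_in_list gets the `attrs && attrs[i]` guard in the next hunk of this same file. A caller passing a NULL list (the usual spelling of "no explicit attributes") would crash here; `for (i=0; attrs && attrs[i]; i++) {` makes the two helpers consistent. The copy loop that follows is outside the hunk and would need to tolerate the same case.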
@@ -686,7 +694,7 @@ const char **ldb_attr_list_copy_add(TALLOC_CTX *mem_ctx, const char * const *att
int ldb_attr_in_list(const char * const *attrs, const char *attr)
{
int i;
- for (i=0;attrs[i];i++) {
+ for (i=0;attrs && attrs[i];i++) {
if (ldb_attr_cmp(attrs[i], attr) == 0) {
return 1;
}
diff --git a/source4/lib/ldb/samba/ldif_handlers.c b/source4/lib/ldb/samba/ldif_handlers.c
index 44b956a8b6..e1691d0cb3 100644
--- a/source4/lib/ldb/samba/ldif_handlers.c
+++ b/source4/lib/ldb/samba/ldif_handlers.c
@@ -299,66 +299,53 @@ static int ldif_canonicalise_objectCategory(struct ldb_context *ldb, void *mem_c
const struct ldb_val *in, struct ldb_val *out)
{
struct ldb_dn *dn1 = NULL;
- char *oc1, *oc2;
+ const struct dsdb_schema *schema = dsdb_get_schema(ldb);
+ const struct dsdb_class *class;
+ if (!schema) {
+ *out = data_blob_talloc(mem_ctx, in->data, in->length);
+ return LDB_SUCCESS;
+ }
dn1 = ldb_dn_new(mem_ctx, ldb, (char *)in->data);
if ( ! ldb_dn_validate(dn1)) {
- oc1 = talloc_strndup(mem_ctx, (char *)in->data, in->length);
- } else if (ldb_dn_get_comp_num(dn1) >= 1 && strcasecmp(ldb_dn_get_rdn_name(dn1), "cn") == 0) {
+ const char *lDAPDisplayName = talloc_strndup(mem_ctx, (char *)in->data, in->length);
+ class = dsdb_class_by_lDAPDisplayName(schema, lDAPDisplayName);
+ talloc_free(lDAPDisplayName);
+ } else if (ldb_dn_get_comp_num(dn1) >= 1 && ldb_attr_cmp(ldb_dn_get_rdn_name(dn1), "cn") == 0) {
const struct ldb_val *val = ldb_dn_get_rdn_val(dn1);
- oc1 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+ const char *cn = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+ class = dsdb_class_by_cn(schema, cn);
+ talloc_free(cn);
} else {
+ talloc_free(dn1);
return -1;
}
-
- oc2 = ldb_casefold(ldb, mem_ctx, oc1);
- out->data = (void *)oc2;
- out->length = strlen(oc2);
- talloc_free(oc1);
talloc_free(dn1);
- return 0;
+
+ if (!class) {
+ return -1;
+ }
+
+ *out = data_blob_string_const(talloc_strdup(mem_ctx, class->lDAPDisplayName));
+
+ return LDB_SUCCESS;
}
static int ldif_comparison_objectCategory(struct ldb_context *ldb, void *mem_ctx,
const struct ldb_val *v1,
const struct ldb_val *v2)
{
- struct ldb_dn *dn1 = NULL, *dn2 = NULL;
- const char *oc1, *oc2;
- dn1 = ldb_dn_new(mem_ctx, ldb, (char *)v1->data);
- if ( ! ldb_dn_validate(dn1)) {
- oc1 = talloc_strndup(mem_ctx, (char *)v1->data, v1->length);
- } else if (ldb_dn_get_comp_num(dn1) >= 1 && strcasecmp(ldb_dn_get_rdn_name(dn1), "cn") == 0) {
- const struct ldb_val *val = ldb_dn_get_rdn_val(dn1);
- oc1 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
- } else {
- oc1 = NULL;
- }
+ int ret1, ret2;
+ struct ldb_val v1_canon, v2_canon;
+ ret1 = ldif_canonicalise_objectCategory(ldb, mem_ctx, v1, &v1_canon);
+ ret2 = ldif_canonicalise_objectCategory(ldb, mem_ctx, v2, &v2_canon);
- dn2 = ldb_dn_new(mem_ctx, ldb, (char *)v2->data);
- if ( ! ldb_dn_validate(dn2)) {
- oc2 = talloc_strndup(mem_ctx, (char *)v2->data, v2->length);
- } else if (ldb_dn_get_comp_num(dn2) >= 2 && strcasecmp(ldb_dn_get_rdn_name(dn2), "cn") == 0) {
- const struct ldb_val *val = ldb_dn_get_rdn_val(dn2);
- oc2 = talloc_strndup(mem_ctx, (char *)val->data, val->length);
+ if (ret1 == LDB_SUCCESS && ret2 == LDB_SUCCESS) {
+ return ldb_attr_cmp(v1_canon.data, v2_canon.data);
} else {
- oc2 = NULL;
+ return strcasecmp(v1->data, v2->data);
}
-
- oc1 = ldb_casefold(ldb, mem_ctx, oc1);
- oc2 = ldb_casefold(ldb, mem_ctx, oc2);
- if (!oc1 && oc2) {
- return -1;
- }
- if (oc1 && !oc2) {
- return 1;
- }
- if (!oc1 && !oc2) {
- return -1;
- }
-
- return strcmp(oc1, oc2);
}
#define LDB_SYNTAX_SAMBA_SID "LDB_SYNTAX_SAMBA_SID"
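Review bot: With no schema loaded, ldif_canonicalise_objectCategory returns `data_blob_talloc(mem_ctx, in->data, in->length)`, and ldif_comparison_objectCategory then hands `v1_canon.data` and `v2_canon.data` to ldb_attr_cmp() as C strings; if data_blob_talloc copies exactly `in->length` bytes (as I believe it does), those buffers carry no terminator and the comparison can read past them. Building the copy with talloc_strndup, as below, keeps it terminated. The `talloc_strdup(mem_ctx, class->lDAPDisplayName)` result at the end is also passed to data_blob_string_const() unchecked, and the canonical copies made in the comparison handler are never freed. The fallback `strcasecmp(v1->data, v2->data)` relies on the raw values being NUL-terminated as well.
```c
	if (!schema) {
		/* keep the copy NUL-terminated: the comparison handler reads it as a C string */
		char *copy = talloc_strndup(mem_ctx, (const char *)in->data, in->length);
		if (copy == NULL) {
			return -1;
		}
		*out = data_blob_string_const(copy);
		return LDB_SUCCESS;
	}
	/* … unchanged: DN parsing and class lookup … */
```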
diff --git a/source4/scripting/libjs/provision.js b/source4/scripting/libjs/provision.js
index 9adcab2679..f94c34e932 100644
--- a/source4/scripting/libjs/provision.js
+++ b/source4/scripting/libjs/provision.js
@@ -611,7 +611,7 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
var modify_ok = setup_ldb_modify("provision_schema_basedn_modify.ldif", info, samdb);
if (!modify_ok) {
if (!add_ok) {
- message("Failed to both add and modify schema dn: + samdb.errstring() + "\n");
+ message("Failed to both add and modify schema dn:" + samdb.errstring() + "\n");
message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n");
assert(modify_ok);
}
@@ -744,7 +744,7 @@ function provision_schema(subobj, message, tmp_schema_path, paths)
var modify_ok = setup_ldb_modify("provision_schema_basedn_modify.ldif", info, samdb);
if (!modify_ok) {
if (!add_ok) {
- message("Failed to both add and modify schema dn: + samdb.errstring() + "\n");
+ message("Failed to both add and modify schema dn: " + samdb.errstring() + "\n");
message("Perhaps you need to run the provision script with the --ldap-base-dn option, and add this record to the backend manually\n");
assert(modify_ok);
}
@@ -882,16 +882,18 @@ function provision_guess()
"extended_dn",
"asq",
"samldb",
- "password_hash",
"operational",
"objectclass",
"rdn_name",
"show_deleted",
"partition");
subobj.MODULES_LIST = join(",", modules_list);
- subobj.DOMAINDN_MOD = "objectguid";
- subobj.CONFIGDN_MOD = "objectguid";
- subobj.SCHEMADN_MOD = "objectguid";
+ subobj.DOMAINDN_MOD = "pdc_fsmo,password_hash";
+ subobj.CONFIGDN_MOD = "naming_fsmo";
+ subobj.SCHEMADN_MOD = "schema_fsmo";
+ subobj.DOMAINDN_MOD2 = ",objectguid";
+ subobj.CONFIGDN_MOD2 = ",objectguid";
+ subobj.SCHEMADN_MOD2 = ",objectguid";
subobj.EXTENSIBLEOBJECT = "# no objectClass: extensibleObject for local ldb";
subobj.ACI = "# no aci for local ldb";
diff --git a/source4/setup/provision b/source4/setup/provision
index 3c5d31dc0f..9a67d06963 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -132,11 +132,11 @@ if (ldapbackend) {
subobj["LDAPMODULE"] = "entryUUID";
}
subobj["DOMAINDN_LDB"] = subobj["LDAPBACKEND"];
- subobj["DOMAINDN_MOD"] = subobj["LDAPMODULE"] + ",paged_searches";
+ subobj["DOMAINDN_MOD2"] = subobj["LDAPMODULE"] + ",paged_searches";
subobj["CONFIGDN_LDB"] = subobj["LDAPBACKEND"];
- subobj["CONFIGDN_MOD"] = subobj["LDAPMODULE"] + ",paged_searches";
+ subobj["CONFIGDN_MOD2"] = subobj["LDAPMODULE"] + ",paged_searches";
subobj["SCHEMADN_LDB"] = subobj["LDAPBACKEND"];
- subobj["SCHEMADN_MOD"] = subobj["LDAPMODULE"] + ",paged_searches";
+ subobj["SCHEMADN_MOD2"] = subobj["LDAPMODULE"] + ",paged_searches";
}
if (!provision_validate(subobj, message)) {
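Review bot: The three `*_MOD2` values set in the LDAP-backend branch have no leading comma, but provision_partitions.ldif now concatenates them directly (`${DOMAINDN_MOD}${DOMAINDN_MOD2}`) and provision_guess() defines the local defaults as `",objectguid"`. With `LDAPMODULE` set to "entryUUID" the domain line would expand to `pdc_fsmo,password_hashentryUUID,paged_searches`, so neither password_hash nor the backend module name survives intact. Suggest `subobj["DOMAINDN_MOD2"] = "," + subobj["LDAPMODULE"] + ",paged_searches";` and the same for CONFIGDN_MOD2 and SCHEMADN_MOD2. The enclosing `if (ldapbackend)` block starts outside the hunk.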
diff --git a/source4/setup/provision_partitions.ldif b/source4/setup/provision_partitions.ldif
index 3800918bc1..c6107c6502 100644
--- a/source4/setup/provision_partitions.ldif
+++ b/source4/setup/provision_partitions.ldif
@@ -5,9 +5,9 @@ partition: ${DOMAINDN}:${DOMAINDN_LDB}
replicateEntries: @SUBCLASSES
replicateEntries: @ATTRIBUTES
replicateEntries: @INDEXLIST
-modules:${SCHEMADN}:${SCHEMADN_MOD}
-modules:${CONFIGDN}:${CONFIGDN_MOD}
-modules:${DOMAINDN}:${DOMAINDN_MOD}
+modules:${SCHEMADN}:${SCHEMADN_MOD}${SCHEMADN_MOD2}
+modules:${CONFIGDN}:${CONFIGDN_MOD}${CONFIGDN_MOD2}
+modules:${DOMAINDN}:${DOMAINDN_MOD}${DOMAINDN_MOD2}
dn: @MODULES
@LIST: ${MODULES_LIST}
diff --git a/source4/setup/provision_schema_basedn_modify.ldif b/source4/setup/provision_schema_basedn_modify.ldif
index 1f188d0679..a222a654f7 100644
--- a/source4/setup/provision_schema_basedn_modify.ldif
+++ b/source4/setup/provision_schema_basedn_modify.ldif
@@ -23,3 +23,21 @@ fSMORoleOwner: CN=NTDS Settings,CN=${NETBIOSNAME},CN=Servers,CN=${DEFAULTSITE},C
-
replace: objectVersion
objectVersion: 30
+-
+replace: prefixMap
+prefixMap:: QkRTRAAAAAAiAAAAAAACACIAAAAAAAAAAgAAAAQAAgABAAAAAgAAAAgAAgACAAAACA
+ AAAAwAAgADAAAACAAAABAAAgAEAAAACAAAABQAAgAFAAAACAAAABgAAgAGAAAACAAAABwAAgAHAAA
+ ACAAAACAAAgAIAAAAAgAAACQAAgAJAAAACAAAACgAAgAKAAAACAAAACwAAgATAAAACAAAADAAAgAU
+ AAAACAAAADQAAgAVAAAACQAAADgAAgAWAAAACQAAADwAAgAXAAAACgAAAEAAAgAYAAAAAgAAAEQAA
+ gAZAAAAAgAAAEgAAgAaAAAAAgAAAEwAAgALAAAACgAAAFAAAgAMAAAACQAAAFQAAgANAAAACgAAAF
+ gAAgAOAAAACQAAAFwAAgAPAAAACgAAAGAAAgAQAAAACQAAAGQAAgARAAAACQAAAGgAAgASAAAACgA
+ AAGwAAgAbAAAACQAAAHAAAgAcAAAACQAAAHQAAgAdAAAACAAAAHgAAgAeAAAACAAAAHwAAgAfAAAA
+ CQAAAIAAAgAgAAAACQAAAIQAAgAhAAAACQAAAIgAAgACAAAAVQQAAAIAAABVBgAACAAAACqGSIb3F
+ AECCAAAACqGSIb3FAEDCAAAAGCGSAFlAgIBCAAAAGCGSAFlAgIDCAAAAGCGSAFlAgEFCAAAAGCGSA
+ FlAgEEAgAAAFUFAAAIAAAAKoZIhvcUAQQIAAAAKoZIhvcUAQUIAAAACZImiZPyLGQIAAAAYIZIAYb
+ 4QgMJAAAACZImiZPyLGQBAAAACQAAAGCGSAGG+EIDAQAAAAoAAAAqhkiG9xQBBbZYAAACAAAAVRUA
+ AAIAAABVEgAAAgAAAFUUAAAKAAAAKoZIhvcUAQSCBAAACQAAACqGSIb3FAEFOAAAAAoAAAAqhkiG9
+ xQBBIIGAAAJAAAAKoZIhvcUAQU5AAAACgAAACqGSIb3FAEEggcAAAkAAAAqhkiG9xQBBToAAAAJAA
+ AAKoZIhvcUAQVJAAAACgAAACqGSIb3FAEEgjEAAAkAAAArBgEEAYs6ZXcAAAAJAAAAYIZIAYb4QgM
+ CAAAACAAAACsGAQQBgXoBCAAAACqGSIb3DQEJCQAAAAmSJomT8ixkBAAAAAkAAAArBgEEAbd9BAEA
+ AAAJAAAAKwYBBAG3fQQC