summaryrefslogtreecommitdiff
path: root/source3/lib/smbldap.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner1-1/+87
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4840: * Add more generic root-dse inspection function to check for givenGünther Deschner1-0/+101
controls or extensions. * Check and remember if ldapsam's LDAP Server support paged results (in preparation of adding async paged-results to set|get|end-sampwent in ldapsam). Guenther (This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4289: Close LDAP-Connection before retrying to open a new connection in theGünther Deschner1-0/+1
retry-loop. This fixes a deadlock-situation when ldapsam is used with the ldapi interface: getpeername won't fail while trying to detect dead connections on unix domain sockets. When the ldapi-connection was closed server-side (due to OpenLDAP's idletimeout) we *never* got a new LDAP connection. Guenther (This used to be commit ac8032bacff10451fa03f155d43f0d20389512fa)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-13/+12
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3563: During a typical logon a modern workstation makes a lot of anonymous ↵Volker Lendecke1-0/+4
session setups on its way to open a pipe. This gets rid of many round-trips to the LDAP server during logon by setting up the server_info_guest once and not asking the LDAP server and nss every time. Make sure that the ldap connection is reopened in the child. (I did not look at the sql backends.) Volker (This used to be commit 3298f6105e6a88c9390cac02245c8f2eee1e5046)
2007-10-10r2729: Fix ldapsam_compat homeDrive. Thanks to jason@env.leeds.ac.ukVolker Lendecke1-1/+1
Volker (This used to be commit ef057e9534cc3713d3bcd7427cf34c74f7e3ea13)
2007-10-10r2444: Based on jmcd's patch, implement special lists for the ldap user ↵Volker Lendecke1-0/+48
attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2007-10-10r2258: Attempt to fix Bug 1715. Not sure if all of ldapsam_compat works now, ↵Volker Lendecke1-0/+7
but this definitely fixes two segfaults. Volker (This used to be commit 270740189995c56c4d0341aeded364efffec86f2)
2007-10-10r1810: Patch from Richard Renard <rrenard@idealx.com> to storeJeremy Allison1-0/+1
logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2007-10-10r1588: This is one of the more pathetic patches I ever checked in. Many hours ofVolker Lendecke1-95/+72
coding have passed, but I could not find a way to get the OpenLDAP libraries to reliably time out on any of the queries we make, *and* get correct error returns. No, async calls and ldap_result does NOT work, or I was simply too stupid to correctly interpret the OpenLDAP manpage and source. We can not allow to hang indefinitely in an ldap query, especially not for winbindd. "ldap timeout" now specifies the overall timeout for the complete operation, that's why I increased that to 15 seconds. Volker (This used to be commit 269f0750872e5f8757e0a9667e007a0410319fcd)
2007-10-10r1392: Added password history code to tdbsam backend. Not yet tested (ie. mayJeremy Allison1-1/+1
core dump) but compiles and links correctly. I will run the full set of tests on the ldap sam and the tdb sam for password history tomorrow. Jeremy. (This used to be commit ac846420d0ef2c60d2dc71319b24401c73699249)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison1-13/+11
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r1325: Always use GetTimeOfDay() (wrapper). Ensure ldap replicationJeremy Allison1-12/+11
sleep time is not more than 5 seconds. Should fix issue reported by Chris Garrigues <cwg@deepeddy.com>. Jeremy. (This used to be commit fbc06831d3a7e8645409158ee1ae1f9f192913a7)
2007-10-10r1317: Patch from Joe Meadows "Joe Meadows" <jameadows@webopolis.com> toJeremy Allison1-1/+1
add a timeout to the ldap open calls. New parameter, ldap timeout added. Jeremy. (This used to be commit e5b3094c4cc75eb07f667dd1aeb73921ed7366ac)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-0/+2
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10r53: Remove modifyTimestamp from list of our attributes. We just check it forJim McDonough1-1/+0
cache entry time comparisons in password lockout. Fixes problems where pdb_ldap tries to delete the operational attribute modifyTimestamp when deleting a user account. (This used to be commit 5ebcb9081e435d54c39d4d3a1ef1d7b651ccb53f)
2004-03-18Password lockout for LDAP backend. Caches autolock flag, bad count, andJim McDonough1-0/+2
bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-11Restore the contract on all convert_stringXX() interfaces. Add a ↵Jeremy Allison1-1/+1
"allow_bad_conv" boolean parameter that allows broken iconv conversions to work. Gets rid of the nasty errno checks in mangle_hash2 and check_path_syntax and allows correct return code checking. Jeremy. (This used to be commit 7b96765c23637613f079d37566d95d5edd511f05)
2004-03-11Get MungedDial actually working with full TS strings in it for pdb_ldap.Jim McDonough1-4/+13
I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)
2004-03-07Fix typo.Tim Potter1-1/+1
(This used to be commit e6e8b59f53d5ac618dcec13a46c356f0abe5950a)
2004-02-23Janitor for tpot...bugzilla #1098, msleep already exists on aixJim McDonough1-2/+2
(This used to be commit 4319df7fdc2d878c509381923cc1db4d731620ba)
2004-02-23Add bad password count/time attributesJim McDonough1-0/+2
(This used to be commit 003318939f7e476f5f2a5f345e8a81a228fc89a7)
2004-02-08Another static function.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 128c328ddbc9f2283badde95ce743e696f94f6a4)
2004-01-25Fix removal of attributes in LDAP - we would not actually remove the oldAndrew Bartlett1-16/+16
value in the previous code. Andrew Bartlett (This used to be commit c97d3eb1622ee25c24b0cd81b65ec7d4b854e604)
2004-01-06isolate ldap debug messages to the common smbldap_XXX() functionsGerald Carter1-4/+9
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
2003-12-31auth/auth_util.c:Andrew Bartlett1-1/+1
- Fill in the 'backup' idea of a domain, if the DC didn't supply one. This doesn't seem to occour in reality, hence why we missed the typo. lib/charcnv.c: lib/smbldap.c: libads/ldap.c: libsmb/libsmbclient.c: printing/nt_printing.c: - all the callers to pull_utf8_allocate() pass a char ** as the first parammeter, so don't make them all cast it to a void ** nsswitch/winbind_util.c: - Allow for a more 'correct' view of when usernames should be qualified in winbindd. If we are a PDC, or have 'winbind trusted domains only', then for the authentication returns stip the domain portion. - Fix valgrind warning about use of free()ed name when looking up our local domain. lp_workgroup() is maniplated inside a procedure that uses it's former value. Instead, use the fact that our local domain is always the first in the list. Andrew Bartlett (This used to be commit 494781f628683d6e68e8ba21ae54f738727e8c21)
2003-12-26Based on patch by Petri Asikainen <paca@sci.fi> fix bug #387 and #330.Andrew Bartlett1-14/+15
This patch will change order how attributes are modified from: add, delete to: delete, add This is needed to update single valued attributes in Novell NDS and should not harm anyone else. (This used to be commit fabf80169079483a1378aa0177d8d8335bd98bb3)
2003-12-25ldap rebind sleep -> ldap replication sleepAndrew Bartlett1-1/+1
While writing documentation for metze's patch, it became clear that this is a better name. Andrew Bartlett (This used to be commit 6f828ff3d3622c56ee732b976e7ab90b7897a8d3)
2003-12-25This is metze's LDAP rebind sleep patch:Volker Lendecke1-0/+28
When smb.conf tells us to write to a read-only LDAP replica and we are redirected by the LDAP server, the replication might take some seconds, especially over slow links. This patch delays the next read after a rebind for 'ldap rebind sleep' milliseconds. Metze, thanks for your patience. Volker (This used to be commit 63ffa770b67d700f138d19b4982da152f57674fc)
2003-12-25Fix our parsing of the LDAP url. We get around it as all decent systems seemVolker Lendecke1-1/+1
to have ldap_initialize. Thanks to abartlet for the fix (and the bug in the first place ;-)) Volker (This used to be commit 17473a65eb119ca2240b40a8c029d9a499cde177)
2003-12-04support munged dial for ldapsam; patch from Aurélien Degrémont; bug 800Gerald Carter1-0/+1
(This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-10-29Fixes to check for wraps which could cause coredumps.Jeremy Allison1-0/+1
Jeremy. (This used to be commit ad06edd1bb58cc5e2c38a364b1af96a933b770af)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-2/+2
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-09-15This ldap_value_free() looks like it was part of Jeremy's recent rampageTim Potter1-2/+0
so I'm putting it back in. (This used to be commit ec49fc8ab73b26f86da155475df90843650f0e63)
2003-09-15I think this is a bugfix that somehow was dropped from the 3.0 tree.Tim Potter1-0/+2
(This used to be commit 299eb0abd36072af51cbcb761fa9fb6a77584585)
2003-09-10Still on my mb rampage. Ensure smbldap_make_mod() correctly detects oldJeremy Allison1-15/+13
values. Jeremy. (This used to be commit 41e4479aa9f186d68300086984d6f4c8f9fd2a27)
2003-09-10Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not convertingJeremy Allison1-0/+20
to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-08-132 fixesGerald Carter1-0/+27
* bug #280 (my fault) - initialize sambaNextUserRid and sambaNextGroupRid * Unix users shared vis LDAP or NIS between a samba domain member of a Samba domain are not seen as domain users on the member servers. not as local users. (This used to be commit a030fa373aefde8628def54ca8152f237a0467dc)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-2/+2
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-17Disconnect an idle LDAP connection after 150 seconds.Volker Lendecke1-1/+43
Not strictly a bugfix, but it should considerably reduce the load we put on LDAP servers given that at least nss_ldap on Linux keeps a connection open. And it should also stress our reconnect-code a bit more ;-) Thanks to metze for this! Volker (This used to be commit e68d8eabeb9c64dc45d057619f9b3dd0cd507444)
2003-07-15Fix memleakVolker Lendecke1-1/+3
(This used to be commit 6770d69942a8841fb25448a8a238af7987ec860c)
2003-07-11moving more code around.Gerald Carter1-0/+148
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-07and so it begins....Gerald Carter1-1/+1
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-0/+4
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-1/+37
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-4/+729
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-1/+2
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter1-6/+93
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-05working draft of the idmap_ldap code.Gerald Carter1-0/+259
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)