summaryrefslogtreecommitdiff
path: root/source3/libads/ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2003-01-02BIG patch...Andrew Bartlett1-2/+2
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-30Catching up with old patches. Add define for VERITAS quota support.Jeremy Allison1-0/+2
Check return in ldap. Jeremy. (This used to be commit e789edbb287319f52f49f2999917a610565144d9)
2002-12-20Forward port the change to talloc_init() to make all talloc contextsJeremy Allison1-7/+7
named. Ensure we can query them. Jeremy. (This used to be commit 842e08e52a665ae678eea239759bb2de1a0d7b33)
2002-12-13More printer publishing code.Jim McDonough1-0/+26
- Add published attribute to info2, needed for win clients to work properly - Return proper info on getprinter 7 This means you can now look at the sharing tab of a printer and get correct info about whether it is published or not, and change it. (This used to be commit adda04379ee46f105436262663652f3f576fa3cf)
2002-11-23[merge from APP_HEAD]Gerald Carter1-1/+2
90% fix for CR 1076. The password server parameter will no take things like password server = DC1 * which means to contact DC1 first and the go to auto lookup if it fails. jerry (This used to be commit c31a17889e3e4daf7c1e807038efc2c0fba78be3)
2002-11-15Include the hostname we are trying to match with $@, to allow easier debugging.Andrew Bartlett1-1/+1
(This used to be commit f5d8afc626b8f7792aa7dd7fa7082f55725b539c)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-18/+20
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-06Merge of get_dc_list() api change. This was slightly more intrusiveTim Potter1-12/+7
than the version in APPLIANCE so watch out for boogs. (This used to be commit 1e054e3db654801fbb5580211529cdfdea9ed686)
2002-10-18Format objectGUIDs on ads dumps.Jim McDonough1-1/+18
(This used to be commit 7eaf7e7115c75e682b1b9368c6f28c60429885e5)
2002-10-04only set UF_USE_DES_KEY_ONLY if we are using krb5 libraries that can'tAndrew Tridgell1-3/+7
do type 23 (This used to be commit c0612272e8eea3d741854c0b4834bc687d787218)
2002-10-03.NET likes both forms of servicePrincipalName in the machine accountAndrew Tridgell1-1/+8
record (This used to be commit 8ff6d40d7fe4dc11e9ba194a55995c0926202df9)
2002-09-28Try to compile as much as possible with only ldap, but not kerberos.Andrew Bartlett1-32/+1
(This used to be commit 9615ab10c006d8027f6a8b7dd3770eb77304dbdc)
2002-09-28Add the beginings of sam_ads to the tree.Andrew Bartlett1-2/+41
This module, primarilly the work of "Stefan (metze) Metzmacher" <metze@metzemix.de>, uses the Active Directory schema to store the user/group/other information. I've been testing it against a real AD server, and it is intended to work with OpenLDAP as well. I've moved a few functions around in our other libads code, which has made it easier to tap into that existing code. Also, I've made some changes to the SAM interface, I hope there are not too many objections... To ensure we don't get silly bugs in the skel module, it is now in the default compile. This way you should not forget to update it :-) Andrew Bartlett (This used to be commit 24fb0cde2f0b657df1c99474cd694438c94a566e)
2002-09-27Move a number of ADS related functions out into utility libs, so that thingsAndrew Bartlett1-25/+74
like metze's sam_ads can also use them. Also add error checking etc to a few more functions. Andrew Bartlett (This used to be commit c864edf4fbf8a6c37888a14b861d7c12cf503d4f)
2002-09-27Some small cleanups to the libads code (mainly error checking), and give aAndrew Bartlett1-5/+22
sane prototype for the push_utf8_allocate code. Andrew Bartlett (This used to be commit ce00a3238ed8a82639c4d0ee3e960f7000b1a7b0)
2002-09-25Another patch from metze, towards his work on sam_ads.Andrew Bartlett1-1/+1
See mx-ldap.sf.net for his current progress. (This used to be commit 9c62d1312fdf0aa7b1978e8bbb56fc076ba7e9d0)
2002-09-17Add clock skew handling to our kerberos code. This allows us to cope withAndrew Tridgell1-12/+54
the DC being out of sync with the local machine. (This used to be commit 0d28d769472ea3b98ae4c8757093dfd4499f6dd1)
2002-09-06Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de>Andrew Bartlett1-0/+2
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better general infrustructure for his sam_ads work. I've also added some extra failure mode DEBUG()s to parts of the code. NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without the final set of brakets, the test is essentially inverted - causing some intersting 'error = success' messages... Andrew Bartlett (This used to be commit 5b9a7ab901bc311f3ad08462a8a68d133c34a8b4)
2002-09-06Add some DEBUG()s to some libads failure modes.Andrew Bartlett1-1/+5
(This used to be commit ad3c8da13b9d510f78fd56364cd0987de88a9b9f)
2002-08-30convert the LDAP/SASL code to use GSS-SPNEGO if possibleAndrew Tridgell1-6/+1
we now do this: - look for suported SASL mechanisms on the LDAP server - choose GSS-SPNEGO if possible - within GSS-SPNEGO choose KRB5 if we can do a kinit - otherwise use NTLMSSP This change also means that we no longer rely on having a gssapi library to do ADS. todo: - add TLS/SSL support over LDAP - change to using LDAP/SSL for password change in ADS (This used to be commit b04e91f660d3b26d23044075d4a7e707eb41462d)
2002-08-20fix irix compile errors - cannot initialize array in declaration statementHerb Lewis1-2/+9
with non-const values - strsep not defined (This used to be commit a5c59b2cd10016ecbd931531602ad1cb3660bbf9)
2002-08-06when using netbios lookup methods make sure we try any BDCs even ifAndrew Tridgell1-9/+21
we get a response from WINS for a PDC, if the PDC isn't responding. (This used to be commit 57916316ffc70b0b6659f3ad9d14aad41fad4c71)
2002-08-06fixed a memory corruption bug in ads_try_dns()Andrew Tridgell1-3/+3
(This used to be commit 2ee0abb50f25e5a4529d8c9409c979a7a00e5984)
2002-08-05This fixes a number of ADS problems, particularly with netbioslessAndrew Tridgell1-57/+298
setups. - split up the ads structure into logical pieces. This makes it much easier to keep things like the authentication realm and the server realm separate (they can be different). - allow ads callers to specify that no sasl bind should be performed (used by "net ads info" for example) - fix an error with handing ADS_ERROR_SYSTEM() when errno is 0 - completely rewrote the code for finding the LDAP server. Now try DNS methods first, and try all DNS servers returned from the SRV DNS query, sorted by closeness to our interfaces (using the same sort code as we use in replies from WINS servers). This allows us to cope with ADS DCs that are down, and ensures we don't pick one that is on the other side of the country unless absolutely necessary. - recognise dnsRecords as binary when displaying them - cope with the realm not being configured in smb.conf (work it out from the LDAP server) - look at the trustDirection when looking up trusted domains and don't include trusts that trust our domains but we don't trust theirs. - use LDAP to query the alternate (netbios) name for a realm, and make sure that both and long and short forms of the name are accepted by winbindd. Use the short form by default for listing users/groups. - rescan the list of trusted domains every 5 minutes in case new trust relationships are added while winbindd is running - include transient trust relationships (ie. C trusts B, B trusts A, so C trusts A) in winbindd. - don't do a gratuituous node status lookup when finding an ADS DC (we don't need it and it could fail) - remove unused sid_to_distinguished_name function - make sure we find the allternate name of our primary domain when operating with a netbiosless ADS DC (using LDAP to do the lookup) - fixed the rpc trusted domain enumeration to support up to approx 2000 trusted domains (the old limit was 3) - use the IP for the remote_machine (%m) macro when the client doesn't supply us with a name via a netbios session request (eg. port 445) - if the client uses SPNEGO then use the machine name from the SPNEGO auth packet for remote_machine (%m) macro - add new 'net ads workgroup' command to find the netbios workgroup name for a realm (This used to be commit e358d7b24c86a46d8c361b9e32a25d4f71a6dc00)
2002-08-04Now that I got the function arguments sane, remove the silly (void **) castsAndrew Bartlett1-9/+9
from some of the callers. Andrew Bartlett (This used to be commit eb3354aa6c7293df9a728565a6774049b2e6d57f)
2002-07-20More fixes towards warnings on the IRIX compilerAndrew Bartlett1-2/+2
(and yes, some of these are real bugs) In particular, the samr code was doing an &foo of various types, to a function that assumed uint32. If time_t isn't 32 bits long, that broke. They are assignment compatible however, so use that and an intermediate variable. Andrew Bartlett (This used to be commit 30d0998c8c1a1d4de38ef0fbc83c2b763e05a3e6)
2002-07-12fix setting machine passwords in the case where a user account of theAndrew Tridgell1-1/+5
same name as the machine name exists. (we ended up setting the users password, not the machines password!) (This used to be commit fe1e6233c6f0a5654bcc3ab34f65bb570efc69b1)
2002-07-11this implements a completely new strategy for fetching groupAndrew Tridgell1-0/+35
membership from an ADS server. We now use a 'member' query on the group and do a separate call to convert the resulting distinguished name to a name, rid etc. This is *much* faster for very large numbers of groups (on a quantum test system with 10000 groups it drops the time from an hour to about 35 seconds). strangely enough, this actually *increases* the amount of ldap traffic, its just that the MS LDAP server answers these queries much faster. (This used to be commit 5538048e4f6dd224b2990f3c6a3e99fd07065f77)
2002-07-11this fixes the ads dump codeAndrew Tridgell1-3/+3
a char** isn't quite the same thing as a struct berval** :) (This used to be commit a92834ea9460bc49be99d6d5b0d41a817e6f0824)
2002-07-09make sure we disable referrals in all ldap searches - they are badlyAndrew Tridgell1-0/+3
broken (This used to be commit 022073d140bae960613127a6d9422e443a8098c6)
2002-07-01ads_mod_ber should be static, not publicAndrew Tridgell1-2/+2
this fixes the huge number of struct berval warnings on non-ads compiles (This used to be commit e7f588d8156856109623b5f5a3841c5d096b1185)
2002-06-28Const cleanup...should only be 2 warnings left from calling lib/util_str.cJim McDonough1-117/+158
str_list_copy(). Perhaps its proto should be fixed. (This used to be commit b81bc2b34b620c24a148435d9913bd1a1528c983)
2002-06-26Reduce compiler warnings.Jim McDonough1-28/+36
(This used to be commit b361089360068b91e9f4d221abdc3c8351596a7f)
2002-06-24Support utf8 on the wire for ads ldap. DN's are converted, as well as strings,Jim McDonough1-288/+244
though it is up to the calling function to decide whether values are strings or not. Attributes are not converted at this point, though support for it would be simple. I have tested it with users and groups using non-ascii chars, and if the check for alphanumeric user/domain names is removed form sesssetup.c, even a user with accented chars can connect, or even login (via winbind). I have also simplified the interfaces to ads_mod_*, though we will probably want to expand this by a few functions in the near future. We just had too many ways to do the same thing... (This used to be commit f924cb53580bc081ff34e45abba57629018c68d6)
2002-05-17This is meant to be accessed via the helper fn, not directly.Andrew Bartlett1-1/+1
(This used to be commit b84882a628b3f2f0890322f25694c1932aa3e5ec)
2002-04-19fixed trust relationships in ADS winbindd after breaking them with my BDC ↵Andrew Tridgell1-2/+6
changes ... (This used to be commit 8096032663690eafb6bb8b4f405d6231389d4f80)
2002-04-18fixed the fallback to a BDC for ADS connectionsAndrew Tridgell1-0/+24
(This used to be commit 3e58a1ee83ea0b4347ce24e566445cc6cb67bb3a)
2002-04-10A few more updates:Jim McDonough1-132/+348
- Add doxygen comments - remove server sort control (ms implementation was not reliable) - rename ads_do_search_all2() to ads_do_search_all_fn() (This used to be commit 7aa5fa617221019de0f4565d07842df72673e154)
2002-04-05Several updates to get server side sorting going:Jim McDonough1-26/+78
- Added sort control to ads_do_paged_search. It allows a char * to be passed as the sort key. If NULL, no sort is done. - fixed a bug in the processing of controls (loop wasn't incremented properly) - Added ads_do_search_all2, which funs a function that is passed in against each entry. No ldapmessage structures are returned. Allows results to be processed as the come in on each page. I'd like ads_do_search_all2 to replace ads_do_search_all, but there's some work to be done in winbindd_ads.c first. Also, perhaps now we can do async ldap searches? Allow us to process a page while the server retrieves the next one? (This used to be commit 95bec4c8bae0e29f816ec0751bf66404e1f2098e)
2002-04-04Try harder next time to not duplicate function...take ads_err2string backJim McDonough1-15/+0
out since it's already in ads_errstr() in ads_status.c (This used to be commit 0475126ffb69f0485fd31511cb13d98df74a8d5b)
2002-04-04Add ads_err2string() function for generating error strings from an ADS_STATUS.Jim McDonough1-0/+15
I've got the cases besides gssapi...anyone know how to get those? (This used to be commit c937e1352207ad90e8257ad6c9f8b7c9cf92030d)
2002-03-29Added ads_process_results(), which takes a function that is called for eachJim McDonough1-20/+73
entry returned from a search, and applies it to the results. Re-structured ads_dump to use this, plus changed the ber_free in ads_dump from (b,1) to (b,0), in accordance with openldap manpages. Also allows proper free of result using ldap_msgfree afterwards, so you can do something with the results after an ads_dump. (This used to be commit f01f02fc569b4f5101a37d3b493f2fe2d2b2677a)
2002-03-27Whoops, left the paged control not critical in the paged search...kind ofJim McDonough1-1/+1
defeats the purpose. (This used to be commit 71806c49b366faf2466eee7352c71fcdfefd8cc1)
2002-03-27Add server control to prevent referrals in paged searches. This keepsJim McDonough1-6/+18
the scope limited to the domain at hand, and also keeps the openldap libs happy, since they don't currently chase referrals and return server controls properly at the same time. (This used to be commit 2bebc8a391bd80bd0e5adbedb3757fb4279ec414)
2002-03-19added a ads_do_search_all() call, which is a more convenient interfaceAndrew Tridgell1-0/+42
to paged searches. This makes updating winbindd to used paged searches trivial. (This used to be commit 514c11b4e3fcc765a8087405333bd351c05c9e36)
2002-03-19fixed paged controls on my box. The problem seems to be incorrectAndrew Tridgell1-4/+21
referrals parsing in the openldap libs. By disabling referrals we get valid controls back and the cookies work. (This used to be commit 8bf487ddff240150d7a92aaa0f978dd30062c331)
2002-03-14This adds the Paged Result Control to ads searching. The new function, ↵Jim McDonough1-0/+79
ads_do_paged_search, is the same as ads_do_search, but it also contains a count of records returned in this page, and a cookie for resuming, to be passed back. The cookie must start off NULL, and when it returns as NULL, the search is done. (This used to be commit 9afba67f9a56699e34735e1e425f97b2464f2402)
2002-03-13detect SIZELIMIT_EXCEEDED in ldap queries and truncateAndrew Tridgell1-0/+4
the problem is, how the heck do we properly handle these? Jerry? It seems that the Win2000 ADS server only returns a max of 1000 records! (This used to be commit 93389647203395da0e894c2e57348081e755884a)
2002-03-11put in the ADS DNS hack, but commented outAndrew Tridgell1-0/+11
(This used to be commit 3396a671c59e6afe70a22ce64e4a9381b1d6fef8)
2002-03-10yipee! Finally put in the patch from Alexey KotovichAndrew Tridgell1-8/+121
<a.kotovich@sam-solutions.net> that adds the security decsriptor code for ADS workstation accounts thanks for your patience Cat, and thanks to Andrew Bartlett for extensive reviews and suggestions about this code. (This used to be commit 6891393b5db868246fe52ff62b3dc6aa5ca6f726)