summaryrefslogtreecommitdiff
path: root/source3/libads/ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r21608: Fix a couple of memleaks in error code paths beforeJeremy Allison1-1/+2
Coverity finds them :-) Jeremy. (This used to be commit cbe725f1b09f3d0edbdf823e0862edf21e16d336)
2007-10-10r21606: Implement escaping function for ldap RDN valuesSimo Sorce1-2/+8
Fix escaping of DN components and filters around the code Add some notes to commandline help messages about how to pass DNs revert jra's "concistency" commit to nsswitch/winbindd_ads.c, as it was incorrect. The 2 functions use DNs in different ways. - lookup_usergroups_member() uses the DN in a search filter, and must use the filter escaping function to escape it Escaping filters that include escaped DNs ("\," becomes "\5c,") is the correct way to do it (tested against W2k3). - lookup_usergroups_memberof() instead uses the DN ultimately as a base dn. Both functions do NOT need any DN escaping function as DNs can't be reliably escaped when in a string form, intead each single RDN value must be escaped separately. DNs coming from other ldap calls (like ads_get_dn()), do not need escaping as they come already escaped on the wire and passed as is by the ldap libraries DN filtering has been tested. For example now it is possible to do something like: 'net ads add user joe#5' as now the '#' character is correctly escaped when building the DN, previously such a call failed with Invalid DN Syntax. Simo. (This used to be commit 5b4838f62ab1a92bfe02626ef40d7f94c2598322)
2007-10-10r21352: Let ads_upn_suffixes() return a pointer to an array of suffixes.Günther Deschner1-4/+4
Guenther (This used to be commit 7ad7847e5bbdd90fa6ae9ce91e5962f524ac2890)
2007-10-10r21349: Fix memleak in ads_upn_suffixes().Günther Deschner1-0/+3
Guenther (This used to be commit 8462f323cf86f90b1bdf14a3953c5a4bda1b9533)
2007-10-10r21021: Fix memleak.Günther Deschner1-0/+1
Guenther (This used to be commit 4e622572eb7939c6aa8e99fd9595bf28836bd5a3)
2007-10-10r20874: We need to distinguish client sitenames per realm. We were overwritingGünther Deschner1-4/+6
the stored client sitename with the sitename from each sucessfull CLDAP connection. Guenther (This used to be commit 6a13e878b5d299cb3b3d7cb33ee0d51089d9228d)
2007-10-10r20857: Silence gives assent :-). Checking in the fix forJeremy Allison1-2/+17
site support in a network where many DC's are down. I heard via Volker there is still a bug w.r.t the wrong site being chosen with trusted domains but we'll have to layer that fix on top of this. Gd - complain if this doesn't work for you. Jeremy. (This used to be commit 97e248f89ac6548274f03f2ae7583a255da5ddb3)
2007-10-10r20487: Remove the unused dn2ad_canonical() callGerald Carter1-18/+0
(This used to be commit 86e6ae6a9fe2a6fdaeeb503653a312662c7f50e9)
2007-10-10r19687: Fix uninitialized variables found by Coverity (and gcc -O1... ;-))Volker Lendecke1-1/+2
Volker (This used to be commit b7dc9b81696aa5434419c5378a47b41c6dee3dfa)
2007-10-10r19651: Fix interesting bug with the automatic site coverage in Active ↵Günther Deschner1-1/+25
Directory: When having DC-less sites, AD assigns DCs from other sites to that site that does not have it's own DC. The most reliable way for us to identify the nearest DC - in that and all other cases - is the closest_dc flag in the CLDAP reply. Guenther (This used to be commit ff004f7284cb047e738ba3d3ad6602e8aa84e883)
2007-10-10r19646: Fix memleak in the default_ou_string handling. Thanks to David HuGünther Deschner1-11/+37
<david.hu@hp.com>. Fixes #4212. Guenther (This used to be commit 4ec896cdbe441b17d91895a50ac9be61efe2f9c1)
2007-10-10r19528: Fix container handling for "net ads user" and "net ads group" functionsGünther Deschner1-1/+3
along with some memleaks. Guenther (This used to be commit 4bad52c5b3a983418d4216a2c3f5e04926e37e94)
2007-10-10r19526: Fix minor memleak.Günther Deschner1-0/+1
Guenther (This used to be commit 61ebedc82ee7d7a98e2a52b0677d723a801ab30f)
2007-10-10r19263: Be more accurate in telling what the sitename problem is in this DEBUGGünther Deschner1-1/+1
statement. Guenther (This used to be commit 62928734b820f512f940c1ed79048e14b322d060)
2007-10-10r18923: Fix more memleaks.Günther Deschner1-2/+11
Guenther (This used to be commit ecb632a1534d5178602b9143bb17712559fe2e4f)
2007-10-10r18902: Also dump mS-DS-CreatorSID.Günther Deschner1-0/+1
Guenther (This used to be commit e7cae9bbae2848ca1088a822883563062dd3f612)
2007-10-10r18663: Fix one more uuid -> GUID.Jeremy Allison1-1/+1
Jeremy. (This used to be commit e568271af2b5c20cff70b72b8ab4b1b704122b40)
2007-10-10r18552: Ensure the sitename matches before we SAF store a DC in ADS mode.Jeremy Allison1-4/+4
Jeremy. (This used to be commit 03e1078b459531af5a2336b584b3c886c5dd1e29)
2007-10-10r18480: Doh ! Double-free of hostnameDN.Jeremy Allison1-1/+0
Jeremy. (This used to be commit f8984fa8b706bb76559e447b30a201e1cc2871b6)
2007-10-10r18464: Solaris has LDAP_SCOPE_ONELEVEL. Linux seems to have it as well.Volker Lendecke1-5/+7
Fix a C++ compat warning. Volker (This used to be commit 351e583f66714562eca1f40429bfee70f06d281c)
2007-10-10r18453: Attempt to fix the non-ldap buildVolker Lendecke1-0/+4
(This used to be commit 86db85423027d34cb053fc068159ddd2226e90ec)
2007-10-10r18446: Add the ldap 'leave domain' code - call this asJeremy Allison1-0/+174
a non-fatal error path if the 'disable machine account' code succeeded. Jeremy. (This used to be commit f47bffa21ec1caf5ec3a6ec77af801df0b63d83a)
2007-10-10r18165: Fix memleaks.Günther Deschner1-2/+7
Guenther (This used to be commit 6f301b2dc3dd64b4396e1d0307b3d539bda67d45)
2007-10-10r18063: When we get a successful connection using ADS,Jeremy Allison1-1/+2
cache the SAF name under both the domain name and the realm name, as we could be looking up under both. Jerry please check. Jeremy. (This used to be commit 9d954d2deb46698b3834c7caf5ee0cfe628086b5)
2007-10-10r18019: Fix a C++ warnings: Don't use void * in libads/ for LDAPMessage anymore.Volker Lendecke1-88/+92
Compiled it on systems with and without LDAP, I hope it does not break the build farm too badly. If it does, I'll fix it tomorrow. Volker (This used to be commit b2ff9680ebe0979fbeef7f2dabc2e3f27c959d11)
2007-10-10r18015: Try and detect network failures immediately inJeremy Allison1-0/+20
set_dc_type_and_flags(). Fix problem when DC is down in ads_connect, where we fall back to NetBIOS and try exactly the same IP addresses we just put in the negative connection cache.... We can never succeed, so don't try lookups a second time. Jeremy. (This used to be commit 2d28f3e94a1a87bc9e9ed6630ef48b1ce17022e8)
2007-10-10r17994: Add debugs that showed me why my site code wasn'tJeremy Allison1-2/+7
working right. Don't update the server site when we have a client one... Jeremy. (This used to be commit 7acbcf9a6c71f8e7f9167880488613c930cef4d9)
2007-10-10r17946: Fix couple of typos...Jeremy Allison1-2/+2
Jeremy. (This used to be commit 638d53e2ad524dfe4666b79d36997dea8a44c8cd)
2007-10-10r17945: Store the server and client sitenames in the ADSJeremy Allison1-0/+32
struct so we can see when they match - only create the ugly krb5 hack when they do. Jeremy. (This used to be commit 9be4ecf24b6b5dacf4c2891bddb072fa7543753f)
2007-10-10r17943: The horror, the horror. Add KDC site support byJeremy Allison1-0/+1
writing out a custom krb5.conf file containing the KDC I need. This may suck.... Needs some testing :-). Jeremy. (This used to be commit d500e1f96d92dfcc6292c448d1b399195f762d89)
2007-10-10r17937: Move the saf_ cache into the tcp ad connection code.Jeremy Allison1-5/+5
Cause winbindd to set site support before doing the generic AD server lookup. Jeremy. (This used to be commit a9833941715472ece747bce69ef53ba8ad98d7a5)
2007-10-10r17928: Implement the basic store for CLDAP sitenameJeremy Allison1-0/+3
support when looking up DC's. On every CLDAP call store the returned client sitename (if present, delete store if not) in gencache with infinate timeout. On AD DNS DC lookup, try looking for sitename DC's first, only try generic if sitename DNS lookup failed. I still haven't figured out yet how to ensure we fetch the sitename with a CLDAP query before doing the generic DC list lookup. This code is difficult to understand. I'll do some experiments and backtraces tomorrow to try and work out where to force a CLDAP site query first. Jeremy. (This used to be commit ab3f0c5b1e9c5fd192c5514cbe9451b938f9cd5d)
2007-10-10r17901: Stanford checker fix. cookie here can't be null or we'dJeremy Allison1-1/+1
deref null. Make interface explicit. Jeremy. (This used to be commit 4e99606ec16b978a76219b5362a23a7b06ee5468)
2007-10-10r17881: Another microstep towards better error reporting: Make ↵Volker Lendecke1-8/+12
get_sorted_dc_list return NTSTATUS. If we want to differentiate different name resolution problems we might want to introduce yet another error class for Samba-internal errors. Things like no route to host to the WINS server, a DNS server explicitly said host not found etc might be worth passing up. Because we can not stash everything into the existing NT_STATUS codes, what about a Samba-specific error class like NT_STATUS_DOS and NT_STATUS_LDAP? Volker (This used to be commit 60a166f0347170dff38554bed46193ce1226c8c1)
2007-10-10r17798: Beginnings of a standalone libaddns library released underGerald Carter1-3/+3
the LGPL. Original code by Krishna Ganugapati <krishnag@centeris.com>. Additional work by me. It's still got some warts, but non-secure updates do currently work. There are at least four things left to really clean up. 1. Change the memory management to use talloc() rather than malloc() and cleanup the leaks. 2. Fix the error code reporting (see initial changes to dnserr.h) 3. Fix the secure updates 4. Define a public interface in addns.h 5. Move the code in libads/dns.c into the libaddns/ directory (and under the LGPL). A few notes: * Enable the new code by compiling with --with-dnsupdate * Also adds the command 'net ads dns register' * Requires -luuid (included in the e2fsprogs-devel package). * Has only been tested on Linux platforms so there may be portability issues. (This used to be commit 36f04674aeefd93c5a0408b8967dcd48b86fdbc1)
2007-10-10r17551: Move some DEBUG to d_printf in interactive functions and returnVolker Lendecke1-1/+1
NO_LOGON_SERVERS if no domain controller was found. Thanks to Michael Adam <ma@sernet.de>. Volker (This used to be commit d44599de3a61707a32851f37ddfb2425949622f8)
2007-10-10r17536: Add a debug message citing the reason why an LDAP connection failed, ↵Volker Lendecke1-0/+5
inspired by Christian M Ambach <CAMBACH1@de.ibm.com>. Volker (This used to be commit cf7c83d462dc766fa6f48728d0a4e8d534cc2bd4)
2007-10-10r17535: Reformatting, this had many tabs instead of ^$Volker Lendecke1-6/+6
(This used to be commit 0f483cf66c203d8590998b83cbeeb236ba06ab63)
2007-10-10r17089: Fix a possible null dereference and some memleaks.Volker Lendecke1-0/+1
Jerry, please check. Thanks, Volker (This used to be commit b87c4952216b6302b0e1f22689b5a36b6aa65349)
2007-10-10r16952: New derive DES salt code and Krb5 keytab generationGerald Carter1-70/+190
Major points of interest: * Figure the DES salt based on the domain functional level and UPN (if present and applicable) * Only deal with the DES-CBC-MD5, DES-CBC-CRC, and RC4-HMAC keys * Remove all the case permutations in the keytab entry generation (to be partially re-added only if necessary). * Generate keytab entries based on the existing SPN values in AD The resulting keytab looks like: ktutil: list -e slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 2 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 3 6 host/suse10.plainjoe.org@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 4 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 5 6 host/suse10@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 6 6 host/suse10@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) 7 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with CRC-32) 8 6 suse10$@COLOR.PLAINJOE.ORG (DES cbc mode with RSA-MD5) 9 6 suse10$@COLOR.PLAINJOE.ORG (ArcFour with HMAC/md5) The list entries are the two basic SPN values (host/NetBIOSName & host/dNSHostName) and the sAMAccountName value. The UPN will be added as well if the machine has one. This fixes 'kinit -k'. Tested keytab using mod_auth_krb and MIT's telnet. ads_verify_ticket() continues to work with RC4-HMAC and DES keys. (This used to be commit 6261dd3c67d10db6cfa2e77a8d304d3dce4050a4)
2007-10-10r16945: Sync trunk -> 3.0 for 3.0.24 code. Still needJeremy Allison1-4/+5
to do the upper layer directories but this is what everyone is waiting for.... Jeremy. (This used to be commit 9dafb7f48ca3e7af956b0a7d1720c2546fc4cfb8)
2007-10-10r16862: Reverting accidential changes in ads_try_connect() from previous commit.Günther Deschner1-2/+2
Guenther (This used to be commit 6257f9af93f2391940b2c60fe39c0bf106de15dd)
2007-10-10r16861: Fixing crash bug when passing no domain/realm name to the CLDAP request.Günther Deschner1-3/+4
Guenther (This used to be commit 863aeb621afa7dcec1bfef8e503ef8ed363e3742)
2007-10-10r16836: When receiving a CLDAP reply make sure that we always store the correctGünther Deschner1-1/+3
netbios domain name in server affinity cache. Guenther (This used to be commit 08958411eeff430fb523d9b73e0259d060bac17b)
2007-10-10r16685: Fix bug #3901 reported by jason@ncac.gwu.edu.Jeremy Allison1-7/+1
Jeremy. (This used to be commit d48655d9c0b31d15327655140c021de29873d2c5)
2007-10-10r16339: Fix Klocwork IDVolker Lendecke1-1/+7
277 278 (cmd_*) 485 487 488 (ldap.c) Volker (This used to be commit 5b1eba76b3ec5cb9b896a9a5641b4d83bdbdd4cf)
2007-10-10r16324: Klocwork #499. Allways check results from alloc.Jeremy Allison1-1/+19
Jeremy. (This used to be commit 2b69d436da7b2902ea419f3bcc45c7b5a5c571fb)
2007-10-10r16322: Klocwork #481., Don't deref null on malloc fail.Jeremy Allison1-2/+4
Jeremy. (This used to be commit dd31f3fc0e044fdae139aefcb21773249c30eb74)
2007-10-10r16190: Fix more memleaks.Günther Deschner1-1/+6
Guenther (This used to be commit dfebcc8e19bee06b7c03f88845314e9cfd6f398a)
2007-10-10r16117: Make winbindd work again in security=ads.Günther Deschner1-2/+6
We still used the old HOST/* UPN to get e.g. users, now we need samaccountname$@REA.LM. Guenther (This used to be commit f6516a799aec2db819f79b9a1e641637422a9b4c)