summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2004-01-06isolate ldap debug messages to the common smbldap_XXX() functionsGerald Carter1-3/+0
(This used to be commit 7d7a262f45182e67daecdca49df85445c2b9700a)
2003-12-26Check the return value of string_to_sid in a few more places. (ButAndrew Bartlett1-2/+10
string_to_sid also needs to be less permissive on what it thinks are valid sids...) Andrew Bartlett (This used to be commit 9080c30de8aa96ed3b9b121ca111f1632572754e)
2003-12-26Show the error message for failure to set the ldap password.Andrew Bartlett1-2/+8
(For 'ldap password sync = yes') Andrew Bartlett (This used to be commit 5b682aef678cc9ee135852d7ee6b8c159902fab7)
2003-12-04support munged dial for ldapsam; patch from Aurélien Degrémont; bug 800Gerald Carter1-3/+15
(This used to be commit 1c3c16abc94d197e69e3350de1e5cc1e99be4322)
2003-11-14fix more memory leaks in the LDAP backend code; patches from metzeGerald Carter1-22/+38
(This used to be commit e079c8842a24ff4f50483bea8ca6b11db4b2dc99)
2003-10-31Patch from Aurélien Degrémont <adegremont@idealx.com>. "entry" is dependentJeremy Allison1-2/+4
on "result", don't free result first. Jeremy. (This used to be commit c61a230c5ab7250c0812b422e0a533fbf5efbf17)
2003-10-30If nothing to do, return success. Fix from Aur?lien Degr?mont ↵Jeremy Allison1-1/+1
<adegremont@idealx.com> Jeremy. (This used to be commit aa668a0206b027923a333417309cb483c5a64265)
2003-10-22Put strcasecmp/strncasecmp on the banned list (except for needed callsJeremy Allison1-1/+1
in iconv.c and nsswitch/). Using them means you're not thinking about multibyte at all and I really want to discourage that. Jeremy. (This used to be commit d7e35dfb9283d560d0ed2ab231f36ed92767dace)
2003-10-02Make pdb_ldap.c compile with SUN iPlanet headers. Whether this works will beVolker Lendecke1-1/+1
tested soon, but this fix is somewhat obvious. Volker (This used to be commit 227882d6f79fb5909998996e1be08df723c49e8e)
2003-09-18The "unknown_5" 32 bit field in the user structs is actually 2 16-bitJeremy Allison1-1/+19
fields, bad_password_count and logon_count. Ensure this is stored/fetched in the various SAMs. As it replaces the unknown_5 field this fits exactly into the tdb SAM without any binary problems. It also is added to the LDAP SAM as two extra attributes. It breaks compatibility with the experimental SAMs xml and mysql. The maintainers of these SAMs must fix them so upgrades like this can be done transparently. I will insist on the "experimental" status until this is solved. Jeremy. (This used to be commit cd7bd8c2daff3293d48f3376a7c5a708a140fd94)
2003-09-11remove getpwnam() calls from init_sam_from_xxx().Gerald Carter1-32/+22
This means that %u & %g will no longer expand, but %U and %G still do. The payback is that winbindd local accounts for users work with 'wbinfo -u' when winbind is running on a PDC. (This used to be commit eb02fcf3c212eee1dc267959f23da5a26c1eac4f)
2003-09-10Fix a nasty mess, and also bug #296. passdb/pdb_ldap.c was not convertingJeremy Allison1-250/+219
to/from utf8 for some calls. The libads code gets this right. Wonder why the passdb code doesn't use it ? Jeremy. (This used to be commit 910d21d3164c2c64773031fddaad35ea88e72a04)
2003-08-27remove 'ldap trust ids' since there was no way for it to work nowGerald Carter1-0/+5
(This used to be commit 3724063f1518c25e33ba6b65cd3bb1e36cec51fa)
2003-08-15get rid of some sompiler warnings on IRIXHerb Lewis1-3/+2
(This used to be commit a6a39c61e8228c8b3b7552ab3c61ec3a6a639143)
2003-08-06fix bug #208; have to get the gid of the user's primary group for %GGerald Carter1-1/+10
(This used to be commit 575483a1efe18a90055490117ba6894512ae568a)
2003-07-23convert snprintf() calls using pstrings & fstringsGerald Carter1-14/+14
to pstr_sprintf() and fstr_sprintf() to try to standardize. lots of snprintf() calls were using len-1; some were using len. At least this helps to be consistent. (This used to be commit 9f835b85dd38cbe655eb19021ff763f31886ac00)
2003-07-22Fixup a bunch of printf-style functions and debugs to use unsigned long whenTim Potter1-12/+12
displaying pid_t, uid_t and gid_t values. This removes a whole lot of warnings on some of the 64-bit build farm machines as well as help us out when 64-bit uid/gid/pid values come along. (This used to be commit f93528ba007c8800a850678f35f499fb7360fb9a)
2003-07-18Fix two memleaks in pdb_ldap.c.Volker Lendecke1-1/+4
Whoever put the private.backend_private_data_free_fn thingy into SAM_ACCOUNT, could you please revisit my change to pdb_get_set.c and comment on my comment there? Thanks, Volker (This used to be commit 922ec277d1c80b5532f5cac0ee99ae7cd20f83f1)
2003-07-16Fix memleakVolker Lendecke1-1/+4
(This used to be commit 42a59d691019ee328920be25a1c505037f74151f)
2003-07-16typoVolker Lendecke1-1/+1
(This used to be commit 09e00970d4b3ec80467a4a292c39650d6c945847)
2003-07-15Fix memleaksVolker Lendecke1-1/+6
(This used to be commit 26134ac302f3296df6a65182f2585201a3ad833a)
2003-07-11moving more code around.Gerald Carter1-478/+11
* move rid allocation into IDMAP. See comments in _api_samr_create_user() * add winbind delete user/group functions I'm checking this in to sync up with everyone. But I'm going to split the add a separate winbindd_allocate_rid() function for systems that have an 'add user script' but need idmap to give them a RID. Life would be so much simplier without 'enable rid algorithm'. The current RID allocation is horrible due to this one fact. Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow. Nothing has changed in the way a samba domain is represented, stored, or search in the directory so things should be ok with previous installations. going to bed now. (This used to be commit 0463045cc7ff177fab44b25faffad5bf7140244d)
2003-07-07and so it begins....Gerald Carter1-2/+8
* remove idmap_XX_to_XX calls from smbd. Move back to the the winbind_XXX and local_XXX calls used in 2.2 * all uid/gid allocation must involve winbindd now * move flags field around in winbindd_request struct * add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id() to prevent automatic allocation for unknown SIDs * add 'winbind trusted domains only' parameter to force a domain member server to use matching users names from /etc/passwd for its domain (needed for domain member of a Samba domain) * rename 'idmap only' to 'enable rid algorithm' for better clarity (defaults to "yes") code has been tested on * domain member of native mode 2k domain * ads domain member of native mode 2k domain * domain member of NT4 domain * domain member of Samba domain * Samba PDC running winbindd with trusts Logons tested using 2k clients and smbclient as domain users and trusted users. Tested both 'winbind trusted domains only = [yes|no]' This will be a long week of changes. The next item on the list is winbindd_passdb.c & machine trust accounts not in /etc/passwd (done via winbindd_passdb) (This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)
2003-07-06Fix ldapsam_getsampwsid to correctly only say 'no such user' when indeed thereAndrew Bartlett1-13/+13
is no such user... Thanks to jerry for spotting this. Also clean up the function a bit, to avoid this happening again... Andrew Bartlett (This used to be commit d9a6859e2bd963f28cf3c3a62e483e868822597f)
2003-07-05Add some debug statments to our vampire code - try to make it easier to trackAndrew Bartlett1-7/+9
down failures. Add a 'auto-add on modify' feature to guestsam Fix some segfault bugs on no-op idmap modifications, and on new idmappings that do not have a DN to tack onto. Make the 'private data' a bit more robust. Andrew Bartlett (This used to be commit 6c48309cda9538da5a32f3d88a7bb9c413ae9e8e)
2003-07-05Fixes to our LDAP/vampire codepaths:Andrew Bartlett1-11/+27
- Try better to add the appropriate mapping between UID and SIDs, based on Get_Pwnam() - Look for previous users (lookup by SID) and correctly modify the existing entry in that case - Map the root user to the Admin SID as a 'well known user' - Save the LDAPMessage result on the SAM_ACCOUNT for use in the next 'update' call on that user. This means that VL's very nice work on atomic LDAP updates now really gets used properly! - This also means that we know the right DN to update, without the extra round-trips to the server. Andrew Bartlett (This used to be commit c7118cb31dac24db3b762fe68ce655b17ea102e0)
2003-07-04This patch cleans up some of our ldap code, for better behaviour:Andrew Bartlett1-387/+393
We now always read the Domain SID out of LDAP. If the local secrets.tdb is ever different to LDAP, it is overwritten out of LDAP. We also store the 'algorithmic rid base' into LDAP, and assert if it changes. (This ensures cross-host synchronisation, and allows for possible integration with idmap). If we fail to read/add the domain entry, we just fallback to the old behaviour. We always use an existing DN when adding IDMAP entries to LDAP, unless no suitable entry is available. This means that a user's posixAccount will have a SID added to it, or a user's sambaSamAccount will have a UID added. Where we cannot us an existing DN, we use 'sambaSid=S-x-y-z,....' as the DN. The code now allows modifications to the ID mapping in many cases. Likewise, we now check more carefully when adding new user entires to LDAP, to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount onto the idmap entry for that user, if it is already established (ensuring we do not duplicate sambaSid entries in the directory). The allocated UID code has been expanded to take into account the space between '1000 - algorithmic rid base'. This much better fits into what an NT4 does - allocating in the bottom part of the RID range. On the code cleanup side of things, we now share as much code as possible between idmap_ldap and pdb_ldap. We also no longer use the race-prone 'enumerate all users' method for finding the next RID to allocate. Instead, we just start at the bottom of the range, and increment again if the user already exists. The first time this is run, it may well take a long time, but next time will just be able to use the next Rid. Thanks to metze and AB for double-checking parts of this. Andrew Bartlett (This used to be commit 9c595c8c2327b92a86901d84c3f2c284dabd597e)
2003-06-25Patch to move functions directly from pdb_ldap.c into lib/smbldap.cAndrew Bartlett1-718/+8
The functions are unchanged. Next step is to make idmap_ldap use them. Andrew Bartlett (This used to be commit 57617a0f8c84f9ced4df2901811ce5a5a5ae005e)
2003-06-24Fix pdb_ldap segfaults, and wrong default values for ldapsam_compat.Andrew Bartlett1-4/+3
Reviewed by vl, metze. Andrew Bartlett (This used to be commit 9804ad458ad35c9ea7de3e2e86bf8b2f85ae6533)
2003-06-22Found out a good number of NT_STATUS_IS_ERR used the wrong way.Simo Sorce1-1/+1
As abartlet rememberd me NT_STATUS_IS_ERR != !NT_STATUS_IS_OK This patch will cure the problem. Working on this one I found 16 functions where I think NT_STATUS_IS_ERR() is used correctly, but I'm not 100% sure, coders should check the use of NT_STATUS_IS_ERR() in samba is ok now. Simo. (This used to be commit c501e84d412563eb3f674f76038ec48c2b458687)
2003-06-21This patch works towards to goal of common code shared between idmap_ldapAndrew Bartlett1-261/+359
and pdb_ldap. So far, it's just a function rename, so that the next patch can be a very simple matter of copying functions, without worrying about what changed in the process. Also removes the 'static' pointers for the rebind procedures, replacing them with a linked list of value/key lookups. (Only needed on older LDAP client libs) Andrew Bartlett (This used to be commit f93167a7e1c56157481a934d2225fe19786a3bff)
2003-06-18Ok, this patch removes the privilege stuff we had in, unused, for some time.Simo Sorce1-9/+6
The code was nice, but put in the wrong place (group mapping) and not supported by most of the code, thus useless. We will put back most of the code when our infrastructure will be changed so that privileges actually really make sense to be set. This is a first patch of a set to enhance all our mapping code cleaness and stability towards a sane next beta for 3.0 code base Simo. (This used to be commit e341e7c49f8c17a9ee30ca3fab3aa0397c1f0c7e)
2003-06-07Try to fix memory leaks found by valgrind in pdb_ldap code.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit decadfcc8205ed5611d74141e301569ef8b1d9f4)
2003-06-06support LDAP_EXOP_MODIFY_PASSWORD (not experiemental in OpenLDAP 2.1)Gerald Carter1-9/+21
(This used to be commit 50fdc938222112b5470d05d8cd15386bd0a112df)
2003-06-06* break out more common code used between pdb_ldap and idmap_ldapGerald Carter1-128/+36
* remove 'winbind uid' and 'winbind gid' parameters (replaced by current idmap parameter) * create the sambaUnixIdPool entries automatically in the 'ldap idmap suffix' * add new 'ldap idmap suffix' and 'ldap group suffix' parametrer * "idmap backend = ldap" now accepts 'ldap:ldap://server/' format (parameters are passed to idmap init() function (This used to be commit 1665926281ed2be3c5affca551c9d458d013fc7f)
2003-06-05working draft of the idmap_ldap code.Gerald Carter1-282/+3
Includes sambaUnixIdPool objectclass Still needs cleaning up wrt to name space. More changes to come, but at least we now have a a working distributed winbindd solution. (This used to be commit 824175854421f7c27d31ad673a8790dd018ae350)
2003-05-27cut-n-paste errorGerald Carter1-1/+1
(This used to be commit eb567e803e2da3ce11174812a5162642d8ef342b)
2003-05-27fix bug 118; replace hard coded 'next[User|Group]Rid' attribute namesGerald Carter1-6/+8
(This used to be commit f7ebb3c9e5d38d86d48459b7962a3da6d4900285)
2003-05-22fix bug #108; sambaSambaAccount string attributes are case insensitive; ↵Gerald Carter1-2/+5
don't try to change a string that only differs in case (This used to be commit 01ef08352007487040edefcc0b99ca79823cbddf)
2003-05-16Well spotted typo by Marco Berger <MARCOB@voelcker.com>Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit f16b0e025ea3112b4c231b67bc95f63418599f2e)
2003-05-16Fix from Alex Deiter <tiamat@komi.mts.ru>Simo Sorce1-1/+1
Reversed check. (This used to be commit 542ee1d3d6401c4d03770f07cfc907d016e166b4)
2003-05-14readding reverted changes during idmap merge (noticed by Andrew b.)Gerald Carter1-16/+33
(This used to be commit c6d836c61cb3e122dcc41b874ed5a03a130b6a4c)
2003-05-14fix group mapping in LDAP under new schemaGerald Carter1-35/+61
(This used to be commit 0714dda7cc4a1df73e1b9d11daae80a1f46583de)
2003-05-14*****LDAP schema changes*****Gerald Carter1-292/+802
New objectclass named sambaSamAccount which uses attribute prefaced with the phrase 'samba' to prevent future name clashes. Change in functionality of the 'ldap filter' parameter. This always defaults to "(uid=%u)" now and is and'd with the approriate objectclass depending on whether you are using ldapsam_compat or ldapsam conversion script for migrating from sambaAccount to sambaSamAccount will come next. (This used to be commit 998586e65271daa919e47e1206c0007454cbca66)
2003-05-14Fix pointer return bug in get_unix_attributes()Tim Potter1-1/+1
(This used to be commit 7aa54f0a7f3bcfb5d9560ca3bb88e1549b7ce421)
2003-05-14spellingTim Potter1-2/+2
(This used to be commit 1b4f904277b5e9331cdf4491163f856aa78d0453)
2003-05-12Fix obvious compiler warnings.Jeremy Allison1-1/+0
Jeremy. (This used to be commit 2a6d0c2481c3c34351e57c30a85004babdbf99b0)
2003-05-12And finally IDMAP in 3_0Simo Sorce1-114/+54
We really need idmap_ldap to have a good solution with ldapsam, porting it from the prvious code is beeing made, the code is really simple to do so I am confident it is not a problem to commit this code in. Not committing it would have been worst. I really would have been able to finish also the group code, maybe we can put it into a followin release after 3.0.0 even if it may be an upgrade problem. The code has been tested and seem to work right, more testing is needed for corner cases. Currently winbind pdc (working only for users and not for groups) is disabled as I was not able to make a complete group code replacement that works somewhat in a week (I have a complete patch, but there are bugs) Simo. (This used to be commit 0e58085978f984436815114a2ec347cf7899a89d)
2003-05-12fixing typos in debug statementsGerald Carter1-1/+1
(This used to be commit f59bcb51cfe4e268ba43245d401d212aefdf2b72)
2003-05-11As discussed on samba-technical - move to 'primaryGroupSid' insted ofAndrew Bartlett1-17/+45
primaryGroupID (rid). This is consistant with the move from 'rid' to ntSid for the primary user identifier. Also cope with legacy installations where primaryGroupID might have been stored as 0. Andrew Bartlett (This used to be commit 0e432817cb927b41af7b49fb0b5081ffdb46f85e)