summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2003-04-29Merge Samba 3.0 pdb_ldap from 3.0 into HEAD, so as to allow idra to continueAndrew Bartlett1-412/+1591
his IDMAP work. This version also works properly (the HEAD version had suffered from bitrot), and should be a good basis to change into the new IDMAP rules. It also includes UTF8 conversions. Included also are the schema changes, and a note about the now very old scripts in examples/LDAP (they don't work for this, or even the previous schema). Andrew Bartlett (This used to be commit 38a8f2b23a12f6a964d447f7904dd722a1ca046c)
2003-04-28Use NTSTATUS as return value for smb_register_*() functions and init_module()Jelmer Vernooij1-3/+2
function. Patch by metze with some minor modifications. (This used to be commit f4576757d1d52a8f1b96894c869bb76450003fd1)
2003-04-27prepare to get _nua out of the door (but back in from the window ;-)Simo Sorce1-25/+7
(This used to be commit 09eb02cba0747ae47aa4a76f4fac69af293a774a)
2003-04-16This code is no longer referenced - moved to the new libsmb/ldap.cAndrew Bartlett1-62/+0
Andrew Bartlett (This used to be commit c98bbc750773f7c49dbb1e69a5936f52416dd51c)
2003-04-09Fix double free on error and typoJelmer Vernooij1-2/+1
(This used to be commit 84b116f9c007c0f933af82462dff4324ffa53f0f)
2003-04-03The ldap idmap backend from Anthony Liguori (aliguori@us.ibm.com):Jim McDonough1-703/+94
This patch moves the ldap routines out of passdb into a generic library and implements an LDAP backend for IDMAP. THe backend can be enabled with "idmap backend = ldap" in smb.conf. THere are also schema changes to make sure to update teh ldap schema files. (This used to be commit 87c7c582c60521da3a93d997386fe79935012aea)
2003-04-02Fix a crash bug if LDAP doesn't fill in ld_error.Andrew Bartlett1-18/+18
Andrew Bartlett C VS: ---------------------------------------------------------------------- (This used to be commit d84a3fc522a588bdcd36cb86df304572947a456a)
2003-03-30This fixes group updates in LDAP the same way as user updatesVolker Lendecke1-77/+98
are handled, though we assume that always everything needs to be updated in LDAP. PDB_IS_* is not done yet for groups. Do we need it? Volker (This used to be commit 409a26282f8fcbd583a85df40c70b504eac26f6e)
2003-03-28Merge from HEAD - get better error strings from the ldap server in pdb_ldap.Andrew Bartlett1-11/+38
Andrew Bartlett (This used to be commit 5dc29b10b08658178133aee7b4c47197fadc533a)
2003-03-27This is no functional change. It just makes pdb_ldap.c a bitVolker Lendecke1-24/+50
easier to understand by moving the logic for init_ldap_from_sam and friends around. Volker (This used to be commit 124c80facba364033f72b20660f347390effba59)
2003-03-25Apply metze's change correctly this time. Playing 'patch' byVolker Lendecke1-6/+6
hand can be somewhat error-prone.. Volker (This used to be commit 12fabd07148c21f5481cb750f1cfdab2e8112e4b)
2003-03-23Implement abartlet's suggestion to add attribs to ldap if theyVolker Lendecke1-24/+30
are 'SET' when adding the account. I really don't like passing flags down to inner routines and complicated if/else conditions, but this time he might be right. ;-) Volker (This used to be commit 80d2578108da14f60133df3a308b867beb27e920)
2003-03-23This adds 'ldap delete dn' as the recommended parameterVolker Lendecke1-2/+2
for the 'ldap del only sam attr' functionality. So we are compatiple to the current SuSE patches as well as to TNG... ;-) Volker (This used to be commit 353309e2a3bc27e918bd0a6cf22833d57895fbc8)
2003-03-23Metzes change:Volker Lendecke1-4/+10
> Hi Volker, > > if 'displayName' is not available we should fallback to 'cn' for map->nt_name > 'cn' is used as unix group name by nss_ldap. > > and if nt_name is not available we should fail (so does this patch) Volker (This used to be commit 3a7d1e72e208b9609da4ff65d9fff9179799ecac)
2003-03-22Never touch complicated if/else/elsif structures :-)Volker Lendecke1-23/+27
This repairs domain join with fully existing wks-account which I broke with my last patch... Volker (This used to be commit 582a34efbe3c1570b852c93318ff6002954ddf6a)
2003-03-22This changes the way we do LDAP updates. We don't use LDAP_MOD_MODIFYVolker Lendecke1-121/+175
anymore, but instead look at what is currently stored in the database. Then we explicitly delete the existing attribute and add the new value if it is not NULL or "". This way we can handle appearing and disappearing attributes quite nicely. This currently breaks pdbedit -o, as this does not set the CHANGED flag on the SAM_ACCOUNT. Jelmer suggested that we set all the fields on CHANGED in context_add_sam_account. This sounds not too unreasonable. Volker (This used to be commit f7149cf500d2b10ee72163c018a39fdd192d7632)
2003-03-20Use True, not TRUE and False, not FALSEJelmer Vernooij1-1/+1
(This used to be commit 44e9bf88cc2bbb2aa34711354258c3abb319cb9b)
2003-03-20Merge Herb's change.Volker Lendecke1-1/+1
Volker (This used to be commit e8725913f9f174c03683a35bbce16ee33ab4c707)
2003-03-19Put in the new modules system. It's now used by passdb and rpc. I willJelmer Vernooij1-16/+4
put a doc about it in dev-doc later today. (This used to be commit af7bfee0c6902c07fdb8d3abccf4c8d6bab00b5a)
2003-03-19Add paramter 'ldap del only sam attr'.Volker Lendecke1-59/+97
This patch is heavily based on a patch by SuSE. Thanks to Guenther Deschner <gd@suse.de> for providing it. Volker (This used to be commit 5eaf9195eefda5ababba85cc0f6d581ff6f0f454)
2003-03-19Hey -- there is an error code NT_STATUS_CANNOT_DELETE :-)Volker Lendecke1-1/+1
(This used to be commit aa9b8382d38346cb3e94ddf2e7caf6d663034579)
2003-03-19If we fail, return an error code :-)Volker Lendecke1-0/+1
Volker (This used to be commit a5218499eb3f0a62cd663a06157591fbb0dfcbef)
2003-03-19Put group mapping into LDAP.Volker Lendecke1-1/+501
Volker (This used to be commit f0f1518fc450834725902e9cdf33fb8d35f99360)
2003-03-17Fix memory leak.Volker Lendecke1-0/+2
Volker (This used to be commit e8975d6e7bdcceb78a83a3446cf1430e1e3f1a72)
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-59/+0
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2003-02-01More ldap parinoia - if we ever get more than one result, bail. The order weAndrew Bartlett1-5/+23
get them in should be indeterminate, so just picking the first one would be bad... Andrew Bartlett (This used to be commit 21da8c3bb39c507eb90865549c3bb3538dcea138)
2003-02-01Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm toAndrew Bartlett1-3/+19
blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
2003-01-15initialize acct_ctrl before using itHerb Lewis1-2/+1
remove ldap_msgfree(result); as result is unitialized at this point (This used to be commit dc8882778694289ca461de57d443992f52ab7524)
2003-01-14Fix some debug lines, and add a bit more info to help track down ldapAndrew Bartlett1-8/+15
connectivity problems. Andrew Bartlett (This used to be commit 68de9a59203ed9778f11b78f233dc437b9dab55d)
2003-01-14clearer debug message when the user is already in the ldap dbAndrew Tridgell1-1/+2
(This used to be commit 31894ba0e5847eb934688598cd8d65bead23c58b)
2003-01-02BIG patch...Andrew Bartlett1-1/+1
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-03use FILE_MACRO instead of __FILE__Herb Lewis1-5/+5
use FUNCTION_MACRO instead of __FUNCTION_ (This used to be commit 243763d6eb107ab2444d81025232c8fe795baaf1)
2002-11-24Move from NT_STATUS_UNSUCCESSFUL to NT_STATUS_NO_SUCH_USER, and other slightlyAndrew Bartlett1-16/+21
more useful error codes. (This used to be commit 5b1185b4e8592e6bc1abe581950571e249c03a78)
2002-11-20fixed a number of places where we can try to free a wild pointer orAndrew Tridgell1-2/+14
look for the record count after an invalid search. This fixes a segv in ldapsam (This used to be commit d076823c73731a4c83f49a21f13360a38d54406e)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-4/+4
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-08Make smbpasswd use the group mapping, and fix spelling in ldapsam.Andrew Bartlett1-14/+14
This gets user mangler for doamins working again. Andrew Bartlett (This used to be commit 205209f77f154a2a5d5f7a255194d7953860a4db)
2002-11-02Clean up this a little - add comments describing a bit of what is going onAndrew Bartlett1-5/+6
here. (This used to be commit 88455313f6551a75eff4df2f0ba91430948c1c78)
2002-11-02Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccountAndrew Bartlett1-33/+92
attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)
2002-11-02Return the result code, not false (0 == success) on error...Andrew Bartlett1-1/+1
(This used to be commit f91c363bc05d1c82ad8a99a5c0d59b46cf820aac)
2002-11-02Fixes for pdb_ldap:Andrew Bartlett1-111/+103
- Default is now for start-tls, on the ldap (not ldaps) port - We check for 'I am currently root' in the right place now, and don't accidentily use a cached connection. - We don't loop on failure to be root, or some other errors. - A bit cleaner error reporting for add/modify. - Both the OpenLDAP and manual URI parsing tested. Andrew Bartlett (This used to be commit cfa1e459d727764feddcfdd8c9c0404282e2d0e8)
2002-10-26One more step towards to better PDC.Andrew Bartlett1-208/+330
This patch, from "Stefan (metze) Metzmacher" <metze@metzemix.de> implements an LDAP connection cache. This removes the quite silly situation where every single passdb operation involved a new LDAP connection. The hope is that this will give us a decent performance boost in some usrmgr related activities, and in the sid->name/sid->uid code. The remaining things I think are 'todo' for pdb_ldap (in the near term) are: - intergrate volker's next_rid patch for NUA accounts, - add a 'trust ldap ids' option (remove Get_Pwnam() hit on enumerations). - put the group mapping actually into ldap - Schema fixes and do utf8 conversion - server failover (try a second server for the rebind on fail) - ensure we block between an 'add' and the ldap master replicating to our local slave (mezte found this issue, kills domain joins) Andrew Bartlett (This used to be commit 3418da16456511490beb0d1045fff24576b48273)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-1/+60
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-17Revert changesVolker Lendecke1-24/+22
(This used to be commit 84b62f6d96a77ccbc1b4475ab0780a4e4c9d4875)
2002-10-16No functional change. I'm trying to understand pdb_ldap.c andVolker Lendecke1-22/+24
found an unecessary parameter to ldapsam_search_one_user. Volker (This used to be commit a085670c7e3a0ca82df749592fd5c6a86def1d53)
2002-10-12Nice *big* patch from metze.Andrew Bartlett1-99/+161
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-10-12We already set LDAPv3 at connect time, no need to set it again.Andrew Bartlett1-8/+0
(This used to be commit c8e32d485bf205b6965579f94063effd86777f3f)
2002-09-27Readd the 2.2 --with-ldapsam paramaters so as to allow a smooth upgrade path toAndrew Bartlett1-4/+19
a 3.0 based PDC. Change defaults to use SSL, so that this also matches. Andrew Bartlett (This used to be commit 36c2a3820faa1d90cd331881720be0e61ab93460)
2002-09-26move all the passdb internal interface to NTSTATUSSimo Sorce1-63/+70
only the interface has been fully moved to NTSTATUS not all the plugins make full use of it, but have been all converted. My testings passed completely, however a bit of more testing is welcome Simo. (This used to be commit 102a26e06591928a03b49cd312a65811ed46314f)
2002-09-25This patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> cleans upAndrew Bartlett1-116/+175
pdb_ldap and adds a 'ldap passwd sync' option. The idea with this option is to do allow an ldap backend to do all the fancy password hashing etc - and to tell smbd no to try and double-up. Using 'ldap passwd sync = only' will do this, but is not recommended unless such a backend is in place... Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd sync = yes' and having both PAM and pam_ldap correctly configured for 'magic root' behaviour, but only using ldap connection, and one set of credentials. This also gets us closer to allowing ldap to say 'password too short' etc, which might assist in maintaining a consistant password policy. Andrew Bartlett (This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
2002-09-25If adding a user to ldap, make sure we have the 'account' structural class, orAndrew Bartlett1-0/+1
else we can't add to OpenLDAP 2.1 (This used to be commit d9a91a41441c156223760cb356fa997ea7bdbc1a)