summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r6445: Make us survive the PARANOID_MALLOC_CHECKER. Should we enable that forVolker Lendecke1-2/+2
--enable-developer=yes? Volker (This used to be commit 61d40ac60dd9c8c9bbcf92e4fc57fe1d706bc721)
2007-10-10r6421: use add machine script when creating a user (ACB_NORMAL)Gerald Carter1-1/+2
who has a name ending in '$' (usrmgr.exe does this for domain trusts (that's was jfm's original comment I think). avoid an assert() call in libldap. (This used to be commit 0ac57ae94202190ddbe538f7180a0443463b48cf)
2007-10-10r6367: Slim down pdb_interface.c a bit. next_entry and search_end are functionVolker Lendecke1-9/+9
pointers now. Yes, Jeremy, this is about re-inventing C++... :-) Volker (This used to be commit a831e54738c7854e68c696e9cbb132c012ff223c)
2007-10-10r6351: This is quite a large and intrusive patch, but there are not many ↵Volker Lendecke1-0/+469
pieces that can be taken out of it, so I decided to commit this in one lump. It changes the passdb enumerating functions to use ldap paged results where possible. In particular the samr calls querydispinfo, enumdomusers and friends have undergone significant internal changes. I have tested this extensively with rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will follow later. The code is based on a first implementation by Günther Deschner, but has evolved quite a bit since then. Volker (This used to be commit f0bb44ac58e190e19eb4e92928979b0446e611c9)
2007-10-10r6263: Get rid of generate_wellknown_sids, they are const static and ↵Volker Lendecke1-2/+0
initializable statically. Volker (This used to be commit 3493d9f383567d286e69c0e60c0708ed400a04d9)
2007-10-10r6225: get rid of warnings from my compiler about nested externsHerb Lewis1-1/+2
(This used to be commit efea76ac71412f8622cd233912309e91b9ea52da)
2007-10-10r6080: Port some of the non-critical changes from HEAD to 3_0. The main one ↵Volker Lendecke1-16/+15
is the change in pdb_enum_alias_memberships to match samr.idl a bit closer. Volker (This used to be commit 3a6786516957d9f67af6d53a3167c88aa272972f)
2007-10-10r5965: Apply Volker's patch for "ldapsam trusted = yes" for ↵Jim McDonough1-15/+229
samr_lookup_rids. Gives us again up to ~6x improvement on group membership lookups. (This used to be commit e2117bcb09cbd21df3b6621c2794a006418c1d9e)
2007-10-10r5957: BUGS 2478, 2093: compiler warning patches from Jason MaderGerald Carter1-6/+7
(This used to be commit b0f43460822eb5175c854959181de05307d73415)
2007-10-10r5927: Fix ldapsam trusted enum_group_members. We were searching in the userJim McDonough1-1/+1
suffix instead of the group suffix. Thanks to John Janosik (jpjanosi@us.ibm.com). (This used to be commit bf3ce651ff3f654938bc98c604ad56214760a05e)
2007-10-10r5708: BUG 2424: patch from Vince Brimhall <vbrimhall@novell.com> to ensure ↵Gerald Carter1-5/+5
that uidNumber and gidNumber use match the rfc2307 schema (This used to be commit c1727dc9e01f960c1eedf023b4de49ad6f418b18)
2007-10-10r5655: Added support for Novell NDS universal password. Code donated byJeremy Allison1-55/+81
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to use Samba conventions. Vince - thanks a *lot* for this code - please test to make sure I haven't messed anything up. Jeremy. (This used to be commit 6f5ea963abe8e19d17a1803d4bedd9d87a317e58)
2007-10-10r5481: Fix a memleakVolker Lendecke1-0/+2
(This used to be commit 36bcfc5dae99868fc94ca01f902fec3d19926f5e)
2007-10-10r5467: Optimize _samr_query_groupmem with LDAP backend for large domains.Volker Lendecke1-0/+208
Could someone else please look at this patch, verifying that I did not break the ldapsam:trusted = False fallback to the old behaviour? It works fine for me, but you never know. You're certainly free to review the new code as well :-) Thanks, Volker (This used to be commit e1c3ca182b299dc65da1fa39aadb69876b5e16b8)
2007-10-10r5428: Apply some const. LDAP attribs should now be declared const char ↵Volker Lendecke1-21/+22
*attr[]. This gives some new warnings in smbldap.c, but a the callers are cleaned up. Volker (This used to be commit 543799fc0ddc3176469acc1fab7093c41556d403)
2007-10-10r5349: After talking with Jerry, reverted the addition of account policies toGünther Deschner1-252/+3
passdb in 3_0 (they are still in trunk). Guenther (This used to be commit fdf9bdbbac1d8d4f3b3e1fc7e49c1e659b9301b1)
2007-10-10r5166: From James Peach - remove minor C99-isms.Jeremy Allison1-6/+12
Jeremy. (This used to be commit 54ac409d4fd3b6e8e2bd338dabed446a92507811)
2007-10-10r4994: Patch from abartlet:Günther Deschner1-13/+26
When migrating account policies to ldapsam, handle the fact that an admin might have changed the default location of the sambaDomain-object after installation. Guenther (This used to be commit 78c3c7127444b8f9959f4d6ce9e540271869d70f)
2007-10-10r4926: Use LDAP_SCOPE_ONELEVEL instead of OpenLDAP's LDAP_SCOPE_ONE-scope.Günther Deschner1-2/+2
Guenther (This used to be commit eee0bd806b4fd4558f9c48c09f7e85274e2b807f)
2007-10-10r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).Günther Deschner1-3/+245
Does automated migration from account_policy.tdb v1 and v2 and offers a pdbedit-Migration interface. Jerry, please feel free to revert that if you have other plans. Guenther (This used to be commit 75af83dfcd8ef365b4b1180453060ae5176389f5)
2007-10-10r4860: fix silly limitation in ldapsam and tdbsam. Expand variables in the ↵Gerald Carter1-6/+11
profile path, logon home and logon script values (This used to be commit 504ea4ac68f47b71542a88b17cbb6b546e1cb881)
2007-10-10r4851: Preleminary fix for ldapsam_enum_group_memberships whenGünther Deschner1-3/+3
ldapsam:trusted=True. Don't bail out when ldap-search returns pure posixgroups (w.o. samba group-mapping). This way those unix-memberships do not appear in user and nt user token. Volker, could you please look over that one? Guenther (This used to be commit 853a8b7f1c0b00b2e4433d1281f3c9bfcaf980a6)
2007-10-10r4847: Hand over a acb_mask to pdb_setsampwent in load_sampwd_entries().Günther Deschner1-8/+23
This allows the ldap-backend to search much more effeciently. Machines will be searched in the ldap_machine_suffix and users in the ldap_users_suffix. (Note that we already use the ldap_group_suffix in ldapsam_setsamgrent for quite some time). Using the specific ldap-bases becomes notably important in large domains: On my testmachine "net rpc trustdom list" has to search through 40k accounts just to list 3 interdomain-trust-accounts, similiar effects show up the non-user query_dispinfo-calls, etc. Also renamed all_machines to only_machines in load_sampwd_entries() since that reflects better what is really meant. Guenther (This used to be commit 6394257cc721ca739bda0e320375f04506913533)
2007-10-10r4840: * Add more generic root-dse inspection function to check for givenGünther Deschner1-58/+1
controls or extensions. * Check and remember if ldapsam's LDAP Server support paged results (in preparation of adding async paged-results to set|get|end-sampwent in ldapsam). Guenther (This used to be commit ced58bd8849cdef78513674dff1b1ec331945aa9)
2007-10-10r4736: small set of merges from rtunk to minimize the diffsGerald Carter1-1/+1
(This used to be commit 4b351f2fcc365a7b7f8c22b5139c299aa54c9458)
2007-10-10r4088: Get medieval on our ass about malloc.... :-). Take control of all our ↵Jeremy Allison1-5/+5
allocation functions so we can funnel through some well known functions. Should help greatly with malloc checking. HEAD patch to follow. Jeremy. (This used to be commit 620f2e608f70ba92f032720c031283d295c5c06a)
2007-10-10r3883: Fix error return -- thanks to rsharpeVolker Lendecke1-1/+1
(This used to be commit 2d952c86c7e92fff48b4773ab46987d905b214cc)
2007-10-10r3871: Fix memleakVolker Lendecke1-1/+3
(This used to be commit dbfdde5f63f34fbe4ba1d794fcfc120178ff039a)
2007-10-10r3705: Nobody has commented, so I'll take this as an ack...Volker Lendecke1-0/+108
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
2007-10-10r3628: A typo and a compile-warning.Günther Deschner1-1/+1
Guenther (This used to be commit 906d5f88aabf091ee273e0ed9c3d2947b22c5390)
2007-10-10r3566: Completely replace the queryuseraliases call. The previous ↵Volker Lendecke1-38/+40
implementation does not exactly match what you would expect. XP workstations during login actually do this, so we should better become a bit more correct. The LDAP query issued is not really fully optimal, but it is a lot faster and more correct than what was there before. The change in passdb.h makes it possible that queryuseraliases is done with a single ldap query. Volker (This used to be commit 2508d4ed1e16c268fc9f3676b0c6a122e070f93d)
2007-10-10r2923: Fix some obvious copy/paste leftover debug-messages.Günther Deschner1-8/+8
Guenther (This used to be commit 94f48d06c774eb137fef70063e6f29e5d5a6ba9d)
2007-10-10r2819: Make 'password history'-behaviour in ldapsam more consistent.Günther Deschner1-0/+3
Currently we cannot store more then 15 password history entries (windows NT4 allows to store 24) in ldapsam. When choosing more then "15" with pdbedit -P "password history", we fail to initialize the password history upon password change and overwrite the history, effectively using a password history of "1". We do already decrease any history-policy larger then 15 to 15 while storing the password history list attribute in ldap. Guenther (This used to be commit a4b47e71475a06c2e2287613b00648c5f53ae52c)
2007-10-10r2752: Fix the paranoia-check to ensure the ldap-attribute and theGünther Deschner1-1/+1
smb.conf-parameter for samba's "algorithmic rid base" in ldapsam are identical. It tried to get the value of LDAP_ATTR_ALGORITHMIC_RID_BASE via get_userattr_key2string() for a very long time now. This just can not work because LDAP_ATTR_ALGORITHMIC_RID_BASE is neither in attrib_map_v22 nor in attrib_map_v30. Instead, get it directly from dominfo_attr_list. Ldapsam will now correctly refuse to initialize when admins tried manually to have differing values for "algorithmic rid base" in ldap and smb.conf. idmap_ldap is another story... Guenther (This used to be commit c5b8bc6c2e9a3f789f41742438b31152721c0bf4)
2007-10-10r2619: Only issue the ldap extended password change operation if the ldap serverVolker Lendecke1-0/+75
supports it. This might be a fix for bugs 1823 and 1545, notifying both. Also ignore object class violation errors from the extended operation. We don't have the userPassword field in sambaSamAccount, and if we have such broken setup with user in /etc/passwd and only samba attribs in ldap, we fail this :-) Volker (This used to be commit a32ea3bc881f516fb733cb4767ae5cf22d658b12)
2007-10-10r2479: Stop attribute "modifyTimestamp" from being deleted.Jeremy Allison1-0/+5
Jeremy. (This used to be commit 0351bf8b03306246efc17e532ebe78ecdafb645d)
2007-10-10r2444: Based on jmcd's patch, implement special lists for the ldap user ↵Volker Lendecke1-6/+27
attributes to delete. Richard, IMHO this is the better solution to the problem you currently have. Please review. Thanks, Volker (This used to be commit 6957d6a8921fbd97747258249d99b505a79cfcb4)
2007-10-10r2374: Fix from Vince Brimhall vbrimhall@novell.com forJeremy Allison1-1/+6
ldapsam_compat. Be robust against NULL attributes. Jeremy. (This used to be commit 727fc341b578577c112e97b0ef6f4c7f8bd15f66)
2007-10-10r1810: Patch from Richard Renard <rrenard@idealx.com> to storeJeremy Allison1-2/+21
logon hours attributes in an LDAP database. Jeremy. (This used to be commit dac72638fb3a05e805136698e0ad0612620ac8af)
2007-10-10r1733: Fix hashed password history for LDAP backends.Jeremy Allison1-10/+26
Jeremy. (This used to be commit a1bb6fbbe4d1618b5e02a3e7ee456247364bac66)
2007-10-10r1388: Adding password history code for ldap backend, based on a patch fromJeremy Allison1-8/+64
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to linearised pstring due to ordering issues. A few other changes to fix race conditions. I will add the tdb backend code next. This code compiles but has not yet been tested with password history policy set to greater than zero. Targeted for 3.0.6. Jeremy. (This used to be commit dd54b2a3c45e202e504ad69d170eb798da4e6fc9)
2007-10-10r1108: Index: pdb_ldap.cVolker Lendecke1-0/+15
=================================================================== --- pdb_ldap.c (revision 1095) +++ pdb_ldap.c (working copy) @@ -1134,6 +1134,19 @@ return NT_STATUS_OK; } +static void append_attr(char ***attr_list, const char *new_attr) +{ + int i; + + for (i=0; (*attr_list)[i] != NULL; i++) + ; + + (*attr_list) = Realloc((*attr_list), sizeof(**attr_list) * (i+2)); + SMB_ASSERT((*attr_list) != NULL); + (*attr_list)[i] = strdup(new_attr); + (*attr_list)[i+1] = NULL; +} + /********************************************************************** Get SAM_ACCOUNT entry from LDAP by username. *********************************************************************/ @@ -1149,6 +1162,7 @@ int rc; attr_list = get_userattr_list( ldap_state->schema_ver ); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_name(ldap_state, sname, &result, attr_list); free_attr_list( attr_list ); @@ -1194,6 +1208,7 @@ switch ( ldap_state->schema_ver ) { case SCHEMAVER_SAMBASAMACCOUNT: attr_list = get_userattr_list(ldap_state->schema_ver); + append_attr(&attr_list, MODIFY_TIMESTAMP_STRING); rc = ldapsam_search_suffix_by_sid(ldap_state, sid, result, attr_list); free_attr_list( attr_list ); Index: login_cache.c =================================================================== --- login_cache.c (revision 1095) +++ login_cache.c (working copy) @@ -95,10 +95,13 @@ &entry->bad_password_count, &entry->bad_password_time) == -1) { DEBUG(7, ("No cache entry found\n")); + SAFE_FREE(entry); SAFE_FREE(databuf.dptr); return NULL; } + SAFE_FREE(databuf.dptr); + DEBUG(5, ("Found login cache entry: timestamp %12u, flags 0x%x, count %d, time %12u\n", (unsigned int)entry->entry_timestamp, entry->acct_ctrl, entry->bad_password_count, (unsigned int)entry->bad_password_time)); (This used to be commit c0bf8425f4b9ee30ffc878704bde980d8c51ed05)
2007-10-10r910: Fix for bug #1385 found by Jason Mader <jason@ncac.gwu.edu>.Jeremy Allison1-3/+7
Don't use non-consts in a structure initialization. Jeremy. (This used to be commit 455ed258b3457ad5b7d3dad14b64781ab98f00dc)
2007-10-10r116: volker's patch for local group and group nestingGerald Carter1-2/+286
(This used to be commit b393469d9581f20e4d4c52633b952ee984cca36f)
2007-10-10r53: Remove modifyTimestamp from list of our attributes. We just check it forJim McDonough1-5/+4
cache entry time comparisons in password lockout. Fixes problems where pdb_ldap tries to delete the operational attribute modifyTimestamp when deleting a user account. (This used to be commit 5ebcb9081e435d54c39d4d3a1ef1d7b651ccb53f)
2004-03-31Remove some unused codeVolker Lendecke1-22/+0
(This used to be commit 2b757b6adf0b4e5c799cc8943e8fd96cc94c24bc)
2004-03-25Use timegm, or our already existing replacement instead of timezone, asJim McDonough1-1/+1
some platforms (FreeBSD in this case) don't define timezone according to posix. This is what I wanted to do anyway. Spotted by Andrzej Tobola <san@iem.pw.edu.pl> (This used to be commit bc13e35db0b8b265f87553d4df1c7326710cb3fa)
2004-03-19Fix gcc warnings. Fix mkproto with new type.Jeremy Allison1-10/+11
Jeremy. (This used to be commit 00fa66df3edeb92ec5efd49bd61f98691e74877a)
2004-03-18Password lockout for LDAP backend. Caches autolock flag, bad count, andJim McDonough1-1/+120
bad time locally, updating the directory only for hitting the policy limit or resetting. This needed to be done at the passdb level rather than auth, because some of the functions need to be supported from tools such as pdbedit. It was done at the LDAP backend level instead of generically after discussion, because of the complexity of inserting it at a higher level. The login cache read/write/delete is outside of the ldap backend, so it could easily be called by other backends. tdbsam won't call it for obvious reasons, and authors of other backends need to decide if they want to implement it. (This used to be commit 2a679cbc87a2a9111e9e6cdebbb62dec0ab3a0c0)
2004-03-11Get MungedDial actually working with full TS strings in it for pdb_ldap.Jim McDonough1-35/+35
I know this isn't pretty, but neither was our assumption that all strings from the directory fit inside a pstring. There was no way this worked before will all versions of usrmgr (for example, the only version of mine that has the TS Confic button). (This used to be commit d275c0e384db08c2a6efc28e52844f676ff71fb6)