summaryrefslogtreecommitdiff
path: root/source3/passdb/pdb_ldap.c
AgeCommit message (Collapse)AuthorFilesLines
2003-02-22Remove 'unixsam' from the default passdb backends.Andrew Bartlett1-59/+0
The intention is to remove the muliple passdb backends, but we need the 'guest' account to always be there. If the admin adds the guest account to (say) LDAP, there will only be one backend required for operation. This helps remove some nasty behaviours with adding accounts to the system for both the RPC 'create user' and the SAMSYNC code. Users 'added' with an 'add user/machine' script won't magicly appear, and machine accounts 'pre-added' to unix, but not the smbpasswd file will not cause mayhem. This commit also implements somthing tridge discussed with me, the concept of 'default' passdb operation pointers - so that each backend does not need it's own stub funcitons wrapping the default tdb privilages/group mapping code. This also removes an implicit 'sid->name' and 'name->sid' mapping from our own local SID space, to winbind usernames. When adding mapping for NIS/LDAP non-sam users in future, we need to be careful. Andrew Bartlett (This used to be commit 6f32fa234961a525760a05418a08ec48d22d7617)
2003-02-01More ldap parinoia - if we ever get more than one result, bail. The order weAndrew Bartlett1-5/+23
get them in should be indeterminate, so just picking the first one would be bad... Andrew Bartlett (This used to be commit 21da8c3bb39c507eb90865549c3bb3538dcea138)
2003-02-01Always escape ldap filter strings. Escaping code was from pam_ldap, but I'm toAndrew Bartlett1-3/+19
blame for the realloc() stuff. Plus a couple of minor updates to libads. Andrew Bartlett (This used to be commit 34b2e558a4b3cfd753339bb228a9799e27ed8170)
2003-01-15initialize acct_ctrl before using itHerb Lewis1-2/+1
remove ldap_msgfree(result); as result is unitialized at this point (This used to be commit dc8882778694289ca461de57d443992f52ab7524)
2003-01-14Fix some debug lines, and add a bit more info to help track down ldapAndrew Bartlett1-8/+15
connectivity problems. Andrew Bartlett (This used to be commit 68de9a59203ed9778f11b78f233dc437b9dab55d)
2003-01-14clearer debug message when the user is already in the ldap dbAndrew Tridgell1-1/+2
(This used to be commit 31894ba0e5847eb934688598cd8d65bead23c58b)
2003-01-02BIG patch...Andrew Bartlett1-1/+1
This patch makes Samba compile cleanly with -Wwrite-strings. - That is, all string literals are marked as 'const'. These strings are always read only, this just marks them as such for passing to other functions. What is most supprising is that I didn't need to change more than a few lines of code (all in 'net', which got a small cleanup of net.h and extern variables). The rest is just adding a lot of 'const'. As far as I can tell, I have not added any new warnings - apart from making all of tdbutil.c's function const (so they warn for adding that const string to struct). Andrew Bartlett (This used to be commit 92a777d0eaa4fb3a1c7835816f93c6bdd456816d)
2002-12-03use FILE_MACRO instead of __FILE__Herb Lewis1-5/+5
use FUNCTION_MACRO instead of __FUNCTION_ (This used to be commit 243763d6eb107ab2444d81025232c8fe795baaf1)
2002-11-24Move from NT_STATUS_UNSUCCESSFUL to NT_STATUS_NO_SUCH_USER, and other slightlyAndrew Bartlett1-16/+21
more useful error codes. (This used to be commit 5b1185b4e8592e6bc1abe581950571e249c03a78)
2002-11-20fixed a number of places where we can try to free a wild pointer orAndrew Tridgell1-2/+14
look for the record count after an invalid search. This fixes a segv in ldapsam (This used to be commit d076823c73731a4c83f49a21f13360a38d54406e)
2002-11-12Removed global_myworkgroup, global_myname, global_myscope. Added liberalJeremy Allison1-4/+4
dashes of const. This is a rather large check-in, some things may break. It does compile though :-). Jeremy. (This used to be commit 82b8f749a36b42e22186297482aad2abb04fab8a)
2002-11-08Make smbpasswd use the group mapping, and fix spelling in ldapsam.Andrew Bartlett1-14/+14
This gets user mangler for doamins working again. Andrew Bartlett (This used to be commit 205209f77f154a2a5d5f7a255194d7953860a4db)
2002-11-02Clean up this a little - add comments describing a bit of what is going onAndrew Bartlett1-5/+6
here. (This used to be commit 88455313f6551a75eff4df2f0ba91430948c1c78)
2002-11-02Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccountAndrew Bartlett1-33/+92
attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations. There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range. Finally, there is the doco for this and the previous LDAP SSL changes. (This used to be commit 18abaeffda300074a507561d8372d5bfddc8fe50)
2002-11-02Return the result code, not false (0 == success) on error...Andrew Bartlett1-1/+1
(This used to be commit f91c363bc05d1c82ad8a99a5c0d59b46cf820aac)
2002-11-02Fixes for pdb_ldap:Andrew Bartlett1-111/+103
- Default is now for start-tls, on the ldap (not ldaps) port - We check for 'I am currently root' in the right place now, and don't accidentily use a cached connection. - We don't loop on failure to be root, or some other errors. - A bit cleaner error reporting for add/modify. - Both the OpenLDAP and manual URI parsing tested. Andrew Bartlett (This used to be commit cfa1e459d727764feddcfdd8c9c0404282e2d0e8)
2002-10-26One more step towards to better PDC.Andrew Bartlett1-208/+330
This patch, from "Stefan (metze) Metzmacher" <metze@metzemix.de> implements an LDAP connection cache. This removes the quite silly situation where every single passdb operation involved a new LDAP connection. The hope is that this will give us a decent performance boost in some usrmgr related activities, and in the sid->name/sid->uid code. The remaining things I think are 'todo' for pdb_ldap (in the near term) are: - intergrate volker's next_rid patch for NUA accounts, - add a 'trust ldap ids' option (remove Get_Pwnam() hit on enumerations). - put the group mapping actually into ldap - Schema fixes and do utf8 conversion - server failover (try a second server for the rebind on fail) - ensure we block between an 'add' and the ldap master replicating to our local slave (mezte found this issue, kills domain joins) Andrew Bartlett (This used to be commit 3418da16456511490beb0d1045fff24576b48273)
2002-10-21This moves the group mapping API into the passdb backend.Volker Lendecke1-1/+60
Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..). This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin. Volker (This used to be commit f30095852fea19421ac8e25dfe9c5cd4b2206f84)
2002-10-17Revert changesVolker Lendecke1-24/+22
(This used to be commit 84b62f6d96a77ccbc1b4475ab0780a4e4c9d4875)
2002-10-16No functional change. I'm trying to understand pdb_ldap.c andVolker Lendecke1-22/+24
found an unecessary parameter to ldapsam_search_one_user. Volker (This used to be commit a085670c7e3a0ca82df749592fd5c6a86def1d53)
2002-10-12Nice *big* patch from metze.Andrew Bartlett1-99/+161
The actual design change is relitivly small however: It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way. This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on. Metze's particular problem was that when we 'write back' an unchanged value, we would clear any muliple values in that feild. Now he can still have his mulitivalued 'uid' feild, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set) This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't compleatly flawed ;-). The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence it's inclusion here. Andrew Bartlett (This used to be commit 7f237bde212eb188df84a5d8adb598a93fba8155)
2002-10-12We already set LDAPv3 at connect time, no need to set it again.Andrew Bartlett1-8/+0
(This used to be commit c8e32d485bf205b6965579f94063effd86777f3f)
2002-09-27Readd the 2.2 --with-ldapsam paramaters so as to allow a smooth upgrade path toAndrew Bartlett1-4/+19
a 3.0 based PDC. Change defaults to use SSL, so that this also matches. Andrew Bartlett (This used to be commit 36c2a3820faa1d90cd331881720be0e61ab93460)
2002-09-26move all the passdb internal interface to NTSTATUSSimo Sorce1-63/+70
only the interface has been fully moved to NTSTATUS not all the plugins make full use of it, but have been all converted. My testings passed completely, however a bit of more testing is welcome Simo. (This used to be commit 102a26e06591928a03b49cd312a65811ed46314f)
2002-09-25This patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> cleans upAndrew Bartlett1-116/+175
pdb_ldap and adds a 'ldap passwd sync' option. The idea with this option is to do allow an ldap backend to do all the fancy password hashing etc - and to tell smbd no to try and double-up. Using 'ldap passwd sync = only' will do this, but is not recommended unless such a backend is in place... Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd sync = yes' and having both PAM and pam_ldap correctly configured for 'magic root' behaviour, but only using ldap connection, and one set of credentials. This also gets us closer to allowing ldap to say 'password too short' etc, which might assist in maintaining a consistant password policy. Andrew Bartlett (This used to be commit f13e243f1a13d34ae057b40b01f561e8b95d4570)
2002-09-25If adding a user to ldap, make sure we have the 'account' structural class, orAndrew Bartlett1-0/+1
else we can't add to OpenLDAP 2.1 (This used to be commit d9a91a41441c156223760cb356fa997ea7bdbc1a)
2002-08-06Try to bind with LDAPv3 if possible.Andrew Bartlett1-7/+19
Andrew Bartlett (This used to be commit 0e420878f26bdd19b5defb78a5fe4c31662ec941)
2002-08-05Try to make this easier to debug - display the username that failed.Andrew Bartlett1-1/+1
Andrew Bartlett (This used to be commit 8405bccd4e7a5315e58890ffa5d481031636f88a)
2002-07-30These are not critical errors, they should not be a level 0.Andrew Bartlett1-3/+3
Andrew Bartlett (This used to be commit 082c0324cde38fadd70934a10849c7d40a34e3b1)
2002-07-27Update the rebind code in pdb_ldap.Andrew Bartlett1-34/+114
I've still not tested this, but I didn't test the last lot and I'm pretty sure I stuffed it up - but at least this rebind procedure matches the function prototype. It should also be fine on OpenLDAP 2.1 if I'm lucky. Andrew Bartlett (This used to be commit 064f269508d05cc833cf7bfd5613e4fe389f32dc)
2002-07-26fix parameters for ldap_set_rebind_proc() from OpenLDAP 2.1Gerald Carter1-2/+7
(This used to be commit a6725d4ce95ca8807ccefe4ce033b45d0635da6d)
2002-07-21Name get and set dir drive functions consistently.Tim Potter1-1/+1
(This used to be commit 290a304d2c1b70d20129236e20a0ff664179023e)
2002-07-14addedd new (t)alloc_sub_* functionsSimo Sorce1-4/+4
they will get a const string and return a (t)alloced epanded one. also modified passdb/* stuff to use this one. (This used to be commit d378ac1e2efb0efc9a0f983d69cf678ca6255fd5)
2002-07-10If we get a SID from group mapping, no need to check it's prefix.Andrew Bartlett1-6/+6
Just set it directly. Andrew Bartlett (This used to be commit 202202bc475f3b8500423b1a9ccf0adc80a4dc49)
2002-07-05Fix debug comment.Andrew Bartlett1-1/+1
(This used to be commit f32980c807adf8287436be0d5a223b9b1ce399b8)
2002-07-03Fix the spelling in the LDAP attributesAndrew Bartlett1-2/+2
(This used to be commit dab26f8891a77640ce382ce1785ca5dd22d43c22)
2002-07-01used findstatic.pl to make some variables static and remove some deadAndrew Tridgell1-1/+1
code (This used to be commit 91ad9041e9507d36eb3f40c23c5d4df61f139ef0)
2002-06-26Another bug fix from metze.Andrew Bartlett1-1/+1
(This used to be commit 5c754cef19c9580e2cb1e23152a1097d11ca8c60)
2002-06-22Add module versioning to the passdb module systemAndrew Bartlett1-1/+1
All passdb modules need to include a 'magic' macro that creates simple 'return my version number' function. (from metze and jelmer) Also fix up the dir_drive autosubsitute code to correctly use lp_logon_drive(). (from metze) Andrew Bartlett (This used to be commit 4a57c445dd4354034fc41b132a484afe6ab66e16)
2002-06-14Allow non unix accounts to be added to an ldap directory without NUA accountsAndrew Bartlett1-0/+4
already. Andrew Bartlett (This used to be commit a5d5b4cf2555b9bbded31b556d4fc74c00c6c490)
2002-06-13Latest patch from metze <metze@metzemix.de> to move most of samba acrossAndrew Bartlett1-4/+6
to using SIDs instead of RIDs. The new funciton sid_peek_check_rid() takes an 'expected domain sid' argument. The idea here is to prevent mistakes where the SID is implict, but isn't the same one that we have in the struct. Andrew Bartlett (This used to be commit 04f9a8ff4c7982f6597c0f6748f85d66d4784901)
2002-05-26change: pdb_getsampwrid() ->pdb_getsampwsid()Simo Sorce1-1/+8
passdb interface change, now the passdb modules will be asked for SID not for rid, the modules have been updated with a passthrough function that calls the old getsampwrid() functions. srv_samr_nt.c functions that made use of the pdb_getsampwrid funcion has been updated to use the SID one. (This used to be commit f5c6496c33fa7f5c2826540ffb4a49d8a5790fb3)
2002-05-25Only reterive the attributes we are actually going to use - rather thanAndrew Bartlett1-3/+14
the whole record which could include things like photos's etc. Andrew Bartlett (This used to be commit bbc69545516f29cc4e05ba6238b03eb504f28226)
2002-05-22Updates for sane storage of ldap root DN passwords (tested, with upgradeAndrew Bartlett1-30/+102
from 2.2 format) and LDAP rebind support (untested, I don't have a setup to match). Andrew Bartlett (This used to be commit 4f7ba78c9d50ac584497dcf1d78ce613112742d4)
2002-05-18so here it is the code to introduce seriously debugggging classes.Simo Sorce1-0/+3
this is a first step only passdb stuff has beein "classized". - so what can you do? set debug level to: 1 poasdb:10 that will make all the code run at debug level 1 except the code in passdb/* files that will run at level 10 TODO: fix the man page - also smbcontrol has this nice feature so smbcontrol smbd debug 3 passdb:5 will set every smbd to have a default log level of 3 while passdb stuff will be at level 5 and so no.. minor cosmetic fix to pdbedit is there too (This used to be commit be5c3b3f5781ddc002ffcc98df04ab024dcef4ca)
2002-05-18Remove const from some functions to match the changed prototype in aAndrew Bartlett1-3/+3
previous commit, and remove some unsued variables. Main change: Make sure to fill in the username when making a non-unix account from smbpasswd. (This used to be commit 7019486eacb72ca44c42ce620b8696bb29f12292)
2002-05-18A few things in this commit:Andrew Bartlett1-22/+28
cleanup some of the code in net_rpc_join re const warnings and fstrings. Passdb: Make the %u and %U substituions in passdb work. This is done by declaring these paramters to be 'const' and doing the substitution manually. I'm told this is us going full circle, but I can't really see a better way. Finally these things actually seem to work properly... Make the lanman code use the pdb's recorded values for homedir etc rather than the values from lp_*() Add code to set the plaintext password in the passdb, where it can decide how to store/set it. For use with a future 'ldap password change' option, or somthing like that... Add pdb_unix, so as to remove the 'not in passdb' special cases from the local_lookup_*() code. Quite small, as it uses the new 'struct passwd -> SAM_ACCOUNT' code that is now in just one place. (also used by pdb_smbpasswd) Other: Fix up the adding of [homes] at session setup time to actually pass the right string, that is the unix homedir, not the UNC path. Fix up [homes] so that for winbind users is picks the correct name. (bad interactions with the default domain code previously) Change the rpc_server/srv_lsa_nt.c code to match NT when for the SATUS_NONE_MAPPED reply: This was only being triggered on no queries, now it is on the 'no mappings' (ie all mappings failed). Checked against Win2k. Policy Question: Should SID -> unix_user.234/unix_group.364 be considered a mapping or not? Currently it isn't. Andrew Bartlett (This used to be commit c28668068b5a3b3cf3c4317e5fb32ec9957f3e34)
2002-05-17Make --with-ldapsam 'go away'. This is now a standard, stable, featureAndrew Bartlett1-3/+3
and there is no real reason for it to depend on more than the abilty to compile the code. (This used to be commit 64aaec137e39595e6e61b55eb525615683a1393c)
2002-04-23Spelling fixes from vanceAndrew Bartlett1-6/+6
(This used to be commit 70c6f5fc6d3ec3121b29d1e46e7fd3933fbcce6b)
2002-04-13Fix the compile-bug in pdb_ldap from my last patch.Andrew Bartlett1-4/+4
Andrew Bartlett (This used to be commit 81eaa7924b7bd3a13d049bce7fe7a16ab9174364)