Age | Commit message | Author | Files | Lines |
|
Make use of the new "change old password checked" control.
|
|
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c" file).
|
|
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users themselves. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
|
|
We may as well fall back rather than return NULL (which callers don't
do useful things with).
Andrew Bartlett
|
|
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
|
|
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
|
|
as client site
metze
|
|
client address
The lookup of the client site is done using the subnets in the configuration
partition. If none matches we use the Windows Server fallback mechanism.
This means: if only one site is available just use it. If there are more, set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This test is in the wrong place. We end up validating our own flags.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this validates that an invocationID matches an account sid
This will be used to ensure that we don't allow DRS replication
from someone a non-DC or administrator
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This will be used by the RODC code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This patch fits the calling to the new samdb_rodc() function and
fixes a little bug in this function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This function is intended to check if some client is not lying about
his flags. At this moment, it only checks for RODC flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
|
domainname
|
|
"samdb_schema_dn"
They aren't needed anymore.
|
|
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
|
|
This function should not traverse the module stack again, but instead
run from this point. Also add a matching
dsdb_module_load_partition_usn() and change repl_meta_data to match.
Andrew Bartlett
|
|
Split the dsdb_access_check_on_dn so it can be reused for checks
from both within the module stack and outside it.
|
|
Made this a utility function so it can be used for access checking
outside of the acl ldb module, such as checking validated writes and
control access rights in other protocols (e.g. drs)
|
|
No need to have "signed" counters at those places.
|
|
when the ntds objects were moved by a recent change it broke the
calculation of the server site
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Always better to rely on the standards rather than on custom results.
|
|
In a single record search, LDB_ERR_CONSTRAINT_VIOLATION is more useful
than the generic LDB_ERR_OPERATIONS_ERROR
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
dsdb_find_dn_by_guid() now takes a struct GUID instead of a
guid_string. All the callers in fact wanted a struct GUID, so we now
avoid the extra conversion.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
much simpler code by using dsdb_flags
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
dsdb_flags
Allows for arbitrary controls
|
|
This allows for controls to be added easily where they are needed.
|
|
This will be used to allow the flag based ldb functions to work on
both an ldb or a module, thus saving a lot of specialist functions.
|
|
This will be used in the drsuapi server
|
|
I wonder why nobody noticed this since for sure this "tombstone" functionality
was broken till now.
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This makes things much simpler for the callers
|
|
When an object or attribute is created/updated/deleted, according
to [MS-ADTS] 3.1.1.5.1.6, it stores the uSNUrgent on @REPLCHANGED
for the partitions that it belongs.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
In lsa_BinaryString length and size are byte counts!
TODO: we may need to do byte order conversion in these functions too...
metze
|
|
This is important as LDAP servers always play with int32 values
and we have to encode 0x80000000 as "-2147483648" instead of "2147483648".
metze
|
|
This is important as LDAP servers always play with int64 values
and we have to encode 0x8000000000000000LL as "-9223372036854775808"
instead of "9223372036854775808".
metze