Age | Commit message (Collapse) | Author | Files | Lines |
|
"-1" we shouldn't force a password change
This value is set by the ADUC console.
|
|
When this right is granted, the user can add or remove themselves from a group even
if they dont have write property right.
|
|
|
|
control
|
|
This control will allow the linked_attributes module to know if
repl_meta_data has already handled the creation of forward and back
links.
Andrew Bartlett
|
|
Andrew Bartlett
|
|
"samdb_msg_add_(add/del)val" calls
This supports now also coexisting add and delete message elements with the
same attribute name.
|
|
|
|
|
|
"size_t" counters aren't really needed here (we don't check data lengths).
And we save the result in a certain "num_sids" variable which is of type
"unsigned".
|
|
|
|
This needed by the "cn_name_len"-1 accesses.
And use a "size_t"-typed variable for storing it (length specificators should
always be stored using "size_t" variables).
|
|
This is a rewrite of the lookup_rids code, using a query based on the
extended DN for a clearer interface.
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
|
|
This is a rewrite of the group membership lookup code, using the
stored extended DNs to avoid doing the lookup into each member to find
the SID
By splitting this out, the logic is able to be shared, rather than
copied, into a passdb wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
This allows this logic to be shared, rather than copied, into a passdb
wrapper.
Andrew Bartlett
|
|
The NULL search expression expands to (objectClass=*), but %s expands
NULL to (NULL) which doesn't parse...
Andrew Bartlett
|
|
|
|
|
|
metze
|
|
metze
|
|
Make use of the new "change old password checked" control.
|
|
Adapt the two functions for the restructured "password_hash" module. This
means that basically all checks are now performed in the mentioned module.
An exception consists in the SAMR password change calls since they need very
precise NTSTATUS return codes on wrong constraints ("samr_password.c") file
|
|
This is needed since we have not only reset operations on password fields
(attributes marked with REPLACE flag) but also change operations which can be
performed by users itself. They have one attribute with the old value marked
with the REMOVE flag and one with the new one marked with the ADD flag.
This function helps to retrieve them (argument "new" is used for the new
password on both reset and change).
|
|
We may as well fall back rather than return NULL (which callers don't
do useful things with).
Andrew Bartlett
|
|
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
|
|
|
|
|
|
This function is used in DRSUpdateRefs() implementation where we
get DSA's objectGUID rather than invocationId
|
|
as client site
metze
|
|
client address
The lookup of the client site is done using the subnets in the configuration
partition. If no one matches we use the Windows Server fallback mechansim.
This means: if only one site is available just use it. If they're more set the
output variable to "".
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This test is in the wrong place. We end up validating our own flags.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this validates that a invocationID matches an account sid
This will be used to ensure that we don't allow DRS replication
from someone a non-DC or administrator
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This will be used by the RODC code
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This patch fits the calling to the new samdb_rodc() function and
fix a little bug in this function.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This function is intended to check if some client is not lying about
his flags. At this moment, it only checks for RODC flags.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This patch creates the samdb_is_rodc() function, which looks for
the NTDSDSA object for a DC that has a specific invocationId
and if msDS-isRODC is present on such object and it is TRUE, then
consider the DC as a RODC.
The new samdb_rodc() function uses the samdb_is_rodc() function
for the local server.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
|
|
|
|
|
domainname
|
|
"samdb_schema_dn"
They aren't needed anymore.
|
|
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
|
|
|
|
This function should not traverse the module stack again, but instead
run from this point. Also add a matching
dsdb_module_load_partition_usn() and change repl_meta_data to match.
Andrew Bartlett
|
|
Split the dsdb_access_check_on_dn so it can be reused for checks
from both within the module stack and outside it.
|
|
Made this an utility function so it can be used for access checking
outside of the acl ldb module, such as checking validated writes and
control access rights in other protocols (e. g drs)
|
|
|
|
No need to have "signed" counters at those places.
|