Age | Commit message (Collapse) | Author | Files | Lines |
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
|
|
We intend to see always all objects with the "show_deleted" control specified.
To see also recycled objects (beginning with 2008_R2 function level) we need to
use the new "show_recycled" control.
As far as I see this is only internal code and therefore we don't run into
problems if we do substitute it.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
We need these to be accessible to the aclread module as well.
|
|
this allows you to call dsdb_req_chain_debug() in gdb or when writing
debug code to see the request chain
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
DSDB_CONTROL_PASSWORD_CHANGE_OID control
This control is used from the SAMR and "kpasswd" password changes. It is
strictly private and means "this is a password change and not a password set".
|
|
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Moved the access check on extended operations to acl module and removed kludge_acl
|
|
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!
Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
|
|
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
It's also a possible password change/set attribute candidate.
|
|
actually checked
Memory allocations and their result checks should be as tight as possible.
|
|
|
|
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
|
|
These CARs need to be checked on password change and password reset operations.
Apparently the password attributes are not influenced by Write Property.
Single detele operations and modifications of dBCSPwd are let through to the
password_hash module. This is determined experimentally.
|
|
|
|
|
|
When this right is granted, the user can add or remove themselves from a group even
if they dont have write property right.
|
|
"ldb_attr_cmp" or "strcasecmp"
|
|
Since the attribute schema checking code moved back we need to give here the
"LDB_ERR_NO_SUCH_ATTRIBUTE" error.
|
|
|
|
|
|
|
|
The first is the forest base DN, the second the domain base DN. At the moment
we assume that they are both the same but it hasn't to be so.
Nadia, I would invite you to fix the outstanding parts regarding this (I added
comments).
|
|
dsdb_get_schema() isn't a very cheap call, due to the use of LDB
opaque pointers. We need to call it less, and instead pass it as a
parameter where possible.
This also changes to the new API with a talloc context.
Andrew Bartlett
|
|
Split the dsdb_access_check_on_dn so it can be reused for checks
from both within the module stack and outside it.
|
|
|
|
Made this an utility function so it can be used for access checking
outside of the acl ldb module, such as checking validated writes and
control access rights in other protocols (e. g drs)
|
|
Necessary because rdn module will be moved lower than acl in the stack.
|
|
|
|
|
|
It is needed to not break the various LDAP backends. For reference look at
bug #7040.
|
|
|
|
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Check to see if there were any messages passed to acl_modify before
debugging the first one. I think I caused this by some malformed
LDIF.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with
the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights
to an account over itself.
|
|
|
|
allowedChildClassesEffective.
Behavior as documented in WSPP and tested. Needs optimisation though.
|
|
Fixed sd creation not working on LDAP modify.
Fixed incorrect replacement of CO and CG.
Fixed incorrect access check on modify for SD modification.
Fixed failing sec_descriptor test and enabled it.
Fixed failing sd add test in ldap.python
|
|
At this point, support for checks on LDAP add, delete, rename and modify.
Old kludge_acl is still there to handle the searches.
This module is synchronous as the async version was impossible to debug,
will be converted to async after some user testing.
|
|
|
|
Currently disabled. The search will be greatly modified,
also the object tree stuff will be simplified.
|