summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules/acl.c
AgeCommit message (Collapse)AuthorFilesLines
2011-02-28Fix some typesJelmer Vernooij1-1/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Feb 28 23:30:06 CET 2011 on sn-devel-104
2011-02-15s4:acl LDB module - interpret "userAccountControl" as "uint32_t"Matthias Dieter Wallnöfer1-3/+3
This is the same way as it is done in the samldb LDB module. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Feb 15 12:08:26 CET 2011 on sn-devel-104
2011-02-14s4-ldb_modules/acl: Use ntds_guid for SPN check only we have a DC objectKamen Mazdrashki1-6/+5
ntds_guid is NULL otherwise as it doesn't make sense for not a DC object Autobuild-User: Kamen Mazdrashki <kamenim@samba.org> Autobuild-Date: Mon Feb 14 13:15:31 CET 2011 on sn-devel-104
2011-02-14s4-ldb_modules/acl: Get correct NTDSDSA objectGUID to check SPN forKamen Mazdrashki1-2/+17
2011-02-14s4/ldb_modules/acl.c: Fix calculation for samAccountName string lenKamen Mazdrashki1-1/+1
2011-01-28s4-acl: Fixed returning uninitialized ldap error in case of some critical ↵Nadezhda Ivanova1-7/+10
errors. Autobuild-User: Nadezhda Ivanova <nivanova@samba.org> Autobuild-Date: Fri Jan 28 12:04:01 CET 2011 on sn-devel-104
2011-01-17s4-dsdb: pass parent request to dsdb_module_*() functions Andrew Tridgell1-12/+13
this preserves the request hierarchy for dsdb_module_*() calls inside dsdb ldb modules Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-12-23s4:acl LDB module - "acl_rename" - memory contexts fixupMatthias Dieter Wallnöfer1-5/+19
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 22:49:41 CET 2010 on sn-devel-104
2010-12-23s4:acl LDB module - add a missing "talloc_free(tmp_ctx)" in an error pathMatthias Dieter Wallnöfer1-0/+1
Just for consistency. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Thu Dec 23 21:46:38 CET 2010 on sn-devel-104
2010-12-22s4-acl: Implementation of Validated-SPN validated writeNadezhda Ivanova1-0/+215
If this right is granted to a user, they may modify the SPN of an object with some value restrictions serviceName can be set only if the object is a DC, and then only to the default domain and netbios name, or ntds_guid._msdsc_.forest_domain. If the serviceType is GC, only to the forest root domain. If the serviceType is ldap, then to forest_domain or netbiosname. InstanceType can be samAccountName or dnsHostName.
2010-11-20s4:acl LDB module - it's more correct to count the password attributes using ↵Matthias Dieter Wallnöfer1-3/+6
"unsigned int" Since these are derived from a LDB result. Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Sat Nov 20 11:29:07 CET 2010 on sn-devel-104
2010-11-16s4:acl LDB module - use also here "dsdb_find_nc_root" to implement the ↵Matthias Dieter Wallnöfer1-28/+57
NC-specific checks Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Nov 16 15:12:13 UTC 2010 on sn-devel-104
2010-11-11s4:password_hash and acl LDB modules - handle the "userPassword" attribute ↵Matthias Dieter Wallnöfer1-3/+22
according to the "dSHeuristics"
2010-11-08s4:acl LDB module - define the delete passwords special case a bit betterMatthias Dieter Wallnöfer1-3/+4
2010-11-01s4-ldb: enable version checking in dsdb ldb modulesAndrew Tridgell1-0/+1
2010-11-01s4-dsdb: convert the rest of the ldb modules to the new module typeAndrew Tridgell1-1/+6
2010-10-16s4:dsdb - fix unsigned integer save problems using the "%u" specifierMatthias Dieter Wallnöfer1-2/+2
The issue here is that we have not yet first cast to int32_t explicitly, before we cast to an signed int to printf() into the %d or cast to a int64_t before we then cast to a long long to printf into a %lld. There are *no* unsigned integers in Active Directory LDAP, even the RID allocations and ms-DS-Secondary-KrbTgt-Number are *signed* quantities. (See the schema, and the syntax definitions in schema_syntax.c). The failure has been detected by Matthieu Patou on the buildfarm host "tridge" due to a malformed "groupType" attribute. The solution is to use the "%d" specifier. Either to use it directly - or better (when possible) use the call "samdb_msg_add_uint" (which encapsulates it). This patch changes such problematic situations.
2010-10-10dsdb/modules: Split up helpers a bit to prevent recursive dependencies.Jelmer Vernooij1-0/+1
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
2010-10-03s4:dsdb - substitute the "show_deleted" with the "show_recycled" controlMatthias Dieter Wallnöfer1-1/+1
We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-09-26s4-dsdb: Moved some helper functions to a separate fileNadezhda Ivanova1-220/+0
We need these to be accessible to the aclread module as well.
2010-09-25s4-dsdb: added tagging of requests in dsdb modulesAndrew Tridgell1-0/+1
this allows you to call dsdb_req_chain_debug() in gdb or when writing debug code to see the request chain
2010-08-23s4:security Change struct security_token->sids from struct dom_sid * to ↵Andrew Bartlett1-1/+1
struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-18s4:security Remove use of user_sid and group_sid from struct security_tokenAndrew Bartlett1-1/+3
This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-17s4:acl LDB module - support password changes over the ↵Matthias Dieter Wallnöfer1-1/+15
DSDB_CONTROL_PASSWORD_CHANGE_OID control This control is used from the SAMR and "kpasswd" password changes. It is strictly private and means "this is a password change and not a password set".
2010-08-17s4-ldb: use LDB_FLAG_MOD_TYPE() to extract element type from messagesAndrew Tridgell1-3/+3
The flags field of message elements is part of a set of flags. We had LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely being used (only 1 call used it correctly). This adds LDB_FLAG_MOD_MASK() to make it more obvious what is going on. This will allow us to use some of the other flags bits for internal markers on elements Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-08-04s4-dsdb: Removed kludge_acl as it is no longer necessaryNadezhda Ivanova1-0/+39
Moved the access check on extended operations to acl module and removed kludge_acl
2010-08-01s4:acl LDB module - remove the "forest DN" checkMatthias Dieter Wallnöfer1-6/+3
After some reading I've discovered that this isn't really true. The forest partition does exist on one or more DCs and is there the same as the default base DN (which is already checked by the module). And if we have other DCs which contain child domains then they never contain data of the forest domain beside the schema and the configuration partition (which are checked anyway) since a DC can always contain only one domain! Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
2010-08-01s4:acl LDB module - remove unused call "is_root_base_dn"Matthias Dieter Wallnöfer1-8/+0
2010-07-16s4-loadparm: 2nd half of lp_ to lpcfg_ conversionAndrew Tridgell1-1/+1
this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-08s4:acl LDB module - password attributes - check also the "dBCSPwd" attributeMatthias Dieter Wallnöfer1-2/+2
It's also a possible password change/set attribute candidate.
2010-07-08s4:acl LDB module - move a "mem_ctx" creation to the place where it is ↵Matthias Dieter Wallnöfer1-1/+2
actually checked Memory allocations and their result checks should be as tight as possible.
2010-07-08s4-source4/dsdb/samdb/ldb_modules/acl.c Use DSDB_FLAG_NEXT_MODULE flagKamen Mazdrashki1-5/+12
2010-07-07s4-dsdb: use ldb_operr() in the dsdb codeAndrew Tridgell1-30/+25
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)" in places in the dsdb code where we don't already explicitly set an error string. This should make is much easier to track down dsdb module bugs that result in an operations error.
2010-07-05s4-dsdb: Implementation of User-Change-Password and User-Force-Password-ChangeNadezhda Ivanova1-79/+162
These CARs need to be checked on password change and password reset operations. Apparently the password attributes are not influenced by Write Property. Single detele operations and modifications of dBCSPwd are let through to the password_hash module. This is determined experimentally.
2010-06-29Fixed incorrect use of cn instead of lDAPDisplayNameNadezhda Ivanova1-2/+2
2010-06-28s4:acl LDB module - fix counter typeMatthias Dieter Wallnöfer1-1/+2
2010-06-28Implementation of self membership validated right.Nadezhda Ivanova1-1/+100
When this right is granted, the user can add or remove themselves from a group even if they dont have write property right.
2010-06-07s4:acl LDB module - LDB attribute names should be compared using ↵Matthias Dieter Wallnöfer1-2/+2
"ldb_attr_cmp" or "strcasecmp"
2010-06-07s4:acl LDB module - adaption for "objectclass_attrs" moduleMatthias Dieter Wallnöfer1-5/+15
Since the attribute schema checking code moved back we need to give here the "LDB_ERR_NO_SUCH_ATTRIBUTE" error.
2010-06-06s4:acl LDB module - fix counter types where appropriateMatthias Dieter Wallnöfer1-2/+4
2010-05-10s4:acl ldb module - fix typosMatthias Dieter Wallnöfer1-3/+3
2010-04-16s4:Replaced dsdb_get_dom_sid_from_ldb_message() with samdb_result_dom_sid()Nadezhda Ivanova1-24/+5
2010-04-13s4:acl/descriptor LDB module - distinguish between root and default basednMatthias Dieter Wallnöfer1-0/+6
The first is the forest base DN, the second the domain base DN. At the moment we assume that they are both the same but it hasn't to be so. Nadia, I would invite you to fix the outstanding parts regarding this (I added comments).
2010-03-16s4:dsdb/acl Reduce calls to dsdb_get_schema() and add memory contextAndrew Bartlett1-24/+46
dsdb_get_schema() isn't a very cheap call, due to the use of LDB opaque pointers. We need to call it less, and instead pass it as a parameter where possible. This also changes to the new API with a talloc context. Andrew Bartlett
2010-03-12Split the dsdb_access_check_on_dn.Nadezhda Ivanova1-5/+44
Split the dsdb_access_check_on_dn so it can be reused for checks from both within the module stack and outside it.
2010-03-12Fixed ACL module to use dsdb_module_* API.Nadezhda Ivanova1-9/+9
2010-03-12Moved access_check_on_dn from acl module as an utility.Nadezhda Ivanova1-156/+19
Made this an utility function so it can be used for access checking outside of the acl ldb module, such as checking validated writes and control access rights in other protocols (e. g drs)
2010-03-09Added a check for permissions to modify the RDN attribute on rename.Nadezhda Ivanova1-0/+12
Necessary because rdn module will be moved lower than acl in the stack.
2010-03-07s4:acl LDB module - change counter variable to "unsigned"Matthias Dieter Wallnöfer1-1/+1
2010-02-13s4-dsdb: use TYPESAFE_QSORT() in dsdb codeAndrew Tridgell1-9/+3
generated by cgit (git 2.34.1) at 2024-07-05 18:16:44 +0000