| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Much more work is still required here, particularly to handle this
better during the provision, and to handle modifies and deletes, but
this is a start.
Andrew Bartlett
(This used to be commit 2ba99d58e9fe1f8e4b15a58a2fdfce6e876f99b4)
|
|
The module is scary: On a rename, it does a search for all entries
under that entry (including itself), and fires off a seperate rename
call for each result. This will fail miserably on an LDAP backend,
but I'll need to work on using hdb for OpenLDAP, and hope Fedora DS
can implement subtree renames at some point.
Andrew Bartlett
(This used to be commit 13908a8cb4dd810503213203efb8d51f77f1f379)
|
|
ldb_subclass list.
Next step will be to have this module also set the objectCategory and
default ntSecurityDescriptor
Andrew Bartlett
(This used to be commit 0f7135a4685a1117a54c2f019df6c6de22b8dd32)
|
|
* Change license to LGPL, so it can be used by non-Samba users of
LDB (cleared with Martin as well).
* Include ldb_map in standalone build.
* Move ldb_map to its own directory
(This used to be commit a90202abca26c0da5425a2f3dd8494077c3290fd)
|
|
metze
(This used to be commit 7f07895cac3e933b39f81bf67812834352184af0)
|
|
them as a hook on ldb modify, via a module.
This should allow the secrets.ldb to be edited by the admin, and to
have things update in the on-disk keytab just as an in-memory keytab
would.
This isn't really a dsdb plugin, but I don't have any other good ideas
about where to put it.
Andrew Bartlett
(This used to be commit 6ce557a1aff4754d2622be8f1c6695d9ee788d54)
|
|
it hides objects with isDeleted=TRUE by default, and let them through
if the control is present
metze
(This used to be commit 7108d62cb0360e734045eb39c03508d8528dc9cc)
|
|
metze
(This used to be commit 341fae8e8465e67023ab0e82110835669a593577)
|
|
constraints and it also loads the dsdb_schema at startup.
currently it only loads the dsdb_schema
metze
(This used to be commit d78de0fb68f8b4ef4c5372f3c3ed171e44cf2037)
|
|
other things
on startup into memory structures in future.
metze
(This used to be commit fbb1f85e320830f52bdf410ad61f2ec60e168d80)
|
|
the merging of existing objects is not implemented yet...
there are a few ifdef REPLMD_FULL_ASYNC because we need to workarouns
ldb's async infrastructure (which don't handle full async sub requests nicely)
metze
(This used to be commit da4ff0e7ccde47b3e092313ba22422350cf50f78)
|
|
But this is currently needed to make regpatch linking in
the dsdb/schema/schema_*.o object files.
the problem is that the linker doesn't find any references to public symbols
in this files and removes them from the link list.
gnu ld has a --whole-archive option, but it seems to be not portable...
I think the solution with prelinking using 'ld -r' to create one object file
for a subsystem instead of using 'ar -rcs' to create an archive for a subsystem...
jelmer: any ideas about this problem?
metze
(This used to be commit 46df7ff6e5e74eddcb81b5a195e82688d83afaf4)
|
|
- I'll add handling of replication meta data to it
for orginating changes
- I'll pass replication meta data via a ldb control
for applying replicated changes
- It will also update the replUpToDateVector attribute in
in root object of the partition
- It will handle deleted records by adding the isDeleted=TRUE attribute
and move them to the CN=Deleted Objects container of the partition
- I make a copy to play with the code without breaking
the LDAP backend setup
metze
(This used to be commit 045ddfe1ec626fab5e8fd75c5b47f0525b7ebb01)
|
|
better handle the Samba3 backend.
I've refactored the password format patch to use the routines in
lib/samba3/smbpasswd.c, which has required me to move this into a
seperate subsystem, due to recursive dependencies.
Andrew Bartlett
(This used to be commit 14e2c877a82d1fcf060455f9b46de5767b71438d)
|
|
libraries
works again now, by specifying --enable-dso to configure.
(This used to be commit 7a01235067a4800b07b8919a6a475954bfb0b04c)
|
|
* libreplace can now build stand-alone
* add stub testsuite for libreplace
* make talloc/tdb/ldb use libreplace
(This used to be commit fe7ca4b1454e01a33ed0d53791ebffdd349298b4)
|
|
(This used to be commit b49b8f5cb5ffa29a3b63f70a1f437c9720d2228c)
|
|
At the moment it is able to validate an object has no conflicting
objectlasses that it meets the criteria to be inserted as child of
the parent and also sorts and create the objectclass hierarchy so
that the objectclass .c module can be obsoleted.
Not activated by default as we have to completely rework the
current provisioning method. (In my tests I could not activate
it before all other ldif except for the one that create users
were loaded, make test seem to be happy anyway if it is activated
after provisioning).
Next steps will be attribute and attribute syntax checking on add operation.
And then the modify operation will follow.
Simo.
(This used to be commit 0c444ba1adfb9ce5cfa736bf0620aa3bec66050d)
|
|
Andrew Bartlett
(This used to be commit 0e19d159697e99f6c45879cf42c39c9b2b134ffa)
|
|
Martin Kühl
<mkhl@samba.org>.
Martin took over the work done last year by Jelmer, in last year's
SoC. This was a substanital task, as the the ldb modules API changed
significantly during the past year, with the addition of async calls.
This changeset reimplements and enables the ldb_map ldb module and
adapts the example module and test case, both named samba3sam, to the
implementation.
The ldb_map module supports splitting an ldb database into two parts
(called the "local" and "remote" part) and storing the data in one of
them (the remote database) in a different format while the other acts
as a fallback.
This allows ldb to e.g. store to and load data from a remote LDAP
server and present it according to the Samba4 schema while still
allowing the LDAP to present and modify its data separately.
A complex example of this is the samba3sam module (by Jelmer
Vernooij), which maps data between the samba3 and samba4 schemas.
A simpler example is given by the entryUUID module (by Andrew
Bartlett), which handles some of the differences between AD and
OpenLDAP in operational attributes. It principally maps objectGUID,
to and from entryUUID elements. This is also an example of a module
that doesn't use the local backend as fallback storage.
This merge also splits the ldb_map.c file into smaller, more
manageable parts.
(This used to be commit af2bece4d343a9f787b2e3628848b266cec2b9f0)
|
|
it by default.
Andrew Bartlett
(This used to be commit c1ea0a350cdc2c5ddfd71e08f8c3907d97fc1efd)
|
|
Andrew Bartlett
(This used to be commit 8b0f6e637ee3ef0767be4017b4106877c185d7c7)
|
|
ldb API changes.
Andrew Bartlett
(This used to be commit 44806c67dbabe2952fe355de76d7fa51f772775f)
|
|
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
|
|
This means that some modules have been disabled as well as they
have not been ported to the async interface
One of them is the ugly objectclass module.
I hope that the change in samldb module will make the MMC happy
without the need of this crappy module, we need proper handling
in a decent schema module.
proxy and ldb_map have also been disabled
ldb_sqlite3 need to be ported as well (currenlty just broken).
(This used to be commit 51083de795bdcbf649de926e86969adc20239b6d)
|
|
rest of LIBSECURITY doesn't)
Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal
Some other dependency fixes
(This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
|
|
for REQUIRED_SUBSYSTEMS.
(This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
|
|
(This used to be commit f10fae23f0685b2d9c6174596e1c66d799f02c52)
|
|
(This used to be commit 2c746980328431ab04852dc668899e3eb042da99)
|
|
(This used to be commit 9a188eb1f48a50d92a67a4fc2b3899b90074059a)
|
|
Applications that use LDB modules will now have to run ldb_global_init()
before they can use LDB.
The next step will be adding support for loading LDB modules from .so
files. This will also allow us to use one LDB without difference between the
standalone and the Samba-specific build
(This used to be commit 52a235650514039bf8ffee99a784bbc1b6ae6b92)
|
|
This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)
Andrew Bartlett
(This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
|
|
There's still lot of work to do but the patch is stable
enough to be pushed into the main samba4 tree.
Simo.
(This used to be commit 77125feaff252cab44d26593093a9c211c846ce8)
|
|
Re-introduce and use the OUTPUT_TYPE property for MODULEs to force
specific modules to always be included
(This used to be commit f9eede3d40098eddc3618ee48f9253cdddb94a6f)
|
|
using pre-calculated passwords for all kerberos key types.
(Previously we could only use these for the NT# type).
The module handles all of the hash/string2key tasks for all parts of
Samba, which was previously in the rpc_server/samr/samr_password.c
code. We also update the msDS-KeyVersionNumber, and the password
history. This new module can be called at provision time, which
ensures we start with a database that is consistent in this respect.
By ensuring that the krb5key attribute is the only one we need to
retrieve, this also simplifies the run-time KDC logic. (Each value of
the multi-valued attribute is encoded as a 'Key' in ASN.1, using the
definition from Heimdal's HDB. This simplfies the KDC code.).
It is hoped that this will speed up the KDC enough that it can again
operate under valgrind.
(This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
|
|
the difference between these at all, and in the future the
fact that INIT_OBJ_FILES include smb_build.h will be sufficient to
have recompiles at the right time.
(This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
|
|
the ldap server. The reason for the change is that ldb modules need
some way to get at the static info stored in the rootDSE (such as the
location of the schema) but they can't do that right now
(This used to be commit 7e226383f2cd2ce9bb3983ab6a3de454649f8a15)
|
