| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
this preserves the request hierarchy for dsdb_module_*() calls inside
dsdb ldb modules
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
used
Make it much harder to import bad data into the password attributes.
This isn't 100% safe, but much better than no checks.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Mon Dec 13 16:17:36 CET 2010 on sn-devel-104
|
|
This seems to have been broken some time ago - till someone on the
mailing list noticed it.
I've also added a testsuite (and some additional SamDB python helpers) which
should prove this.
|
|
|
|
conversion errors
This errors can happen also on a regular basis - then we shouldn't return
ERR_OPERATIONS_ERROR (this error code is reserved for very serious failures).
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Nov 13 12:37:36 UTC 2010 on sn-devel-104
|
|
The cleartext_utf16_str variable was declared char **, but due to the
cast on convert_string_talloc() and the lack of type checking here and
on data_blob_const (due to void *) it was able to be used as if it was
a char *.
The simple solution seems to be to fill in cleartext_utf16 blob directly.
Andrew Bartlett
|
|
The UTF16MUNGED helper will map all invalid sequences (except odd
input length) to valid input sequences, per the rules. Therefore if
it fails, we need to bail out, somehing serious is wrong.
Andrew Bartlett
|
|
according to the "dSHeuristics"
|
|
the password_hash LDB module
It's only used there and so I think it doesn't really belong in
"dsdb/common/util.c" (I first thought that it could be useful for ACL checking
but obviously it wasn't).
|
|
enables/disables the two "userPassword" behaviours
- Enabled: "userPassword" password change behaviour (will later be linked to the
"dSHeuristics")
- Disabled: "userPassword" plain attribute behaviour (default)
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Mon Nov 8 15:28:06 UTC 2010 on sn-devel-104
|
|
complicated
|
|
- don't crash when no values where specified
- return ERR_CONSTRAINT_VIOLATION on malformed messages
- only check for flags when we are involved in a LDB modify operation
|
|
attributes isn't possible
|
|
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Fri Nov 5 12:31:28 UTC 2010 on sn-devel-104
|
|
|
|
|
|
"samdb_result_uint64" and "samdb_result_string"
We have ldb_msg_find_attr_as_* calls which do exactly the same. Therefore this
reduces only code redundancies.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
password change control
|
|
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
|
|
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
important failure cases
|
|
|
|
on password change operations
This is to match the SAMR password change behaviour.
|
|
|
|
passwords
Sooner or later this module should take over all password change actions.
|
|
To match the passwords.py test
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
this replaces "return LDB_ERR_OPERATIONS_ERROR" with "return ldb_operr(ldb)"
in places in the dsdb code where we don't already explicitly set an
error string. This should make is much easier to track down dsdb
module bugs that result in an operations error.
|
|
metze
|
|
metze
|
|
When a user only provides only the lanman hash (and nothing else) and the
lanman authentication is deactivated then we end in an account with no
password attribute at all! Lock this down.
|
|
hash
Previously, only the conversion from cleartext to the LM hash was deactivated,
and not when the user specified it directly through "dBCSPwd".
|
|
|
|
"ldb_msg_remove_attr" behaviour
|
|
|
|
|
|
This reverts commit 6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
|
|
before copying them"
This reverts commit fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
|
|
it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
|
|
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
|
|
|
|
copying them
|
|
This is to don't break the provision process at the moment. We need to find
a better solution.
|
|
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
|
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
|
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
|
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
