summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb/ldb_modules
AgeCommit message (Collapse)AuthorFilesLines
2010-10-13s4:samldb LDB module - deny creation of temporary duplicate accountsMatthias Dieter Wallnöfer1-0/+12
2010-10-13s4:samldb LDB module - proof the account type also on LDB modify operationsMatthias Dieter Wallnöfer1-0/+8
2010-10-13s4:samldb LDB module - support the group type changing properlyMatthias Dieter Wallnöfer1-1/+53
This is exactly that what Windows allows. It was proven by a blackbox test. And we also need to deny add operations of builtin groups.
2010-10-13s4:samldb LDB module - deny also the direct modification of ↵Matthias Dieter Wallnöfer1-3/+14
"isCriticalSystemObject" on modify operations
2010-10-13s4:objectclass LDB module - deny the creation of "isCriticalSystemObject" ↵Matthias Dieter Wallnöfer1-0/+9
entries They're only allowed to be created with the RELAX control specified.
2010-10-13s4:samldb LDB module - first implementation of the samldb primary group triggerMatthias Dieter Wallnöfer1-48/+61
This was done according to MS-SAMR 3.1.1.8.2 But do use it only for add operations at the moment.
2010-10-13s4:samldb LDB module - use the new "objectclass_trigger" for add operationsMatthias Dieter Wallnöfer1-142/+33
Additionally clean up "samldb_fill_object" which is now much easier to comprehend.
2010-10-13s4:samldb LDB module - first implementation of the samldb objectclass triggerMatthias Dieter Wallnöfer1-0/+176
This was done according to MS-SAMR 3.1.1.8.1 I need to perform some RELAX checks since otherwise the provision wouldn't work anymore.
2010-10-13dsdb/schema_data: Build as shared object.Jelmer Vernooij1-1/+1
2010-10-13dsdb/schema_load: Build as shared object.Jelmer Vernooij1-1/+1
2010-10-13s4-schema: don't name variables after standard libc functionsAndrew Tridgell1-3/+3
2010-10-12libcli/security Provide a common, top level libcli/security/security.hAndrew Bartlett1-1/+0
This will reduce the noise from merges of the rest of the libcli/security code, without this commit changing what code is actually used. This includes (along with other security headers) dom_sid.h and security_token.h Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 05:54:10 UTC 2010 on sn-devel-104
2010-10-12libcli/security Use common security.hAndrew Bartlett3-4/+3
This includes dom_sid.h and security_token.h and will be moved to the top level shortly. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Oct 12 03:35:36 UTC 2010 on sn-devel-104
2010-10-12s4-libcli/security Use seperate subsystem for session related functionsAndrew Bartlett4-3/+6
The merged I plan in this area require spliting security.h into two header files, a common header and a session.h for the remaining source4-specific code. Andrew Bartlett
2010-10-12dsdb: Build more modules as shared objects.Jelmer Vernooij1-14/+14
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Tue Oct 12 02:12:29 UTC 2010 on sn-devel-104
2010-10-11dsdb: Build some more modules as shared objects.Jelmer Vernooij1-7/+7
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Oct 11 23:22:33 UTC 2010 on sn-devel-104
2010-10-11dsdb: Build some more modules as shared object files.Jelmer Vernooij1-10/+10
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Oct 11 21:13:25 UTC 2010 on sn-devel-104
2010-10-11dsdb: Build some more modules as .so files.Jelmer Vernooij1-9/+9
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Mon Oct 11 19:14:58 UTC 2010 on sn-devel-104
2010-10-11credentials: Split up into several subsystems.Jelmer Vernooij1-1/+1
2010-10-10dsdb/modules: Split up helpers a bit to prevent recursive dependencies.Jelmer Vernooij7-93/+134
Autobuild-User: Jelmer Vernooij <jelmer@samba.org> Autobuild-Date: Sun Oct 10 23:47:54 UTC 2010 on sn-devel-104
2010-10-11dsdb modules: Split ridalloc out of common helpers, because of dependency loops.Jelmer Vernooij3-5/+12
2010-10-10ldb-samba: Rename samdb_relative_path to ldb_relative_path, as it's not ↵Jelmer Vernooij1-1/+2
samdb-specific.
2010-10-10dsdb: Move attr_in_list to SAMDB_COMMON to avoid circular dependency between ↵Jelmer Vernooij1-12/+0
SAMDB_COMMON and DSDB_MODULE_HELPERS.
2010-10-06s4:samldb LDB module - remove "type" parameter of "samldb_fill_object"Matthias Dieter Wallnöfer1-6/+9
It's a bit redundant given that we have the "type" variable on "ac". Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Wed Oct 6 10:20:45 UTC 2010 on sn-devel-104
2010-10-05s4:subtree_delete LDB module - remove the DN from an error messageMatthias Dieter Wallnöfer1-3/+6
It may looks funny but the DN output prevents older ADUC versions (tested with release 2000) to perform subtree deletes properly. Version 2008 has this fixed. Additionally some smaller changes ("%u" for printing unsigned integers, module name prefix, nicer line-wrap). Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Oct 5 16:48:19 UTC 2010 on sn-devel-104
2010-10-05s4:samldb LDB module - simplify/unify the message handling on add and modify ↵Matthias Dieter Wallnöfer1-28/+54
operations - Perform only shallow copies (should be enough) - Perform only one copy per operation (also on modifications) - Build a new request on modify operations if needed ("modified" flag) - this makes it look cleaner - Fix an important bug: the "el" pointers could have changed after modifications. Therefore we have to refresh them on the FLAG_DELETE checks Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org> Autobuild-Date: Tue Oct 5 09:24:57 UTC 2010 on sn-devel-104
2010-10-05s4:samldb LDB module - assign better memory contexts on two placesMatthias Dieter Wallnöfer1-2/+2
2010-10-05Add missing dependencies for com_err.Jelmer Vernooij1-2/+2
2010-10-05heimdal: Fix name of hx509 library.Jelmer Vernooij1-1/+1
2010-10-03s4:objectclass LDB module - introduce allowed system flags restrictionMatthias Dieter Wallnöfer1-6/+11
Let us do the distinction by real use and provision by the RELAX flag Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:dsdb - substitute the "show_deleted" with the "show_recycled" controlMatthias Dieter Wallnöfer9-20/+23
We intend to see always all objects with the "show_deleted" control specified. To see also recycled objects (beginning with 2008_R2 function level) we need to use the new "show_recycled" control. As far as I see this is only internal code and therefore we don't run into problems if we do substitute it. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:subtree_rename LDB module - also already deleted objects have to be renamedMatthias Dieter Wallnöfer1-2/+13
This is needed if the SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag was specified and the parent is renamed. To be able to do this we also need to relax the constraint checks (using the "isDeleted" proof). Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:show_deleted LDB module - also support the "show_recycled" controlMatthias Dieter Wallnöfer1-11/+62
MS-ADTS 3.1.1.3.4.1 and MS-ADTS 3.1.1.5.5 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:repl_meta_data LDB module - consider the ↵Matthias Dieter Wallnöfer1-10/+25
SYSTEM_FLAG_DISALLOW_MOVE_ON_DELETE flag Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:subtree_delete LDB module - it is only responsible for non-deleted objectsMatthias Dieter Wallnöfer1-2/+1
The deleted objects (tombstones, recycled & deleted objects) are handled by "repl_meta_data". Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:objectclass LDB module - fix the "crossRef" delete protectionMatthias Dieter Wallnöfer1-3/+9
This is what Windows does Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:objectclass LDB module - fix the delete behaviour of server containersMatthias Dieter Wallnöfer1-2/+2
A typo prevented the right behaviour. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-10-03s4:acl_read LDB module - fix counter typeMatthias Dieter Wallnöfer1-1/+2
2010-10-02s4-drs: fixed comparison login in replicated renamesAndrew Tridgell1-45/+72
we need to ensure we only ever compare USNs from the same originating invocation ID. Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Sat Oct 2 01:45:19 UTC 2010 on sn-devel-104
2010-10-01s4-rpmd: fixed a use after realloc bugAndrew Tridgell1-2/+8
we could use old_el after the base message had been re allocated, due to adding timestamps. We need to re-find the element before using it Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-10-01s4-dsdb: fail the transaction instead of asserting on errorAndrew Tridgell1-2/+10
It is more useful to fail the transaction and give the user an error message than to assert when we have an error in the repl_meta_data module Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-samldb: also set a password on the krbtgt_NNNN accountAndrew Tridgell1-0/+11
when we setup the krbtgt_NNNN account using the DCPROMO_OID control, we also need to set an initial password for this account Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2010-09-29s4-rodc: RODC should not accept requests for role transferNadezhda Ivanova1-0/+12
A RODC cannot assume a role, and unwillingToPerform must be returned if such request is sent via LDAP
2010-09-29s4-dsdb Add ldb_reset_err_string() when we set error codes.Andrew Bartlett1-0/+1
If we don't we could show an old, incrorrect error
2010-09-29s4-dsdb Fix segfault in error case in rootdse moduleAndrew Bartlett1-1/+4
2010-09-27s4-ldb: removed an unused variableAndrew Tridgell1-1/+0
2010-09-27s4-ldb: Added ldb_request_replace_controlNadezhda Ivanova1-1/+1
It is the same as ldb_request_add_control, except it will replace an existing control. Autobuild-User: Andrew Tridgell <tridge@samba.org> Autobuild-Date: Mon Sep 27 19:00:38 UTC 2010 on sn-devel-104
2010-09-26s4-ldbmodules: Added new module aclread to handle access checks on LDAP searchNadezhda Ivanova4-0/+327
It is currently enabled only if the request comes from the LDAP server, and is disabled by default. Use acl:search=true in smb.conf to enable it. It filters out all objects the user is not allowed to see, and all attributes the user does not have RP on. Extended access not supported yet.
2010-09-26s4-tests: Removed search tests with anonymous credentials as they fail ↵Nadezhda Ivanova1-1/+1
againts Windows These tests will fail in make test as well if the acl_read module is enabled.
2010-09-26s4-dsdb: Added a function to check access on a particular object by its guidNadezhda Ivanova1-0/+37
Similar to dsdb_check_access_on_dn, only it searches by guid.