Age | Commit message (Collapse) | Author | Files | Lines |
|
The problem here is that these attributes are not mapped in the
simple_ldap_map, and they were changed a while back.
Andrew Bartlett
|
|
This helps us ensure that the backend knows about and respects the
dereference control if our caller has asked that the extended DN control
be considered critical.
Andrew Bartlett
|
|
The schema should be considered read-only when we are using the OL
backend, as we can't update the backend schema in real time anyway.
Andrew Bartlett
|
|
|
|
|
|
|
|
stack
Also a function to check dsHeuristics value to determine of anonymous access should be blocked
|
|
struct dom_sid
This makes the structure much more like NT_USER_TOKEN in the source3/
code. (The remaining changes are that privilages still need to be merged)
Andrew Bartlett
|
|
when adding a user with the RODC_JOIN control, the samAccountName is
automatically set to the krbtgt_NNNNN form
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
This also changes the primary group for anonymous to be the anonymous
SID, and adds code to detect and ignore this when constructing the token.
Andrew Bartlett
|
|
This makes the structure more like Samba3's NT_USER_TOKEN
|
|
password change control
|
|
DSDB_CONTROL_PASSWORD_CHANGE_OID control
This control is used from the SAMR and "kpasswd" password changes. It is
strictly private and means "this is a password change and not a password set".
|
|
control
This contains the NT and/or LM hash of the password specified by the user.
|
|
Rename it to "DSDB_CONTROL_PASSWORD_CHANGE_OID". This control will afterwards
contain a record with the specified old password as NT and/or LM hash.
|
|
we saw a crash with a bad pointer here, and this may help track it
down
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
when this is in user_account_control the account is a RODC, and we
need to set the primaryGroupID to be DOMAIN_RID_READONLY_DCS
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this is used by w2k8r2 when doing a RODC dcpromo
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
msDS-SecondaryKrbTgtNumber is setup with a value that is outside the
range allowed by the schema (the schema has
rangeLower==rangeUpper==65536). We need to mark this element as being
internally generated to avoid the range checks
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
When this flag is set on an element in an add/modify request then the
normal validate_ldb() call that checks the element against schema
constraints is disabled
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The flags field of message elements is part of a set of flags. We had
LDB_FLAG_MOD_MASK for extracting the type, but it was only rarely
being used (only 1 call used it correctly). This adds
LDB_FLAG_MOD_MASK() to make it more obvious what is going on.
This will allow us to use some of the other flags bits for internal
markers on elements
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this control disables the system only check for nTDSDSA add operations
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
the ldb_msg_add_fmt() call returns LDB_SUCCESS on success
|
|
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.
There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implementat
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
important failure cases
|
|
|
|
on password change operations
This is to match the SAMR password change behaviour.
|
|
(Needed by upgradeprovision for example)
|
|
|
|
passwords
Sooner or later this module should take over all password change actions.
|
|
To match the passwords.py test
|
|
Perform it only when a "rIDSet" does exist. Requested by ekacnet for
"upgradeprovision".
|
|
"systemFlags" section
Also here we have to test for single-valueness.
|
|
validation
|
|
specific objects
(only using the RELAX flag allowed)
|
|
To be more consistent with the MS-ADTS doc.
|
|
message elements
Requested by MS-ADTS 3.1.1.5.2.2
|
|
We don't need to have it around until the end of the function.
|
|
Obviously this has been forgotten by Nadya.
|
|
Moved the access check on extended operations to acl module and removed kludge_acl
|
|
We've to test for the WRITE flag if we are performing an NC add. And if it
isn't an NC add then only the WRITE or no flag is allowed.
|
|
This is requested by MS-ADTS 3.1.1.5.2.2 (NC add operation).
|
|
Also here we have to work with the default base DN.
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!
Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
|
|
After some reading I've discovered that this isn't really true. The forest
partition does exist on one or more DCs and is there the same as the default
base DN (which is already checked by the module).
And if we have other DCs which contain child domains then they never contain
data of the forest domain beside the schema and the configuration partition
(which are checked anyway) since a DC can always contain only one domain!
Link: http://www.informit.com/articles/article.aspx?p=26896&seqNum=5
|
|
|
|
MS-ADTS 3.1.1.5.5.3
|
|
"check_constraints" and perform more checks
Always considering MS-ADTS 3.1.1.5.4.1.2.
|
|
|