| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Guenther
|
|
Guenther
|
|
Windows 7 sets it's join password using the unicodePwd attribute (as a
quoted, utf16 string), and does so during the LDAPAdd of the object.
Previously, this code only handled unicodePwd for modifies.
Andrew Bartlett
|
|
|
|
|
|
Using ldb unique indexes for samAccountName doesn't work with DRS as
the other DC may send us a deleted record (tombstone record), which
has the same samAccountName as an existing record. That would then
create two records in the same partition with the same samAccountName.
So we needed to put back the logic in samldb.c which explicitly
checked whether a samAccountName already exists on add
|
|
It seems quite reasonable to allow modules to re-initialise the set of
cached DNs on the ldb context.
Andrew Bartlett
|
|
This job is not complete (the partition module remains a unfinished
task), but now we do use the private ldb headers much less.
Andrew Bartlett
|
|
|
|
|
|
|
|
Enhance the simple ldap map to support also the "systemFlags" attribute in the
correct way.
|
|
- LDB handles now all 32-bit integer attributes correctly (also with overflows)
according to the schema
- LDAP backends handle the attributes "groupType", "userAccountControl" and
"sAMAccountType" correctly. This handling doesn't yet use the schema but
the conversion file "simple_ldap.map.c" which contains them hardcoded.
Did also a refactoring of the conversion function there.
- Bug #6136 should be gone
|
|
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
|
|
These attributes now use the unique indexing flag
|
|
|
|
|
|
|
|
|
|
We now generate possibleInferiors at startup, and return it when
requested
|
|
This makes multi-partition ldb's much safer
|
|
Adding --wspp to possibleInferiors.py forces it to use the WSPP
documented algorithm, which doesn't match windows behaviour
|
|
This test code builds the possibleInferiors for every class in the
schema on a target machine, and compares it to the servers
possibleInferiors attribute.
The MS-ADTS spec describes how to calculate possibleInferiors for a
object, but it seems to have some bugs. The spec says that we need to
use AUXCLASSES, and it does not mention the use of the SUBCLASS
tree. In trying to match windows behaviour, I found that I needed to
ignore the AUXCLASSES and build a SUBCLASSES tree.
|
|
we haven't implemented possibleInferiors yet. This test is meant to
help us understand how it works. It tries to construct
possibleInferiors via searches on other attributes, and compares it to
the servers constructed possibleInferiors attribute for each class in
the servers schema.
see [MS-ADTS] section 3.1.1.4.5.21
|
|
This is made up of 4 parts:
1) change our schema to include the parentGUID attribute type
2) in the add hook in the objectclass module, get the objectGUID of
the parent and add it to the message as parentGUID
3) in the rename hook in the objectclass module, get the objectGUID
of the new parent, and insert an async modify request after the
renmam is done
4) added a simple test suite
|
|
The clients that do only lanman auth are on their way out, the
passwords are case insensitive, it does not support unicode and we
should not store such a poor hash of the password if we can avoid it.
Andrew Bartlett
|
|
|
|
consistency with Samba 3.
|
|
do not reference it from ldb.h
|
|
The Win7-beta domain process has changed. It no longer uses SAMR for
setting the password, and instead uses a ldap modify on a SASL
encrypted ldap connection. We didn't handle that as the unicodePwd
attribute has a dual use, holding the nt style MD4 hases for DRS
replication, but holding a UTF-16 plaintext password for a LDAP
modify.
This patch copes with the ldap unicodePwd modify by recognising the
format and creating the correct attributes on the fly. Note that this
assumes we will never get a unicodePwd attribute set in NT MD4 format
with the first 2 and last 2 bytes set to 0x22 0x00.
Andrew Bartlett is looking at a more robust solution, possibly using a
flag to say that this modify came via ldap, and not internal ldb
calls.
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
|
|
The only 2 modules escaping the rule so far are rootdse and partitions
|
|
Some public functions were mistakenly put into ldb_private.h
Revert all modules to only include ldb_module.h
|
|
metze
|
|
Separate again the public from the private headers.
Add a new header specific for modules.
Also add service function for modules as now ldb_context and ldb_module are
opaque structures for them.
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
|
|
|
|
|
|
|
|
The extended_dn_out module provides the functionality now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
extended_dn_store.
By splitting the module, the extended_dn_in and extended_dn_store
moudles can use extended_dn_out to actually get the extended DN. This
avoids code duplication.
The extended_dn_out module also contains a client implementation of
the OpenLDAP dereference control (draft-masarati-ldap-deref-00).
This also introduces a new control
'DSDB_CONTROL_DN_STORAGE_FORMAT_OID' to ask the extended_dn_out module
to return whatever the 'storage format' is. This allows us to work
with both OpenLDAP (which performs a dereference at run time) and LDB
(which stores the GUID and SID on disk).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This means that linked attributes will always have the same case form
as the actaul entry, as we search for that entry. We then also use
the GUID and SID found on that entry to fill in the extended DN on disk.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
