Age | Commit message (Collapse) | Author | Files | Lines |
|
The Win7-beta domain process has changed. It no longer uses SAMR for
setting the password, and instead uses a ldap modify on a SASL
encrypted ldap connection. We didn't handle that as the unicodePwd
attribute has a dual use, holding the nt style MD4 hases for DRS
replication, but holding a UTF-16 plaintext password for a LDAP
modify.
This patch copes with the ldap unicodePwd modify by recognising the
format and creating the correct attributes on the fly. Note that this
assumes we will never get a unicodePwd attribute set in NT MD4 format
with the first 2 and last 2 bytes set to 0x22 0x00.
Andrew Bartlett is looking at a more robust solution, possibly using a
flag to say that this modify came via ldap, and not internal ldb
calls.
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
|
|
The only 2 modules escaping the rule so far are rootdse and partitions
|
|
Some public functions were mistakenly put into ldb_private.h
Revert all modules to only include ldb_module.h
|
|
metze
|
|
Separate again the public from the private headers.
Add a new header specific for modules.
Also add service function for modules as now ldb_context and ldb_module are
opaque structures for them.
|
|
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"
for s in $list; do
o=`echo $s | cut -d ':' -f1`
n=`echo $s | cut -d ':' -f2`
r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
for f in $files; do
cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
mv $f.tmp $f
done
done
metze
|
|
|
|
|
|
|
|
|
|
The extended_dn_out module provides the functionality now.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
extended_dn_store.
By splitting the module, the extended_dn_in and extended_dn_store
moudles can use extended_dn_out to actually get the extended DN. This
avoids code duplication.
The extended_dn_out module also contains a client implementation of
the OpenLDAP dereference control (draft-masarati-ldap-deref-00).
This also introduces a new control
'DSDB_CONTROL_DN_STORAGE_FORMAT_OID' to ask the extended_dn_out module
to return whatever the 'storage format' is. This allows us to work
with both OpenLDAP (which performs a dereference at run time) and LDB
(which stores the GUID and SID on disk).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This means that linked attributes will always have the same case form
as the actaul entry, as we search for that entry. We then also use
the GUID and SID found on that entry to fill in the extended DN on disk.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
When things go wrong with LDB, this routine seems to be particularly
sensitive to it. This extra debugging should help the next poor soul who
breaks LDB.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Encode and decode the OpenLDAP dereference control (draft-masarati-ldap-deref-00)
At this time, the ldb_controls infrustructure does not handle request
and reply controls having different formats, so this is purely the
client implementation (ie, there is no decode of the client->server
packet, and no encode of the server->client packet).
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This module is not used at the moment, but if we do use it again, we
should try to avoid duplicate lists.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This avoids accidentily running off the end of a string, and uses a
single 'guess which type of GUID I have' algorithm.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
It seems that in 2deeb99fff1a90c79ba1927e1a069362e250a63c adding the
partition control to this request was missed out.
Andrew Bartlett
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
This fixes the creation of the user object for incoming trusts
in dcesrv_lsa_CreateTrustedDomain_base().
And now w2k3 trust samba4 just fine:-)
metze
|
|
metze
|
|
We're using @ROOTDSE instead of CN=ROOTDSE.
metze
|
|
This causes the linked attribute modifies to occour after the original
operation is entered in the transaction (any failure still fails the
lot). This means (I hope) that we can have another module search the
originating record when the backlink is created, filling in the GUID
and SID for the extended DN.
Andrew Bartlett
|
|
(This module has been split up into extended_dn_in, extended_dn_out
and extended_dn_store).
Andrew Bartlett
|
|
metze
|
|
metze
|
|
metze
|
|
|
|
The ldb_val is length-limited, and while normally NULL terminated,
this avoids the chance that this particular value might not be, as
well as avoiding a cast.
Andrew Bartlett
|
|
This bug occours frequenetly in ldb users because the union so happens
to be layed out that this works. However, it is still incorrect
usage...
Andrew Bartlett
|
|
now to work out how to test this ...
|
|
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
|
|
remove some unused functions.
|
|
3.
|
|
|
|
it should always have been. Make it also async so that it is not a special case.
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
Commit 51baa8deec00244cc0a6e3d29c53932427800610 included a
copy-and-paste bug which caused all MMC mangement utilities to break.
Because of the typo Samba4 would no longer include the magic 'you may
write to these attributes/create these classes' attributes, these
tools would display all fields greyed out or 'read only', and not
allow the creation of child objects.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Also, use the constants more in the "ldif_handlers" module.
|
|
This commit applies some cosmetic corrections for the DSDB (Directory Server Database).
|