Age | Commit message (Collapse) | Author | Files | Lines |
|
these partitions and not on the server we are replicating from. Also
check for deleted partitions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
DN links outside the set of partitions we are replication should be
allowed.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
|
|
|
This means we are only doing the checks for schema changes
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The SIDs in some queries were not being passed as binary, but as
strings in comparison with the securityIdentifer object. We need to
recognise that these are SIDs in the simple_ldap_map.
Andrew Bartlett
|
|
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
|
|
In the future, LDAP backends will be resposible for maintaining the
'name' attributes.
Andrew Bartlett
|
|
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
|
|
|
metze
|
|
The first is the forest base DN, the second the domain base DN. At the moment
we assume that they are both the same but it hasn't to be so.
Nadia, I would invite you to fix the outstanding parts regarding this (I added
comments).
|
|
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
|
|
|
|
Purely cosmetic change.
|
|
|
|
|
|
This returns the currently connected user's full token. This is very
useful for debugging, and should be used in ACL tests.
Andrew Bartlett
|
|
This error occours when an extended DN cannot be resolved, so it's
most helpful to print the problematic extended DN.
Andrew Bartlett
|
|
If we can't get @REPLCHANGED, default to a value of 0.
Andrew Bartlett
|
|
|
|
dsdb_module_load_partition_usn().
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
|
|
them
|
|
Rewrote wafsamba using a new dependency handling system, and started
adding the waf test code
|
|
|
|
|
|
|
|
This uses the ldb sequence number, in a hope to detect an unchanged
schema quicker.
Andrew Bartlett
|
|
This commit reworks Samba4's schema loading code to detect when it
needs to reload the schema. This is done by watching the @REPLCHANGED
special DN.
The reload happens by means of a callback, which is only set when the
schema is loaded from the ldb - not when loaded from an LDIF file or
DRS.
We also rework the global schema handling - instead of storing the
pointer to the global schema in each ldb, we store a flag indicating
that the global schema should be returned at run time. This makes it
much easier to switch to a new global schema.
Andrew Bartlett
|
|
This function should not traverse the module stack again, but instead
run from this point. Also add a matching
dsdb_module_load_partition_usn() and change repl_meta_data to match.
Andrew Bartlett
|
|
We don't currently require this, but we may move this way in future.
|
|
Schema loads now come at a price, so avoid doing them if we don't have
to (such as when doing an @REPLCHANGED or other special DN based
search).
Andrew Bartlett
|
|
This is done so that it can be (in future) removed when the OpenLDAP
backend is in use and the rdn_val module is used, while keeping as
similar semantics as possible between the module stacks.
Andrew Bartlett
|
|
"talloc_reference"
|
|
|
|
Andrew Bartlett
|
|
This choses an appropriate talloc context to attach the schema too,
long enough lived to ensure it does not go away before the operation
compleates.
Andrew Bartlett
|
|
|
|
dsdb_get_schema() isn't a very cheap call, due to the use of LDB
opaque pointers. We need to call it less, and instead pass it as a
parameter where possible.
This also changes to the new API with a talloc context.
Andrew Bartlett
|
|
It's easier to just set it up when we can, then to deal with the
ordering issues in ldb startup. As long as we have it ready if a real
client ever asks for it, then we should be happy.
Andrew Bartlett
|
|
|
|
|
|
Split the dsdb_access_check_on_dn so it can be reused for checks
from both within the module stack and outside it.
|
|
|
|
Made this an utility function so it can be used for access checking
outside of the acl ldb module, such as checking validated writes and
control access rights in other protocols (e. g drs)
|
|
Necessary because rdn module will be moved lower than acl in the stack.
|
|
appropriate
|
|
appropriate
I used "unsigned int" counters where we count LDB objects (LDB specification
prescribes to use "unsigned" index variables).
But on DSDB replication object counters I used "uint32_t" typed variables as it
is suggested.
If a counter variable counts both types of objects I used "unsigned int" since
size(unsigned int) >= size(uint32_t), but on most platforms equal.
|
|
appropriate
|