Age | Commit message (Collapse) | Author | Files | Lines |
|
Using ldb unique indexes for samAccountName doesn't work with DRS as
the other DC may send us a deleted record (tombstone record), which
has the same samAccountName as an existing record. That would then
create two records in the same partition with the same samAccountName.
So we needed to put back the logic in samldb.c which explicitly
checked whether a samAccountName already exists on add
|
|
We found this as an object came across from w2k3 with zero values,
which caused a segv when we tried to decrypt the first value
|
|
The previous code incorrectly assumed that attributes such as
subClassOf come over the wire as strings. In fact they come over as 32
bit integers which refer to goversIDs. We have to post-process these
as it sometimes happens that a governsID comes over the wire before
the record that defines what it means.
|
|
|
|
It seems quite reasonable to allow modules to re-initialise the set of
cached DNs on the ldb context.
Andrew Bartlett
|
|
This job is not complete (the partition module remains a unfinished
task), but now we do use the private ldb headers much less.
Andrew Bartlett
|
|
|
|
|
|
|
|
Enhance the simple ldap map to support also the "systemFlags" attribute in the
correct way.
|
|
I tried hard to not change the program logic. Should fix bug #6439.
|
|
- LDB handles now all 32-bit integer attributes correctly (also with overflows)
according to the schema
- LDAP backends handle the attributes "groupType", "userAccountControl" and
"sAMAccountType" correctly. This handling doesn't yet use the schema but
the conversion file "simple_ldap.map.c" which contains them hardcoded.
Did also a refactoring of the conversion function there.
- Bug #6136 should be gone
|
|
|
|
|
|
904d0124b46eed7a8ad6e5b73e892ff34b6865ba)
Also including the supporting changes required to pass make test
A number of heimdal functions and constants have changed since we last
imported a tree (for the better, but inconvenient for us).
Andrew Bartlett
|
|
|
|
|
|
|
|
These attributes now use the unique indexing flag
|
|
|
|
|
|
|
|
|
|
This bit actually means that we should ignore the minimum password
length field for this user. It doesn't mean that the password should
be seen as empty
|
|
|
|
|
|
|
|
This file (contining metze's decryption routines) is now also be used by
Samba3's DRSUAPI implementation
Andrew Bartlett
|
|
|
|
We are probably still using more memory here than we need to. That
needs to be looked at.
|
|
|
|
We now generate possibleInferiors at startup, and return it when
requested
|
|
Sadly it still segfaults at this stage
Andrew Bartlett
|
|
|
|
|
|
This is all working towards supporting the full WSPP schema without a
major performance penalty.
We now use binary searches when looking up classes and attributes. We
also avoid the loop loading the attributes into ldb, by adding a hook
to override the ldb attribute search function in a module. The
attributes can thus be loaded once, and then saved as part of the
global schema.
Also added support for a few more key attribute syntaxes, as needed
for the full schema.
|
|
or from ldb
|
|
|
|
This makes multi-partition ldb's much safer
|
|
|
|
Adding --wspp to possibleInferiors.py forces it to use the WSPP
documented algorithm, which doesn't match windows behaviour
|
|
This test code builds the possibleInferiors for every class in the
schema on a target machine, and compares it to the servers
possibleInferiors attribute.
The MS-ADTS spec describes how to calculate possibleInferiors for a
object, but it seems to have some bugs. The spec says that we need to
use AUXCLASSES, and it does not mention the use of the SUBCLASS
tree. In trying to match windows behaviour, I found that I needed to
ignore the AUXCLASSES and build a SUBCLASSES tree.
|
|
we haven't implemented possibleInferiors yet. This test is meant to
help us understand how it works. It tries to construct
possibleInferiors via searches on other attributes, and compares it to
the servers constructed possibleInferiors attribute for each class in
the servers schema.
see [MS-ADTS] section 3.1.1.4.5.21
|
|
|
|
This is made up of 4 parts:
1) change our schema to include the parentGUID attribute type
2) in the add hook in the objectclass module, get the objectGUID of
the parent and add it to the message as parentGUID
3) in the rename hook in the objectclass module, get the objectGUID
of the new parent, and insert an async modify request after the
renmam is done
4) added a simple test suite
|
|
The clients that do only lanman auth are on their way out, the
passwords are case insensitive, it does not support unicode and we
should not store such a poor hash of the password if we can avoid it.
Andrew Bartlett
|
|
The short-to-long name canonicalisation rules use the schema, so
clearly they won't work when loading it.
Andrew Bartlett
|
|
This search uses the index, and is not recursive, so should avoid the
major performance problem with the current sorted schema load.
The ad2oLschema code (recently moved to provision-backend) no longer
needs the schema to be sorted.
Andrew Bartlett
|
|
This avoids the need to assume that the schema is sorted on load,
which happens more often and is a major performace issue in the
Samba4's use of ldb.
Andrew Bartlett
|
|
This removes a level of indirection via external binaries in the
provision-backend code, and also makes better use of our internal code
for loading schema from an LDIF file.
Remaining to do: Sort the output again, as the load from LDIF is
unsorted (also needed because the normal LDB load from sorted input is too slow
anyway, and is only needed here).
Andrew Bartlett
|