summaryrefslogtreecommitdiff
path: root/source4/ldap_server/ldap_server.h
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17237: - keep pointer to the different socketsStefan Metzmacher1-2/+6
- we need this to later: - to disallow a StartTLS when TLS is already in use - to place the TLS socket between the raw and sasl socket when we had a sasl bind before the StartTLS - and rfc4513 says that the server may allow to remove the TLS from the tcp connection again and reuse raw tcp - and also a 2nd sasl bind should replace the old sasl socket metze (This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett1-3/+4
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r16972: Replace the sequence_number function pointer in ldb with the ldb flags.Andrew Bartlett1-0/+2
The function pointer was meant to be unused, this patch fixes partition.c to use ldb_sequence_number(). (No backend provided the pointer any more). Set the flags onto the ldb structure, so that all backends opened by the partitions module inherit the flags. Set the read-ony flag when accessed as the global catalog Modify the LDAP server to track that this query is for the global catalog (by incoming port), and set a opqaue pointer. Next step is to read that opaque pointer in the partitions module. Andrew Bartlett (This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
2007-10-10r15400: Move the TLS code behind the socket interface.Andrew Bartlett1-1/+0
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10r13924: Split more prototypes out of include/proto.h + initial work on headerJelmer Vernooij1-0/+2
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10r12917: fix decoding of ldap controlsSimo Sorce1-0/+1
some more work on timeouts (This used to be commit a7e2fe3cb33be2effff7eb764047567f2da3cd55)
2007-10-10r12880: Remove ldap partitions useless now and probably weSimo Sorce1-26/+10
will not use it anyway as we plan to support partitions in ldb directly like with rootdse Merge ldap_simple_ldb into ldap_backend, it is not simple anymore and makes no sense to have it separated now that ldap partitions are gone Initial attempt at working to some limit to avoid DOSs for the ldap server. Simo. (This used to be commit 97bff3e049eba48019f2b0f3eb5a19e32fef2e23)
2007-10-10r12733: Merge ldap/ldb controls into main treeSimo Sorce1-8/+8
There's still lot of work to do but the patch is stable enough to be pushed into the main samba4 tree. Simo. (This used to be commit 77125feaff252cab44d26593093a9c211c846ce8)
2007-10-10r12686: Push the real SASL list into the rootdse.Andrew Bartlett1-0/+1
Get this out of the server credentials, and push it down to ldb via an opaque pointer. Andrew Bartlett (This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
2007-10-10r12126: get rid of the local ->terminate hacks, we do that genericly nowStefan Metzmacher1-3/+0
metze (This used to be commit a7baf165c10c00096265b790d5362905c527806a)
2007-10-10r11955: got rid of the old rootDSE code in the ldap server.Andrew Tridgell1-1/+0
The partitioning logic is still there, but we only have one partition. If we need partitioning in the future it might be better to remove this partitioning code and use a partitioning module instead (This used to be commit f4685e7dc9bdc3b9e240c9f5891b9da9251f82e5)
2007-10-10r11622: convert the ldap server to the generic packet codeAndrew Tridgell1-8/+2
(This used to be commit 6ef4ba0c81002c9960dc5fe4fbfd0622957d492a)
2007-10-10r10810: This adds the hooks required to communicate the current user from theAndrew Bartlett1-4/+5
authenticated session down into LDB. This associates a session info structure with the open LDB, allowing a future ldb_ntacl module to allow/deny operations on that basis. Along the way, I cleaned up a few things, and added new helper functions to assist. In particular the LSA pipe uses simpler queries for some of the setup. In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't been worked on (other than making it continue to compile) since January, and I think the features of this module are being put into ldb anyway. I have also changed the partitions in ldap_server to be initialised after the connection, with the private pointer used to associate the ldb with the incoming session. Andrew Bartlett (This used to be commit fd7203789a2c0929eecea8125b57b833a67fed71)
2007-10-10r10709: fixed a crash bug rather similar to the one volker found in the dcerpcAndrew Tridgell1-0/+3
code, where a stream_terminate_connection() while processing a request can cause a later defererence of the connection structure to die. (This used to be commit efbcb0f74176058a74d7134dae4658b891fc6f16)
2007-10-10r10078: - add a 'struct data_blob_list_item'Stefan Metzmacher1-4/+1
- use this for the send_queue's of the different stream_servers to not redefine the same struct so often, and it maybe will be used in other places too metze (This used to be commit b6694f067ab7aff0ee303dbfe8a6e7fad801e7e9)
2007-10-10r7801: the ldap server needs this logic tooAndrew Tridgell1-0/+2
(This used to be commit 1dbb5bf2c1c6e11b3467b6eb1a2206c6299bc25b)
2007-10-10r7747: - simplified the ldap server buffer handlingAndrew Tridgell1-43/+17
- got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a)
2007-10-10r7746: - added TLS support to our ldap serverAndrew Tridgell1-0/+3
- this involved changing the buffer handling in the ldap server quite a lot, as it didn't handle partial packets at all - removed completely bogus asn1_object_length() function. You can't do that with BER/DER (This used to be commit fed6f4cc6ceaf83aacb581499aeaf6af4ee8ddd2)
2007-10-10r7593: simplified the memory management in the ldap code. Having a mem_ctxAndrew Tridgell1-2/+2
element in a structure is not necessary any more. (This used to be commit 912d0427f52eac811b27bf7e385b0642f7dc7f53)
2007-10-10r5305: removed libcli/ldap/ldap.h from includes.hAndrew Tridgell1-0/+2
(This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e)
2007-10-10r5102: This is a major simplification of the logic for controlling top levelAndrew Tridgell1-1/+1
servers in smbd. The old code still contained a fairly bit of legacy from the time when smbd was only handling SMB connection. The new code gets rid of all of the smb_server specific code in smbd/, and creates a much simpler infrastructures for new server code. Major changes include: - simplified the process model code a lot. - got rid of the top level server and service structures completely. The top level context is now the event_context. This got rid of service.h and server.h completely (they were the most confusing parts of the old code) - added service_stream.[ch] for the helper functions that are specific to stream type services (services that handle streams, and use a logically separate process per connection) - got rid of the builtin idle_handler code in the service logic, as none of the servers were using it, and it can easily be handled by a server in future by adding its own timed_event to the event context. - fixed some major memory leaks in the rpc server code. - added registration of servers, rather than hard coding our list of possible servers. This allows for servers as modules in the future. - temporarily disabled the winbind code until I add the helper functions for that type of server - added error checking on service startup. If a configured server fails to startup then smbd doesn't startup. - cleaned up the command line handling in smbd, removing unused options (This used to be commit cf6a46c3cbde7b1eb1b86bd3882b953a2de3a42e)
2007-10-10r2878: add server sasl supportStefan Metzmacher1-3/+1
(there are a lot of clean ups following later, but the LDAP-BASIC test works :-) metze (This used to be commit 34fe29c04a76f2f53f27adcaf9be2dce8d177516)
2007-10-10r2864: - Bind and Unbind are no directory partition operationsStefan Metzmacher1-2/+0
- move Bind Unbind code to a seperate file metze (This used to be commit 3aa1a298970eab563ff6304210bee4696ecec105)
2007-10-10r2862: prepare LDAP SASL support for the serverStefan Metzmacher1-1/+4
metze (This used to be commit 9a7505bd74a453b10aa2d40071bb80eb656bc61f)
2007-10-10r2695: revert "Del" renamingSimo Sorce1-1/+1
(This used to be commit ddd74dae8efe4e04b5a56ee9ecd9d4f87f99d104)
2007-10-10r2689: Use consistent naming Del -> DeleteSimo Sorce1-1/+1
Add delete functionality to ldb simple lda server backend add some const in ldap.h (This used to be commit 5ed9a6eb184f34eb572dd81202237042518ec7cd)
2007-10-10r2688: - fix case where listed attributes are askedStefan Metzmacher1-1/+5
- use the return code of the functions and only call ldapsrv_terminate_connection from ldapsrv_recv() or ldapsrv_send() - the rootdse is now a normal partition metze (This used to be commit af1501a28d700f90cd2243fbfdce6527a0f62961)
2007-10-10r2523: - readd rootDSE replyStefan Metzmacher1-0/+34
- add infrastructure start for having multiple directory partitions (backends) metze (This used to be commit 5103e7fe7873c0309461ad471f0529223d7c38eb)
2007-10-10r2509: add a struct ldapsrv_call which is simular to the dcesrv_call_state ↵Stefan Metzmacher1-8/+32
struct and related stuff... metze (This used to be commit dc1f8212ff717765c40ea5668e841db50e636748)
2007-10-10r2321: add complately untested LDAP server startStefan Metzmacher1-0/+43
based on volker's patch this is compiled by default but not started by default metze (This used to be commit 5387bc423d4dc669cbac6626f8dd3a5498a6519d)