path: root/source4/ldap_server
Age | Commit message | Author | Files | Lines
2007-10-10 | r20906: allow LDAP simple binds using the following syntaxes in the DN field: | Stefan Metzmacher | 1 | -1/+1
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator
w2k3 also allows this (and maybe more...?)
metze
(This used to be commit 40c27ef88df9021e9ef2a6c43aabab709ac9662f)
2007-10-10 | r20407: the oMObjectClass values are not padded to 10 bytes! | Stefan Metzmacher | 1 | -4/+4
metze (This used to be commit f860dd2dca391edf55975d582dda0c1d01ddb6e3)
2007-10-10 | r20322: I assume the options attribute of the nTDSDSA object contains | Stefan Metzmacher | 1 | -2/+2
multiple flags, not just 1 for being a global catalog. metze (This used to be commit 202645e196b1425f9043bd34dd02a1418e2e3dd9)
2007-10-10 | r20189: remove unused struct element | Stefan Metzmacher | 1 | -2/+0
metze (This used to be commit d20d1872d5ed1176928b85ef9811c6a5177d0148)
2007-10-10 | r20149: Remove the smb.conf distinction between PDC and BDC. Now the correct | Andrew Bartlett | 1 | -5/+40
way to setup a Samba4 DC is to set 'server role = domain controller'. We use the fSMORoleOwner attribute in the base DN to determine the PDC. This patch is quite large, as I have corrected a number of places that assumed that we are always the PDC, or that used the smb.conf lp_server_role() to determine that. Also included is a warning fix in the SAMR code, where the IDL has separated a couple of types for group display enumeration. We also now use the ldb database to determine if we should run the global catalog service. In the near future, I will complete the DRSUAPI DsGetDomainControllerInfo server-side on the same basis. Andrew Bartlett (This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
2007-10-10 | r19832: better prototypes for the linearization functions: | Simo Sorce | 1 | -1/+1
- ldb_dn_get_linearized returns a const string
- ldb_dn_alloc_linearized allocs a string with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10 | r19831: Big ldb_dn optimization and interfaces enhancement patch | Simo Sorce | 2 | -23/+24
This patch changes a lot of the code in ldb_dn.c, and also removes and adds a number of manipulation functions around. The aim is to avoid validating a dn if not necessary, as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but passes all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10 | r19722: fix memory leaks and hierarchy bugs | Stefan Metzmacher | 1 | -4/+6
metze (This used to be commit fddcbf5d4cce77705be43956ea93895432b64aa1)
2007-10-10 | r19721: ldapsrv_SearchCallback isn't needed any more | Stefan Metzmacher | 1 | -60/+1
ldb_search_default_callback does the same... metze (This used to be commit 0edac60ec6f1e67de8e08f4e71e56b674915ad6e)
2007-10-10 | r19598: Ahead of a merge to current lorikeet-heimdal: | Andrew Bartlett | 2 | -0/+3
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10 | r19531: Make struct ldb_dn opaque and local to ldb_dn.c | Simo Sorce | 1 | -4/+7
(This used to be commit 889fb983ba1cf8a11424a8b3dc3a5ef76e780082)
2007-10-10 | r19522: Remove gensec and credentials dependency from the rootdse module (less | Andrew Bartlett | 2 | -1/+32
dependency loops). This moves the evaluation of the SASL mechanism list to display in the rootDSE to the ldap server. Andrew Bartlett (This used to be commit 379da475e224d93c05d91b37902c121eb4007d97)
2007-10-10 | r18989: Fixes found by these two LDAP testsuites: | Andrew Bartlett | 1 | -0/+4
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
- http://gleg.net/protover_ldap_sample.shtml
Also fixes found by a subsequent audit of the code for similar issues. (This used to be commit 441a4f6262459dabfefd9bb12622ada9c007a60c)
2007-10-10 | r18909: use newer functions that were introduced after this code was made | Simo Sorce | 1 | -7/+2
(This used to be commit 3ce1796eb4cca7fd78366ee540a998a1ca377866)
2007-10-10 | r18301: I discovered how to load the warnings from a build farm build into | Andrew Tridgell | 2 | -3/+3
emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for an IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10 | r17930: Merge noinclude branch: | Jelmer Vernooij | 3 | -3/+3
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/ (only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10 | r17829: Fix the order of the bytes | Simo Sorce | 1 | -8/+8
(This used to be commit 9910c01a3a5dd417c47e83b9c9b6df8f4547e816)
2007-10-10 | r17644: change the ldap server to always use the single process model. We are | Andrew Tridgell | 1 | -2/+8
not aiming to produce a high performance parallel ldap server, so better to reserve the extra CPUs on an SMP box for file serving. (This used to be commit 45c0580e5d3b18301bc5706423bb407d001fb61d)
2007-10-10 | r17642: some more mappings | Simo Sorce | 1 | -3/+7
(This used to be commit df1fe1a5c543453d5500ded30a982e7795d88670)
2007-10-10 | r17641: some more info, add oMObjectClass values (binary :-/) | Simo Sorce | 1 | -23/+24
(This used to be commit b07a783b9881c5df305b939cd2acf9ee69610e9c)
2007-10-10 | r17632: These are the most accurate mappings between LDAP OID Syntaxes and AD | Simo Sorce | 1 | -0/+74
Syntaxes. Generated by scripts that cross information from the Windows Schema and the aggregate schema, and cross-verified by searching on the net. (This used to be commit 996452844a9ac3df10e8b2c63dc693e5a753fc9d)
2007-10-10 | r17631: Some syntaxes from MS in a now vanished internet draft | Simo Sorce | 1 | -0/+137
(This used to be commit 1020edb0c721da8889f5ce93e5497bb34ebbf786)
2007-10-10 | r17586: merge lib/netif into lib/socket and use -lnsl -lsocket on the | Stefan Metzmacher | 1 | -1/+1
configure check for the interfaces. Should fix the build on some old sun boxes. metze (This used to be commit f20e251bfd9f1eb7ce5c00739631b1625a2aa467)
2007-10-10 | r17516: Change helper function names to make more clear what they are meant | Simo Sorce | 1 | -1/+1
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10 | r17434: update our index | Simo Sorce | 1 | -1/+24
(This used to be commit 9f79714389373735807c1ed8ec9f2fddaa77a9dc)
2007-10-10 | r17433: remove obsoleted RFCs | Simo Sorce | 9 | -8993/+1
(This used to be commit 7dffabc744271b0ab98d00c0cc23600d1b536d29)
2007-10-10 | r17341: pass a messaging context to auth_context_create() | Stefan Metzmacher | 1 | -4/+10
and gensec_server_start(). Calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10 | r17251: - split out the starttls into its own function | Stefan Metzmacher | 1 | -42/+96
- give an operations error when tls is already on the socket
metze (This used to be commit 9190d134c9be774c53f6dae52b7c4cdcc053d00f)
2007-10-10 | r17240: move extended operations to a new file | Stefan Metzmacher | 3 | -78/+98
metze (This used to be commit 0b16350fa2da39a66c4479dbf74182b06f7ed91a)
2007-10-10 | r17237: - keep pointer to the different sockets | Stefan Metzmacher | 4 | -3/+10
- we need this to later:
  - to disallow a StartTLS when TLS is already in use
  - to place the TLS socket between the raw and sasl socket when we had a sasl bind before the StartTLS
  - and rfc4513 says that the server may allow to remove the TLS from the tcp connection again and reuse raw tcp
  - and also a 2nd sasl bind should replace the old sasl socket
metze (This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
2007-10-10 | r17226: add some comments about ldap binds and pending requests | Stefan Metzmacher | 1 | -0/+14
metze (This used to be commit e8db1fb55833ab7b9e0be391ff822b34682cb38c)
2007-10-10 | r17224: Accept the start-tls extended request. Getting OpenLDAP to recognise | Andrew Bartlett | 1 | -1/+58
our certificate, and proceed with the connection is left as an exercise for the reader... Andrew Bartlett (This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
2007-10-10 | r17222: Change the function prototypes for the GENSEC and TLS socket creation | Andrew Bartlett | 2 | -16/+25
routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-through' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10 | r17215: Prepare the SASL socket before actually setting it. This allows | Andrew Bartlett | 1 | -29/+51
errors to be reported correctly, rather than just dropping the socket. Andrew Bartlett (This used to be commit 83dd22accfd565e86d831490043d6beaa9648c96)
2007-10-10 | r17197: This patch moves the encryption of bulk data on SASL negotiated security | Andrew Bartlett | 4 | -115/+49
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer.

Unusual in this patch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation:

+-----------------+---------------------+
| SASL Packet #1  | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1  | LDAP Packet #2      |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10 | r17193: Remove ancient stuff never really used | Simo Sorce | 2 | -364/+0
(This used to be commit a6709196ca4d50fdb84a562cd8f49db4275bb1dc)
2007-10-10 | r17189: Add the new LDAP rfc series | Simo Sorce | 24 | -0/+27176
(This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
2007-10-10 | r17186: "async" word abuse clean-up part 2 | Simo Sorce | 1 | -3/+3
(This used to be commit c6aa60c7e69abf1f83efc150b1c3ed02751c45fc)
2007-10-10 | r17185: Oh, I wanted to do this for sooo long time. | Simo Sorce | 1 | -2/+2
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore. Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result; it is now ldb_reply to reflect the real function of this structure. Simo. (This used to be commit 25fc7354049d62efeba17681ef1cdd326bc3f2ef)
2007-10-10 | r16972: Replace the sequence_number function pointer in ldb with the ldb flags. | Andrew Bartlett | 3 | -2/+11
The function pointer was meant to be unused; this patch fixes partition.c to use ldb_sequence_number(). (No backend provided the pointer any more). Set the flags onto the ldb structure, so that all backends opened by the partitions module inherit the flags. Set the read-only flag when accessed as the global catalog. Modify the LDAP server to track that this query is for the global catalog (by incoming port), and set an opaque pointer. Next step is to read that opaque pointer in the partitions module. Andrew Bartlett (This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
2007-10-10 | r16795: Fix crash found by Dave Fenwick <djf@samba.org>. | Andrew Bartlett | 1 | -0/+2
The session_info was not being attached to the connection, so subsequent checks in the kludge_acl module were looking at free()ed memory. Andrew Bartlett (This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d)
2007-10-10 | r16234: Set the request timeout from the LDAP search. Without this, the | Andrew Bartlett | 1 | -1/+3
initial request time is uninitialised, and this causes havoc later. This also allows us to honour the client's wishes. We should be doing this for all the operations... Andrew Bartlett (This used to be commit c8f5b1c9281072179cd3f3cf282cf376dca24ba0)
2007-10-10 | r15944: rename LDB_ASYNC_ADD -> LDB_ADD, LDB_ASYNC_MODIFY -> LDB_MODIFY, etc... | Simo Sorce | 1 | -1/+1
(This used to be commit 55d97ef88f377ef1dbf7b1774a15cf9035e2f320)
2007-10-10 | r15933: remove the last sync call to ldb_request | Simo Sorce | 1 | -4/+73
(This used to be commit 10d66aa61dab2e59e5a510cf34b1cfad86fc2529)
2007-10-10 | r15400: Move the TLS code behind the socket interface. | Andrew Bartlett | 2 | -12/+8
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10 | r15379: Fix shared library build's unresolved dependencies | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780)
2007-10-10 | r15317: Because LDB is now async, there are more places where we might run the | Andrew Bartlett | 1 | -15/+22
event context again. We need to ensure we don't process packets until we are finished setting up the connection, have the ldb in place etc. We may need to do the same in other servers. Andrew Bartlett (This used to be commit 9bbc93bef2881251b734732d84bf0b2e5cf8b285)
2007-10-10 | r15301: Use static libraries internally. This required a few hacks in the build | Jelmer Vernooij | 1 | -1/+3
system - these should be removed later on. (This used to be commit 06547391669e064d2b92f5841b7df5f101a34cb9)
2007-10-10 | r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacement | Jelmer Vernooij | 1 | -1/+1
for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10 | r14857: fix bugs noticed by the ibm code checker | Stefan Metzmacher | 1 | -3/+4
metze (This used to be commit 07626bf3c7dc7162b852cc27e5a7c313ede3862a)