Age | Commit message (Collapse) | Author | Files | Lines |
|
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator
w2k3 also allows this (and maybe more...?)
metze
(This used to be commit 40c27ef88df9021e9ef2a6c43aabab709ac9662f)
|
|
metze
(This used to be commit f860dd2dca391edf55975d582dda0c1d01ddb6e3)
|
|
mutiple flags not just 1 for being a global catalog
metze
(This used to be commit 202645e196b1425f9043bd34dd02a1418e2e3dd9)
|
|
metze
(This used to be commit d20d1872d5ed1176928b85ef9811c6a5177d0148)
|
|
way to setup a Samba4 DC is to set 'server role = domain controller'.
We use the fSMORoleOwner attribute in the base DN to determine the PDC.
This patch is quite large, as I have corrected a number of places that
assumed taht we are always the PDC, or that used the smb.conf
lp_server_role() to determine that.
Also included is a warning fix in the SAMR code, where the IDL has
seperated a couple of types for group display enumeration.
We also now use the ldb database to determine if we should run the
global catalog service.
In the near future, I will complete the DRSUAPI
DsGetDomainControllerInfo server-side on the same basis.
Andrew Bartlett
(This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
|
|
- ldb_dn_get_linearized
returns a const string
- ldb_dn_alloc_linearized
allocs astring with the linearized dn
(This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
|
|
This patch changes a lot of the code in ldb_dn.c, and also
removes and add a number of manipulation functions around.
The aim is to avoid validating a dn if not necessary as the
validation code is necessarily slow. This is mainly to speed up
internal operations where input is not user generated and so we
can assume the DNs need no validation. The code is designed to
keep the data as a string if possible.
The code is not yet 100% perfect, but pass all the tests so far.
A memleak is certainly present, I'll work on that next.
Simo.
(This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
|
|
metze
(This used to be commit fddcbf5d4cce77705be43956ea93895432b64aa1)
|
|
ldb_search_default_callback does the same...
metze
(This used to be commit 0edac60ec6f1e67de8e08f4e71e56b674915ad6e)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
(This used to be commit 889fb983ba1cf8a11424a8b3dc3a5ef76e780082)
|
|
dependency loops).
This moves the evaluation of the SASL mechansim list to display in the
rootDSE to the ldap server.
Andrew Bartlett
(This used to be commit 379da475e224d93c05d91b37902c121eb4007d97)
|
|
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
- http://gleg.net/protover_ldap_sample.shtml
Also fixes found by a subsequent audit of the code for similar issues.
(This used to be commit 441a4f6262459dabfefd9bb12622ada9c007a60c)
|
|
(This used to be commit 3ce1796eb4cca7fd78366ee540a998a1ca377866)
|
|
emacs compile mode (hint, paste to a file, and compile as "cat
filename").
This allowed me to fix nearly all the warnings for a IA_64 SuSE build
very quickly.
(This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
(This used to be commit 9910c01a3a5dd417c47e83b9c9b6df8f4547e816)
|
|
not aiming to produce a high performance parallel ldap server, so
better to reserve the extra CPUs on a SMP box for file serving.
(This used to be commit 45c0580e5d3b18301bc5706423bb407d001fb61d)
|
|
(This used to be commit df1fe1a5c543453d5500ded30a982e7795d88670)
|
|
(This used to be commit b07a783b9881c5df305b939cd2acf9ee69610e9c)
|
|
Syntaxes.
Generated by scripts that cross information from the Windows Schema and the
aggregate schema and cross verified by searching on the net
(This used to be commit 996452844a9ac3df10e8b2c63dc693e5a753fc9d)
|
|
(This used to be commit 1020edb0c721da8889f5ce93e5497bb34ebbf786)
|
|
configure check for the interfaces.
should fix the build on some old sun boxes
metze
(This used to be commit f20e251bfd9f1eb7ce5c00739631b1625a2aa467)
|
|
to do
(This used to be commit ad75cf869550af66119d0293503024d41d834e02)
|
|
(This used to be commit 9f79714389373735807c1ed8ec9f2fddaa77a9dc)
|
|
(This used to be commit 7dffabc744271b0ab98d00c0cc23600d1b536d29)
|
|
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
|
|
- give an operations error when tls is already on the socket
metze
(This used to be commit 9190d134c9be774c53f6dae52b7c4cdcc053d00f)
|
|
metze
(This used to be commit 0b16350fa2da39a66c4479dbf74182b06f7ed91a)
|
|
- we need this to later:
- to disallow a StartTLS when TLS is already in use
- to place the TLS socket between the raw and sasl socket
when we had a sasl bind before the StartTLS
- and rfc4513 says that the server may allow to remove the TLS from
the tcp connection again and reuse raw tcp
- and also a 2nd sasl bind should replace the old sasl socket
metze
(This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
|
|
metze
(This used to be commit e8db1fb55833ab7b9e0be391ff822b34682cb38c)
|
|
our certificate, and proceed with the connection is left as an
exercise for the reader...
Andrew Bartlett
(This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
|
|
routines to return an NTSTATUS. This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
|
|
errors to be reported corectly, rather than just dropping the socket.
Andrew Bartlett
(This used to be commit 83dd22accfd565e86d831490043d6beaa9648c96)
|
|
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
|
|
(This used to be commit a6709196ca4d50fdb84a562cd8f49db4275bb1dc)
|
|
(This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
|
|
(This used to be commit c6aa60c7e69abf1f83efc150b1c3ed02751c45fc)
|
|
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore
Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply
to reflect the real function of this structure.
Simo.
(This used to be commit 25fc7354049d62efeba17681ef1cdd326bc3f2ef)
|
|
The function pointer was meant to be unused, this patch fixes
partition.c to use ldb_sequence_number(). (No backend provided the
pointer any more).
Set the flags onto the ldb structure, so that all backends opened by
the partitions module inherit the flags.
Set the read-ony flag when accessed as the global catalog
Modify the LDAP server to track that this query is for the global
catalog (by incoming port), and set a opqaue pointer.
Next step is to read that opaque pointer in the partitions module.
Andrew Bartlett
(This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
|
|
The session_info was not being attached to the connection, so
subsequent checks in the kludge_acl module were looking at free()ed
memory.
Andrew Bartlett
(This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d)
|
|
initial request time is uninitialised, and this causes havoc later.
This also allows us to honour the client's wishes.
We should be doing this for all the operations...
Andrew Bartlett
(This used to be commit c8f5b1c9281072179cd3f3cf282cf376dca24ba0)
|
|
(This used to be commit 55d97ef88f377ef1dbf7b1774a15cf9035e2f320)
|
|
(This used to be commit 10d66aa61dab2e59e5a510cf34b1cfad86fc2529)
|
|
This reduces caller complexity, because the TLS code is now called
just like any other socket. (A new socket context is returned by the
tls_init_server and tls_init_client routines).
When TLS is not available, the original socket is returned.
Andrew Bartlett
(This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
|
|
(This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780)
|
|
even context again. We need to ensure we don't process packets until
we are finished setting up the connection, have the ldb in place etc.
We may need to do the same in other servers.
Andrew Bartlett
(This used to be commit 9bbc93bef2881251b734732d84bf0b2e5cf8b285)
|
|
system - these should be removed later on.
(This used to be commit 06547391669e064d2b92f5841b7df5f101a34cb9)
|
|
for REQUIRED_SUBSYSTEMS.
(This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
|
|
metze
(This used to be commit 07626bf3c7dc7162b852cc27e5a7c313ede3862a)
|