summaryrefslogtreecommitdiff
path: root/source4/ldap_server
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r23816: A little more static, but leave the dead code testjoin.c as ↵Andrew Bartlett1-1/+1
documentation. Andrew Bartlett (This used to be commit 6679003c0553804333f0090a91e1fe53837ceb47)
2007-10-10r23792: convert Samba4 to GPLv3Andrew Tridgell5-15/+10
There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa)
2007-10-10r23762: Fix DN renames over LDAP, and instrument the partition module. Add aAndrew Bartlett1-0/+1
test to prove the behaviour of LDAP renames etc. Fix LDB to return correct error code when failing to rename one DN onto another. Andrew Bartlett (This used to be commit 3f3da9c4710b7752ed97f55c2fc3d32a63d352af)
2007-10-10r23036: error checking on asn1_init() failureAndrew Tridgell1-1/+3
(This used to be commit 26cf8494084c0106ef0e1c9b6ef40eeadf945ef2)
2007-10-10r23030: finally fixed up our asn1 code to use better memory allocation. ThisAndrew Tridgell1-5/+5
should allow us to fix some long standing memory leaks. (This used to be commit 3db49c2ec9968221c1361785b94061046ecd159d)
2007-10-10r22403: this dependencies should be privateStefan Metzmacher1-3/+4
metze (This used to be commit c3cc03ffb290cb7c1eba51e98c52e5e7c1aba5fb)
2007-10-10r21806: I've been working over the last week to fix up the LDAP backend forAndrew Bartlett1-2/+4
Samba4. This only broke on global catalog queries, which turned out to be due to changes in the partitions module that metze needed for his DRSUAPI work. I've reworked partitions.c to always include the 'problematic' control, and therefore demonstrated that this is the issue. This ensures consistency, and should help with finding issues like this in future. As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to be linearised, I've added logic to allow it to be skipped when creating network packets. I've likewise make our LDAP server skip unknown controls, when marked 'not critical' on it's input, rather than just dropping the entire request. I need some help to generate a correct error packet when it is marked critical. Further work could perhaps be to have the ldap_encode routine return a textual description of what failed to encode, as that would have saved me a lot of time... Andrew Bartlett (This used to be commit eef710668f91d1bbaa2d834d9e653e11c8aac817)
2007-10-10r21511: this seems to be the nicer fix for the problem withStefan Metzmacher1-8/+4
the windows 2000 LDAP client metze (This used to be commit d40465470fa09827ea529e1f2c80bca9efc152a8)
2007-10-10r21496: A number of ldb control and LDAP changes, surrounding theAndrew Bartlett1-4/+15
'phantom_root' flag in the search_options control - Add in support for LDB controls to the js layer - Test the behaviour - Implement support for the 'phantom_root' flag in the partitions module - Make the LDAP server set the 'phantom_root' flag in the search_options control - This replaces the global_catalog flag passed down as an opaque pointer - Rework the string-format control parsing function into ldb_parse_control_strings(), returning errors by ldb_errorstring() method, rather than with printf to stderr - Rework some of the ldb_control handling logic Andrew Bartlett (This used to be commit 2b3df7f38d7790358dbb4de1b8609bf794a351fb)
2007-10-10r20906: allow LDAP simple binds using the following syntaxes in the DN field:Stefan Metzmacher1-1/+1
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base Administrator@W2K3 W2K3\Administrator w2k3.vmnet1.vm.base/Users/Administrator w2k3 also allows this (and maybe more...?) metze (This used to be commit 40c27ef88df9021e9ef2a6c43aabab709ac9662f)
2007-10-10r20407: the oMObjectClass values are not padded to 10 bytes!Stefan Metzmacher1-4/+4
metze (This used to be commit f860dd2dca391edf55975d582dda0c1d01ddb6e3)
2007-10-10r20322: I assume the options attribute of the nTDSDSA object containsStefan Metzmacher1-2/+2
mutiple flags not just 1 for being a global catalog metze (This used to be commit 202645e196b1425f9043bd34dd02a1418e2e3dd9)
2007-10-10r20189: remove unused struct elementStefan Metzmacher1-2/+0
metze (This used to be commit d20d1872d5ed1176928b85ef9811c6a5177d0148)
2007-10-10r20149: Remove the smb.conf distinction between PDC and BDC. Now the correctAndrew Bartlett1-5/+40
way to setup a Samba4 DC is to set 'server role = domain controller'. We use the fSMORoleOwner attribute in the base DN to determine the PDC. This patch is quite large, as I have corrected a number of places that assumed taht we are always the PDC, or that used the smb.conf lp_server_role() to determine that. Also included is a warning fix in the SAMR code, where the IDL has seperated a couple of types for group display enumeration. We also now use the ldb database to determine if we should run the global catalog service. In the near future, I will complete the DRSUAPI DsGetDomainControllerInfo server-side on the same basis. Andrew Bartlett (This used to be commit 67d8365e831adf3eaecd8b34dcc481fc82565893)
2007-10-10r19832: better prototypes for the linearization functions:Simo Sorce1-1/+1
- ldb_dn_get_linearized returns a const string - ldb_dn_alloc_linearized allocs astring with the linearized dn (This used to be commit 3929c086d5d0b3f08b1c4f2f3f9602c3f4a9a4bd)
2007-10-10r19831: Big ldb_dn optimization and interfaces enhancement patchSimo Sorce2-23/+24
This patch changes a lot of the code in ldb_dn.c, and also removes and add a number of manipulation functions around. The aim is to avoid validating a dn if not necessary as the validation code is necessarily slow. This is mainly to speed up internal operations where input is not user generated and so we can assume the DNs need no validation. The code is designed to keep the data as a string if possible. The code is not yet 100% perfect, but pass all the tests so far. A memleak is certainly present, I'll work on that next. Simo. (This used to be commit a580c871d3784602a9cce32d33419e63c8236e63)
2007-10-10r19722: fix memory leaks and hierachie bugsStefan Metzmacher1-4/+6
metze (This used to be commit fddcbf5d4cce77705be43956ea93895432b64aa1)
2007-10-10r19721: ldapsrv_SearchCallback isn't needed any moreStefan Metzmacher1-60/+1
ldb_search_default_callback does the same... metze (This used to be commit 0edac60ec6f1e67de8e08f4e71e56b674915ad6e)
2007-10-10r19598: Ahead of a merge to current lorikeet-heimdal:Andrew Bartlett2-0/+3
Break up auth/auth.h not to include the world. Add credentials_krb5.h with the kerberos dependent prototypes. Andrew Bartlett (This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
2007-10-10r19531: Make struct ldb_dn opaque and local to ldb_dn.cSimo Sorce1-4/+7
(This used to be commit 889fb983ba1cf8a11424a8b3dc3a5ef76e780082)
2007-10-10r19522: Remove gensec and credentials dependency from the rootdse module (lessAndrew Bartlett2-1/+32
dependency loops). This moves the evaluation of the SASL mechansim list to display in the rootDSE to the ldap server. Andrew Bartlett (This used to be commit 379da475e224d93c05d91b37902c121eb4007d97)
2007-10-10r18989: Fixes found by these two LDAP testsuites:Andrew Bartlett1-0/+4
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/ - http://gleg.net/protover_ldap_sample.shtml Also fixes found by a subsequent audit of the code for similar issues. (This used to be commit 441a4f6262459dabfefd9bb12622ada9c007a60c)
2007-10-10r18909: use newer functions that were introduced after this code was madeSimo Sorce1-7/+2
(This used to be commit 3ce1796eb4cca7fd78366ee540a998a1ca377866)
2007-10-10r18301: I discovered how to load the warnings from a build farm build intoAndrew Tridgell2-3/+3
emacs compile mode (hint, paste to a file, and compile as "cat filename"). This allowed me to fix nearly all the warnings for a IA_64 SuSE build very quickly. (This used to be commit eba6c84efff735bb0ca941ac4b755ce2b0591667)
2007-10-10r17930: Merge noinclude branch:Jelmer Vernooij3-3/+3
* Move dlinklist.h, smb.h to subsystem-specific directories * Clean up ads.h and move what is left of it to dsdb/ (only place where it's used) (This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
2007-10-10r17829: Fix the order of the bytesSimo Sorce1-8/+8
(This used to be commit 9910c01a3a5dd417c47e83b9c9b6df8f4547e816)
2007-10-10r17644: change the ldap server to always use the single process model. We areAndrew Tridgell1-2/+8
not aiming to produce a high performance parallel ldap server, so better to reserve the extra CPUs on a SMP box for file serving. (This used to be commit 45c0580e5d3b18301bc5706423bb407d001fb61d)
2007-10-10r17642: some more mappingsSimo Sorce1-3/+7
(This used to be commit df1fe1a5c543453d5500ded30a982e7795d88670)
2007-10-10r17641: some more info, add oMObjectClass values (binary :-/)Simo Sorce1-23/+24
(This used to be commit b07a783b9881c5df305b939cd2acf9ee69610e9c)
2007-10-10r17632: This is the most accurate mappings between LDAP OID Syntaxes and AD ↵Simo Sorce1-0/+74
Syntaxes. Generated by scripts that cross information from the Windows Schema and the aggregate schema and cross verified by searching on the net (This used to be commit 996452844a9ac3df10e8b2c63dc693e5a753fc9d)
2007-10-10r17631: Some syntaxes from MS in a now vanished internet draftSimo Sorce1-0/+137
(This used to be commit 1020edb0c721da8889f5ce93e5497bb34ebbf786)
2007-10-10r17586: merge lib/netif into lib/socket and use -lnsl -lsocket on theStefan Metzmacher1-1/+1
configure check for the interfaces. should fix the build on some old sun boxes metze (This used to be commit f20e251bfd9f1eb7ce5c00739631b1625a2aa467)
2007-10-10r17516: Change helper function names to make more clear what they are meant ↵Simo Sorce1-1/+1
to do (This used to be commit ad75cf869550af66119d0293503024d41d834e02)
2007-10-10r17434: update our indexSimo Sorce1-1/+24
(This used to be commit 9f79714389373735807c1ed8ec9f2fddaa77a9dc)
2007-10-10r17433: remove obsoleted RFCsSimo Sorce9-8993/+1
(This used to be commit 7dffabc744271b0ab98d00c0cc23600d1b536d29)
2007-10-10r17341: pass a messaging context to auth_context_create()Stefan Metzmacher1-4/+10
and gensec_server_start(). calling them with NULL for event context or messaging context is no longer allowed! metze (This used to be commit 679ac74e71b111344f1097ab389c0b83a9247710)
2007-10-10r17251: - split out the starttls into its own functionStefan Metzmacher1-42/+96
- give an operations error when tls is already on the socket metze (This used to be commit 9190d134c9be774c53f6dae52b7c4cdcc053d00f)
2007-10-10r17240: move extended operations to a new fileStefan Metzmacher3-78/+98
metze (This used to be commit 0b16350fa2da39a66c4479dbf74182b06f7ed91a)
2007-10-10r17237: - keep pointer to the different socketsStefan Metzmacher4-3/+10
- we need this to later: - to disallow a StartTLS when TLS is already in use - to place the TLS socket between the raw and sasl socket when we had a sasl bind before the StartTLS - and rfc4513 says that the server may allow to remove the TLS from the tcp connection again and reuse raw tcp - and also a 2nd sasl bind should replace the old sasl socket metze (This used to be commit 10cb9c07ac60b03472f2b0b09c4581cc715002ba)
2007-10-10r17226: add some comments about ldap binds and pending requestsStefan Metzmacher1-0/+14
metze (This used to be commit e8db1fb55833ab7b9e0be391ff822b34682cb38c)
2007-10-10r17224: Accept the start-tls extended request. Getting OpenLDAP to recogniseAndrew Bartlett1-1/+58
our certificate, and proceed with the connection is left as an exercise for the reader... Andrew Bartlett (This used to be commit 9bd66d4c95dd971e2b1b6371ba3ffc6c178c0d4c)
2007-10-10r17222: Change the function prototypes for the GENSEc and TLS socket creationAndrew Bartlett2-16/+25
routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10r17215: Prepare the SASL socket before actually settting it. This allowsAndrew Bartlett1-29/+51
errors to be reported corectly, rather than just dropping the socket. Andrew Bartlett (This used to be commit 83dd22accfd565e86d831490043d6beaa9648c96)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett4-115/+49
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r17193: Remove ancient stuff never really usedSimo Sorce2-364/+0
(This used to be commit a6709196ca4d50fdb84a562cd8f49db4275bb1dc)
2007-10-10r17189: Add the new LDAP rfc seriesSimo Sorce24-0/+27176
(This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
2007-10-10r17186: "async" word abuse clean-up part 2Simo Sorce1-3/+3
(This used to be commit c6aa60c7e69abf1f83efc150b1c3ed02751c45fc)
2007-10-10r17185: Oh, I wanted to do this for sooo long time.Simo Sorce1-2/+2
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply to reflect the real function of this structure. Simo. (This used to be commit 25fc7354049d62efeba17681ef1cdd326bc3f2ef)
2007-10-10r16972: Replace the sequence_number function pointer in ldb with the ldb flags.Andrew Bartlett3-2/+11
The function pointer was meant to be unused, this patch fixes partition.c to use ldb_sequence_number(). (No backend provided the pointer any more). Set the flags onto the ldb structure, so that all backends opened by the partitions module inherit the flags. Set the read-ony flag when accessed as the global catalog Modify the LDAP server to track that this query is for the global catalog (by incoming port), and set a opqaue pointer. Next step is to read that opaque pointer in the partitions module. Andrew Bartlett (This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
2007-10-10r16795: Fix crash found by Dave Fenwick <djf@samba.org>.Andrew Bartlett1-0/+2
The session_info was not being attached to the connection, so subsequent checks in the kludge_acl module were looking at free()ed memory. Andrew Bartlett (This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d)