path: root/source4/ldap_server
Age | Commit message | Author | Files | Lines
2007-10-10 | r17197: This patch moves the encryption of bulk data on SASL negotiated security | Andrew Bartlett | 4 | -115/+49
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket layer.
Unusual in this patch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation:

+-----------------+---------------------+
| SASL Packet #1  | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket.
Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code.
The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10 | r17193: Remove ancient stuff never really used | Simo Sorce | 2 | -364/+0
(This used to be commit a6709196ca4d50fdb84a562cd8f49db4275bb1dc)
2007-10-10 | r17189: Add the new LDAP rfc series | Simo Sorce | 24 | -0/+27176
(This used to be commit d3f8b813b33d1338e62f099017a1d4a32745e7a2)
2007-10-10 | r17186: "async" word abuse clean-up part 2 | Simo Sorce | 1 | -3/+3
(This used to be commit c6aa60c7e69abf1f83efc150b1c3ed02751c45fc)
2007-10-10 | r17185: Oh, I wanted to do this for sooo long time. | Simo Sorce | 1 | -2/+2
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore
Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply to reflect the real function of this structure.
Simo.
(This used to be commit 25fc7354049d62efeba17681ef1cdd326bc3f2ef)
2007-10-10 | r16972: Replace the sequence_number function pointer in ldb with the ldb flags. | Andrew Bartlett | 3 | -2/+11
The function pointer was meant to be unused, this patch fixes partition.c to use ldb_sequence_number(). (No backend provided the pointer any more).
Set the flags onto the ldb structure, so that all backends opened by the partitions module inherit the flags.
Set the read-only flag when accessed as the global catalog
Modify the LDAP server to track that this query is for the global catalog (by incoming port), and set an opaque pointer.
Next step is to read that opaque pointer in the partitions module.
Andrew Bartlett
(This used to be commit a1161cb30e4ffa09657a89e03ca85dd6efd4feba)
2007-10-10 | r16795: Fix crash found by Dave Fenwick <djf@samba.org>. | Andrew Bartlett | 1 | -0/+2
The session_info was not being attached to the connection, so subsequent checks in the kludge_acl module were looking at free()ed memory. Andrew Bartlett (This used to be commit 7e9079ac7af0bcd5d22040c7418cf58f86a72a1d)
2007-10-10 | r16234: Set the request timeout from the LDAP search. Without this, the | Andrew Bartlett | 1 | -1/+3
initial request time is uninitialised, and this causes havoc later. This also allows us to honour the client's wishes. We should be doing this for all the operations... Andrew Bartlett (This used to be commit c8f5b1c9281072179cd3f3cf282cf376dca24ba0)
2007-10-10 | r15944: rename LDB_ASYNC_ADD -> LDB_ADD, LDB_ASYNC_MODIFY -> LDB_MODIFY, etc... | Simo Sorce | 1 | -1/+1
(This used to be commit 55d97ef88f377ef1dbf7b1774a15cf9035e2f320)
2007-10-10 | r15933: remove the last sync call to ldb_request | Simo Sorce | 1 | -4/+73
(This used to be commit 10d66aa61dab2e59e5a510cf34b1cfad86fc2529)
2007-10-10 | r15400: Move the TLS code behind the socket interface. | Andrew Bartlett | 2 | -12/+8
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10 | r15379: Fix shared library build's unresolved dependencies | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 0fafa2e59566f8f892d7dfd7dd33d0100b96a780)
2007-10-10 | r15317: Because LDB is now async, there are more places where we might run the | Andrew Bartlett | 1 | -15/+22
event context again. We need to ensure we don't process packets until we are finished setting up the connection, have the ldb in place etc. We may need to do the same in other servers. Andrew Bartlett (This used to be commit 9bbc93bef2881251b734732d84bf0b2e5cf8b285)
2007-10-10 | r15301: Use static libraries internally. This required a few hacks in the build | Jelmer Vernooij | 1 | -1/+3
system - these should be removed later on. (This used to be commit 06547391669e064d2b92f5841b7df5f101a34cb9)
2007-10-10 | r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacement | Jelmer Vernooij | 1 | -1/+1
for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10 | r14857: fix bugs noticed by the ibm code checker | Stefan Metzmacher | 1 | -3/+4
metze (This used to be commit 07626bf3c7dc7162b852cc27e5a7c313ede3862a)
2007-10-10 | r14673: Don't double-free conn, it is below 'c' free'ed by | Andrew Bartlett | 1 | -2/+0
stream_terminate_connection() Andrew Bartlett (This used to be commit a6c797986053ecf6bbce54028d7ea4106635c558)
2007-10-10 | r14567: Make some more functions public. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit 8e84e6cb6b172c89072723e07f344da8f4476c1f)
2007-10-10 | r14079: I just found the setproctitle library from alt linux:-) | Stefan Metzmacher | 1 | -0/+2
- add set_title hook to the process models
- use setproctitle library in process_model standard if available
- the the title for the task servers and on connections
metze
(This used to be commit 526f20bbecc9bbd607595637c15fc4001d3f0c70)
2007-10-10 | r14078: move ldb_global_init() to the main smbd code, | Stefan Metzmacher | 1 | -2/+0
to fix the process_model standard metze (This used to be commit a465126e15490c5605064eb2387fb589d312db7b)
2007-10-10 | r13998: From now on ldb_request() will require an alloced request | Simo Sorce | 1 | -10/+12
By freeing the request you will be sure everything down the path gets freed. This also means you have to steal the results if you want to keep them :)
simo.
(This used to be commit e8075e6a062ce5edb84485e45d0b841c2ee2af7d)
2007-10-10 | r13941: fix the build | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit d9da948b0f7f9698decc140a0a549d27675d14e4)
2007-10-10 | r13926: More header splitups. | Jelmer Vernooij | 1 | -0/+1
(This used to be commit 930daa9f416ecba1d75b8ad46bb42e336545672f)
2007-10-10 | r13924: Split more prototypes out of include/proto.h + initial work on header | Jelmer Vernooij | 3 | -0/+5
file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781)
2007-10-10 | r13812: fix compiler warning | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit 1340cb1f3bdbde4d3759d77b28631611c4e150bb)
2007-10-10 | r13786: [merge] Add registration functions for LDB modules | Jelmer Vernooij | 1 | -0/+2
Applications that use LDB modules will now have to run ldb_global_init() before they can use LDB. The next step will be adding support for loading LDB modules from .so files. This will also allow us to use one LDB without difference between the standalone and the Samba-specific build (This used to be commit 52a235650514039bf8ffee99a784bbc1b6ae6b92)
2007-10-10 | r13609: Get in the initial work on making ldb async | Simo Sorce | 1 | -47/+2
Currently only ldb_ildap is async, the plan is to first make all backends support the async calls, and then remove the sync functions from backends and keep them only in the API. Modules will need to be transformed along the way.
Simo
(This used to be commit 1e2c13b2d52de7c534493dd79a2c0596a3e8c1f5)
2007-10-10 | r13606: An attempt to fix #3525. | Andrew Bartlett | 1 | -12/+8
The problem was that the supportedControls were being stolen into the result sent to the client, then talloc_free()ed. This caused them to be invalid on the next rootDSE query. This also tries to avoid attaching the result to the long-term samdb context, and avoids an extra loop in the result processing (pointed out by tridge).
Andrew Bartlett
(This used to be commit d0b8957f38fda4d84a318d6121ad87ba53a9ddb3)
2007-10-10 | r13508: some ASN.1 element in LDAP are optional, | Stefan Metzmacher | 2 | -11/+25
make it possible to code the difference between a zero length and a NULL DATA_BLOB... metze (This used to be commit 54f0b19c55df8ad3882f31a114e2ea0e4cf940ae)
2007-10-10 | r13357: more docs | Simo Sorce | 2 | -0/+674
(This used to be commit 5af9086deafc88aa1f9256cc0090592ecbd62203)
2007-10-10 | r13339: Propagate more error information into the error packet and reformat the | Andrew Bartlett | 1 | -38/+49
code a little. This also fixes a segfault when we didn't fill in the error message. Andrew Bartlett (This used to be commit 3be01a4ac7efe8d161910e8339bfe42584c0db86)
2007-10-10 | r13307: docs | Simo Sorce | 1 | -0/+787
(This used to be commit e56630d1f8688ff3ff334893a4bc49dff8e36fe2)
2007-10-10 | r12917: fix decoding of ldap controls | Simo Sorce | 2 | -1/+25
some more work on timeouts (This used to be commit a7e2fe3cb33be2effff7eb764047567f2da3cd55)
2007-10-10 | r12905: add some ldap policies | Simo Sorce | 1 | -7/+99
not yet enforced except for the initial connection timeout (This used to be commit fa1ae9a44b0321b8e458bcb7fd1dcc9475b9bad3)
2007-10-10 | r12880: Remove ldap partitions useless now and probably we | Simo Sorce | 6 | -785/+604
will not use it anyway as we plan to support partitions in ldb directly like with rootdse
Merge ldap_simple_ldb into ldap_backend, it is not simple anymore and makes no sense to have it separated now that ldap partitions are gone
Initial attempt at working to some limit to avoid DOSs for the ldap server.
Simo.
(This used to be commit 97bff3e049eba48019f2b0f3eb5a19e32fef2e23)
2007-10-10 | r12804: This patch reworks the Samba4 sockets layer to use a socket_address | Andrew Bartlett | 1 | -1/+8
structure that is more generic than just 'IP/port'. It now passes make test, and has been reviewed and updated by metze. (Thank you *very* much). This passes 'make test' as well as kerberos use (not currently in the testsuite). The original purpose of this patch was to have Samba able to pass a socket address structure from the BSD layer into the kerberos routines and back again. It also removes nbt_peer_addr, which was being used for a similar purpose. It is a large change, but worthwhile I feel.
Andrew Bartlett
(This used to be commit 88198c4881d8620a37086f80e4da5a5b71c5bbb2)
2007-10-10 | r12792: fix compiler warning | Stefan Metzmacher | 1 | -1/+0
metze (This used to be commit 1eca5f46c60d09fccbef5e605c06b1b3e3b65feb)
2007-10-10 | r12733: Merge ldap/ldb controls into main tree | Simo Sorce | 4 | -28/+80
There's still a lot of work to do but the patch is stable enough to be pushed into the main samba4 tree.
Simo.
(This used to be commit 77125feaff252cab44d26593093a9c211c846ce8)
2007-10-10 | r12694: Move some headers to the directory of the subsystem they belong to. | Jelmer Vernooij | 1 | -1/+1
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10 | r12686: Push the real SASL list into the rootdse. | Andrew Bartlett | 4 | -16/+25
Get this out of the server credentials, and push it down to ldb via an opaque pointer. Andrew Bartlett (This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
2007-10-10 | r12608: Remove some unused #include lines. | Jelmer Vernooij | 3 | -5/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10 | r12595: There was no comment on the mailing list, so kill the 'ldapsrv:samdb' | Andrew Bartlett | 1 | -16/+0
parameter. It isn't useful with so many other things in the ldap server opening the database directly. Best to run this as a separate process, and change the global options.
Andrew Bartlett
(This used to be commit 34d6220cec763eefa9313f5a39ce7a73b238f7f0)
2007-10-10 | r12542: Move some more prototypes out to separate headers | Jelmer Vernooij | 2 | -0/+2
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10 | r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not using | Jelmer Vernooij | 1 | -1/+1
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10 | r12360: Add simple bind support into our LDAP server. | Andrew Bartlett | 1 | -2/+42
Needs changes to our client code for automated testing. Andrew Bartlett (This used to be commit e751d814149d847ff1699542a4fa81eb8ca129ec)
2007-10-10 | r12227: I realised that I wasn't yet seeing authenticated LDAP for the ldb | Andrew Bartlett | 1 | -5/+2
backend. The idea is that every time we open an LDB, we can provide a session_info and/or credentials. This would allow any ldb to be remote to LDAP. We should also support provisioning to an authenticated ldap server. (They are separate so we can say authenticate as foo for remote, but here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
2007-10-10 | r12148: add the docs for the paged results control | Simo Sorce | 1 | -0/+395
(This used to be commit 9fab4ab2724d8276765cb42f5e8e177c4ef1ca20)
2007-10-10 | r12126: get rid of the local ->terminate hacks, we do that generically now | Stefan Metzmacher | 2 | -39/+10
metze (This used to be commit a7baf165c10c00096265b790d5362905c527806a)
2007-10-10 | r11958: - fixed memory leaks in the ldb_result handling in ldb operations | Andrew Tridgell | 1 | -2/+2
- removed an unnecessary level of pointer in ldb_search structure (This used to be commit b8d4afb14a18dfd8bac79882a035e74d3ed312bd)
2007-10-10 | r11955: got rid of the old rootDSE code in the ldap server. | Andrew Tridgell | 5 | -394/+0
The partitioning logic is still there, but we only have one partition. If we need partitioning in the future it might be better to remove this partitioning code and use a partitioning module instead (This used to be commit f4685e7dc9bdc3b9e240c9f5891b9da9251f82e5)