Age | Commit message (Collapse) | Author | Files | Lines |
|
allows us to parse and handle the complex queries we are getting from
w2k, such as
(|(|(&(!(groupType:1.2.840.113556.1.4.803=1))(groupType:1.2.840.113556.1.4.803=2147483648)(groupType:1.2.840.113556.1.4.804=6))(samAccountType=805306368))(samAccountType=805306369))
(This used to be commit 041bce591306a0fb26bd31fe371e30021ea5c0c1)
|
|
instead of a search expression. This allows our ldap server to pass
its ASN.1 parsed search expressions straight to ldb, instead of going
via strings.
- updated all the ldb modules code to handle the new interface
- got rid of the separate ldb_parse.h now that the ldb_parse
structures are exposed externally
- moved to C99 structure initialisation in ldb
- switched ldap server to using ldb_search_bytree()
(This used to be commit 96620ab2ee5d440bbbc51c1bc0cad9977770f897)
|
|
ldb_parse_tree. This also fixes the error handling.
next step will be to pass the parse tree straight into ldb, avoiding
the string encoding completely.
(This used to be commit 235cf625e20767c8d5d30c5955ae45e1fdf88bf2)
|
|
the original one in lib/ldb/ instead. Having two copies of this code
is silly.
(This used to be commit 0e9f18c44858b692c724c004f362de9e3dc15db5)
|
|
- added support for guids in cldap netlogon searches.
the cldap server now passes the LDAP-CLDAP torture test
(This used to be commit eb7979d9def389942fa1c54693d2dfcb8828f544)
|
|
ldap friendly filter strings
(This used to be commit 8890dd3ac331cffe83226a356c52df89c917c2b0)
|
|
- expose the ldap filter string parsing outside of ldap.c
(This used to be commit b644ff6fe164fbe359c47e4d34f5ad490ff61d5b)
|
|
- support 'modrdn' ldif
metze
(This used to be commit b6a1734699953964fcde6fe6ea7048496492eb33)
|
|
(This used to be commit 2b36f1dfdd6cf3ab89f63b541ae4cd905fb03c8d)
|
|
- added support for binary encoded search filters
- fixed some const handling
- changed the message type to an enum, to help debugging
(This used to be commit d5353b63428698d1ce95c50e2626f1841fa637e3)
|
|
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
|
|
thinks are not needed. Now to see how this fares on the build farm :)
(This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
|
|
(This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561)
|
|
(This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e)
|
|
less likely that anyone will use pstring for new code
- got rid of winbind_client.h from includes.h. This one triggered a
huge change, as winbind_client.h was including system/filesys.h and
defining the old uint32 and uint16 types, as well as its own
pstring and fstring.
(This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
|
|
metze
(This used to be commit add1c579375d08040f722946da31ee3862f9e7ac)
|
|
asn1-tied-to-blocking-sockets code into the ldap client and torture
suite, and out of the generic libs, so nobody else is tempted to use
it for any new code.
(This used to be commit 39d1ced21baeca40d1fca62ba65243ca8f15757e)
|
|
large commit. I thought this was worthwhile to get done for
consistency.
(This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
|
|
files don't need to match the type names in the generated headers
- with this type mapping we no longer need definitions for the
deprecated "int32", "uint8" etc form of types. We can now force
everyone to use the standard types int32_t, uint8_t etc.
- fixed all the code that used the deprecated types
- converted the IDL types "int64" and "uint64" to "dlong" and
"udlong". These are the 4 byte aligned 64 bit integers that
Microsoft internally define as two 32 bit integers in a
structure. After discussions with Ronnie Sahlberg we decided that
calling these "int64" was confusing, as it implied a true 8 byte
aligned type
- fixed all the cases where we incorrectly used things like
"NTTIME_hyper" in our C code. The generated API now uses a NTTIME for
those. The fact that it is hyper-aligned on the wire is not relevant
to the API, and should remain just a IDL property
(This used to be commit f86521677d7ff16bdc4815f9524e5286026f10f3)
|
|
- added #if TALLOC_DEPRECATED around the _p functions
- fixes the code that broke from the above
while doing this I fixed quite a number of places that were
incorrectly using the non type-safe talloc functions to use the type
safe ones. Some were even doing multiplies for array allocation, which
is potentially unsafe.
(This used to be commit 6e7754abd0c225527fb38363996a6e241b87b37e)
|
|
talloc_size() or talloc_array_p() where appropriate.
also fixed a memory leak in pvfs_copy_file() (failed to free a memory
context)
(This used to be commit 89b74b53546e1570b11b3702f40bee58aed8c503)
|
|
(disabled by default, set parametric option: gensec:gssapi=yes to enable).
This module backs directly onto GSSAPI, and allows us to sign and seal
GSSAPI/Krb5 connections in particular. This avoids me reinventing the
entire GSSAPI wheel.
Currently a lot of things are left as default - we will soon start
specifiying OIDs as well as passwords (it uses the keytab only at the
moment). Tested with our LDAP-* torture tests against Win2k3.
My hope is to use this module to access the new SPNEGO implementation
in Heimdal, to avoid having to standards-verify our own.
Andrew Bartlett
(This used to be commit 14b650c85db14a9bf97e24682b2643b63c51ff35)
|
|
Andrew Bartlett
(This used to be commit 13aa88ed65a8914000cccbecf80929db3df65037)
|
|
Andrew Bartlett
(This used to be commit 722f59c7c8d09f548d9325c6051d6687d7aa16c2)
|
|
the backend what is actually in use
metze
(This used to be commit 6f3eb7bc03609108b9e0ea5676fca3d04140e737)
|
|
(This used to be commit eec698254f67365f27b4b7569fa982e22472aca1)
|
|
(This used to be commit 80d15fa3402a9d1183467463f6b21c0b674bc442)
|
|
- Use .mk files directly (no need for a SMB_*_MK() macro when adding a new SUBSYSTEM, MODULE or BINARY). This allows addition of new modules and subsystems without running configure
- Add support for generating .dot files with the Samba4 dependency tree (as used by the graphviz and springgraph utilities)
(This used to be commit 64826da834e26ee0488674e27a0eae36491ee179)
|
|
metze
(This used to be commit 9701abfa3a5f6351c8c7bced6adb751be9f5ff31)
|
|
metze
(This used to be commit 4868f1ea857e94f60dbde83bfb54def8a5ee728f)
|
|
(vl: we should only sync the parsing code with trunk)
- use hierachical talloc in the ldap client code
metze
(This used to be commit 1e9c0b68ca9ddb28877d45fc1b47653b13a7446d)
|
|
(This used to be commit a7e5bde6befa8da8fc7447b295d9177126f74964)
|
|
ioctl.h)
(This used to be commit b97e395c814762024336c1cf4d7c25be8da5813a)
|
|
- tidied up some of the system includes
- moved a few more structures back from misc.idl to netlogon.idl and samr.idl now that pidl
knows about inter-IDL dependencies
(This used to be commit 7b7477ac42d96faac1b0ff361525d2c63cedfc64)
|
|
the ldb part isn't ideal, I will have to think of a better solution
(This used to be commit 6b1f86aea8427a8e957b1aeb0ec2f507297f07cb)
|
|
I have created the include/system/ directory, which will contain the
wrappers for the system includes for logical subsystems. So far I have
created include/system/kerberos.h and include/system/network.h, which
contain all the system includes for kerberos code and networking code.
These are the included in subsystems that need kerberos or networking
respectively.
Note that this method avoids the mess of #ifdef HAVE_XXX_H in every C
file, instead each C module includes the include/system/XXX.h file for
the logical system support it needs, and the details are kept isolated
in include/system/
This patch also creates a "struct ipv4_addr" which replaces "struct
in_addr" in our code. That avoids every C file needing to import all
the system networking headers.
(This used to be commit 2e25c71853f8996f73755277e448e7d670810349)
|
|
metze
(This used to be commit c730d7d638875c239f0b67c1d4b25eb1fb01c5ff)
|
|
metze
(This used to be commit f1d8f4bc5df5b4f284739096684c9dbc76352511)
|
|
Andrew Bartlett
(This used to be commit 9c911b361c4dbb058eb48150c113c2e95b8053da)
|
|
metze
(This used to be commit e23dcb18870450be4252a0dba3e427f73291da25)
|
|
and some minor changes
- make ldap_encode/decode_response maore usable
metze
(This used to be commit cc77baf729a56499e19a50dcb1a404a4777b36d5)
|
|
try a sasl sealed CompareRequest
abartlet: we need to check how SINGING only can work,
it failed for me:-(
metze
(This used to be commit 1dabd04e265bbc1e8335f816708c2639746d9afd)
|
|
check the result of ldap_receive()
metze
(This used to be commit 778cf6d92bc3c50add43b573652c2aefef65026c)
|
|
metze
(This used to be commit 4233067921d386d4bf02218b479083cdbe2bd3c1)
|
|
en/decode CompareRequest/Response correct
metze
(This used to be commit 72dfea2b07aea83d0965a585f6e388eb88a7c6d1)
|
|
(This used to be commit ddd74dae8efe4e04b5a56ee9ecd9d4f87f99d104)
|
|
(This used to be commit 3d587a7141908362657afc2dfd0c78d73a5fed07)
|
|
Add delete functionality to ldb simple lda server backend
add some const in ldap.h
(This used to be commit 5ed9a6eb184f34eb572dd81202237042518ec7cd)
|
|
taking a context (so when you pass a NULL pointer you end up with
memory in a top level context). Fixed it by changing the API to take a
context. The context is only used if the pointer you are reallocing is
NULL.
(This used to be commit 8dc23821c9f54b2f13049b5e608a0cafb81aa540)
|
|
by making our gensec structures a talloc child of the open connection
we can be sure that it will be destroyed when the connection is
dropped.
(This used to be commit f12ee2f241aab1549bc1d9ca4c35a35a1ca0d09d)
|