summaryrefslogtreecommitdiff
path: root/source4/libcli/ldap
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r9505: Work on GENSEC and the code that calls it, for tighter interfaceAndrew Bartlett1-8/+26
requirements, and for better error reporting. In particular, the composite session setup (extended security/SPNEGO) code now returns errors, rather than NT_STATUS_NO_MEMORY. This is seen particularly when GENSEC fails to start. The tighter interface rules apply to NTLMSSP, which must be called exactly the right number of times. This is to match some of our other less-tested modules, where adding flexablity is harder. (and this is security code, so let's just get it right). As such, the DCE/RPC and LDAP clients have been updated. Andrew Bartlett (This used to be commit 134550cf752b9edad66c3368750bfb4bbd9d55d1)
2007-10-10r9240: - move struct security_token to the idl file, with this we canStefan Metzmacher1-5/+5
the ndr_pull/push/print functions for it in the ntacl-lsm module - fix compiler warnings in the ldap_encode_ndr_* code metze (This used to be commit 83d65d0d7ed9c240ad44aa2c881c1f07212bfda4)
2007-10-10r8917: Better support for extended ldap search operationsSimo Sorce1-17/+49
Try to follow the RFC where possible and adapt to openLdap and AD way of handling this structure (This used to be commit d844d45d87b4114bc1b9af2e40f8c27ba3e219de)
2007-10-10r8811: Fix the build..Jelmer Vernooij1-0/+1
(This used to be commit fac77f5fa267da57a55e88cad8993897e80741a0)
2007-10-10r8585: add to ldb and ldap comparison functionalitySimo Sorce1-9/+96
better pares filters Approx is currently only a stub need to dig more info to understand what it really means and how it works exactly (This used to be commit a9e8cd0bad27ed2b3c6a12302e787ba3c9a70a3c)
2007-10-10r8530: Now our ldap server is able to fullfill present and substring searchesSimo Sorce1-36/+184
(This used to be commit a910671bd8c6d2d8d5b6ff30fc07ead244e696f1)
2007-10-10r8523: match a zero message id in ldap replies to the last request sent. ↵Andrew Tridgell1-0/+8
Thanks to simo for noticing that this is needed to catch the server sending a "can't decode request" error reply (This used to be commit 6e81e866dc7a5dc014d2d9f2e09803c6adfd1830)
2007-10-10r8414: Some C++ friendlyness fixes - 'not' is apparently a keyword in C++.Tim Potter1-3/+3
(This used to be commit bcfb3a45e4a5962fe763f8071d4458f4bd11605b)
2007-10-10r7860: switch our ldb storage format to use a NDR encoded objectSid. This isAndrew Tridgell1-1/+1
quite a large change as we had lots of code that assumed that objectSid was a string in S- format. metze and simo tried to convince me to use NDR format months ago, but I didn't listen, so its fair that I have the pain of fixing all the code now :-) This builds on the ldb_register_samba_handlers() and ldif handlers code I did earlier this week. There are still three parts of this conversion I have not finished: - the ltdb index records need to use the string form of the objectSid (to keep the DNs sane). Until that it done I have disabled indexing on objectSid, which is a big performance hit, but allows us to pass all our tests while I rejig the indexing system to use a externally supplied conversion function - I haven't yet put in place the code that allows client to use the "S-xxx-yyy" form for objectSid in ldap search expressions. w2k3 supports this, presumably by looking for the "S-" prefix to determine what type of objectSid form is being used by the client. I have been working on ways to handle this, but am not happy with them yet so they aren't part of this patch - I need to change pidl to generate push functions that take a "const void *" instead of a "void*" for the data pointer. That will fix the couple of new warnings this code generates. Luckily it many places the conversion to NDR formatted records actually simplified the code, as it means we no longer need as many calls to dom_sid_parse_talloc(). In some places it got more complex, but not many. (This used to be commit d40bc2fa8ddd43560315688eebdbe98bdd02756c)
2007-10-10r7855: fixed a typoAndrew Tridgell1-1/+1
(This used to be commit a1155651e722e28496be02b729c950afae5db9a9)
2007-10-10r7810: don't give errors when the ldap server sends us reference repliesAndrew Tridgell1-1/+2
(This used to be commit f2b2d2626f5eb4fbd7d7c5cdcde486d00fc19447)
2007-10-10r7770: added ldaps support to our ldap client libraryAndrew Tridgell3-9/+19
(This used to be commit 8f5c2e8682795258a6361b9516a38a8fabdef150)
2007-10-10r7763: fixed some circular dependenciesAndrew Tridgell1-1/+1
(This used to be commit 3bdf89b0f7521ca39d48dc4c32fe96971d4d60fd)
2007-10-10r7749: some bug fixes from testing with socket:testnonblockAndrew Tridgell1-2/+3
- fixed some infinite loops in asn1.c - ensure asn1 callers know if an error is end of buffer or bad data - handle npending 0 in ldap server (This used to be commit f22c3b84c8912ccd36e676a782b58f1841be8875)
2007-10-10r7747: - simplified the ldap server buffer handlingAndrew Tridgell1-1/+1
- got rid of the special cases for sasl buffers - added a tls_socket_pending() call to determine how much data is waiting on a tls connection - removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves are sync. (This used to be commit 73cb4aad229d08e17e22d5792580bd43a61b142a)
2007-10-10r7725: fixed a bug with partial asn1 frames in the ldap clientAndrew Tridgell1-0/+3
(This used to be commit 0f22306a9c61c1b00aeb0f3bf7e875d9b7b4606d)
2007-10-10r7724: added encoding of LDB_OP_NOT search componentsAndrew Tridgell1-1/+6
(This used to be commit 82b1feeafea57ca1b8d7bf79f777eebcc703769c)
2007-10-10r7723: - fix a mismatched asn1 push/pop on bindAndrew Tridgell1-29/+26
- add error checking to ldap_encode() - fixed the asn1 codes for extended search - use asn1 context macros (This used to be commit 25d500b6e559b9a530ae65a21046cfde0f8c41af)
2007-10-10r7722: when we get a zero read, the connection is deadAndrew Tridgell1-2/+1
(This used to be commit 060323530454edf21b217550b373513e5860146c)
2007-10-10r7720: - simplify the asn1 decode of ldap_search() a lot, taking advantage ofAndrew Tridgell2-3/+6
the fact that the ldap data structures now use ldb_message_element. - fixed null termination of elements in ildap (This used to be commit 09060994c1ed12073ae6e1131d7074db8fdc523c)
2007-10-10r7717: fixed some typosAndrew Tridgell1-4/+4
(This used to be commit fc8feee56034fe165359c804d111f80e5b3ebb65)
2007-10-10r7716: a single wrapped ldap blob can contain multiple ldap messagesAndrew Tridgell1-3/+3
(This used to be commit de5f265b6c586335965a6de844c203206261cc3b)
2007-10-10r7715: ensure we don't print null strings in ldap_errstr()Andrew Tridgell1-1/+3
(This used to be commit dc419fc89973c2d7fa333df389b75cb218e8a848)
2007-10-10r7713: fixed error display in ildap_search()Andrew Tridgell1-0/+6
(This used to be commit abc9f4bd89d0eda655f7de01db49cbbb64682bf4)
2007-10-10r7665: - added a ildap_*() interface to our internal ldap library. ThisAndrew Tridgell5-2/+241
interface is very similar to the traditional ldap interface, and will be used as part of a ldb backend based on the current ldb_ldap backend - fixed some allocation issues in ldb_msg.c (This used to be commit b34a29dcf26f68a2f47380a6c74a4095fdfd2fbe)
2007-10-10r7633: this patch started as an attempt to make the dcerpc code use a givenAndrew Tridgell1-1/+1
event_context for the socket_connect() call, so that when things that use dcerpc are running alongside anything else it doesn't block the whole process during a connect. Then of course I needed to change any code that created a dcerpc connection (such as the auth code) to also take an event context, and anything that called that and so on .... thus the size of the patch. There were 3 places where I punted: - abartlet wanted me to add a gensec_set_event_context() call instead of adding it to the gensec init calls. Andrew, my apologies for not doing this. I didn't do it as adding a new parameter allowed me to catch all the callers with the compiler. Now that its done, we could go back and use gensec_set_event_context() - the ejs code calls auth initialisation, which means it should pass in the event context from the web server. I punted on that. Needs fixing. - I used a NULL event context in dcom_get_pipe(). This is equivalent to what we did already, but should be fixed to use a callers event context. Jelmer, can you think of a clean way to do that? I also cleaned up a couple of things: - libnet_context_destroy() makes no sense. I removed it. - removed some unused vars in various places (This used to be commit 3a3025485bdb8f600ab528c0b4b4eef0c65e3fc9)
2007-10-10r7626: a new ldap client library. Main features are:Andrew Tridgell7-999/+767
- hooked into events system, so requests can be truly async and won't interfere with other processing happening at the same time - uses NTSTATUS codes for errors (previously errors were mostly ignored). In a similar fashion to the DOS error handling, I have reserved a range of the NTSTATUS code 32 bit space for LDAP error codes, so a function can return a LDAP error code in a NTSTATUS - much cleaner packet handling (This used to be commit 2e3c660b2fc20e046d82bf1cc296422b6e7dfad0)
2007-10-10r7599: it turns out we were not using the ldif code in libcli/ldap/ at all,Andrew Tridgell1-393/+0
so best to just remove it. If we need it again, then it will be easy to just use a wrapper around the ldb code. (This used to be commit b316e1c2d3e4dc09c321ec72b40d78ffb855e101)
2007-10-10r7598: take advantage of struct data_blob and struct ldb_val being the sameAndrew Tridgell2-14/+3
structure in a couple of places (This used to be commit bcd4671acae2be51958cbae23a0ab2dd2b194a5e)
2007-10-10r7596: next step in ldap cleanup. I'm aiming to get rid of the cut&pastedAndrew Tridgell3-24/+18
ldif parsing code in libcli/ldap/ldap_ldif.c, and instead use the ldb ldif code. To do that I have changed the ldap code to use 'struct ldb_message_element' instead of 'struct ldap_attribute'. They are essentially the same structure anyway, so by making them really the same it will be much easier to use the ldb code in libcli/ldap/ I have also made 'struct ldb_val' the same as a DATA_BLOB, which will simplify data handling in quite a few places (I haven't yet removed all the code that maps between these two, that will come later) (This used to be commit 87fc3073392236221a3a6b933284e9e477c24ae5)
2007-10-10r7593: simplified the memory management in the ldap code. Having a mem_ctxAndrew Tridgell4-69/+55
element in a structure is not necessary any more. (This used to be commit 912d0427f52eac811b27bf7e385b0642f7dc7f53)
2007-10-10r7567: added wire parsing of NOT and extended ldap search requests. ThisAndrew Tridgell1-37/+97
allows us to parse and handle the complex queries we are getting from w2k, such as (|(|(&(!(groupType:1.2.840.113556.1.4.803=1))(groupType:1.2.840.113556.1.4.803=2147483648)(groupType:1.2.840.113556.1.4.804=6))(samAccountType=805306368))(samAccountType=805306369)) (This used to be commit 041bce591306a0fb26bd31fe371e30021ea5c0c1)
2007-10-10r7527: - added a ldb_search_bytree() interface, which takes a ldb_parse_treeAndrew Tridgell2-34/+10
instead of a search expression. This allows our ldap server to pass its ASN.1 parsed search expressions straight to ldb, instead of going via strings. - updated all the ldb modules code to handle the new interface - got rid of the separate ldb_parse.h now that the ldb_parse structures are exposed externally - moved to C99 structure initialisation in ldb - switched ldap server to using ldb_search_bytree() (This used to be commit 96620ab2ee5d440bbbc51c1bc0cad9977770f897)
2007-10-10r7524: make the ldap ASN.1 filter parse code go via a structAndrew Tridgell1-77/+107
ldb_parse_tree. This also fixes the error handling. next step will be to pass the parse tree straight into ldb, avoiding the string encoding completely. (This used to be commit 235cf625e20767c8d5d30c5955ae45e1fdf88bf2)
2007-10-10r7519: rip the copy of the ldap expression parser out of libcli/ldap/ and useAndrew Tridgell4-421/+43
the original one in lib/ldb/ instead. Having two copies of this code is silly. (This used to be commit 0e9f18c44858b692c724c004f362de9e3dc15db5)
2007-10-10r6817: - fixed empty ldap search elements in filtersAndrew Tridgell3-1/+19
- added support for guids in cldap netlogon searches. the cldap server now passes the LDAP-CLDAP torture test (This used to be commit eb7979d9def389942fa1c54693d2dfcb8828f544)
2007-10-10r6763: added functions in libcli/ldap/ to binary encode some NDR structures intoAndrew Tridgell4-2/+89
ldap friendly filter strings (This used to be commit 8890dd3ac331cffe83226a356c52df89c917c2b0)
2007-10-10r6745: - escape spaces in binary ldap blobsAndrew Tridgell2-3/+15
- expose the ldap filter string parsing outside of ldap.c (This used to be commit b644ff6fe164fbe359c47e4d34f5ad490ff61d5b)
2007-10-10r6732: - move sasl send recv code to the ldap libStefan Metzmacher2-1/+188
- support 'modrdn' ldif metze (This used to be commit b6a1734699953964fcde6fe6ea7048496492eb33)
2007-10-10r6726: support binary search elements in ldap_decode()Andrew Tridgell1-6/+42
(This used to be commit 2b36f1dfdd6cf3ab89f63b541ae4cd905fb03c8d)
2007-10-10r6689: minor ldap client library workAndrew Tridgell2-24/+63
- added support for binary encoded search filters - fixed some const handling - changed the message type to an enum, to help debugging (This used to be commit d5353b63428698d1ce95c50e2626f1841fa637e3)
2007-10-10r6028: A MAJOR update to intergrate the new credentails system fully withAndrew Bartlett2-22/+9
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'. GENSEC now no longer has it's own handling of 'set username' etc, instead it uses cli_credentials calls. In order to link the credentails code right though Samba, a lot of interfaces have changed to remove 'username, domain, password' arguments, and these have been replaced with a single 'struct cli_credentials'. In the session setup code, a new parameter 'workgroup' contains the client/server current workgroup, which seems unrelated to the authentication exchange (it was being filled in from the auth info). This allows in particular kerberos to only call back for passwords when it actually needs to perform the kinit. The kerberos code has been modified not to use the SPNEGO provided 'principal name' (in the mechListMIC), but to instead use the name the host was connected to as. This better matches Microsoft behaviour, is more secure and allows better use of standard kerberos functions. To achieve this, I made changes to our socket code so that the hostname (before name resolution) is now recorded on the socket. In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now in libcli/auth/schannel.c, and it looks much more like a standard GENSEC module. The actual sign/seal code moved to libcli/auth/schannel_sign.c in a previous commit. The schannel credentails structure is now merged with the rest of the credentails, as many of the values (username, workstation, domain) where already present there. This makes handling this in a generic manner much easier, as there is no longer a custom entry-point. The auth_domain module continues to be developed, but is now just as functional as auth_winbind. The changes here are consequential to the schannel changes. The only removed function at this point is the RPC-LOGIN test (simulating the load of a WinXP login), which needs much more work to clean it up (it contains copies of too much code from all over the torture suite, and I havn't been able to penetrate its 'structure'). Andrew Bartlett (This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2007-10-10r5322: removed a whole bunch of #include lines that minimal_includes.plAndrew Tridgell1-1/+0
thinks are not needed. Now to see how this fares on the build farm :) (This used to be commit 80ffcc650c9c86141507edd8338b97814a85f868)
2007-10-10r5308: trimmed back a lot of the old macros from smb_macros.hAndrew Tridgell1-2/+2
(This used to be commit bf43c9bdcf9e654d123f6a2b29feb9189ca9e561)
2007-10-10r5305: removed libcli/ldap/ldap.h from includes.hAndrew Tridgell5-0/+63
(This used to be commit 0df3fdd8178085c40f9cd776cc3e1486ca559c8e)
2007-10-10r5298: - got rid of pstring.h from includes.h. This at least makes it a bitAndrew Tridgell2-2/+4
less likely that anyone will use pstring for new code - got rid of winbind_client.h from includes.h. This one triggered a huge change, as winbind_client.h was including system/filesys.h and defining the old uint32 and uint16 types, as well as its own pstring and fstring. (This used to be commit 9db6c79e902ec538108d6b7d3324039aabe1704f)
2007-10-10r5137: fix typesStefan Metzmacher1-1/+1
metze (This used to be commit add1c579375d08040f722946da31ee3862f9e7ac)
2007-10-10r5107: moved the horrible ldap socket code, and the even worseAndrew Tridgell1-0/+240
asn1-tied-to-blocking-sockets code into the ldap client and torture suite, and out of the generic libs, so nobody else is tempted to use it for any new code. (This used to be commit 39d1ced21baeca40d1fca62ba65243ca8f15757e)
2007-10-10r5037: got rid of all of the TALLOC_DEPRECATED stuff. My apologies for theAndrew Tridgell3-14/+14
large commit. I thought this was worthwhile to get done for consistency. (This used to be commit ec32b22ed5ec224f6324f5e069d15e92e38e15c0)
2007-10-10r5034: - added a type mapping function in pidl, so the type names in our IDLAndrew Tridgell1-6/+6
files don't need to match the type names in the generated headers - with this type mapping we no longer need definitions for the deprecated "int32", "uint8" etc form of types. We can now force everyone to use the standard types int32_t, uint8_t etc. - fixed all the code that used the deprecated types - converted the IDL types "int64" and "uint64" to "dlong" and "udlong". These are the 4 byte aligned 64 bit integers that Microsoft internally define as two 32 bit integers in a structure. After discussions with Ronnie Sahlberg we decided that calling these "int64" was confusing, as it implied a true 8 byte aligned type - fixed all the cases where we incorrectly used things like "NTTIME_hyper" in our C code. The generated API now uses a NTTIME for those. The fact that it is hyper-aligned on the wire is not relevant to the API, and should remain just a IDL property (This used to be commit f86521677d7ff16bdc4815f9524e5286026f10f3)