Age | Commit message (Collapse) | Author | Files | Lines |
|
determine the source of the request
The aclread module used to use a control to make sure the request comes from the ldap server,
but now the rootdse filters out any unregistered controls comming from ldap, so the control is
lost. Using the LDB_HANDLE_FLAG_UNTRUSTED is a much more elegant solution.
Autobuild-User: Nadezhda Ivanova <nivanova@samba.org>
Autobuild-Date: Wed Oct 27 11:55:11 UTC 2010 on sn-devel-104
|
|
|
|
|
|
|
|
|
|
|
|
This control is exactly thought for the actions which previously were performed
using the RELAX one.
We agreed that the RELAX control will only remain for interactions with OpenLDAP.
|
|
LDB_CONTROL_BYPASS_OPERATIONAL_OID
It's nicer to have this consistent with "BYPASS_PASSWORD_HASH".
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
This must be available to the OpenLDAP backend, to set the GUID values
in some situations. We need a proper ACL mechanism to control the use
or abuse of this control.
This reverts commit 10adee89367cee9add993869280542418fb3d370.
|
|
This makes our LDAP much more secure and less error-prone.
Autobuild-User: Matthias Dieter Wallnöfer <mdw@samba.org>
Autobuild-Date: Sat Oct 16 19:43:36 UTC 2010 on sn-devel-104
|
|
- add missing private controls and comments
- use control defines rather than hardcoded values -> easier to comprehend
- reorder controls
|
|
these contexts can have references
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Tue Sep 28 00:04:03 UTC 2010 on sn-devel-104
|
|
We need talloc_reparent() instead
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Mon Sep 27 20:38:00 UTC 2010 on sn-devel-104
|
|
metze
|
|
|
|
|
|
this control adds a unique msDS-SecondaryKrbTgtNumber attribute to a
user object.
There is some 'interesting' interaction with the rangeLower and
rangeUpper attributes and this add. We don't implementat
rangeLower/rangeUpper yet, but when we do we'll need an override for
this control (or be careful about module ordering).
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
many controls are simple present/not-present flags, and don't need
their own parsers
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
this converts all callers that use the Samba4 loadparm lp_ calling
convention to use the lpcfg_ prefix.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID controls.
Signed-off-by: Matthias Dieter Wallnöfer <mdw@samba.org>
|
|
|
|
control
|
|
|
|
libcli_ldap.h
It took a little while to find where to update this...
Andrew Bartlett
|
|
It is a problem if a samba header is called ldap.h if we also want
to use OpenLDAP's ldap.h
Andrew Bartlett
|
|
them
|
|
|
|
|
|
LDB_CONTROL_AS_SYSTEM_OID
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Current implementation synchronizes processing for
all types of LDAP request, not only LDAP_Search ones.
Synchronization for ldap replies processing is done
locally in ldb_ildap module as this concerns only
ildb_callback() function.
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
This patch, inspired by a patche by Endi S. Dewata
<edewata@redhat.com>, allows this control to be passed to the LDAP
backend.
Andrew Bartlett
|
|
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
|
|
|
|
It is a pretty odd thing to do, and it's only because of the
restrictions of DIGEST-MD5 in Cyrus SASL that we do it.
Andrew Bartlett
|
|
metze
|
|
LDAP_SERVER_SHOW_RECYCLED_OID 1.2.840.113556.1.4.2064
LDAP_SERVER_SHOW_DEACTIVATED_LINK_OID 1.2.840.113556.1.4.2065
metze
|
|
|
|
As they can we static there, we pass the specific handlers as parameter
where we need to support controls.
metze
|
|
defined in C.
metze
|
|
metze
|
|
metze
|
|
metze
|
|
This prepares using ldap_message.c in source3/ later
metze
|
|
metze
|
|
Our packet layer relies on the event system reliably telling us when a
packet is available. When we are using a socket layer like TLS then
things get a bit trickier, as there may be bytes in the encryption
buffer which could be read even if there are no bytes at the socket
level. The GNUTLS library is supposed to prevent this happening by
always leaving some data at the socket level when there is data to be
processed in its buffers, but it seems that this is not always
reliable.
To work around this I have added a new packet option
packet_set_unreliable_select() which tells the packet layer to not
assume that the socket layer has a reliable select, and to instead
keep trying to read from the socket until it gets back no data. This
option is set for the ldap client and server when TLS is negotiated.
This seems to fix the problems with the ldaps tests.
|
|
metze
|