summaryrefslogtreecommitdiff
path: root/source4/libcli/ldap
AgeCommit message (Collapse)AuthorFilesLines
2007-10-10r17230: don't overwrite the error with NT_STATUS_NO_MEMORYStefan Metzmacher1-10/+7
metze (This used to be commit f2196bf9b662d3f38d59eceb8c54f9d2e3f7b505)
2007-10-10r17222: Change the function prototypes for the GENSEc and TLS socket creationAndrew Bartlett2-14/+18
routines to return an NTSTATUS. This should help track down errors. Use a bit of talloc_steal and talloc_unlink to get the real socket to be a child of the GENSEC or TLS socket. Always return a new socket, even for the 'pass-though' case. Andrew Bartlett (This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
2007-10-10r17197: This patch moves the encryption of bulk data on SASL negotiated securityAndrew Bartlett4-95/+26
contexts from the application layer into the socket layer. This improves a number of correctness aspects, as we now allow LDAP packets to cross multiple SASL packets. It should also make it much easier to write async LDAP tests from windows clients, as they use SASL by default. It is also vital to allowing OpenLDAP clients to use GSSAPI against Samba4, as it negotiates a rather small SASL buffer size. This patch mirrors the earlier work done to move TLS into the socket layer. Unusual in this pstch is the extra read callback argument I take. As SASL is a layer on top of a socket, it is entirely possible for the SASL layer to drain a socket dry, but for the caller not to have read all the decrypted data. This would leave the system without an event to restart the read (as the socket is dry). As such, I re-invoke the read handler from a timed callback, which should trigger on the next running of the event loop. I believe that the TLS code does require a similar callback. In trying to understand why this is required, imagine a SASL-encrypted LDAP packet in the following formation: +-----------------+---------------------+ | SASL Packet #1 | SASL Packet #2 | ----------------------------------------+ | LDAP Packet #1 | LDAP Packet #2 | ----------------------------------------+ In the old code, this was illegal, but it is perfectly standard SASL-encrypted LDAP. Without the callback, we would read and process the first LDAP packet, and the SASL code would have read the second SASL packet (to decrypt enough data for the LDAP packet), and no data would remain on the socket. Without data on the socket, read events stop. That is why I add timed events, until the SASL buffer is drained. Another approach would be to add a hack to the event system, to have it pretend there remained data to read off the network (but that is ugly). In improving the code, to handle more real-world cases, I've been able to remove almost all the special-cases in the testnonblock code. The only special case is that we must use a deterministic partial packet when calling send, rather than a random length. (1 + n/2). This is needed because of the way the SASL and TLS code works, and the 'resend on failure' requirements. Andrew Bartlett (This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
2007-10-10r16073: On an incoming wildcard search, it is critical that the size beAndrew Bartlett1-2/+2
correct, or we try and do a memcmp on the trailing '\0'. This happens because we now use memcmp for the prefix matching. I just wish I had a test other than a particular invocation of the OSX client. (I've tried and failed so far) Andrew Bartlett (This used to be commit 36aa8390807581442c68ac3ee9dd6eb05d89b86d)
2007-10-10r15854: more talloc_set_destructor() typesafe fixesAndrew Tridgell1-2/+1
(This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3)
2007-10-10r15573: Fix build of systems that have iconv headers in non-standard locationsJelmer Vernooij2-2/+0
Split of system/locale.h header from system/iconv.h Previously, iconv wasn't being used on these systems (This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba)
2007-10-10r15400: Move the TLS code behind the socket interface.Andrew Bartlett3-20/+22
This reduces caller complexity, because the TLS code is now called just like any other socket. (A new socket context is returned by the tls_init_server and tls_init_client routines). When TLS is not available, the original socket is returned. Andrew Bartlett (This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
2007-10-10r15384: Improve naming of socket library, disable Requires(.private)? fields ↵Jelmer Vernooij1-1/+1
in pkg-config files for now as they break external projects. (This used to be commit f919fd6655f00361691e676d260bd40e0b8ddcc7)
2007-10-10r15373: Rename SOCKET to LIBSAMBA-SOCKET to prevent name clashes with ↵Jelmer Vernooij1-1/+1
-lsocket on SUN boxes. (This used to be commit c95ad11307dc89384c10bd5919817bf12d9c1ed9)
2007-10-10r15365: Fix error in my previous commit, caught by metze.Jelmer Vernooij1-3/+3
(This used to be commit 0d99397007960e555f562f1498a202407e235f36)
2007-10-10r15358: Fix some compiler warnings / type safety. Found by tccJelmer Vernooij1-2/+6
(This used to be commit 12ba42de5886f9f4f9b1698476557e0c217d06f3)
2007-10-10r15313: Fix some dependencies in dso modeJelmer Vernooij1-1/+1
(This used to be commit f0afe9e2ff16515df1b3226b479b19ea3e9c3d0c)
2007-10-10r15297: Move create_security_token() to samdb as it requires SAMDB (and the ↵Jelmer Vernooij1-2/+3
rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
2007-10-10r15288: fix some problemsSimo Sorce1-3/+3
(This used to be commit d448389be88b3bb9d6f9a3b8a1e1597c4988a0ff)
2007-10-10r15241: Add helper function to set reconnect status defaultsSimo Sorce1-0/+11
(This used to be commit 6fff8f871a607e561531e2aabef37f3469aa85e9)
2007-10-10r15238: Add some code to automatically reconnect if we want to.Simo Sorce3-11/+134
(This used to be commit e2102999e26566543162455b34adbd2b0486b74d)
2007-10-10r15207: Introduce PRIVATE_DEPENDENCIES and PUBLIC_DEPENDENCIES as replacementJelmer Vernooij1-1/+1
for REQUIRED_SUBSYSTEMS. (This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
2007-10-10r15181: Don't try kerberos sign/seal when in SSLSimo Sorce1-1/+6
(This used to be commit 3be3b1130c41e8e372531c137c46f91c5c0acf98)
2007-10-10r14724: Rearrange some source files, install more headers.Jelmer Vernooij2-2/+3
(This used to be commit 7146c1600f29c349e5bb78f810e7e170b535dd37)
2007-10-10r14542: Remove librpc, libndr and libnbt from includes.hJelmer Vernooij1-0/+4
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
2007-10-10r14511: Install more headersJelmer Vernooij1-1/+2
(This used to be commit e1f896948fad8cf5a1aec300865c250c5721ee7d)
2007-10-10r14424: another empty controls caseAndrew Tridgell1-1/+3
(This used to be commit 7d0eb678bf3649fb4e09da039dd1b716ea3df2cc)
2007-10-10r14423: don't die on no controlsAndrew Tridgell1-1/+3
(This used to be commit 9787fb8e917c22ffe910062630dc4f32473a9fab)
2007-10-10r13960: Generate makefile rules for installing/removing shared modules.Jelmer Vernooij1-1/+1
(This used to be commit 2c746980328431ab04852dc668899e3eb042da99)
2007-10-10r13609: Get in the initial work on making ldb asyncSimo Sorce6-44/+73
Currently only ldb_ildap is async, the plan is to first make all backend support the async calls, and then remove the sync functions from backends and keep the only in the API. Modules will need to be transformed along the way. Simo (This used to be commit 1e2c13b2d52de7c534493dd79a2c0596a3e8c1f5)
2007-10-10r13508: some ASN.1 element in LDAP are optional,Stefan Metzmacher4-55/+112
make it possible to code the difference between a zero length and a NULL DATA_BLOB... metze (This used to be commit 54f0b19c55df8ad3882f31a114e2ea0e4cf940ae)
2007-10-10r13506: zero memory as some ASN.1 elements are optional, and we should ↵Stefan Metzmacher1-1/+1
initialize them for the internal use... found by 'make valgrindtest' metze (This used to be commit 1db9501c5261a974c6da1938537c7991ff6cfefd)
2007-10-10r13372: fixes ... still no joySimo Sorce1-0/+8
(This used to be commit 0e2cca9153619d646b90f32620905ab66b017c6a)
2007-10-10r13361: initial implementation of the vlv controlSimo Sorce1-1/+244
seem still buggy, can't make w2k3 to like it yet (This used to be commit e1318383e91f6f6db39e3e3c9946fbb089753947)
2007-10-10r13354: Add tests to check that controls work properlySimo Sorce1-1/+1
Fix asq module, add a second_stage_init to register with rootdse Fix asq control ldap parsing routines (this was nasty to find out) (This used to be commit 933a80397d137f7d5b79c82a068d62bb6928ef47)
2007-10-10r13352: Integrate Patch to support the ManageDSAIT controlSimo Sorce1-0/+20
from Pete Rowley <prowley@redhat.com> (This used to be commit bf20a848fda1607ca1b0d84791c299c0035793a1)
2007-10-10r13344: Trust SASL to have subtle distinctions between NULL and zero-lengthAndrew Bartlett1-3/+17
responses... Also trust OpenLDAP to be pedantic about it, breaking connections to AD. In any case, we now get this 'right' (by nasty overloading hacks, but hey), and we can now use system-supplied OpenLDAP libs and SASL/GSSAPI to talk to Samba4. Andrew Bartlett (This used to be commit 0cbe18211a95f811b51865bc0e8729e9a302ad25)
2007-10-10r13342: Make the GSSAPI SASL mech actually work, by (shock horror) reading ↵Andrew Bartlett1-13/+6
the spec. GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating a buffer size and what integrity protection/privacy should be used. I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3. I'm doing this in the hope that Apple clients as well as SASL-based LDAP tools may get a bit further. I still can't get ldapsearch to work, it fails with the ever-helpful 'Local error'. Andrew Bartlett (This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
2007-10-10r12984: add parse code and ldbsearch cmdline code forStefan Metzmacher1-3/+23
NOTIFICATION LDAP Controls http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_notification_oid.asp this doesn't work yet, but it shows that we need to extend ldb to correctly handle async requests... metze (This used to be commit 1fe67189490c9faf499b68a28071a6294a53db0e)
2007-10-10r12977: Some code to implement the client side of the Dirsync controlSimo Sorce1-0/+86
Still investigating how it works. Simo. (This used to be commit bebd403523e581606505e05e7cb621efbc22fa36)
2007-10-10r12925: implement client side of ASQ controlSimo Sorce1-0/+99
(This used to be commit dd386bdc6ca6fe0b25705d5a375d29e6940b437f)
2007-10-10r12917: fix decoding of ldap controlsSimo Sorce1-1/+1
some more work on timeouts (This used to be commit a7e2fe3cb33be2effff7eb764047567f2da3cd55)
2007-10-10r12733: Merge ldap/ldb controls into main treeSimo Sorce9-25/+518
There's still lot of work to do but the patch is stable enough to be pushed into the main samba4 tree. Simo. (This used to be commit 77125feaff252cab44d26593093a9c211c846ce8)
2007-10-10r12694: Move some headers to the directory of the subsystem they belong to.Jelmer Vernooij2-2/+2
(This used to be commit c722f665c90103f3ed57621c460e32ad33e7a8a3)
2007-10-10r12608: Remove some unused #include lines.Jelmer Vernooij5-6/+0
(This used to be commit 70e7449318aa0e9d2639c76730a7d1683b2f4981)
2007-10-10r12592: Remove some useless dependenciesJelmer Vernooij1-1/+2
(This used to be commit ca8db1a0cd77682ac2c6dc4718f5d753a4fcc4db)
2007-10-10r12542: Move some more prototypes out to seperate headersJelmer Vernooij3-0/+4
(This used to be commit 0aca5fd5130d980d07398f3291d294202aefe3c2)
2007-10-10r12498: Eliminate INIT_OBJ_FILES and ADD_OBJ_FILES. We were not usingJelmer Vernooij1-1/+1
the difference between these at all, and in the future the fact that INIT_OBJ_FILES include smb_build.h will be sufficient to have recompiles at the right time. (This used to be commit b24f2583edee38abafa58578d8b5c4b43e517def)
2007-10-10r12116: got rid of composite_trigger_done() and composite_trigger_error(), andAndrew Tridgell1-1/+1
instead make the normal composite_done() and composite_error() functions automatically trigger a delayed callback if the caller has had no opportunity to setup a async callback this removes one of the common mistakes in writing a composite function (This used to be commit f9413ce792ded682e05134b66d433eeec293e6f1)
2007-10-10r12062: SASL negotiation now requires a gensec_security context, so that weAndrew Bartlett1-1/+1
only try permitted mechanims. Andrew Bartlett (This used to be commit 0f50239dc40ee128e4985f8aec5bb5f440a4f3f0)
2007-10-10r11713: separate out the setting of the fde in the packet context from theAndrew Tridgell1-1/+2
enabling of packet serialisation (This used to be commit 6a47cd65a8b588f9ddd375c57caaba08281e7cbb)
2007-10-10r11620: switch the ldap client code over to using the generic packet codeAndrew Tridgell3-173/+129
(This used to be commit 1d29ad2a27d89454e5e3c4a3cf05cc5edde0208c)
2007-10-10r11528: Separate finding dcs from initializing a domain. Makes it easier to ↵Volker Lendecke1-0/+2
possibly support cldap and other stuff in the future. This temporarily disables wbinfo -t, but that will come back soon. Try an ldap bind using gss-spnego. This got me krb5 binds against "our" w2k3 and a trusted w2k, although with some memleaks from krb5 and a BAD_OPTION tgs-rep error. Volker (This used to be commit d14948fdf687c8f70ef9ec35445b7eb04da84253)
2007-10-10r11523: Working towards having Samba3 join Samba4, this allows the SASLAndrew Bartlett1-3/+7
credentials to be NULL, where the client is requesting a CIFS style server-first negTokenInit. Andrew Bartlett (This used to be commit eba652ecc89766304fdad14463072dc311693701)
2007-10-10r11521: Add in client support for checking supportedSASLmechanisms, and thenAndrew Bartlett1-2/+55
determining a mechanism to use. Currently it doesn't to fallbacks like SPNEGO does, but this could be added (to GENSEC, not to here). This also adds a new function to GENSEC, which returns a list of SASL names in our preference order (currently determined by the build system of all things...). Also make the similar function used for OIDs in SPNEGO do the same. This is all a very long-winded way of moving from a hard-coded NTLM to GSS-SPNEGO in our SASL client... Andrew Bartlett (This used to be commit 130eb9bb9a37957614c87e0e6846a812abb51e00)