| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
instead of hardcoded GENSEC_FEATURE_SEAL.
That means plain LDAP is now the default.
metze
(This used to be commit b69471866c2a6c61002147938f233f2f63963ba4)
|
|
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0fbb596ea82484d0e1cb22e193037b9)
|
|
libraries
works again now, by specifying --enable-dso to configure.
(This used to be commit 7a01235067a4800b07b8919a6a475954bfb0b04c)
|
|
- http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/ldapv3/
- http://gleg.net/protover_ldap_sample.shtml
Also fixes found by a subsequent audit of the code for similar issues.
(This used to be commit 441a4f6262459dabfefd9bb12622ada9c007a60c)
|
|
library. Even though we don't like to that library, it gets loaded via
nss-ldap, which means nss-ldap calls into the samba ldap lib with the
wrong parameters, and crashes.
We really need to use a completely different namespace in libcli/ldap/
(This used to be commit c440e0eed9afae5fe69995a7416971e7c8560779)
|
|
(This used to be commit f4b4bd945f5c3955aab0c3cf89ad6cdda7529dac)
|
|
ldapi://).
Andrew Bartlett
(This used to be commit 556a21faeed0b6e3cc6efcfa8e0939b151a802de)
|
|
Andrew Bartlett
(This used to be commit 1920cb8b3978f745cba7e854410deb9174de2dc0)
|
|
OpenLDAP backend.
Andrew Bartlett
(This used to be commit da66b53e6ac39c5f020781830ee69d460aa0cae5)
|
|
* Move dlinklist.h, smb.h to subsystem-specific directories
* Clean up ads.h and move what is left of it to dsdb/
(only place where it's used)
(This used to be commit f7afa1cb77f3cfa7020b57de12e6003db7cfcc42)
|
|
metze
(This used to be commit 96259f0f24b114e505241c9d2deb702a8b40f1b6)
|
|
metze
(This used to be commit 40dc7c1787c16bfc15ac87fee81d2d2d1f3d2fde)
|
|
metze
(This used to be commit 84e74a759cfa49ebc8b4ba1b8e729d6d920fc55a)
|
|
with this you can limit a search to a specific partitions
or a search over all partitions without getting referrals.
(Witch is the default behavior on the Global Catalog Port)
metze
(This used to be commit 4ccd0f8171f3748ee6efe1abd3f894d2cdf46bf4)
|
|
metze
(This used to be commit 23759a1e9b05c4fde475a9016cb0b7447656d7e7)
|
|
metze
(This used to be commit f2196bf9b662d3f38d59eceb8c54f9d2e3f7b505)
|
|
routines to return an NTSTATUS. This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
(This used to be commit 003e2ab93c87267ba28cd67bd85975bad62a8ea2)
|
|
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb2b39673172a357092b80cd814850b0)
|
|
correct, or we try and do a memcmp on the trailing '\0'.
This happens because we now use memcmp for the prefix matching.
I just wish I had a test other than a particular invocation of the OSX
client. (I've tried and failed so far)
Andrew Bartlett
(This used to be commit 36aa8390807581442c68ac3ee9dd6eb05d89b86d)
|
|
(This used to be commit 61c6100617589ac6df4f527877241464cacbf8b3)
|
|
Split of system/locale.h header from system/iconv.h
Previously, iconv wasn't being used on these systems
(This used to be commit aa6d66fda69779d1c2948a1aca85dbd5208f1cba)
|
|
This reduces caller complexity, because the TLS code is now called
just like any other socket. (A new socket context is returned by the
tls_init_server and tls_init_client routines).
When TLS is not available, the original socket is returned.
Andrew Bartlett
(This used to be commit 09b2f30dfa7a640f5187b4933204e9680be61497)
|
|
in pkg-config files for now as
they break external projects.
(This used to be commit f919fd6655f00361691e676d260bd40e0b8ddcc7)
|
|
-lsocket on SUN
boxes.
(This used to be commit c95ad11307dc89384c10bd5919817bf12d9c1ed9)
|
|
(This used to be commit 0d99397007960e555f562f1498a202407e235f36)
|
|
(This used to be commit 12ba42de5886f9f4f9b1698476557e0c217d06f3)
|
|
(This used to be commit f0afe9e2ff16515df1b3226b479b19ea3e9c3d0c)
|
|
rest of LIBSECURITY doesn't)
Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal
Some other dependency fixes
(This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)
|
|
(This used to be commit d448389be88b3bb9d6f9a3b8a1e1597c4988a0ff)
|
|
(This used to be commit 6fff8f871a607e561531e2aabef37f3469aa85e9)
|
|
(This used to be commit e2102999e26566543162455b34adbd2b0486b74d)
|
|
for REQUIRED_SUBSYSTEMS.
(This used to be commit adc8a019b6da256f104abed1b82bfde6998a2ac9)
|
|
(This used to be commit 3be3b1130c41e8e372531c137c46f91c5c0acf98)
|
|
(This used to be commit 7146c1600f29c349e5bb78f810e7e170b535dd37)
|
|
(This used to be commit 51b4270513752d2eafbe77f9de598de16ef84a1f)
|
|
(This used to be commit e1f896948fad8cf5a1aec300865c250c5721ee7d)
|
|
(This used to be commit 7d0eb678bf3649fb4e09da039dd1b716ea3df2cc)
|
|
(This used to be commit 9787fb8e917c22ffe910062630dc4f32473a9fab)
|
|
(This used to be commit 2c746980328431ab04852dc668899e3eb042da99)
|
|
Currently only ldb_ildap is async, the plan
is to first make all backend support the async calls,
and then remove the sync functions from backends and
keep the only in the API.
Modules will need to be transformed along the way.
Simo
(This used to be commit 1e2c13b2d52de7c534493dd79a2c0596a3e8c1f5)
|
|
make it possible to code the difference between a zero length and a NULL DATA_BLOB...
metze
(This used to be commit 54f0b19c55df8ad3882f31a114e2ea0e4cf940ae)
|
|
initialize
them for the internal use...
found by 'make valgrindtest'
metze
(This used to be commit 1db9501c5261a974c6da1938537c7991ff6cfefd)
|
|
(This used to be commit 0e2cca9153619d646b90f32620905ab66b017c6a)
|
|
seem still buggy, can't make w2k3 to like it yet
(This used to be commit e1318383e91f6f6db39e3e3c9946fbb089753947)
|
|
Fix asq module, add a second_stage_init to register with rootdse
Fix asq control ldap parsing routines (this was nasty to find out)
(This used to be commit 933a80397d137f7d5b79c82a068d62bb6928ef47)
|
|
from Pete Rowley <prowley@redhat.com>
(This used to be commit bf20a848fda1607ca1b0d84791c299c0035793a1)
|
|
responses...
Also trust OpenLDAP to be pedantic about it, breaking connections to AD.
In any case, we now get this 'right' (by nasty overloading hacks, but
hey), and we can now use system-supplied OpenLDAP libs and SASL/GSSAPI
to talk to Samba4.
Andrew Bartlett
(This used to be commit 0cbe18211a95f811b51865bc0e8729e9a302ad25)
|
|
the spec.
GSSAPI differs from GSS-SPNEGO in an additional 3 packets, negotiating
a buffer size and what integrity protection/privacy should be used.
I worked off draft-ietf-sasl-gssapi-03, and this works against Win2k3.
I'm doing this in the hope that Apple clients as well as SASL-based
LDAP tools may get a bit further.
I still can't get ldapsearch to work, it fails with the ever-helpful
'Local error'.
Andrew Bartlett
(This used to be commit 3e462897754b30306c1983af2d137329dd937ad6)
|
|
NOTIFICATION LDAP Controls
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/ldap_server_notification_oid.asp
this doesn't work yet, but it shows that we need to extend ldb to correctly
handle async requests...
metze
(This used to be commit 1fe67189490c9faf499b68a28071a6294a53db0e)
|
|
Still investigating how it works.
Simo.
(This used to be commit bebd403523e581606505e05e7cb621efbc22fa36)
|
