Age | Commit message (Collapse) | Author | Files | Lines |
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
Guenther
|
|
This must not be treated as a normal string (strlen truncates it).
Guenther
|
|
The previous code incorrectly cast an ldb_val into a char *.
Andrew Bartlett
|
|
The ldb_val is length-limited, and while normally NULL terminated,
this avoids the chance that this particular value might not be, as
well as avoiding a cast.
Andrew Bartlett
|
|
make them wrappers around convert_string{,talloc}_convenience().
|
|
I'm very glad we have such a comprehensive testsuite for the SAMR
password change process, as it makes this a much easier task to get
right.
Andrew Bartlett
|
|
This uses a virtual attribute 'clearTextPassword' (name chosen to
match references in MS-SAMR) that contains the length-limited blob
containing an allegidly UTF16 password. This ensures we do no
validation or filtering of the password before we get a chance to MD4
it. We can then do the required munging into UTF8, and in future
implement the rules Microsoft has provided us with for invalid inputs.
All layers in the process now deal with the strings as length-limited
inputs, incluing the krb5 string2key calls.
This commit also includes a small change to samdb_result_passwords()
to ensure that LM passwords are not returned to the application logic
if LM authentication is disabled.
The objectClass module has been modified to allow the
clearTextPassword attribute to pass down the stack.
Andrew Bartlett
|
|
Guenther
|
|
|
|
|
|
The previous ldb_search() interface made it way too easy to leak results,
and being able to use a printf-like expression turns to be really useful.
|
|
UTF-16 input
The input checking is important, as otherwise we could set the wrong
password.
Andrew Bartlett
|
|
The 'comment' element in a number of domain structures is called
oem_information. This was picked up actually because with OpenLDAP
doing the schema checking, it noticed that 'comment' was not a valid
attribute.
The rename tries to keep this consistant in both the LDB mappings and
IDL, so we don't make the same mistake in future.
This has no real schema impact, as this value isn't actually used for
anything, as 'comment' was not used in the provision.
Andrew Bartlett
(This used to be commit 65dc0d536590d055a5ee775606ac90ee5fcaee9a)
|
|
(This used to be commit b4e1ae07a284c044704322446c94351c2decff91)
|
|
Now that we don't create users/domain groups/aliases in the builtin
domain, we hit some bugs in the server-side implementation of the
enumeration functions.
In essence, it turns out to be: don't treat 0 as a special case.
Also, fix up the PDC name to always be returned. I'm sure nothing
actually uses it, particularly for BUILTIN...
Andrew Bartlett
(This used to be commit 353bb79f568f20c8469cb9458f7b14c24612ad23)
|
|
The gendb_*() API does not return error codes, and mixes error returns
with the count of returned entries.
Andrew Bartlett
(This used to be commit facbc8dfa5188fdd610f400b5be6e05bc33b0820)
|
|
This reworks quite a few parts of our provision system to use
CN=NETBIOSNAME as the domain for member servers.
This makes it clear that these domains are not in the DNS structure,
while complying with our own schema (found by OpenLDAP's schema
validation).
Andrew Bartlett
(This used to be commit bda6a38b055fed2394e65cdc0b308a1442116402)
|
|
(lest we have an account set with 0 flags)
Andrew Bartlett
(This used to be commit 7a46e72f8dbb191ac8a811eb4cd95210fab7dc7b)
|
|
More correctly handle expired passwords, and do not expire machine accounts.
Test that the behaviour is consistant with windows, using the RPC-SAMR test.
Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.
Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)
|
|
We need to be far more granular bout this - in particular, we need a
decide LDAP -> NTSTATUS conversion.
Andrew Bartlett
(This used to be commit 30fc3752c7573fcf8b1a41f7b3bc8dad860077f8)
|
|
(This used to be commit 6ac86f8be7d9a8c5ab396a93e6d1e6819e11f173)
|
|
(This used to be commit e53e79eebef3ece6978f0a2b4a1ee0a0814bb5d2)
|
|
(This used to be commit 40ae12c08647c47a9c504d39ee6f61c32b4e5748)
|
|
(This used to be commit 95a6ef7fc8757ccfd90dbf0d6c9b5098f10b10b6)
|
|
(This used to be commit 6fd0d9d3b75546d08c24c513e05b1843d5777608)
|
|
(This used to be commit fc1f4d2d65d4c983cba5421e7ffb64dd75482860)
|
|
(This used to be commit 1ab76ecc5311fa863e5d04899b6f110899818f55)
|
|
(This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
|
|
further up the call stack.
(This used to be commit 0721a07aada6a1fae6dcbd610b8783df57d7bbad)
|
|
wrappers to ldb_add() etc. samdb_replace() remains, as it sets flags on
all entries as 'replace'.
Andrew Bartlett
(This used to be commit 09c0faa5b7e1a560bf13b99a2584012a47377bb6)
|
|
(This used to be commit 56dfcb4f2f8e74c9d8b2fe3a0df043781188a555)
|
|
(This used to be commit b7371f1a191fb86834c0d586d094f39f0b04544b)
|
|
(This used to be commit 3fcc960839c6e5ca4de2c3c042f12f369ac5f238)
|
|
alignment of the union.
Sorry for the time it took to test and fix this.
Andrew Bartlett
(This used to be commit 5b893fc6f59aa9324360ca1af4b504a2c140e806)
|
|
(This used to be commit abe8349f9b4387961ff3665d8c589d61cd2edf31)
|
|
Andrew Bartlett
(This used to be commit 9aae9b1d243c23b96c0d8d28603b7e0ba25ac1c9)
|