Age | Commit message (Collapse) | Author | Files | Lines |
|
Andrew Bartlett
(This used to be commit 5781d0f41ac1847c38ebda290f5e85423dd20186)
|
|
Add in a hook for adding an ACI, needed to allow anonymous access
until we hook across a SYSTEM token to the LDAP server.
Andrew Bartlett
(This used to be commit f45504e2714680978f101b4a98516686a17531df)
|
|
Add a new module entrypoint to handle the new, interesting and
different mappings required for Fedora DS.
Andrew Bartlett
(This used to be commit 600c7f1a68c175b835ce45d13794a6f66bcc8493)
|
|
into an exsting LDAP server. (Allow some parts to pre-exist, and try
to blow away less data).
Andrew Bartlett
(This used to be commit 99faff0ad8fa12d596c599064a0125a6b3365134)
|
|
metze
(This used to be commit 0fcdc8c243f50da5a1203370740ac8d022a5cfdc)
|
|
(This used to be commit 57ee79c15579d1bbe7c0d3202b84a06b75320e40)
|
|
bit-rotted.
Fix up interfaces and interaction between the two..
Andrew Bartlett
(This used to be commit 9b77d285d8cd8999547c0d17e97681d236acbdb0)
|
|
don't delete their contents until we have specified the new partition
locations.
However, preserve the important part of tridge's change, that is to
ensure that no database index is present when the mass delete occours.
In my testing, it is best to leave the index until the provision is
compleated.
Andrew Bartlett
(This used to be commit 962219df7dc53ce6f6889f4b71ee19850c7ff7b5)
|
|
- when wiping a ldb, wipe within each naming context first. By not
wiping the naming contexts we didn't wipe the partitions, which
caused a massive slowdown in re-provisioning due to re-indexing of
the schema.
(This used to be commit b62437214cf7c98c81598c4f37c91ab284928dbb)
|
|
Move default for subobj.LDAPMODULES into scripting/libjs/provision.js
so that SWAT can provision again.
Andrew Bartlett
(This used to be commit a4aafe307d6d1396fa79b0c48b0a36cbf682f0ce)
|
|
Andrew Bartlett
(This used to be commit 9b2003618b28cb045e74937803e9aad773781803)
|
|
(This used to be commit 34bffbaebf50c2a75c91285d5ec82e8f377981cc)
|
|
it does have 'usr'
(This used to be commit 96db975024a744f42a0418e379df1da6c4079fe6)
|
|
Andrew Bartlett
(This used to be commit 77b810f548fffc1298978cc92c842f5e4fc13786)
|
|
default search scope points to.
Andrew Bartlett
(This used to be commit 1a111817a361faab04e73b666624ce554f000034)
|
|
When against a real, schema-checking LDAP backend, we need
extensibleObject on the baseDN entry (as entryUUID isn't run for
creating this basic ldif) output.
(This used to be commit befac43f59c4688f6c6827eb2e4e916c1056a740)
|
|
This lets the modules or backend generate the host and domain GUID,
rather than the randguid() function. These can still be specified
from the command line.
Andrew Bartlett
(This used to be commit 32996ca9d62568006f8bee85a1f2f37c64c04fb5)
|
|
Shutdown and reload the LDB, so the entryUUID module knows to read the
schema (will be changed once we have a central schema store and
notifications).
Andrew Bartlett
(This used to be commit d5814b689eedfc4c4701beb18a516db716a466f1)
|
|
(This used to be commit 177b713288be9c5d559a27d65e16521cbeefc958)
|
|
This causes things to operate as just one transaction (locally), and
to make a minimum of TCP connections when connecting to a remote LDAP
server.
Taking advantage of this, create another file to handle loading the
Samba4 specific schema extensions. Also comment out 'middleName' and
reassign the OID to one in the Samba4 range, as it is 'stolen' from a
netscape range that is used in OpenLDAP and interenet standards for
'ref'.
Andrew Bartlett
(This used to be commit 009d0905947dec9bab81d8e6de5cb424807ffd35)
|
|
This module redirects various samdb requests into different modules,
depending on the prefix. It also makes moving to an LDAP backend
easier, as it is just a different partition backend.
This adds yet another stage to the provision process, as we must setup
the partitions before we setup the magic attributes.
Andrew Bartlett
(This used to be commit 31225b9cb6ef6fcb7bd831043999b1b44ef1b128)
|
|
Commit the classic backwards compatible module which is the default one
(This used to be commit a89cc346b9296cb49929898d257a064a6c2bae86)
|
|
Andrew Bartlett
(This used to be commit 82f5f6c03d005741613c5b00705613c4078c844e)
|
|
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57f10726bd288fdc9fc95c0cbbe9094a)
|
|
Find more possible posix group names for the 'domain users' group, as
the existing options don't exist in OSX.
Andrew Bartlett
(This used to be commit 4e8d7b7fb310a668ae8653bc06036c94249b2b2a)
|
|
metze
(This used to be commit e896c32614fd4fd80a124ccfe49332e319f717f9)
|
|
scripts.
This tests the real module, and avoids duplication.
Andrew Bartlett
(This used to be commit 0859ba59ae00029177cd63366fc59efe8b19c973)
|
|
and use it in provisioning to fullfill rfc 3045 requirements
(This used to be commit 3fb9571a76481560304a826fc945983d52123299)
|
|
unix name mappings
(This used to be commit dc74d8ccf15b9324cd8b90ef9d41cf293b9de8e3)
|
|
(This used to be commit 0cacd69dd57254cb1b51ad7969993bc24bae86c7)
|
|
the main provision logic, so it can also be used as part of the
vampire process
(This used to be commit 95e90169f4e5887ee88116179d96f28f9e06796e)
|
|
I would sugguest to run 'make test && make valgrind' before each commit
at this stage...
metze
(This used to be commit b7a0a778cc77f294aac589416b05dc676696d11e)
|
|
(This used to be commit 1c49ce8df0fd2150c68d0bf4162f1ef69ff3392a)
|
|
domain migration
(This used to be commit c7951d17b1c4f53dd710d6a0fcf87ce678be3ff1)
|
|
Andrew Bartlett
(This used to be commit def31956181833db4c8e5079b745ca60fdf35136)
|
|
code.
Previously, we had to know (or guess) the host and domain guid at the
provision stage. Now we query the database post-provision, to extract
the values and fill in the zone file.
This allows us to generate a correct zone file in the Windows migration case.
In an effort to make SWAT easier to use, I have removed and renamed
some of the provision options.
I have also fixed a nasty issue in my js code. I had implictly
declared a global variable of the name 'join', with disasterious
results for any subsequent user of the string utility function:
esp exception - ASSERT at lib/appweb/ejs/ejsParser.c:2064, 0
Backtrace:
[ 0] substitute_var:20 -> list[i] = join("", list2)
[ 1] setup_file:9 -> data = substitute_var(data, subobj)
Andrew Bartlett
(This used to be commit a38ceefd11f8b748f30383ef36a4752f178bfca1)
|
|
Doing this required reworking ejsnet, particularly so it could take a
set of credentials, not just a username and password argument.
This required fixing the ejsnet.js test script, which now adds and
deletes a user, and is run from 'make test'. This should prevent it
being broken again.
Deleting a user from ejsnet required that the matching backend be
added to libnet, hooking fortunetly onto already existing code for the
actual deletion.
The js credentials interface now handles the 'set machine account' flag.
New functions have been added to provision.js to wrap the basic
operations (so we can write a command line version, as well as the web
based version).
Andrew Bartlett
(This used to be commit a5e7c17c348c45e61699cc1626a0d5eae2df4636)
|
|
main provision script a bit, as the argument list was getting out of
control. (It has been replaced in part with an object).
This also returns the session_info from the auth code into ejs.
We still need access control allowing only root to re-provision.
Andrew Bartlett
(This used to be commit 002cdcf3cab6563909d31edc5d825e857dc0a732)
|
|
Andrew Bartlett
(This used to be commit 42cdad5e3f06c307baf80396fd8449b803ef84c3)
|
|
This should allow us to provision to a 'normal' LDAP server.
Also add in 'session info' hooks (unused). Both of these need to be
hooked in on the webserver.
Andrew Bartlett
(This used to be commit b349d2fbfefd0e0d4620b9e8e0c4136f900be1ae)
|
|
(This used to be commit f4ac7d6359b5a6de04a6ea518dec99f4c9b49b3d)
|
|
with debugging!
Andrew Bartlett
(This used to be commit fe36cb6767ce99432e2778037aad334170dca173)
|
|
server. Now to try another one...
Andrew Bartlett
(This used to be commit 175f616d74ac3567a35713343be0c63c96c5aede)
|
|
backend.
The idea is that every time we open an LDB, we can provide a
session_info and/or credentials. This would allow any ldb to be remote
to LDAP. We should also support provisioning to a authenticated ldap
server.
(They are separate so we can say authenticate as foo for remote, but
here we just want a token of SYSTEM).
Andrew Bartlett
(This used to be commit ae2f3a64ee0b07575624120db45299c65204210b)
|
|
This merges Samba4 up to current lorikeet-heimdal, which includes a
replacement for some Samba-specific hacks.
In particular, the credentials system now supplies GSS client and
server credentials. These are imported into GSS with
gss_krb5_import_creds(). Unfortunetly this can't take an MEMORY
keytab, so we now create a FILE based keytab as provision and join
time.
Because the keytab is now created in advance, we don't spend .4s at
negprot doing sha1 s2k calls. Also, because the keytab is read in
real time, any change in the server key will be correctly picked up by
the the krb5 code.
To mark entries in the secrets which should be exported to a keytab,
there is a new kerberosSecret objectClass. The new routine
cli_credentials_update_all_keytabs() searches for these, and updates
the keytabs.
This is called in the provision.js via the ejs wrapper
credentials_update_all_keytabs().
We can now (in theory) use a system-provided /etc/krb5.keytab, if
krb5Keytab: FILE:/etc/krb5.keytab
is added to the secrets.ldb record. By default the attribute
privateKeytab: secrets.keytab
is set, pointing to allow the whole private directory to be moved
without breaking the internal links.
(This used to be commit 6b75573df49c6210e1b9d71e108a9490976bd41d)
|
|
(This used to be commit 4b56c129c6f1654f9dbe37bc950a836f15c48b3d)
|
|
(This used to be commit 696fa87a212e65d6337c39a84f682b64b52593a5)
|
|
needed for mmc management of Samba4.
(This used to be commit cbbce4fe403efc0b9e63052c2aa1fbb5972f2abe)
|
|
(This used to be commit daa9dcd8f4b1dde801091ec64faa8158481d171c)
|
|
- speed up provisioning a bit using a ldb transaction (also means you
can't end up with a ldb being half done)
(This used to be commit 91dfe304cf688bb81b69ff3192ac84b78b34b311)
|