Age | Commit message (Collapse) | Author | Files | Lines |
|
(This used to be commit 6ac6de8476ba036eb041e054bc37e4503dc2fde8)
|
|
Spotted by nobody88 in IRC.
(This used to be commit 38d4e2407afb942de21379dc886f9e4c5532a2b9)
|
|
Andrew Bartlett
(This used to be commit be5eb2da241452ccc0526f4f115aa44c0793c351)
|
|
Andrew Bartlett
(This used to be commit ae2ea1bd0cd2b326b09b372428969f2cf52ce519)
|
|
This means that, except when we back onto LDAP, when it will be
replaced with the mapping backend, we will keep this codepath tested.
Andrew Bartlett
(This used to be commit e8fb5da5a18c1c3bd788b1ab3f814ffb847b00fd)
|
|
(This used to be commit e9bb130d63e86fafc4cbf379e2e237354b88bcf8)
|
|
The less things we manually place into the templates, the easier the
conversion to python will be.
Andrew Bartlett
(This used to be commit f65e5c164476b80468aa19452b108db17c642f8b)
|
|
This code raided from the repl_meta_data module, which probably needs
to be downsized to just handling the replication data.
Andrew Bartlett
(This used to be commit 2a418f33705a792d9d16cf1d4aa3dcda467e6e04)
|
|
Previously, we would create the first record in the DB as an LDIF
file, with the expectation that the administrator would use slapadd to
create the database.
We now do everything over LDAP, which is far simpler, and allows the
LDB module chain to do its work, without special cases.
Also fix naming of the output schema when suggesting the comamnd line
to run ad2oLschema in provision-backend.
Andrew Bartlett
(This used to be commit e77375758d66e94e5e0b6e61a97c9281c3d9c71f)
|
|
remove it from ldb. It is not longer mapped against OpenLDAP.
Andrew Bartlett
(This used to be commit f917ccec85f854423f423bbffc41459d92960a1b)
|
|
incoming LDAP filter.
Warning: Any anr search will perform a full index search. Untill ldb
gets substring indexes, this is unavoidable.
Also implement a testsutie to show we match AD behaviour for this
important extension (used in the Active Directory Users and Computers
MMC plugin, as a genereral 'find').
This will also be useful to OpenChange, as their server needs to
implement this.
Andrew Bartlett
(This used to be commit 044b50947254ccd516c21cb156ab60ab9e3a582d)
|
|
(This used to be commit d0d5c1a823a6601292c061dba2b6f4bde2b9e3dd)
|
|
(This used to be commit 4c7e3843a0e1a914b259526dcd3e50bd238816af)
|
|
Andrew Bartlett
(This used to be commit ba23dac0319f7c5ad89e5d79174520892027afdd)
|
|
provision, and ignore 'no such entry' as an error (it is normal, and
just means the partition is compleatly empty).
Andrew Bartlett
(This used to be commit 1fb8c31a3da6fc07f55027f05dba5e03dcf8a4f7)
|
|
Andrew Bartlett
(This used to be commit a7595d009a89fecd7723a1e356d5a58d687bdbb0)
|
|
samdb before we start writing entries into it.
In doing so, I realised we still used 'dnsDomain', which is not part
of the standard schema (now removed).
We also set the 'wrong' side of the linked attributes for the
masteredBy on each partition - this is now set in provision_self_join
and backlinks via the linked attributes code.
When we have the schema loaded, we must also have a valid domain SID
loaded, so that the objectclass module works. This required some ejs
glue.
Andrew Bartlett
(This used to be commit b0de08916e8cb59ce6a2ea94bbc9ac0679830ac1)
|
|
suppressed with --quiet. Hopefully this will be easier with python.
Andrew Bartlett
(This used to be commit f6e0e15fa5e2b0b7368ff945cc988579aaba0a6c)
|
|
by seperating the modules list into parts. That way, we can remove
the modules that the backend will provide.
Andrew Bartlett
(This used to be commit d67e5c7896f6d3064298897ae4d3204498824b06)
|
|
results, as used particularly by MMC's Active Directory Users and
Computers to list group members.
This may be used on any attribute, but is useful to obtain attributes
that may be lengthy in 'pages'. The implementation presumes that
attributes will always be returned by the DB in the same order.
Andrew Bartlett
(This used to be commit c789a91e00b47b2f02513e97101b9606d00c6aaa)
|
|
netbios names at this point, the calling order has changed, and we
have a more informative place to do it.
Andrew Bartlett
(This used to be commit 3136dccd542a72ecda0c73a91674383736571bb5)
|
|
Andrew Bartlett
(This used to be commit a71414ec3efd3e52a898b58bd2ea7d986518f531)
|
|
Templates just don't belong in the sam.ldb, as they don't obey any of
the other rules. This moves them to a seperate templates.ldb.
In samldb, this patch reworks the duplicate SID and Name detection
code, to use ldb_search_exp_fmt() rather than gendb_search. This
returns far more useful errors, which we now handle and report better.
The call to samdb_search_for_parent_domain() has been moved in samldb,
to allow both the account and SID uniqueness checks to be in the same
domain. This function also returns better errors.
dcesrv_drsuapi.c is updated for the new prototype of
samdb_search_for_parent_domain()
Andrew Bartlett
(This used to be commit f1ab90c88c782c693b41795d70368650806543b5)
|
|
metze
(This used to be commit c6d959e52cf4b86a52e46402392f32450d3c3635)
|
|
Create a phpLDAPadmin configuration file example to use ldapi to talk
to Samba4
Andrew Bartlett
(This used to be commit 54f4c8ba6127757fd272bd97e301188eb69977ed)
|
|
The aim here is to ensure that if we have
CN=Users,DC=samba,DC=example,DC=com
that we cannot have a DN of the form
cn=admin ,cn=useRS,DC=samba,DC=example,DC=com
This module pulls apart the DN, fixes up the relative DN part, and
searches for the parent to copy the base from.
I've used the objectclass module, as I intend to also validate the
placement of child objects, by reading the allowedChildClasses virtual
attribute.
In the future, I'll also force the attribute names to be consistant
(using the case from the schema).
Andrew Bartlett
(This used to be commit c0a0c69ac5a81cfcb7c7d5ba38db59f8686c30ab)
|
|
Much more work is still required here, particularly to handle this
better during the provision, and to handle modifies and deletes, but
this is a start.
Andrew Bartlett
(This used to be commit 2ba99d58e9fe1f8e4b15a58a2fdfce6e876f99b4)
|
|
built a linked_attributes module under this.
Andrew Bartlett
(This used to be commit 4f47e687e579feeb10bb866d62f0c757e5389709)
|
|
over the ldb_tdb part of the problem.
Andrew Bartlett
(This used to be commit daca0cfd2fc2ec3344415d2d31f399ee3bf16151)
|
|
(This used to be commit f61a9b706894de4fa8916b55a24f330eed9f5b0c)
|
|
when a template file is missing.
Andrew Bartlett
(This used to be commit 5093ea1cef910fe01a249b2d7ef602e2374e2b35)
|
|
used subobj.ROLE and not subobj.SERVERROLE as the rest of the code
does.
Andrew Bartlett
(This used to be commit dd1cb33591819c3d4263e594c7a80de899def223)
|
|
--server-role
This must be set to either 'domain controller', 'domain member' or 'standalone'.
The default for the provision now changes to 'standalone'.
This is not because Samba4 is particularlly useful in that mode, but
because we still want a positive sign from the administrator that we
should advertise as a DC.
We now do more to ensure the 'standalone' and 'member server'
provision output is reasonable, and try not to set odd things into the
database that only belong for the DC.
Andrew Bartlett
(This used to be commit 4cc4ed7719aff712e735628410bd3813c7d6aa40)
|
|
The Web 2.0, async client tools were really interesting, but without
developer backing they remain impossible to support into a release.
The most interesting app was the LDB browser, and I intend to replace
this with phpLdapAdmin, preconfigured for Apache during provision.
This also removes the need to 'compile' SWAT on SVN checkouts.
Andrew Bartlett
(This used to be commit cda965e908055d45b1c05bc29cc791f7238d2fae)
|
|
Andrew Bartlett
(This used to be commit 9f18a9711771a88be7c38bc26ae6e59fb98f93dd)
|
|
working module, live or dead, is purely co-incidental.
Andrew Bartlett
(This used to be commit 64cc31642fd2ded149631d07bc022213f19595b8)
|
|
The module is scary: On a rename, it does a search for all entries
under that entry (including itself), and fires off a seperate rename
call for each result. This will fail miserably on an LDAP backend,
but I'll need to work on using hdb for OpenLDAP, and hope Fedora DS
can implement subtree renames at some point.
Andrew Bartlett
(This used to be commit 13908a8cb4dd810503213203efb8d51f77f1f379)
|
|
provision failures when some of the random password values are illigal
LDIF.
Andrew Bartlett
(This used to be commit 876003f6c6466bfd37ec9b05c9a1f1cc83dd9898)
|
|
The keytab in dns.keytab should (I hope) do the job.
Andrew Bartlett
(This used to be commit af4d331eef91ef7699d179d15e7337fff1eff7bb)
|
|
LDIF files for the registry files.
(This used to be commit 67ad556b7388e5d82756e0a3cfc596e44136329c)
|
|
configuration.
When we sort out GSS-TSIG on the server, we can expand this to have
the 'right stuff'.
Andrew Bartlett
(This used to be commit 8f02ade1b2cc164f64f4ea8a371c107ccf6a81b3)
|
|
Before the provisioning enters to the function provision_default_paths (in
scripting/libjs/provision.js), the variable subobj.DNSDOMAIN isn't properly set
(for example for the filename of the DNS zonefile).
Andrew Bartlett
(This used to be commit 07a9db1438df93442c5b50b1b97ca69662749608)
|
|
On default Active Directory installations, the NETLOGON share isn't
an indipendent directory. In fact it's mapped to the subdirectory
"scripts" from the share SYSVOL under <Domain name>.
Andrew Bartlett
(This used to be commit 923d67ea9d78da46235221375b49b6f1d0d6a862)
|
|
This involves creating the SYSVOL and NETLOGON shares at provision
time, and creating the right subdirectories.
This also changes the behaviour of lp.get("foo") in ejs - we now
return undefined, rather than syntax error, if the parameter doesn't
exist (perhaps because the share isn't defined).
Andrew Bartlett
(This used to be commit 45cadf3bc0d38f6600666511a392e1ce353adee7)
|
|
where LDB isn't as strict as OpenLDAP, the self join record contains
duplicate servicePrincipalNames once the DNS name and domain name are
made equal. (Easier to just skip the useless self-join).
Andrew Bartlett
(This used to be commit 49ff929be6fcf57721532de13bdd7a7e1617af6f)
|
|
--ldap-manager-pass= option to work.
Andrew Bartlett
(This used to be commit fbcb1ec14125a4ca57922ec75b01af9a99dcd954)
|
|
Andrew Bartlett
(This used to be commit 17dad5d8c345c2c3a7643bff7a43473339a22d40)
|
|
to set up the LDAP backend.
Andrew Bartlett
(This used to be commit cc7900210a2e473060d5897ec729923ac6b2f18d)
|
|
on metze's schema work.
Andrew Bartlett
(This used to be commit 3111bbdf64f57bf8d2638fd9829c071dcfeb4af1)
|
|
patch).
- samba3sam.js: rework the samba3sam test to not use objectCategory,
as it's has special rules (dnsName a simple match)
- ldap.js: Test the ordering of the objectClass attributes for the baseDN
- schema_init.c: Load the mayContain and mustContain (and system...) attributes when
reading the schema from ldb
- To make the schema load not suck in terms of performance, write the
schema into a static global variable
- ldif_handlers.c: Match objectCategory for equality and canonicolisation
based on the loaded schema, not simple tring manipuation
- ldb_msg.c: don't duplicate attributes when adding attributes to a list
- kludge_acl.c: return allowedAttributesEffective based on schema results
and privilages
Andrew Bartlett
(This used to be commit dcff83ebe463bc7391841f55856d7915c204d000)
|