| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This looks much nicer than "normal" string exceptions - and fits better in the OO
programming style.
|
|
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
|
|
Tests show that Windows Server seems to do the access checks on the very last moment.
|
|
This fixes up the change of the primary group of a user when using the ADUC
console:
- When the "primaryGroupId" attribute changes, we have to delete the
"member"/"memberOf" attribute reference of the new primary group and add one
for the old primary group.
- Deny deletion of primary groups according to Windows Server (so we cannot
have invalid "primaryGroupID" attributes in our AD).
- We cannot add a primary group directly before it isn't a secondary one of a
user account.
- We cannot add a secondary reference ("member" attribute) when the group has
been chosen as primary one.
This also removes the LDB templates which are basically overhead now.
This should also fix bug #6599.
|
|
Changed the provisioning to use the new script to parse the Microsoft-provided
DisplaySpecifiers LDIF file.
|
|
|
|
|
|
The repl_meta_data module needs to be above the linked_attributes
module, to allow linked_attributes to do its magic
|
|
One for getting attributes with DN syntax, one for getting forward
linked attributes and one for getting the list of partition
|
|
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
|
|
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
|
|
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.
Andrew Bartlett
|
|
|
|
my last patch was not even close ...
I'll leave abartlet to work out how to fix the test case
|
|
Andrew, can you please check this? The idmap.setup_name_mapping tests
look totally out of place here. I'm also not sure I captured your
intention with the other changes
|
|
Hopefully this will explain a bit more whey things are done the way
that they are done.
Andrew Bartlett
|
|
The Samba4 schema code (called via
samdb.set_schema_from_ldb(schema.ldb)) manages the @ATTRIBUTES and
@INDEXLIST records, so don't wipe them early. The chances are that we
will not change them anyway.
Andrew Bartlett
|
|
Found by Oliver Liebel <oliver@itc.li>
Andrew Bartlett
|
|
This makes no sense, and just causes trouble - we are aiming for
DIGEST-MD5 or NTLM.
Andrew Bartlett
|
|
|
|
This should make setting up LDAP servers more predictable.
When not specified, it is random
Andrew Bartlett
|
|
Using a single transaction to both erase the bulk of the data and the
rebuild of that data means that the in-memory index list is
maintained, and not written out to disk until it is all compleated.
All the writes then occour at the end.
Andrew Bartlett
|
|
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
|
|
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.
As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).
Andrew Bartlett
|
|
|
|
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
|
|
|
|
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains it's copy only as a cached view onto the
original values.
We also use the functional level to determine if we should store AES
Kerberos keys.
Andrew Bartlett
|
|
|
|
|
|
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
|
|
This was missed in the earlier work to use this in provision-backend
Andrew Bartlett
|
|
Loading data in a transaction is faster than without.
Andrew Bartlett
|
|
This removes a level of indirection via external binaries in the
provision-backend code, and also makes better use of our internal code
for loading schema from an LDIF file.
Remaining to do: Sort the output again, as the load from LDIF is
unsorted (also needed because the normal LDB load from sorted input is too slow
anyway, and is only needed here).
Andrew Bartlett
|
|
|
|
For example, if we don't create the admin user (perhaps expecting
users to be in LDAP already, or we are due an incoming replication) we
should not confuse the administrator by printing a unused password.
Andrew Bartlett
|
|
Conflicts:
source4/scripting/python/samba/provision.py
|
|
Also remove the copy of the licence text from licence.txt, to ensure
we don't get variations between the copies.
Andrew Bartlett
|
|
|
|
Here's a first attempt at moving the minschema_wspp code into a
library as Andrew requested. Since this script no longer has to
generate CN=aggregate, I've simplified it quite a bit to a level where
it almost does a line-by-line translation. This is faster and simpler,
but it may not catch as many errors in the ad-schema files as the
previous versions did.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
- removed workaround for olcSyncprovConfig - creation (works perfect now
with 2.4.15, release was today)
- added 1 message-helpline, which is displayed when running
provision-backend with olc and/or mmr setup
- corrected 1 wrong slapcommand-helpline
- slapd.conf is removed now in case of olc-setup
- added 1 copyright-line to provision.py and provision-backend
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
These extensions add mmr (multi-master-replication) and olc
(openldap-online-configuration) capabilities to the
provisioning-scripts (provision-backend and provision.py), for use
with the openldap-backend (only versions >=2.4.15!).
Changes / additions made to the provision-backend -script:
added new command-line-options:
--ol-mmr-urls=<list of whitespace separated ldap-urls> for use with mmr
(can be combined with --ol-olc=yes),
--ol-olc=[yes/no] (activate automatic conversion from static slapd.conf
to olc),
--ol-slaptest=<path to slaptest binary> (needed in conjunction with
--ol-olc=yes)
Changes / additions made to the provision.py -script: added
extensions, that will automatically generate the chosen mmr and/or olc
setup for the openldap backend, according to the to chosen parameters
set in the provision-backend script
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
|
|
|
We need to figure out why the deletes on the database fail, but for
now doing an unlink of templates_tdb isn't too bad.
Andrew Bartlett
|
|
other exceptions silently.
|
|
python module.
|
|
|
|
fixes test.
|
|
|
