Age | Commit message (Collapse) | Author | Files | Lines |
|
administrator not the user
|
|
|
|
The "setpassword" script should use the "samdb_set_password" call to change
the NT user password. Windows Server tests show that "userPassword" is not the
right place to save the NT password and does not inherit the password complexity.
|
|
This looks much nicer than "normal" string exceptions - and fits better in the OO
programming style.
|
|
I fixed them up to match with Windows Server 2003. I don't think that the
creation of them in the provision script is needed so I put them in the
"provision_users.ldif" file.
|
|
Tests show that Windows Server seems to do the access checks on the very last moment.
|
|
This fixes up the change of the primary group of a user when using the ADUC
console:
- When the "primaryGroupId" attribute changes, we have to delete the
"member"/"memberOf" attribute reference of the new primary group and add one
for the old primary group.
- Deny deletion of primary groups according to Windows Server (so we cannot
have invalid "primaryGroupID" attributes in our AD).
- We cannot add a primary group directly before it isn't a secondary one of a
user account.
- We cannot add a secondary reference ("member" attribute) when the group has
been chosen as primary one.
This also removes the LDB templates which are basically overhead now.
This should also fix bug #6599.
|
|
We need this new function to delete users and computers before other objects
on reprovisioning. Otherwise primary groups could be deleted before user/computer
accounts (which isn't allowed anymore by the reworked "samldb" module).
|
|
|
|
this is needed for the _msdcs zone
|
|
Changed the provisioning to use the new script to parse the Microsoft-provided
DisplaySpecifiers LDIF file.
|
|
Created this script based on the existing ms_schema.py script.
- Removed some unnecessary transformations that are only necessary for schema
processing.
- Added capability to parse and properly output base64-encoded values.
- Removed unnecessary attributes based on what attributes were present (and also
what were explicitly removed) from display_specifiers.ldif.
|
|
This is a perl script that does TSIG-GSS DNS updates against a AD
DC. The bind 9.5 nsupdate still doesn't seem to work with TSIG-GSS,
and we need a way to do DNS updates when we vampire a domain, so I
revived this ancient perl script and added a wrapper script that can
update DNS entries using our machine account credentials
|
|
The version of the unitest python module in Ubuntu Jaunty doesn't seem
to support this many level of subdirectories. Moving the tests up one
level solves the problem.
|
|
|
|
|
|
The repl_meta_data module needs to be above the linked_attributes
module, to allow linked_attributes to do its magic
|
|
One for getting attributes with DN syntax, one for getting forward
linked attributes and one for getting the list of partition
|
|
|
|
The previous patches to the provision system cut down on the number of
reconnects, and disabled the partition handling for part of the
process. This means we lost the setting of @OPTIONS as a replicated
attribute into the partitions.
Andrew Bartlett
|
|
This allows us to test out the code that will do the modify of the
prefixMap, and to provide the bindings that may assist a future
upgrade script.
Andrew Bartlett
|
|
This will ensure that the GUID can be filled in correctly, and assist
us to validate DN targets in the future.
Andrew Bartlett
|
|
We were failing because CN=Deleted Objects, which is marked as
'deleted' itself, could not be re-added in a reprovision.
Andrew Bartlett
|
|
the changes from Matthias didn't take account of url and lp being None
in some ldb python instances in 'make test'
|
|
- Centralise the lookups for the default domain (root) in the call "domain_dn"
- Reduce the LDB connections attempts ("connect" calls) from three to one
- tools should load faster
- Make the LDB connection init more like the "ldb_wrap_connection" call
- Load the right UTF8 casefolder which fixes up problems with special characters
(discovered by me: e.g. small "Umlaute" (ä, ö, ü, ...) in the DN weren't upcased
- so records "seemed" lost in TDB)
|
|
Needed for special characters (e.g. in German "Umlaute")
|
|
This reverts commit 53ef426e6f68728763436bd0cd3dd91180c00579.
As abartlet pointed out this causes to load all attributes and therefore gives
us more here than we need (only the check for the DN)!
|
|
|
|
my last patch was not even close ...
I'll leave abartlet to work out how to fix the test case
|
|
Andrew, can you please check this? The idmap.setup_name_mapping tests
look totally out of place here. I'm also not sure I captured your
intention with the other changes
|
|
|
|
Hopefully this will explain a bit more whey things are done the way
that they are done.
Andrew Bartlett
|
|
The Samba4 schema code (called via
samdb.set_schema_from_ldb(schema.ldb)) manages the @ATTRIBUTES and
@INDEXLIST records, so don't wipe them early. The chances are that we
will not change them anyway.
Andrew Bartlett
|
|
Found by Oliver Liebel <oliver@itc.li>
Andrew Bartlett
|
|
This makes no sense, and just causes trouble - we are aiming for
DIGEST-MD5 or NTLM.
Andrew Bartlett
|
|
|
|
This should make setting up LDAP servers more predictable.
When not specified, it is random
Andrew Bartlett
|
|
This fixes the recursive delete in erase_partitions()
For reasons I cannot understand, it is possible to get 'no such
object' trying to delete a DN I just search for without error. Oh
well...
Andrew Bartlett
|
|
Using a single transaction to both erase the bulk of the data and the
rebuild of that data means that the in-memory index list is
maintained, and not written out to disk until it is all compleated.
All the writes then occour at the end.
Andrew Bartlett
|
|
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
|
|
(These will be added back in a future commit)
|
|
This makes it possible to do a bit more of the provision with Samba
helpers, but without some of the otherwise useful things (such as
loading in the global schema) that SamDB does.
Rewrite provision_erase to use a recursive search, rather than a
looping subtree search. This is much more efficient, particularly now
we have one-level indexes enabled.
Delete the @INDEX and similar records *after* deleting all other
visible records, this hopefully also assists performance.
Andrew Bartlett
|
|
This helps ensure we don't load the schema too often in the provision
(allowing a reference in of the schema before the modules load).
Andrew Bartlett
|
|
This allows us to load the schema against one ldb context, but apply
it to another. This will be useful in the provision script, as we
need the schema before we start the LDAP server backend.
Adnrew Bartlett
|
|
|
|
|
|
Tests for the right behaviour of this introduced constructed attribute.
Since we don't support the read-only-ness of those attributes yet, I commented
some lines out.
Also I had to add a function for python which converts domain SIDs in RIDs.
And a small fix for the "groupType" test.
|
|
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.
As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).
Andrew Bartlett
|
|
|
|
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
|