path: root/source4/setup/provision_init.ldif
Age | Commit message | Author | Files | Lines
2012-11-30 | s4:provision: add pekList and msDS-ExecuteScriptPassword to @KLUDGEACL | Stefan Metzmacher | 1 | -0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Michael Adam <obnox@samba.org>
2012-03-26 | LDB/s4 - deny the "(dn=...)" syntax on search filters when in AD mode | Matthias Dieter Wallnöfer | 1 | -0/+1
Achieve this by introducing a "disallowDNFilter" flag. Reviewed-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-11-23 | s4:dsdb Move module configuration from each ldb into samba_dsdb.c | Andrew Bartlett | 1 | -0/+7
This makes getting the module order correct, the obligation of Samba4 developers, and not system administrators. In particular, once an ldb is updated to use only the 'samba_dsdb' module, no further changes to the ldb should be required when upgrading to later Samba4 versions. (thanks to metze for the suggestion of samba_dsdb as a long-term stable name for the module) Andrew Bartlett
2009-10-21 | s4:provision Set @OPTIONS in the provision_init.ldif | Andrew Bartlett | 1 | -0/+3
The new partitions code knows to copy these items in when creating a new partition, so we can set it from the start. Andrew Bartlett
2009-08-26 | s4:provision Ensure that @OPTIONS is mirrored into each partition | Andrew Bartlett | 1 | -3/+0
The previous patches to the provision system cut down on the number of reconnects, and disabled the partition handling for part of the process. This means we lost the setting of @OPTIONS as a replicated attribute into the partitions. Andrew Bartlett
2009-08-17 | s4:setup Don't manually set @ATTRIBUTES any more | Andrew Bartlett | 1 | -32/+0
We now set these as part of the schema load, and we now load the schema before the provision loads the DB, so setting them here is pointless Andrew Bartlett
2008-10-20 | Mark clearTextPassword as a privileged attribute | Andrew Bartlett | 1 | -0/+1
2008-08-20 | Apply attributes (and their syntax) from the schema into ldb | Andrew Bartlett | 1 | -0/+7
This changes the @ATTRIBUTES record to be for bootstrapping only, before we find the schema. Andrew Bartlett (This used to be commit 358477fcc041d5fb2e6ac5641c2f899cc49cfb69)
2008-07-12 | rename sambaPassword -> userPassword. | Andrew Bartlett | 1 | -2/+2
This attribute is used in a very similar way (virtual attribute updating the password) in AD on Win2003, so eliminate the difference. This should not cause a problem for on-disk passwords, as by default we do not store the plaintext at all. Andrew Bartlett (This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
2007-12-21 | r25960: Enable checks on the validity of the search base on sam.ldb in Samba4. | Andrew Bartlett | 1 | -0/+3
Remove bogus check to return NO_SUCH_ENTRY in ldap_backend.c, as this error is now correctly emitted from ldb. Andrew Bartlett (This used to be commit ed57862b90812e5a38ca81935b131338112fb19f)
2007-10-10 | r25203: Don't use subclasses in Samba4, as we always fill out the full | Andrew Bartlett | 1 | -11/+0
objectClass list. Andrew Bartlett (This used to be commit e882dcb7aaa52843c656084c47c0b3c49557c22e)
2007-10-10 | r21298: protect windows password attributes too | Stefan Metzmacher | 1 | -0/+11
metze (This used to be commit 5c779b3767b47c140fc658fb9aed0ebfd5d956f0)
2007-10-10 | r20568: split out the rootdse ldif | Stefan Metzmacher | 1 | -20/+0
and set the isSyncronized = TRUE when we are done metze (This used to be commit 5875ce1ac6ff694d07787ff0cf81b3429580311b)
2007-10-10 | r20557: use ${DOMAINDN} instead of ${BASEDN} | Stefan Metzmacher | 1 | -1/+1
metze (This used to be commit 2a6e6a2695b256411c91768c7bee748228e40e6f)
2007-10-10 | r20554: - use ${ROOTDN} for the rootDomainNamingContext | Stefan Metzmacher | 1 | -1/+1
- the ${CONFIGDN} is a child of the ${ROOTDN} metze (This used to be commit ebbd8a83c982efdc58e53798d1fd191f08731005)
2007-10-10 | r20553: add ${CONFIGDN} and ${SCHEMADN} instead of using hardcoded paths | Stefan Metzmacher | 1 | -5/+5
under ${BASEDN} metze (This used to be commit 09ca6aae12d8e10b76971cf269f7c62f228a4c87)
2007-10-10 | r20551: use variable instead of hardcoded value for the default site | Stefan Metzmacher | 1 | -2/+2
metze (This used to be commit 21f433018afbb7b94089969f7ee9acda40ee1a70)
2007-10-10 | r19258: Don't delete the contents of the partitions twice, and in particular | Andrew Bartlett | 1 | -16/+0
don't delete their contents until we have specified the new partition locations. However, preserve the important part of tridge's change, that is to ensure that no database index is present when the mass delete occurs. In my testing, it is best to leave the index until the provision is completed. Andrew Bartlett (This used to be commit 962219df7dc53ce6f6889f4b71ee19850c7ff7b5)
2007-10-10 | r19253: it's not so useful to index on objectclass. Much better to search on | Andrew Tridgell | 1 | -1/+0
objectCategory provision now takes 2.4 secs, down from 24s on my laptop (This used to be commit 3d3144cc06b9987adb3f17e43f2858e7c416b6ae)
2007-10-10 | r18979: With these extra indexes (also added for the normal case) and a | Andrew Bartlett | 1 | -0/+2
DB_CONFIG file, we now get reasonable enough performance to pass 'make test' against OpenLDAP. We do have to double the maximum runtime for the torture client however. Andrew Bartlett (This used to be commit 5b3c8cc036c1180c9e96d9aaacd3f2e0a83460e5)
2007-10-10 | r18440: "builtinDomain" is not a child of "domain" | Simo Sorce | 1 | -1/+0
(This used to be commit b34646f202d4e8016e627c4bb88842c21d6b2e10)
2007-10-10 | r17600: Finish the schema conversion tool, and add a mapping file, used to map | Andrew Bartlett | 1 | -0/+2
OIDs and skip built-in attributes. Andrew Bartlett (This used to be commit cb2b9d800d1228d41f7872a7b7c8ea5f07816c61)
2007-10-10 | r17504: Do not use the invented unixID but use the rfc2307 uidNumber and | Simo Sorce | 1 | -1/+2
gidNumber attributes instead Do not change unixName right now, we don't have an attribute to use in the posixGroup class, and I think we should remove its usage altogether and look up users and groups by their uid/gid only. Simo. (This used to be commit d57b521aadf24a277152ec1ff1dac3210bd14316)
2007-10-10 | r17330: Enable the partitions module. | Andrew Bartlett | 1 | -14/+0
This module redirects various samdb requests into different modules, depending on the prefix. It also makes moving to an LDAP backend easier, as it is just a different partition backend. This adds yet another stage to the provision process, as we must setup the partitions before we setup the magic attributes. Andrew Bartlett (This used to be commit 31225b9cb6ef6fcb7bd831043999b1b44ef1b128)
2007-10-10 | r16082: Index objectCategory like objectClass, as it is searched on a lot. | Andrew Bartlett | 1 | -0/+1
Andrew Bartlett (This used to be commit 954785db03455daf2ff9b2828e31cb7efffe4f11)
2007-10-10 | r16028: Re-add the objectclass module, in the new async scheme. | Andrew Bartlett | 1 | -1/+1
Add a test to show that we need this, and to prove it works (for add at least). Andrew Bartlett (This used to be commit f72079029abb594677bf8c2b63e40c07e910004f)
2007-10-10 | r15942: Remove the sync internal ldb calls altogether. | Simo Sorce | 1 | -1/+1
This means that some modules have been disabled as well as they have not been ported to the async interface One of them is the ugly objectclass module. I hope that the change in samldb module will make the MMC happy without the need of this crappy module, we need proper handling in a decent schema module. proxy and ldb_map have also been disabled ldb_sqlite3 need to be ported as well (currently just broken). (This used to be commit 51083de795bdcbf649de926e86969adc20239b6d)
2007-10-10 | r15795: Try to use the async code by default | Simo Sorce | 1 | -2/+2
It passes all my tests, but I still need to work on a lot of stuff. Shouldn't impact anybody else's work, so I want to commit now and see what happens Will work to remove the old code from modules and backends soon, and make some more restyling in ldb internals. So, if there is something you don't like in this design please speak now. Simo. (This used to be commit 8b2a563e716a789ea77cbfbf2f372724de5361ce)
2007-10-10 | r14313: Add comments describing some of the dependencies here. | Andrew Bartlett | 1 | -0/+5
Andrew Bartlett (This used to be commit a79a185b6a8a0ac81a380ff6df5a11e45a19cb16)
2007-10-10 | r13907: By ordering things this way, we allow the password_hash module to set | Andrew Bartlett | 1 | -1/+1
the pwdLastSet time on new users (with passwords) correctly. Andrew Bartlett (This used to be commit e1b346b8e096130328440fa388de3474fadc7332)
2007-10-10 | r13369: let's have a way to show the samba4 version through ejs | Simo Sorce | 1 | -0/+2
and use it in provisioning to fulfill rfc 3045 requirements (This used to be commit 3fb9571a76481560304a826fc945983d52123299)
2007-10-10 | r12941: Add Attribute Scoped Search control | Simo Sorce | 1 | -1/+1
want to see what it does ? do aq make test and try: ./bin/ldbsearch -H st/private/sam.ldb --controls=asq:1:member -s base -b 'CN=Administrators,CN=Builtin,DC=samba,DC=example,DC=com' 'objectclass=*' have fun. simo. (This used to be commit 900f4fd3435aacc3351f30afb77d3488d2cb4804)
2007-10-10 | r12762: Simo correctly asked that the policy logic (which attributes contain | Andrew Bartlett | 1 | -0/+9
passwords) be moved into the database, and not be hard-coded in the module source. Andrew Bartlett (This used to be commit 1fbe09ce818ac1603bd747610262865b8698fe04)
2007-10-10 | r12746: An initial version of the kludge_acls module. | Andrew Bartlett | 1 | -1/+1
This should be replaced with real ACLs, which tridge is working on. In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js interface to add a system_session() all, as it still doesn't get on with me :-) Andrew Bartlett (This used to be commit be9d0cae8989429ef47a713d8f0a82f12966fc78)
2007-10-10 | r12745: Initial work to support a syntax to pass over controls via | Simo Sorce | 1 | -1/+1
command line to ldbsearch. Very rough work, no checks are done on the input yet (will segfault if you make it wrong).
Controls are passed via the --controls switch and are comma separated (no escaping yet).
General syntax is <ctrl_name>:<criticality>
<ctrl_name> is a string
<criticality> is 1 or 0
Current semi-parsed controls are:
server_sort
  syntax: server_sort:1:0:attributename
  1st parm: criticality
  2nd parm: reversed
  3rd parm: attribute name to be used for sorting
  todo: still missing support for multiple sorting attributes and ordering rule
        no check on result code
paged_results
  syntax: paged_results:1:100
  1st parm: criticality
  2nd parm: number of results to be returned
  todo: ldbsearch will return only the first batch (missing code to cycle over conditionally)
        no check on result code
extended_dn
  syntax: extended_dn:1:0
  1st parm: criticality
  2nd parm: type, see MS docs on meaning
Simo. (This used to be commit 4c685ac0d1638a1d5392dfe733baf0db77e84858)
2007-10-10 | r12720: By metze's request, rename the ntPwdHistory attribute to | Andrew Bartlett | 1 | -2/+2
sambaNTPassword. Likewise lmPwdHistory -> sambaLMPwdHistory. The idea here is to avoid having conflicting formats when we get to replication. We know the base data matches, but we may need to use a module to munge formats. Andrew Bartlett (This used to be commit 8e608dd4bf4f108e02274a9977ced04a0a270570)
2007-10-10 | r12719: Rename unicodePwd -> sambaPassword. | Andrew Bartlett | 1 | -1/+1
Because we don't know the syntax of unicodePwd, we want to avoid using that attribute name. It may cause problems later when we get replication from windows. I'm doing this before the tech preview, so we don't get too many surprises as folks upgrade databases into later versions. Andrew Bartlett (This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
2007-10-10 | r12686: Push the real SASL list into the rootdse. | Andrew Bartlett | 1 | -1/+0
Get this out of the server credentials, and push it down to ldb via an opaque pointer. Andrew Bartlett (This used to be commit 61700252e05e0be6b4ffa72ffc24a95c665597e3)
2007-10-10 | r12600: Add a new module to sort the objectclass attribute on store. The | Andrew Bartlett | 1 | -1/+1
module is perhaps not the most efficient, but I think it is reasonable. This should restore operation of MMC against Samba4 (broken by the templating fixes). Andrew Bartlett (This used to be commit 41948c4bdbfca1160a01a92994324f9e22422afe)
2007-10-10 | r12599: This new LDB module (and associated changes) allows Samba4 to operate | Andrew Bartlett | 1 | -1/+2
using pre-calculated passwords for all kerberos key types. (Previously we could only use these for the NT# type). The module handles all of the hash/string2key tasks for all parts of Samba, which was previously in the rpc_server/samr/samr_password.c code. We also update the msDS-KeyVersionNumber, and the password history. This new module can be called at provision time, which ensures we start with a database that is consistent in this respect. By ensuring that the krb5key attribute is the only one we need to retrieve, this also simplifies the run-time KDC logic. (Each value of the multi-valued attribute is encoded as a 'Key' in ASN.1, using the definition from Heimdal's HDB. This simplifies the KDC code.). It is hoped that this will speed up the KDC enough that it can again operate under valgrind. (This used to be commit e9022743210b59f19f370d772e532e0f08bfebd9)
2007-10-10 | r12384: I can't spell... | Andrew Bartlett | 1 | -1/+1
(This used to be commit 566bbfd067f43d86eacc1e867e6f64bac85e285d)
2007-10-10 | r12383: Fixes for Apple's AD client. Don't segfault in the KDC, and they | Andrew Bartlett | 1 | -0/+1
require the isSynchronized flag in the rootDSE. Andrew Bartlett (This used to be commit e48464c8844b4af1976d8379aef8db9baddd3687)
2007-10-10 | r11954: add the static rootdse content to the sam ldb, and enable the rootdse | Andrew Tridgell | 1 | -1/+21
module in @MODULES (This used to be commit cfab88fcc2c740a6d3fd456a009fbb60061b3a53)
2007-10-10 | r10916: - finished the 'operational' ldb module | Andrew Tridgell | 1 | -1/+1
- removed the timestamps module, replacing it with the operational module
- added a ldb_msg_copy_shallow() function which should be used when a module wants to add new elements to a message on add/modify. This is needed because the caller might be using a constant structure, or may want to re-use the structure again
- enabled the UTC time attribute syntaxes in the operational module
(This used to be commit 61e8b010223ac6a0573185008f3719ba29574688)
2007-10-10 | r8778: index on nCName in sam.ldb. This was costing us about 75% of the time | Andrew Tridgell | 1 | -0/+1
in each smb login (This used to be commit f6d24d063ad1a96c326ce6a60adfc224d905afc6)
2007-10-10 | r8667: Further simplify the provision script, by removing the 'name' attribute. | Andrew Bartlett | 1 | -1/+1
This is now calculated on the fly for every add and modify. Andrew Bartlett (This used to be commit ed1f2e029c840d2b3ecb49dbe6e8cd67588eeeed)
2007-10-10 | r8650: Use the timestamps and a new objectguid module rather than placing | Andrew Bartlett | 1 | -0/+51
boilerplate attributes in every entry in provision.ldif. The next step will be to use templates. Andrew Bartlett (This used to be commit 940ed9827f5ab83b668a60a2b0110567dd54c3e2)