Age | Commit message (Collapse) | Author | Files | Lines |
|
It is a pretty odd thing to do, and it's only because of the
restrictions of DIGEST-MD5 in Cyrus SASL that we do it.
Andrew Bartlett
|
|
Found by Oliver Liebel <oliver@itc.li>
Andrew Bartlett
|
|
Spotted by MICHAEL BROWN <mbrown@mesainc.com>
Andrew Bartlett
|
|
This makes no sense, and just causes trouble - we are aiming for
DIGEST-MD5 or NTLM.
Andrew Bartlett
|
|
|
|
This should make setting up LDAP servers more predictable.
When not specified, it is random
Andrew Bartlett
|
|
This fixes the recursive delete in erase_partitions()
For reasons I cannot understand, it is possible to get 'no such
object' trying to delete a DN I just search for without error. Oh
well...
Andrew Bartlett
|
|
Using a single transaction to both erase the bulk of the data and the
rebuild of that data means that the in-memory index list is
maintained, and not written out to disk until it is all compleated.
All the writes then occour at the end.
Andrew Bartlett
|
|
|
|
This removes a *lot* of duplicated code and the cause of much
administrator frustration. We now handle starting and stopping the
slapd (at least for the provision), and ensure that there is only one
'right' way to configure the OpenLDAP and Fedora DS backend
We now run OpenLDAP in 'cn=config' mode for online configuration.
To test what was the provision-backend code, a new --ldap-dryrun-mode
option has been added to provision. It quits the provision just
before it would start the LDAP binaries
Andrew Bartlett
|
|
(These will be added back in a future commit)
|
|
We now set these as part of the schema load, and we now load the
schema before the provision loads the DB, so setting them here is
pointless
Andrew Bartlett
|
|
This makes it possible to do a bit more of the provision with Samba
helpers, but without some of the otherwise useful things (such as
loading in the global schema) that SamDB does.
Rewrite provision_erase to use a recursive search, rather than a
looping subtree search. This is much more efficient, particularly now
we have one-level indexes enabled.
Delete the @INDEX and similar records *after* deleting all other
visible records, this hopefully also assists performance.
Andrew Bartlett
|
|
This helps ensure we don't load the schema too often in the provision
(allowing a reference in of the schema before the modules load).
Andrew Bartlett
|
|
We need to find a better way to apply this (used in the Fedora DS LDAP
backend), not by trying to tunnel this down the module stack.
Andrew Bartlett
|
|
This allows us to load the schema against one ldb context, but apply
it to another. This will be useful in the provision script, as we
need the schema before we start the LDAP server backend.
Adnrew Bartlett
|
|
|
|
|
|
Either the username or the filter are allowed. If both are given the filter is
going to be used due to a higher precedence.
|
|
|
|
one-line wrapper)
|
|
With the previous check I got random failures when trying to connect to the
LDAP server.
|
|
This corrects commit 7a82aed71b74af8bc2a8a4381541adbb22452d20. The
steal did not set ent->attributes, so it was incorrect to assign to
ent->attributes.
Andrew Bartlett
|
|
This talloc_steal also conflicts with the ldb_map code, and like the
previous commit, is rudundent given the talloc_steal of the whole msg
above.
Andrew Bartlett
|
|
There may or may not be a need to take a reference to the 'name' in
the ldb_map code, but given we seal the whole msg just above here, it
makes no senst to steal the name, but not the values.
Andrew Bartlett
|
|
I want to use this in source3/smbd/
metze
|
|
This will hold code that's shared between source3 and source4.
metze
|
|
|
|
|
|
Tests for the right behaviour of this introduced constructed attribute.
Since we don't support the read-only-ness of those attributes yet, I commented
some lines out.
Also I had to add a function for python which converts domain SIDs in RIDs.
And a small fix for the "groupType" test.
|
|
|
|
This moves the "operational" LDB module to the right place under "dsdb/samdb/ldb_modules"
(suggested by abartlet) and enhances it for supporting dynamic generated
"primaryGroupToken" for AD groups. This should fix bug #6466.
|
|
This fixes the problem with the setting and getting of the "minPwdAge" and
"maxPwdAge" attributes. I wanted to handle them in days but forgot to add
conversions (from "ticks" (tenth of microsecond) -> "days" and backwards).
|
|
the last unlink
Through a suggestion pointed out in bug #6622 the test file sometimes doesn't exist on
the last turn anymore. So we haven't to fail here since it could have been deleted by
a concurrent process (e.g. when the same test runs multiple times). Therefore also
NT_STATUS_OBJECT_NAME_NOT_FOUND is an acceptable result.
|
|
This commit includes:
- Additional static object data in SAMBA 4's AD to start supporting of
- forest updates, - lost and found, - quotas on DS, - physical locations,
- licensing of sites, - subnets, - policies for WMI, - DNS entries in AD
- Reordering of provision*.ldif files to be able to find entries and make future
additions easier
- Add comments in provision*.ldif files to point out where subentries are located
when they are based in other LDIFs
- Removations of autogenerated "cn" attributes
|
|
|
|
|
|
when a client disconnects we expect this to happen, so don't print an
error each time
|
|
As the version of OpenLDAP required for Samba4 is fairly new, we don't
want to make it a requirement before this python code is run in 'make
test'.
As such, skip over the actual starting of slapd, but check the rest
runs alright (which still validates syntax and other modules).
Andrew Bartlett
|
|
|
|
|
|
heres the summary of all changes/extensions:
- Andrew Bartlett's patch to generate indext
- Howard Chu's idea to use nosync on the DB included, but made optional
- slaptest-path is not needed any more (slapd -Ttest is used instead)
and is therefore removed. slapd-path is now recommended when
openldap-backend is chosen.
its also used for olc-conversion
- slapd-detection is now always done by ldapsearch (ldb module),
looking anonymous for objectClass: OpenLDAProotDSE via our ldapi_uri.
- if ldapsearch was not successfull, (no slapd listening on our socket)
slapd is
started via special generated slapdcommand_prov (ldapi_uri only)
- slapd-"provision-process" startup is done via pythons subprocess.
- the slapd-provision-pid is stored under paths.ldapdir/slapd_provision_pid.
- after provision-backend is finished:
--- slapd.pid is compared with our stored slapd_provision_pid.
if the are unique, slapd.pid will be read out, and the
slapd "provison"-process will be shut down.
--- proper slapd-shutdown is verified again with ldb-search -> ldapi_uri
-> rootDSE.
--- if the pids are different or one of the pid-files is missing, slapd
will not be shut down,
instead an error message is displayed to locate slapd manually
--- extended help-messages (relevant to slapd) are always displayed,
e.g. the commandline with which slapd has to be started when everythings
finished
(slapd-commandline is stored under paths.ldapdir/slapd_command_file.txt))
- upgraded the content of the mini-howto (howto-ol-backend-s4.txt)
|
|
This is used by at patch to the NTP project to supply authenticated
time as required by MS-SNTP. (ie, to keep windows clients in time sync
in the domain)
Andrew Bartlett
|
|
easier way
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
metze
|
|
During the creation of the 3 RPC pipes in winbind we try to steal the
RPC binding structure to be a child of the pipe once the pipe is
established. This fails with a talloc warning as the rpc connection
code already holds a reference to the binding.
The fix is to use talloc_reparent() instead.
|