IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This is slightly less efficient, because we no longer keep a cache on
the gensec structures, but much clearer in terms of memory ownership.
Both gensec_session_info() and gensec_session_key() now take a mem_ctx
and put the result only on that context.
Some duplication of memory in the callers (who were rightly uncertain
about who was the rightful owner of the returned memory) has been
removed to compensate for the internal copy.
Andrew Bartlett
thi ensures we are using the header corresponding to the version of
ldb we're linking against. Otherwise we could use the system ldb for
link and the in-tree one for include
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
We need to be able to set the logon parameters in the same way as in the
ntlm server so we can handle openldap simple authentication call correctly.
Autobuild-User: Anatoliy Atanasov <anatoliy@samba.org>
Autobuild-Date: Fri Nov 5 06:32:43 UTC 2010 on sn-devel-104
This should make our sasl and tls handling much more robust
against partial sent pdus.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Fri Oct 8 11:55:26 UTC 2010 on sn-devel-104
This reverts commit b53fbc75ac.
There are problems with problems with broken gnutls versions.
We can readd this once we have the needed configure checks to
detect the bug in gnutls. See https://bugzilla.samba.org/show_bug.cgi?id=7218.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Thu Oct 7 10:31:18 UTC 2010 on sn-devel-104
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
ldap server suddenly dies.
We were creating a wrong talloc hierarchy, so the event.fde was not
freed automatically as expected. This in turn made the event system call
the ldap io handlers with a null packet structure, causing a segfault.
Fix also the ordering in ldap_connection_dead()
Thanks to Metze for the huge help in tracking down this one.
CN=Administrator,CN=Users,DC=w2k3,DC=vmnet1,DC=vm,DC=base
Administrator@W2K3
W2K3\Administrator
w2k3.vmnet1.vm.base/Users/Administrator
w2k3 also allows this (and maybe more...?)
metze
(This used to be commit 40c27ef88d)
Break up auth/auth.h not to include the world.
Add credentials_krb5.h with the kerberos dependent prototypes.
Andrew Bartlett
(This used to be commit 2b569c42e0)
emacs compile mode (hint, paste to a file, and compile as "cat
filename").
This allowed me to fix nearly all the warnings for a IA_64 SuSE build
very quickly.
(This used to be commit eba6c84eff)
and gensec_server_start().
calling them with NULL for event context or messaging context
is no longer allowed!
metze
(This used to be commit 679ac74e71)
- we need this to later:
- to disallow a StartTLS when TLS is already in use
- to place the TLS socket between the raw and sasl socket
when we had a sasl bind before the StartTLS
- and rfc4513 says that the server may allow to remove the TLS from
the tcp connection again and reuse raw tcp
- and also a 2nd sasl bind should replace the old sasl socket
metze
(This used to be commit 10cb9c07ac)
routines to return an NTSTATUS. This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
(This used to be commit 003e2ab93c)
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
(This used to be commit 5d7c9c12cb)
The session_info was not being attached to the connection, so
subsequent checks in the kludge_acl module were looking at free()ed
memory.
Andrew Bartlett
(This used to be commit 7e9079ac7a)
will not use it anyway as we plan to support
partitions in ldb directly like with rootdse
Merge ldap_simple_ldb into ldap_backend, it is
not simple anymore and makes no sense to have
it separated now that ldap partitions are gone
Initial attempt at working to some limit to avoid DOSs
for the ldap server.
Simo.
(This used to be commit 97bff3e049)
authentication. This pulls the creating of the keytab back to the
credentials code, and removes the special case of 'use keberos keytab
= yes' for now.
This allows (and requires) the callers to specify the credentials for
the server credentails to GENSEC. This allows kpasswdd (soon to be
added) to use a different set of kerberos credentials.
The 'use kerberos keytab' code will be moved into the credentials
layer, as the layers below now expect a keytab.
We also now allow for the old secret to be stored into the
credentials, allowing service password changes.
Andrew Bartlett
(This used to be commit 205f77c579)
authenticated session down into LDB. This associates a session info
structure with the open LDB, allowing a future ldb_ntacl module to
allow/deny operations on that basis.
Along the way, I cleaned up a few things, and added new helper functions
to assist. In particular the LSA pipe uses simpler queries for some of
the setup.
In ldap_server, I have removed the 'ldasrv:hacked' module, which hasn't
been worked on (other than making it continue to compile) since January,
and I think the features of this module are being put into ldb anyway.
I have also changed the partitions in ldap_server to be initialised
after the connection, with the private pointer used to associate the ldb
with the incoming session.
Andrew Bartlett
(This used to be commit fd7203789a)
- got rid of the special cases for sasl buffers
- added a tls_socket_pending() call to determine how much data is waiting on a tls connection
- removed the attempt at async handling of ldap calls. The buffers/sockets are all async, but the calls themselves
are sync.
(This used to be commit 73cb4aad22)