1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Commit Graph

38 Commits

Author SHA1 Message Date
Andrew Tridgell
5e54558c6d r23784: use the GPLv3 boilerplate as recommended by the FSF and the license text
(This used to be commit b0132e94fc)
2007-10-10 12:28:22 -05:00
Jeremy Allison
d824b98f80 r23779: Change from v2 or later to v3 or later.
Jeremy.
(This used to be commit 407e6e695b)
2007-10-10 12:28:20 -05:00
Volker Lendecke
0d91334fe7 r21784: Replace smb_register_idle_event() with event_add_timed(). This fixes winbind
who did not run the idle events to drop ldap connections.

Volker
(This used to be commit af3308ce5a)
2007-10-10 12:18:33 -05:00
Volker Lendecke
55e70f6987 r20215: Next step trying to fix the Solaris build.
I think "anonimous" is correctly spelled "anonymous". The Solaris compile is
referring to this as "anonymous" in line 814 of smbldap.c. Simo, please check.

Thanks,

Volker
(This used to be commit a77d8fa08e)
2007-10-10 12:16:33 -05:00
Simo Sorce
4225f9a4bd r20116: Start merging in the work done to create the new idmap subsystem.
Simo.
(This used to be commit 50cd8bffee)
2007-10-10 12:16:25 -05:00
Günther Deschner
38060f70a5 r16122: As we use 'inetOrgPerson' as structural objectclass for new accounts for
eDir, we already add 'sn' as required attribute on LDAP add
operations.

When we modify an entry, we need to request 'sn' as well in our
attribute lists, so that we don't try to add it a second time.

Guenther
(This used to be commit e018ea3d1d)
2007-10-10 11:17:21 -05:00
Gerald Carter
75ef18fa75 r13460: by popular demand....
* remove pdb_context data structure
* set default group for DOMAIN_RID_GUEST user as RID 513 (just
  like Windows)
* Allow RID 513 to resolve to always resolve to a name
* Remove auto mapping of guest account primary group given the
  previous 2 changes
(This used to be commit 7a2da5f0cc)
2007-10-10 11:10:04 -05:00
Gerald Carter
0af1500fc0 r13316: Let the carnage begin....
Sync with trunk as off r13315
(This used to be commit 17e63ac4ed)
2007-10-10 11:06:23 -05:00
Gerald Carter
54abd2aa66 r10656: BIG merge from trunk. Features not copied over
* \PIPE\unixinfo
* winbindd's {group,alias}membership new functions
* winbindd's lookupsids() functionality
* swat (trunk changes to be reverted as per discussion with Deryck)
(This used to be commit 939c3cb5d7)
2007-10-10 11:04:48 -05:00
James Peach
2c42509673 r9303: Clobber compiler warnings. Patch from Jason Mader <jason@ncac.gwu.edu> plus
some extra function declarations. Bugzilla bug #2523.
(This used to be commit 98d364459d)
2007-10-10 11:00:32 -05:00
Volker Lendecke
d3d6126d94 r6351: This is quite a large and intrusive patch, but there are not many pieces that
can be taken out of it, so I decided to commit this in one lump. It changes
the passdb enumerating functions to use ldap paged results where possible. In
particular the samr calls querydispinfo, enumdomusers and friends have
undergone significant internal changes. I have tested this extensively with
rpcclient and a bit with usrmgr.exe. More tests and the merge to trunk will
follow later.

The code is based on a first implementation by Günther Deschner, but has
evolved quite a bit since then.

Volker
(This used to be commit f0bb44ac58)
2007-10-10 10:56:38 -05:00
Jeremy Allison
a5f84481e3 r5655: Added support for Novell NDS universal password. Code donated by
Vince Brimhall <vbrimhall@novell.com> - slight tidyup by me to
use Samba conventions.
Vince - thanks a *lot* for this code - please test to make sure
I haven't messed anything up.
Jeremy.
(This used to be commit 6f5ea963ab)
2007-10-10 10:55:54 -05:00
Volker Lendecke
f51677051c r5428: Apply some const. LDAP attribs should now be declared const char *attr[]. This
gives some new warnings in smbldap.c, but a the callers are cleaned up.

Volker
(This used to be commit 543799fc0d)
2007-10-10 10:55:40 -05:00
Günther Deschner
6c84ecb556 r5349: After talking with Jerry, reverted the addition of account policies to
passdb in 3_0 (they are still in trunk).

Guenther
(This used to be commit fdf9bdbbac)
2007-10-10 10:55:38 -05:00
Günther Deschner
b4afdc08d5 r4925: Migrate Account Policies to passdb (esp. replicating ldapsam).
Does automated migration from account_policy.tdb v1 and v2 and offers a
pdbedit-Migration interface. Jerry, please feel free to revert that if
you have other plans.

Guenther
(This used to be commit 75af83dfcd)
2007-10-10 10:55:08 -05:00
Günther Deschner
0c6010238d r4840: * Add more generic root-dse inspection function to check for given
controls or extensions.
* Check and remember if ldapsam's LDAP Server support paged results
(in preparation of adding async paged-results to set|get|end-sampwent in
ldapsam).

Guenther
(This used to be commit ced58bd884)
2007-10-10 10:53:57 -05:00
Gerald Carter
c3ba8b9a53 r4736: small set of merges from rtunk to minimize the diffs
(This used to be commit 4b351f2fcc)
2007-10-10 10:53:52 -05:00
Volker Lendecke
55fe875a44 r3563: During a typical logon a modern workstation makes a lot of anonymous session
setups on its way to open a pipe. This gets rid of many round-trips to the
LDAP server during logon by setting up the server_info_guest once and not
asking the LDAP server and nss every time. Make sure that the ldap connection
is reopened in the child. (I did not look at the sql backends.)

Volker
(This used to be commit 3298f6105e)
2007-10-10 10:53:09 -05:00
Volker Lendecke
ec62d5a968 r2444: Based on jmcd's patch, implement special lists for the ldap user attributes to
delete.

Richard, IMHO this is the better solution to the problem you currently
have. Please review.

Thanks,

Volker
(This used to be commit 6957d6a892)
2007-10-10 10:52:43 -05:00
Jeremy Allison
bdab948fcf r1810: Patch from Richard Renard <rrenard@idealx.com> to store
logon hours attributes in an LDAP database.
Jeremy.
(This used to be commit dac72638fb)
2007-10-10 10:52:21 -05:00
Volker Lendecke
ec1bbbf858 r1588: This is one of the more pathetic patches I ever checked in. Many hours of
coding have passed, but I could not find a way to get the OpenLDAP libraries
to reliably time out on any of the queries we make, *and* get correct error
returns. No, async calls and ldap_result does NOT work, or I was simply too
stupid to correctly interpret the OpenLDAP manpage and source.

We can not allow to hang indefinitely in an ldap query, especially not for
winbindd. "ldap timeout" now specifies the overall timeout for the complete
operation, that's why I increased that to 15 seconds.

Volker
(This used to be commit 269f075087)
2007-10-10 10:52:16 -05:00
Jeremy Allison
1c5867502a r1388: Adding password history code for ldap backend, based on a patch from
"Jianliang Lu" <j.lu@tiesse.com>. Multi-string attribute changed to
linearised pstring due to ordering issues. A few other changes to
fix race conditions. I will add the tdb backend code next. This code
compiles but has not yet been tested with password history policy
set to greater than zero. Targeted for 3.0.6.
Jeremy.
(This used to be commit dd54b2a3c4)
2007-10-10 10:52:09 -05:00
Jeremy Allison
569177a194 r1317: Patch from Joe Meadows "Joe Meadows" <jameadows@webopolis.com> to
add a timeout to the ldap open calls. New parameter, ldap timeout
added.
Jeremy.
(This used to be commit e5b3094c4c)
2007-10-10 10:52:06 -05:00
Gerald Carter
7af3777ab3 r116: volker's patch for local group and group nesting
(This used to be commit b393469d95)
2007-10-10 10:51:10 -05:00
Jim McDonough
a15393a3d9 r53: Remove modifyTimestamp from list of our attributes. We just check it for
cache entry time comparisons in password lockout.  Fixes problems where
pdb_ldap tries to delete the operational attribute modifyTimestamp when
deleting a user account.
(This used to be commit 5ebcb9081e)
2007-10-10 10:51:06 -05:00
Jim McDonough
357998ddbd Password lockout for LDAP backend. Caches autolock flag, bad count, and
bad time locally, updating the directory only for hitting the policy limit
or resetting.

This needed to be done at the passdb level rather than auth, because some
of the functions need to be supported from tools such as pdbedit.  It was
done at the LDAP backend level instead of generically after discussion,
because of the complexity of inserting it at a higher level.

The login cache read/write/delete is outside of the ldap backend, so it could
easily be called by other backends.  tdbsam won't call it for obvious
reasons, and authors of other backends need to decide if they want to
implement it.
(This used to be commit 2a679cbc87)
2004-03-18 19:22:51 +00:00
Jim McDonough
3d18997afd Get MungedDial actually working with full TS strings in it for pdb_ldap.
I know this isn't pretty, but neither was our assumption that all strings
from the directory fit inside a pstring.  There was no way this worked
before will all versions of usrmgr (for example, the only version of
mine that has the TS Confic button).
(This used to be commit d275c0e384)
2004-03-11 16:32:19 +00:00
Jim McDonough
401959b7d7 Add bad password count/time attributes
(This used to be commit 003318939f)
2004-02-23 02:47:33 +00:00
Volker Lendecke
3a1b189a9f This is metze's LDAP rebind sleep patch:
When smb.conf tells us to write to a read-only LDAP replica and we are
redirected by the LDAP server, the replication might take some seconds,
especially over slow links. This patch delays the next read after a rebind for
'ldap rebind sleep' milliseconds.

Metze, thanks for your patience.

Volker
(This used to be commit 63ffa770b6)
2003-12-25 22:42:15 +00:00
Gerald Carter
5df2fd4175 support munged dial for ldapsam; patch from Aurlien Degrmont; bug 800
(This used to be commit 1c3c16abc9)
2003-12-04 04:52:00 +00:00
Jeremy Allison
3a48e4b287 The "unknown_5" 32 bit field in the user structs is actually 2 16-bit
fields, bad_password_count and logon_count. Ensure this is stored/fetched
in the various SAMs. As it replaces the unknown_5 field this fits
exactly into the tdb SAM without any binary problems. It also is added
to the LDAP SAM as two extra attributes. It breaks compatibility with
the experimental SAMs xml and mysql. The maintainers of these SAMs must
fix them so upgrades like this can be done transparently. I will insist
on the "experimental" status until this is solved.
Jeremy.
(This used to be commit cd7bd8c2da)
2003-09-18 23:53:48 +00:00
Volker Lendecke
9ec9df5fe4 Disconnect an idle LDAP connection after 150 seconds.
Not strictly a bugfix, but it should considerably reduce the load we
put on LDAP servers given that at least nss_ldap on Linux keeps a
connection open.

And it should also stress our reconnect-code a bit more ;-)

Thanks to metze for this!

Volker
(This used to be commit e68d8eabeb)
2003-07-17 11:24:54 +00:00
Andrew Bartlett
4168d61fb2 This patch cleans up some of our ldap code, for better behaviour:
We now always read the Domain SID out of LDAP.  If the local secrets.tdb
is ever different to LDAP, it is overwritten out of LDAP.   We also
store the 'algorithmic rid base' into LDAP, and assert if it changes.
(This ensures cross-host synchronisation, and allows for possible
integration with idmap).  If we fail to read/add the domain entry, we just
fallback to the old behaviour.

We always use an existing DN when adding IDMAP entries to LDAP, unless
no suitable entry is available.  This means that a user's posixAccount
will have a SID added to it, or a user's sambaSamAccount will have a UID
added.  Where we cannot us an existing DN, we use
'sambaSid=S-x-y-z,....' as the DN.

The code now allows modifications to the ID mapping in many cases.

Likewise, we now check more carefully when adding new user entires to LDAP,
to not duplicate SIDs (for users, at this stage), and to add the sambaSamAccount
onto the idmap entry for that user, if it is already established (ensuring
we do not duplicate sambaSid entries in the directory).

The allocated UID code has been expanded to take into account the space
between '1000 - algorithmic rid base'.  This much better fits into what
an NT4 does - allocating in the bottom part of the RID range.

On the code cleanup side of things, we now share as much code as
possible between idmap_ldap and pdb_ldap.

We also no longer use the race-prone 'enumerate all users' method for
finding the next RID to allocate.  Instead, we just start at the bottom
of the range, and increment again if the user already exists.  The first
time this is run, it may well take a long time, but next time will just
be able to use the next Rid.

Thanks to metze and AB for double-checking parts of this.

Andrew Bartlett
(This used to be commit 9c595c8c23)
2003-07-04 13:29:42 +00:00
Andrew Bartlett
eb61c82382 Patch to move functions directly from pdb_ldap.c into lib/smbldap.c
The functions are unchanged.  Next step is to make idmap_ldap use them.

Andrew Bartlett
(This used to be commit 57617a0f8c)
2003-06-25 12:51:58 +00:00
Andrew Bartlett
f70cc4cdc1 This patch works towards to goal of common code shared between idmap_ldap
and pdb_ldap.

So far, it's just a function rename, so that the next patch can be a very
simple matter of copying functions, without worrying about what changed
in the process.

Also removes the 'static' pointers for the rebind procedures, replacing them
with a linked list of value/key lookups.  (Only needed on older LDAP client
libs)

Andrew Bartlett
(This used to be commit f93167a7e1)
2003-06-21 00:45:03 +00:00
Gerald Carter
70da79f8a8 fix build on systems w/o LDAP libs
(This used to be commit f33aeaa039)
2003-06-06 20:31:19 +00:00
Gerald Carter
711f8d0a13 * break out more common code used between pdb_ldap and idmap_ldap
* remove 'winbind uid' and 'winbind gid' parameters (replaced
  by current idmap parameter)
* create the sambaUnixIdPool entries automatically in the 'ldap
  idmap suffix'
* add new 'ldap idmap suffix' and 'ldap group suffix' parametrer
* "idmap backend = ldap" now accepts 'ldap:ldap://server/' format
  (parameters are passed to idmap init() function
(This used to be commit 1665926281)
2003-06-06 13:48:39 +00:00
Gerald Carter
3bdfd57a2d working draft of the idmap_ldap code.
Includes sambaUnixIdPool objectclass

Still needs cleaning up wrt to name space.
More changes to come, but at least we now have a
a working distributed winbindd solution.
(This used to be commit 8241758544)
2003-06-05 02:34:30 +00:00