1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

82 Commits

Author SHA1 Message Date
Matthias Dieter Wallnöfer
44df2488e3 s4: fix various warnings (not "const" related ones) 2009-10-02 15:33:48 +02:00
Andrew Bartlett
7496095c1b s4:libcli/ldap Explain why we set a hostname for ldapi:// connections
It is a pretty odd thing to do, and it's only because of the
restrictions of DIGEST-MD5 in Cyrus SASL that we do it.

Andrew Bartlett
2009-08-17 11:08:42 +10:00
Stefan Metzmacher
a3bcbd1775 s4:libcli/ldap: the tls code steals the original socket on its own now
metze
2009-07-31 14:42:05 +02:00
Stefan Metzmacher
f6b0a99cef libcli/ldap: move generic ldap control encoding code to ldap_message.c
As they can we static there, we pass the specific handlers as parameter
where we need to support controls.

metze
2009-02-24 17:55:41 +01:00
Andrew Tridgell
bb7e6f0f51 Worked around a problem with select/poll/epoll and gnutls
Our packet layer relies on the event system reliably telling us when a
packet is available. When we are using a socket layer like TLS then
things get a bit trickier, as there may be bytes in the encryption
buffer which could be read even if there are no bytes at the socket
level. The GNUTLS library is supposed to prevent this happening by
always leaving some data at the socket level when there is data to be
processed in its buffers, but it seems that this is not always
reliable.

To work around this I have added a new packet option
packet_set_unreliable_select() which tells the packet layer to not
assume that the socket layer has a reliable select, and to instead
keep trying to read from the socket until it gets back no data. This
option is set for the ldap client and server when TLS is negotiated.

This seems to fix the problems with the ldaps tests.
2009-02-18 17:37:45 +11:00
Stefan Metzmacher
1c8580cfa9 s4:libcli/ldap: convert to tevent_* api
metze
2009-01-03 19:58:56 +01:00
Stefan Metzmacher
5fa0d3d568 s4:socket: use a socket_wrapper aware function to auto close the fd event for sockets
metze
2009-01-03 19:58:53 +01:00
Stefan Metzmacher
183c379fe5 s4:lib/tevent: rename structs
list=""
list="$list event_context:tevent_context"
list="$list fd_event:tevent_fd"
list="$list timed_event:tevent_timer"

for s in $list; do
	o=`echo $s | cut -d ':' -f1`
	n=`echo $s | cut -d ':' -f2`
	r=`git grep "struct $o" |cut -d ':' -f1 |sort -u`
	files=`echo "$r" | grep -v source3 | grep -v nsswitch | grep -v packaging4`
	for f in $files; do
		cat $f | sed -e "s/struct $o/struct $n/g" > $f.tmp
		mv $f.tmp $f
	done
done

metze
2008-12-29 20:46:40 +01:00
Stefan Metzmacher
fc31f2c526 s4:lib/socket: socket_connect_send() and socket_connect_ev() should only wrok with addresses
metze
2008-12-18 13:32:51 +01:00
Jelmer Vernooij
8baf169549 Fix function parameters. 2008-10-23 22:10:08 +02:00
Jelmer Vernooij
9565999755 Fix include paths to new location of libutil. 2008-10-11 21:31:42 +02:00
Simo Sorce
b2901da479 LDB ASYNC: misc changes 2008-09-29 04:22:20 +02:00
Simo Sorce
83b0c5d43f Fix nasty bug that would come up only if a client connection to a remote
ldap server suddenly dies.
We were creating a wrong talloc hierarchy, so the event.fde was not
freed automatically as expected. This in turn made the event system call
the ldap io handlers with a null packet structure, causing a segfault.
Fix also the ordering in ldap_connection_dead()
Thanks to Metze for the huge help in tracking down this one.
2008-09-24 01:43:57 -04:00
Andrew Bartlett
403f4f94ff Make up a full hostname for ldapi connections.
The DIGEST-MD5 SASL method requires a hostname, so provide one.

Andrew Bartlett
(This used to be commit edfb2ed1f2)
2008-07-15 15:10:29 +10:00
Simo Sorce
4e83011f72 Remove more event_context_init() uses from function calls within deep down the code.
Make sure we pass around the event_context where we need it instead.
All test but a few python ones fail. Jelmer promised to fix them.
(This used to be commit 3045d39162)
2008-04-21 18:12:33 -04:00
Jelmer Vernooij
afe3e8172d Install public header files again and include required prototypes.
(This used to be commit 47ffbbf674)
2008-04-02 04:53:27 +02:00
Jelmer Vernooij
939edd0eb7 util: Move asn1 to lib/util to trim down the number of subsystems.
(This used to be commit 44e1cfd2d0)
2008-01-15 01:04:38 +01:00
Jelmer Vernooij
5f4842cf65 r26376: Add context for libcli_resolve.
(This used to be commit 459e1466a4)
2007-12-21 05:49:12 +01:00
Jelmer Vernooij
b65dba2245 r26355: Eliminate global_loadparm in more places.
(This used to be commit 5d589a0d94)
2007-12-21 05:49:01 +01:00
Jelmer Vernooij
01d2acfdb4 r26335: Specify name_resolve_order to socket code.
(This used to be commit b03e5d0011)
2007-12-21 05:48:46 +01:00
Jelmer Vernooij
2f8dc4f48f r26266: Remove more global_loadparm uses.
(This used to be commit 99113075c4)
2007-12-21 05:47:42 +01:00
Jelmer Vernooij
bbdfbf8d9d r26238: Add a loadparm context parameter to torture_context, remove more uses of global_loadparm.
(This used to be commit a33a553054)
2007-12-21 05:47:20 +01:00
Andrew Bartlett
364266e22a r26192: Handle, test and implement the style of extended_dn requiest that MMC uses.
It appears that the control value is optional, implying type 0 responses.

Failing to parse this was causing LDAP disconnects with 'unavailable
critical extension'.

Andrew Bartlett
(This used to be commit 833dfc2f2a)
2007-12-21 05:46:44 +01:00
Andrew Tridgell
5861a17042 r25692: fixed another example where the free of fde and the free of the socket
causes the fd to be closed before epoll is told
(This used to be commit d19686cf8a)
2007-12-21 05:43:16 +01:00
Jelmer Vernooij
2151cde580 r25554: Convert last instances of BOOL, True and False to the standard types.
(This used to be commit 566aa14139)
2007-10-10 15:07:55 -05:00
Andrew Tridgell
0479a2f1cb r23792: convert Samba4 to GPLv3
There are still a few tidyups of old FSF addresses to come (in both s3
and s4). More commits soon.
(This used to be commit fcf38a38ac)
2007-10-10 14:59:12 -05:00
Andrew Tridgell
931f594cf1 r23036: error checking on asn1_init() failure
(This used to be commit 26cf849408)
2007-10-10 14:52:43 -05:00
Andrew Tridgell
7bb939b1cb r23030: finally fixed up our asn1 code to use better memory allocation. This
should allow us to fix some long standing memory leaks.
(This used to be commit 3db49c2ec9)
2007-10-10 14:52:42 -05:00
Andrew Bartlett
cb00a33c67 r22884: Be consistant with the case of these constants.
Andrew Bartlett
(This used to be commit 7b086eebd6)
2007-10-10 14:52:28 -05:00
Stefan Metzmacher
1c8b46bb72 r22405: fix memory leak in error path
metze
(This used to be commit d19195bfa5)
2007-10-10 14:51:15 -05:00
Andrew Bartlett
9b03286b32 r21806: I've been working over the last week to fix up the LDAP backend for
Samba4.  This only broke on global catalog queries, which turned out to
be due to changes in the partitions module that metze needed for his
DRSUAPI work.

I've reworked partitions.c to always include the 'problematic' control,
and therefore demonstrated that this is the issue.  This ensures
consistency, and should help with finding issues like this in future.

As this control (DSDB_CONTROL_CURRENT_PARTITION_OID) is not intended to
be linearised, I've added logic to allow it to be skipped when creating
network packets.

I've likewise make our LDAP server skip unknown controls, when marked
'not critical' on it's input, rather than just dropping the entire
request.  I need some help to generate a correct error packet when it is
marked critical.

Further work could perhaps be to have the ldap_encode routine return a
textual description of what failed to encode, as that would have saved
me a lot of time...

Andrew Bartlett
(This used to be commit eef710668f)
2007-10-10 14:49:29 -05:00
Andrew Bartlett
3370f2f2d7 r21761: - Give more detail on LDAP client library failures (make it clear
where the error is from)

- Make default error string more consistant

Andrew Bartlett
(This used to be commit 7f115579d2)
2007-10-10 14:49:24 -05:00
Jelmer Vernooij
4fa24df98d r19507: Merge my DSO fixes branch. Building Samba's libraries as shared libraries
works again now, by specifying --enable-dso to configure.
(This used to be commit 7a01235067)
2007-10-10 14:24:41 -05:00
Andrew Tridgell
e91cee468e r18309: FreeBSD 6.1 has a symbol ldap_new_connection() in the system ldap
library. Even though we don't like to that library, it gets loaded via
nss-ldap, which means nss-ldap calls into the samba ldap lib with the
wrong parameters, and crashes.

We really need to use a completely different namespace in libcli/ldap/
(This used to be commit c440e0eed9)
2007-10-10 14:18:06 -05:00
Andrew Tridgell
d7534e0cc7 r18256: use the right status variable
(This used to be commit f4b4bd945f)
2007-10-10 14:17:57 -05:00
Andrew Bartlett
e21e8379a2 r18024: The %c sscanf format I'm using doesn't null terminate.
Andrew Bartlett
(This used to be commit 1920cb8b39)
2007-10-10 14:17:04 -05:00
Andrew Bartlett
22ced36791 r18021: Add ldapi support to our LDAP client. To be used for testing an
OpenLDAP backend.

Andrew Bartlett
(This used to be commit da66b53e6a)
2007-10-10 14:17:03 -05:00
Jelmer Vernooij
0329d755a7 r17930: Merge noinclude branch:
* Move dlinklist.h, smb.h to subsystem-specific directories
 * Clean up ads.h and move what is left of it to dsdb/
   (only place where it's used)
(This used to be commit f7afa1cb77)
2007-10-10 14:16:54 -05:00
Andrew Bartlett
9d6f276717 r17222: Change the function prototypes for the GENSEc and TLS socket creation
routines to return an NTSTATUS.  This should help track down errors.

Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.

Always return a new socket, even for the 'pass-though' case.

Andrew Bartlett
(This used to be commit 003e2ab93c)
2007-10-10 14:10:20 -05:00
Andrew Bartlett
ba07fa43d0 r17197: This patch moves the encryption of bulk data on SASL negotiated security
contexts from the application layer into the socket layer.

This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets.  It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default.  It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.

This patch mirrors the earlier work done to move TLS into the socket
layer.

Unusual in this pstch is the extra read callback argument I take.  As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data.  This would leave the system without an event
to restart the read (as the socket is dry).

As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop.  I believe that
the TLS code does require a similar callback.

In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:

+-----------------+---------------------+
| SASL  Packet #1 | SASL Packet #2      |
----------------------------------------+
| LDAP Packet #1       | LDAP Packet #2 |
----------------------------------------+

In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP.  Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.

Without data on the socket, read events stop.  That is why I add timed
events, until the SASL buffer is drained.

Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).

In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code.  The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length.  (1 + n/2).  This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.

Andrew Bartlett
(This used to be commit 5d7c9c12cb)
2007-10-10 14:10:18 -05:00
Andrew Tridgell
971d30bb20 r15854: more talloc_set_destructor() typesafe fixes
(This used to be commit 61c6100617)
2007-10-10 14:08:32 -05:00
Andrew Bartlett
742c110cd6 r15400: Move the TLS code behind the socket interface.
This reduces caller complexity, because the TLS code is now called
just like any other socket.  (A new socket context is returned by the
tls_init_server and tls_init_client routines).

When TLS is not available, the original socket is returned.

Andrew Bartlett
(This used to be commit 09b2f30dfa)
2007-10-10 14:05:32 -05:00
Simo Sorce
886329898c r15288: fix some problems
(This used to be commit d448389be8)
2007-10-10 14:05:02 -05:00
Simo Sorce
13f17436ea r15241: Add helper function to set reconnect status defaults
(This used to be commit 6fff8f871a)
2007-10-10 14:04:23 -05:00
Simo Sorce
8f16429947 r15238: Add some code to automatically reconnect if we want to.
(This used to be commit e2102999e2)
2007-10-10 14:04:23 -05:00
Simo Sorce
00fe70e5b9 r13609: Get in the initial work on making ldb async
Currently only ldb_ildap is async, the plan
is to first make all backend support the async calls,
and then remove the sync functions from backends and
keep the only in the API.

Modules will need to be transformed along the way.

Simo
(This used to be commit 1e2c13b2d5)
2007-10-10 13:51:59 -05:00
Simo Sorce
c908d0b2aa r12733: Merge ldap/ldb controls into main tree
There's still lot of work to do but the patch is stable
enough to be pushed into the main samba4 tree.

Simo.
(This used to be commit 77125feaff)
2007-10-10 13:49:47 -05:00
Jelmer Vernooij
78c50015bb r12694: Move some headers to the directory of the subsystem they belong to.
(This used to be commit c722f665c9)
2007-10-10 13:49:39 -05:00
Jelmer Vernooij
d4de4c2d21 r12608: Remove some unused #include lines.
(This used to be commit 70e7449318)
2007-10-10 13:49:03 -05:00
Jelmer Vernooij
2cd5ca7d25 r12542: Move some more prototypes out to seperate headers
(This used to be commit 0aca5fd513)
2007-10-10 13:47:55 -05:00