Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
lib/util/safe_string.h is similar to source3/include/safe_string.h, but
the former has fewer checks. It is missing bcopy, strcasecmp, and
strncasecmp.
Add the missing elements to lib/util/safe_string.h and remove the other
safe_string.h which is in the source3-specific path. To accommodate
existing uses of str(n?)casecmp, add #undef lines to source files where
they are used.
Signed-off-by: Matthew DeVore <matvore@google.com>
Reviewed-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 28 02:18:40 UTC 2020 on sn-devel-184
See RFC4511 section 4.4.1 and
https://lists.samba.org/archive/cifs-protocol/2020-August/003515.html
for details: Windows terminates LDAP connections when the krb5 ticket
expires, Samba should do the same. This patch slightly deviates from
Windows behaviour by sending a LDAP exop response with msgid 0 that is
ASN1-encoded conforming to RFC4511.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14465
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
We don't need the asn1 struct after this point anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Mon Aug 17 11:10:04 UTC 2020 on sn-devel-184
Slight optimization for the ldap server: We don't need to copy the
client PDU into the ASN1 struct, the decoding process happens
immediately in the same routine.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Add search request size limits to ldap_decode calls.
The ldap server uses the smb.conf variable
"ldap max search request size" which defaults to 250Kb.
For cldap the limit is hard coded as 4096.
Credit to OSS-Fuzz
REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20454
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14334
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Extended DN requests seem to have been incorrectly handled.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14029
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Thu Jul 11 05:25:26 UTC 2019 on sn-devel-184
Ensure that the referrals returned in a search request use the same
scheme as the request, i.e. referrals received via ldap are prefixed
with "ldap://" and those over ldaps are prefixed with "ldaps://"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12478
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri May 24 05:12:14 UTC 2019 on sn-devel-184
Based on earlier work by Garming Sam.
This allows the server to stop working on a reply that will never
be sent to the client as it is too large.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This should limit the amount we send to GENSEC at a
time where it may help avoid large realloc or memcpy calls.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This allows us to replace the implicit limit via data_blob_append()
removed in the previous commit.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This avoids the implicit 256MB limit on LDAP replies (allowing this
to be increased in the future) and means we copy less memory around.
However because we can only have 1024 entries in a struct iovec (on Linux)
we will need to call tstream_writev_queue_send() multiple times.
Calling it in chunks of 1024 seems a reasonable compromise, the
gensec layer will chunk it out smaller if required.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This avoids holding the memory for the response twice,
by the time the result is queued it is only ASN.1 encoded.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
This was always set to 0 so was pointless. Any LDAP scope can return 0 entries,
even a SCOPE_BASE if the filter does not match.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Removing this (system) database open from the later auth stack results
in a 15-30% improvement in different types of binds and on different
hardware (presumably better with slower disk speeds).
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb_msg_new() is currently the same as talloc_zero(), but it might
not always be.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This should silence CID 1418508 and CID 1418512
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.
Note that you would actually need to load >256MB of data into the LDAP.
Although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Add a post fork hook to the service API. This will be called:
- standard process model
  immediately after the task_init.
- single process model
  immediately after the task_init
- prefork process model, inhibit_pre_fork = true
  immediately after the task_init
- prefork process model, inhibit_pre_fork = false
  after each service worker has forked. It is not run on the service
  master process.
The post fork hook is not called in the standard model if a new process
is forked on a new connection. It is instead called immediately after
the task_init.
The task_init hook has been changed to return an error code. This ensures
the post_fork code is only run if the task_init code completed successfully.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu May 24 03:35:00 CEST 2018 on sn-devel-144
Instead, except in RPC which is a special SNOWFLAKE, we rely on the struct
service_details in the init function.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Refactor the process model code to allow the addition of a prefork
process model.
- Add a process context to contain process model specific state
- Add a service details structure to allow service to indicate which
  process model options they can support.
In the new code the services advertise the features they support to the
process model. The process model context is plumbed through to allow the
process model to keep track of the supported options, and any state
the process model may require.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
However, do not plumb it to the client-seen error string, as it could contain server paths.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
This allows one LDAP socket to proceed if another fails, and reduces the
impact of a crash becoming a DoS bug, as it only impacts one socket.
This may mean we have a lot of idle tasks, but this should not be a big
issue.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 15 13:18:47 CEST 2017 on sn-devel-144
We checked a few lines above already, check with:
git show -U10
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
The old conn->session_info (as well as conn->ldb) should only be changed
after a successful Bind().
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
talloc_reference will be removed completely in the next commits...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
We set result = LDAP_SUCCESS above and have goto do_reply;
in all cases where we overwrite 'result'.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>