IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
I changed "uint32_t" to "unsigned int" since the LDB specification prescrives
"unsigned (int)" for counter variables (number of attributes,
number of values...).
Actually ildb_context pointer is not supposed to be
valid after calling ildb_request_done().
This is due to the fact that when calling ildb_request_done()
caller will (most probably) free any locally built
ldap_request objects - thus rendering ildb_context invalid.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
"i" needs to be unsigned on both places since it counts till a "count" variable
of a "struct ldb_result" object which itself is unsigned.
I see counting variables much better as "unsigned" since in most cases we don't
use negative values at all. We've only to be careful on binary searches and
downto counts regarding them.
sctx->refs_store was not initialised, and that made talloc_realloc
grumpy once we started actually returning referrals regularly from
Samba4's partitions module (0be57c7478
by mdw).
We now just use talloc_zero() and forget about this manual
initialisation work. Tracking down use of uninitialised variables
with valgrind was the grand idea when this started, but in practice we
just get segfaults in unusual places.
Andrew Bartlett
Current implementation synchronizes processing for
all types of LDAP request, not only LDAP_Search ones.
Synchronization for ldap replies processing is done
locally in ldb_ildap module as this concerns only
ildb_callback() function.
Signed-off-by: Anatoliy Atanasov <anatoliy.atanasov@postpath.com>
Checks if the partition's uSNUrgent is updated or not, depending
on the class of the object which is created, modified or deleted.
Signed-off-by: Andrew Tridgell <tridge@samba.org>
It's not fully clear what this ":dn" part means for us. What we know is that
older AD implementations (Windows Server 2000, 2003) need it to have extended
matches working in the expected way.
To be able to interoperate with s3's winbind and other tools I and gd decided
to transform this into a warning until we know what to do.
This should fix bug #6511.
We need to eventually get rid of ldb_msg_find_attr_as_string() (or add
a mem_ctx to it), but meanwhile we have too many places that break if
we don't add a nul to the end of ldb msg strings from python.
This changes the meaning of the ->prev pointer in our doubly linked
lists to point at the end of the list from the front of the list. That
allows us to implement DLIST_ADD_END() and related functions in O(1)
time, which can be a huge saving in many places in Samba.
This also means that the 'type' argument to various DLIST_*() macros
is no longer needed, but I have left it in for now to keep the
patchset small, which will make it easier to revert if any problems
are found. In the future we should remove the 'type' arguments.
(jra. Move the one use of DLIST_TAIL over to the new macros).
Current implementation mask NDR_ errors implicitly.
Thus the caller has no opportunity handle such an error.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
The test was using a "changetype: add" to try and add a member to a
group, where it should use a "changetype: modify" with a "add: member"
Also fixed the recovery when the test fails part way through (delete
the test users at the start as well as the end)
Nadya, please check!
The samldb module overrides the error code for some returns when
handling primaryGroupID. We need to take the error from the async
callback to allow this to work reliably
This is intended as a replacement for ldb_string_to_time() for ldb_val
inputs. This ensures it is length limited and includes additional
validity checks
When using w2k3 linked attributes we are allowed to have multiple
values on a single valued attribute. This happens when the other
values are deleted.
Setting the RELAX control tell the ldb-tdb backend to not check for
this on replace, which means the caller has to check for single valued
violations.
We need a separate RMD_LOCAL_USN to allow us to tell what attributes
need to be sent in a getncchanges request. Thanks to Metze for
pointing this out.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This is used to udpate just the DN components of a ldb_dn, leaving the
other extended fields alone. It is needed to prevent linked attribute
updates from removing other extended components.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This canonicalise avoids a problem with an add that has multiple
elements with the same el->name. That is allowed by MS servers, and by
ldb, but it breaks things like the tdb backend and the repl_meta_data
RPMD handling.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
If an ace has the PRINCIPAL_SELF as trustee, this sid has to be replaced with
the onjectSid of the object being checked. PRINCIPAL_SELF is the way to grant rights
to an account over itself.
It isn't very useful just saying that a control is not supported,
without saying which one is the problem
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
This control will allow inspection of internal ldb values, which would
normally be stripped before being presented to users. The first use
will be stripping linked attribute meta data extended components.
The first bug was that setting a component twice could cause it to
appear twice in the DN.
The second bug was that using an existing ldb_val from a previous call
of ldb_dn_get_extended_component() as an argument to
ldb_dn_set_extended_component() would cause a valgrind error (as the
array the val pointed into will change).
(as objectClass will always be a case insensitive ascii string, we can
make a much simpler match function here than for the general case).
Andrew Bartlett
This tries to show that the domain object should not have a
primaryGroupToken, for example. (This passes against the old and new
code, as the failure case requires an object with an objectSid, and
exactly one group in it's subtree. Sadly I don't know of a valid structure
that I can construct to test this).
Andrew Bartlett
Includes the following verifications for the constructed parentGUID:
- Checks if it returns nothing when there is no parent object
- Ensures that attributes mentioned after the parentGUID
are returned correctly (this avoid a bug pointed out by Tridge
during sync constructed parentGUID development)
Signed-off-by: Andrew Tridgell <tridge@samba.org>
This reverts commit 7d400715e9.
"convert_string_talloc_convenience" does always add the NULL termination. Didn't
know that. Thanks Jelmer for pointing out!
- reserve a new Samba OID for recalculate SD control
- fix the update SD function
- fix handling of kvno in the update_machine_account_password function
- fix handling of handles in RPC winreg server
Signed-off-by: Andrew Tridgell <tridge@samba.org>
We were testing for valid DNs in ldbrename in the command line
tool. This hid a bug in the ldb library where we caught a bad DN in
the objectclass module rather than in the main ldb code. It is better
to do validation of the DNs passed on the command line in the library
code, as this gives us more consistent error handling between the
programming APIs for ldb and the command line.
Apparently Windows Server (2003) doesn't like the comma delimiter here. I got
always error 16 ("LDB_NO_SUCH_ATTRIBUTE"). With this change the test works
again.
- The outside API contains "DN" string arguments: Bad. Since in this way we
fully rely on the outside calls regarding the right DN format. Solution: Use
always a "struct ldb_dn" entry. Since this one is interchangeable and we can
handle it in our preferred way.
- DN comparison: The function doesn't seem that efficient. I "upgraded" it a bit
to be more powerful (added a second length check and do both before the string
comparison)
When we rename or modify a record, we need to update the indexes at
the same time. It is important that we use the DN of the actual
message that is stored in the database to do this, not the DN that was
passed in by the user. If the two differ in case then the index
records needs to use the 'real' record DN, as index handling is
currently case sensitive.
When ildap created a new message to forward, it only copied controls for ldb_search
requests. This caused controls for add and modify to be lost in transition
and tests for them could not be implemented.
This specifically fixes a problem showing extra bytes of garbage in list and
print in regshell, even though the vk.data_length has the correct size.
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Don't add only a new objectclass but also a new attribute. Plus let now the
server itself calculate the "lDAPDisplayName" attribute and compare the result.
The DN escape function was using the form \c where c is any
character. The unescape function was using \XX where XX is a 2 digit
hex number. The asymmetry led to quite a few problems when we start to
deal with DNs containing escape chars, such as CN=foo\0ADEL:XXX. The
result was a DN that was not accessible.
This patch changes the escaping to follow RFC2253 much more
closely. We accept either type of escape, and produce the two types of
escape, depending on the character being escaped
This is now in dsdb_dn. Removing this to a specific wrapper avoids a
number of bugs where Binary DNs were being handled incorrectly.
This reverts much of tridge's commit
fd22e03047
Andrew Bartlett
This converts the code from using the binary DN code in ldb_dn to
using a special Samba-specfic wrapper around ldb_dn.
We also use the dsdb_dn code for DN+Binary and DN+String comparisons
(changed from treating them as Binary blobs)
Andrew Bartlett
Rather than have a repeat of the bugs we found at the plugfest where
hexidecimal strings must be in upper or lower case in particular
places, ensure that each caller chooses which case they want.
This reverts most of the callers back to upper case, as things were
before tridge's patch. The critical call in the extended DN code is
of course handled in lower case.
Andrew Bartlett
This size constraint is not correct in it's current form, as windows
does send us rDN values for CN with lengths longer than 64. Once we
know how this constraint really works we can add it back in.
This fixes up the broken "send" method of the python bindings and corrects some
other parameter lists in parsing functions (this is only cosmetic). The reason
for the bug was a superfluous "|"!
This helps pin down where errors occour, by printing a call stack and
setting error strings and trace messages in the transaction case.
Andrew Bartlett
The ldb_dn_explode code normally enforces all special characters,
including a '=', must be escaped. Unfortunately this conflicts with
the ltdb index DNs, which for binary attributes may be base64
encoded. This allows a unescaped '=' as a special case for index DNs.
I think this is better since "ldb_backend_connect" and "ldb_connect" which
propagate those values should return only LDB constants. Therefore a conversion
(especially for "-1") would be needed.
This allows us to reuse a ldb context if it is open twice, instead
of going through the expensive process of a full ldb open. We can
reuse it if all of the parameters are the same.
The change relies on callers using talloc_unlink() or free of a parent
to close a ldb context.
This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap
Intuitively you would think it couldn't be longer than the minimum of
the two lists, but we are deliberately allowing for duplicates at this
level of the indexing code, which means the result can be longer
This gets rid of the @IDXPTR approach to in-transaction indexing,
instead using an in-memory tdb to hold index values during a
transaction. This also cleans up a lot of the internal indexing logic,
hopefully making it easier to understand.
One of the big changes is in memory management, with a lot more use
made of talloc tricks to avoid copying dn lists, and shortcuts used to
avoid high intersection and union calculation costs.
The overall result is that a re-provision on my laptop goes from 48s
to a bit over 10s.
On OpenSolaris MAP_RENAME and friends are defined in <sys/mman.h> e.g. mmap and friends. So on these systems MAP_* have a meaning. Cleaned up LDB name space by adding LDB_ in front of MAP_* e.g. MAP_RENAME => LDB_MAP_RENAME
Signed-off-by: Torgeir Lerkerød <torgeir.lerkerod@gmail.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
We need to keep the old 'ares' from the remote server around so we can forward
it back to the caller. We can't send the same controls (from the last search
entry) twice (and it makes no sense anyway).
Andrew Bartlett
The biggest change is that 'oid' field is transmited in binary format.
Also the field name is changed to 'binary_oid' so that
field format to be clear for callers.
After those changes, Samba4 should work the way it works before -
i.e. no added value here but we should not fail when
partial-oid is part of prefixMap transmited from Win server.
Also, thre is a bug in this patch - partial-binary-OIDs are
not handled correctly. Partial-binary-OIDs received during
replication will be encoded, but not handled correctly.
For KERBEROS applications the realm should be upcase (function "lp_realm") but
for DNS ones it should be used lowcase (function "lp_dnsdomain"). This patch
implements the use of both in the right way.
This reverts commit f9990e9b39.
abartlet claims that this behaviour is too AD specific to put here. Btw I had
also some doubts if this is clean enough. I put it only here to make "ldap.py"
pass.
I'll try to find a new solution soon.
- Enhance test for "distinguishedName"
- Add a test for single-valued attributes
- Add a test for multi-valued attributes
- Add a test for empty messages
- Add a test for empty attributes
It's very useful to know the exact result code when something fails and not
only a generic (by the module) created one.
Sure, there are some exception cases with specific results (special message
constellations, attributes, values...) which shouldn't be changed at all
(examples of them are in the "ldap.py" test). Therefore I looked very
carefully to not change them.
When you try to add a 2nd value to a single valued attribute you get
LDB_ERR_ATTRIBUTE_OR_VALUE_EXISTS. w2k8-r2 join to s4 relies on this
error, doing a replace after it sees the error
