IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
for objectClass=xyz. The code has been warning at me 'no
covert_operator set', and indeed this is the case. (It then proceeds to
strip this as a search expression)
In this commit, I have implemented a convert_operator for objectClass,
by pretending it is a simple MAP_CONVERT operator for the search
requests.
I also have changed the logic for when we should bail out. I can only
see reason to bail out on the search if we have both local and remote
trees. How can a remote-only search be un-splittable?
Andrew Bartlett
(This used to be commit 656e58672c)
needs to be renamed (operation_add?).
This allows me to match the behaviour and substitute with the
entryUUID module for remote LDAP connections.
Andrew Bartlett
(This used to be commit af02b4d7c6)
<mkhl@samba.org>.
Martin took over the work done last year by Jelmer, in last year's
SoC. This was a substanital task, as the the ldb modules API changed
significantly during the past year, with the addition of async calls.
This changeset reimplements and enables the ldb_map ldb module and
adapts the example module and test case, both named samba3sam, to the
implementation.
The ldb_map module supports splitting an ldb database into two parts
(called the "local" and "remote" part) and storing the data in one of
them (the remote database) in a different format while the other acts
as a fallback.
This allows ldb to e.g. store to and load data from a remote LDAP
server and present it according to the Samba4 schema while still
allowing the LDAP to present and modify its data separately.
A complex example of this is the samba3sam module (by Jelmer
Vernooij), which maps data between the samba3 and samba4 schemas.
A simpler example is given by the entryUUID module (by Andrew
Bartlett), which handles some of the differences between AD and
OpenLDAP in operational attributes. It principally maps objectGUID,
to and from entryUUID elements. This is also an example of a module
that doesn't use the local backend as fallback storage.
This merge also splits the ldb_map.c file into smaller, more
manageable parts.
(This used to be commit af2bece4d3)
Do not change unixName right now, we don't have an attribute to use in the posixGroup class,
and I think we should remove its usage altogether and look up users and groups by their uid/gid only.
Simo.
(This used to be commit d57b521aad)
with this you can limit a search to a specific partitions
or a search over all partitions without getting referrals.
(Witch is the default behavior on the Global Catalog Port)
metze
(This used to be commit 4ccd0f8171)
because the handlers are called within the async callbacks
in side the main search.
Also it makes no sense to give the sddl encoder the sid of the primary
domain when we need a description of a real security_descriptor,
this only makes sense for the defaultSecurityDescriptor...
metze
(This used to be commit 92f133f1ef)
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore
Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply
to reflect the real function of this structure.
Simo.
(This used to be commit 25fc735404)
that it should handle the add without a search.
Now that I'm working on better behaviour with an LDAP backend, I've
fixed the module to do just that. For an ADD, and a MODIFY with the
REPLACE flag, we do not need the search step.
Andrew Bartlett
(This used to be commit 87573e2ee4)
The function pointer was meant to be unused, this patch fixes
partition.c to use ldb_sequence_number(). (No backend provided the
pointer any more).
Set the flags onto the ldb structure, so that all backends opened by
the partitions module inherit the flags.
Set the read-ony flag when accessed as the global catalog
Modify the LDAP server to track that this query is for the global
catalog (by incoming port), and set a opqaue pointer.
Next step is to read that opaque pointer in the partitions module.
Andrew Bartlett
(This used to be commit a1161cb30e)
This clearly links the log function with its private pointer, and
makes the argument list for tdb_open_ex a bit shorter.
Andrew Bartlett
(This used to be commit 5d5503e8d8)
In particular, this removes one use of the LDB_DN_NULL_FAILED macro,
which was being used on more than DNs, had an embedded goto, and
confused the IBM checker.
In the password_hash code, ensure that sambaAttr is not, before
checking the number of values.
In GENSEC, note that this switch value can't occour. This seems to be
the only way to quiet both the IBM checker and gcc, as well as cope
with possibly invalid inputs.
Andrew Bartlet
(This used to be commit 3e58350ec2)
easier to chase down what modules or application code gets wrong.
Ensure not to leave memory allocated on failure in ldb_search()
Andrew Bartlett
(This used to be commit 0828739951)
as part of ldb.
This allows tdb failures to be passed all the way up to Samba's DEBUG
system, which allowed easier debugging.
Unfortunately I had to extend the tdb API, as the logging function
didn't have a context pointer.
I've worked over the 'debug levels' in TDB. Most of them were 0,
which didn't seem right, as some were trace-like messages. We didn't
see any of these previously, except when accessing TDB directly.
Andrew Bartlett
(This used to be commit 58898092c1)
This required changes to the rootDSE module, to allow registration of
partitions. In doing so I renamed the 'register' operation to
'register_control' and 'register_partition', which changed a few more
modules.
Due to the behaviour of certain LDAP servers, we create the baseDN
entry in two parts: Firstly, we allow the admin to export a simple
LDIF file to add to their server. Then we perform a modify to add the
remaining attributes.
To delete all users in partitions, we must now search and delete all
objects in the partition, rather than a simple search from the root.
Against LDAP, this might not delete all objects, so we allow this to
fail.
In testing, we found that the 'Domain Controllers' container was
misnamed, and should be 'CN=', rather than 'OU='.
To avoid the Templates being found in default searches, they have been
moved to CN=Templates from CN=Templates,${BASEDN}.
Andrew Bartlett
(This used to be commit b49a4fbb57)
r15944.
Hey idra I think a better rename would be to keep the LDB_REQ suffix
here to remain consistent with the other enums (e.g ldb_reply_type,
ldb_async_wait_type and ldb_async_state).
(This used to be commit d44ee8c43b)
the whole ldb structure.
Because the sequence number was a fn pointer on the main ldb context,
turn it into a full request (currently sync).
Andrew Bartlett
(This used to be commit fbe7d0ca90)
change the code to exploit that in ldb
I still have to reintroduce transactions when you call ldb_request directly,
I have some plans I hop to be able to develop in the next weekend
(This used to be commit 3511120602)
at least a generic error, even when inside a transaction.
This helps debugging ldb/js interactions a lot...
Andrew Bartlett
(This used to be commit b607acf6f0)
- we were giving OPERATIONS_ERROR in all cases:-(
- we now pass ALREADY_EXIST fine to the caller,
and the code in libnet_site.c is happy again.
- this bug wasn't noticed for a long time because
the ldb_ildap code always passed SUCCESS to it's caller
metze
(This used to be commit 7b9d711920)
This means that some modules have been disabled as well as they
have not been ported to the async interface
One of them is the ugly objectclass module.
I hope that the change in samldb module will make the MMC happy
without the need of this crappy module, we need proper handling
in a decent schema module.
proxy and ldb_map have also been disabled
ldb_sqlite3 need to be ported as well (currenlty just broken).
(This used to be commit 51083de795)
It passess all my tests, but I still need to work on a lot of stuff.
Shouldn't impact anybody else work, so I want to commit now and see what happens
Will work to remove the old code from modules and backends soon, and make some
more restyling in ldb internals.
So, if there is something you don't like in this desgin please speak now.
Simo.
(This used to be commit 8b2a563e71)
Fix up behaviour of Ldb.__setitem__() function. It should overwrite the
element data.
Add wrapper for ldb_msg_sanity_check().
(This used to be commit d67e055f86)
Recursive dependencies are now forbidden (the build system
will bail out if there are any).
I've split up auth_sam.c into auth_sam.c and sam.c. Andrew,
please rename sam.c / move its contents to whatever/wherever you think suits
best.
(This used to be commit 6646384aaf)
Don't try and steal the result of a search on failure, it has already
been talloc_free()'ed by the ildb code.
Andrew Bartlett
(This used to be commit a99bd2e033)
Prototypes are now spread over multiple headers, usually one per subsystem.
This change is required to allow proper header dependencies later on,
without recompiling Samba each time the mtime of any source file changes.
(This used to be commit 3da79bf909)
- VERSION: should contain the current version. Will be made part of the filename.
- SO_VERSION: should contain the latest version that this on is compatible to. Will be used for setting the soname of the shared library.
Fix sonames and use them on platforms that support them
Remove symlinking code. ldconfig will take care of creating the symlinks now
that we set the soname.
(This used to be commit 7871b07e21)
get anything if not waiting for all, keeping this
value may just lead to false expectations.
You either make blocking call waiting for ALL results
transforming this in a sync call, or either you loop
expecting from 0 to all results being returned at any
time on any of these loops.
It should be clear also that when you may receive results
at any time as soon as you call ldb_request.
Your callback may have received all results even before
calling ldb_async_wait the first time.
Simo.
(This used to be commit 6f041068b5)
By freeing the request you will be sure everything down the path get freed.
this also means you have to steal the results if you want to keep them :)
simo.
(This used to be commit e8075e6a06)
but modules don't work yet..
(Run LIBRARY_OUTPUT_TYPE=SHARED_LIBRARY MODULE_OUTPUT_TYPE=SHARED_LIBRARY ./config.status)
(This used to be commit ba74f24e42)
my previous patch added it for modules). This is the next step towards
LDB backends and modules as run-time loadable .so files.
(This used to be commit fb2f70de4f)
Applications that use LDB modules will now have to run ldb_global_init()
before they can use LDB.
The next step will be adding support for loading LDB modules from .so
files. This will also allow us to use one LDB without difference between the
standalone and the Samba-specific build
(This used to be commit 52a2356505)
ldb_msg_add_steal_value().
These try to maintain the talloc heirachy, which must be correct
otherwise talloc_steal operations of entire attribute lists fails.
This fixes the currentTime value, found by using Microsoft's dcdiag
tool (before this commit, it pointed to invalid memory, due to the
changes in -r 13606)
Andrew Bartlett
(This used to be commit 424df1bb36)
The module was just used to get to the ldb so it was meningless.
Also add LDB_WAIT_ONCE e relative code in ldb_ildap.c
(This used to be commit d5b467b7c1)
Currently only ldb_ildap is async, the plan
is to first make all backend support the async calls,
and then remove the sync functions from backends and
keep the only in the API.
Modules will need to be transformed along the way.
Simo
(This used to be commit 1e2c13b2d5)
Fix asq module, add a second_stage_init to register with rootdse
Fix asq control ldap parsing routines (this was nasty to find out)
(This used to be commit 933a80397d)
Until we do not have an internal utf8 compliant
casefloding function we cannot pass this test
in the non-samba build
(This used to be commit 5d93c1eeba)
safe function if the user provides an utf8
compliant casefold function to ldb.
- Fix toupper_m and tolower_m to not crash if
the case tables are not found
- Let load_case_table() search into the correct
directory in the search tree for the case
tables so that we can test utf8
Simo
(This used to be commit e12f070958)
to correctly support utf8 comparisons
add an ldb_attr_Casefold function for attribute names and use it
instead of casefold in the right places
(This used to be commit 3b4eb2413b)
was used just in one places and by mistake, as there we should have
been using ldb_attr_cmp()
Remove ldb_caseless_cmp() ... going on with the cleanup and utf8 compliance
effort.
Simo.
(This used to be commit afda68d7bf)
Also add a way to provide utf8 compliant functions
by registering them with ldb_set_utf8_fns()
Next comes code to register samba internal utf8 functions.
Simo.
(This used to be commit ac9b8a41ff)
In the return value res->msgs, msgs was not a child of res, in the
indexed path. Instead, it hung directly off the ldb, which was
sometimes a long-term context.
Also remove unused parameters.
Found by --leak-report-full
Andrew Bartlett
(This used to be commit 29cb5af827)
- also w2k doesn't work correct with max_attrs = 0, so we should use
a high number, with this I'm getting the same results from w2k and w2k3
metze
(This used to be commit ce9f086c3c)
want to see what it does ?
do aq make test and try:
./bin/ldbsearch -H st/private/sam.ldb --controls=asq:1:member -s base -b 'CN=Administrators,CN=Builtin,DC=samba,DC=example,DC=com' 'objectclass=*'
have fun.
simo.
(This used to be commit 900f4fd343)
it currently doesn't do much, but it's later
prevent adding corrupted records via ldbedit,
and will take care of the versionID counter
metze
(This used to be commit a6f279bc43)
- 'make doxygen' generated the api documentation under apidocs/
Many thanks to Brad Hards <bradh@frogmouth.net> for the patches!
metze
(This used to be commit e98d483174)
now the three supported controls (paged_results,
server_sort, extended_dn) are fully functional
and the infrastructure to add more is in place.
valgrind is happy too :)
Simo.
(This used to be commit bd8e262937)
This should be replaced with real ACLs, which tridge is working on.
In the meantime, the rules are very simple:
- SYSTEM and Administrators can read all.
- Users and anonymous cannot read passwords, can read everything else
- list of 'password' attributes is hard-coded
Most of the difficult work in this was fighting with the C/js
interface to add a system_session() all, as it still doesn't get on
with me :-)
Andrew Bartlett
(This used to be commit be9d0cae89)
command line to ldbsearch. Very rough work, no checks are
done on the input yet (will segfault if you make it wrong).
Controls are passed via the --controls switch an are comma
separated (no escaping yet).
General syntax is <ctrl_name>:<criticality>
<ctrl_name> is a string
<criticality> is 1 or 0
Current semi-parsed controls are:
server_sort
syntax: server_sort:1:0:attributename
1st parm: criticality
2nd parm: reversed
3rd parm: attribute name to be used for sorting
todo: still missing suport for multiple sorting
attributes and ordering rule
no check on result code
paged_results
syntax: paged_results:1:100
1st parm: criticality
2nd parm: number of results to be returned
todo: ldbsearch will return only the first batch
(missing code to cycle over conditionally)
no check on result code
extended_dn
syntax: extended_dn:1:0
1st parm: criticality
2nd parm: type, see MS docs on meaning
Simo.
(This used to be commit 4c685ac0d1)
