IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
auth interface and implement the sync version as wrapper
to auth_check_password_send/recv()
as next all callers need to be converted to the async interface
and then the modules
metze
- note this is still uses the sync update() hook of the gensec modules
but it allows me to fix the callers first
Later auth_check_password() will also get an async version,
so that we can later implement an async version of auth_winbind
using async IRPC to the winbind task.
metze
ref pointers!
I'm sure there're more places and more care is needed when idl files
are changed. Hopefully testing against windows in the build farm
find such bugs in future...
Why is in the client library this no more possible:
NTSTATUS foo([in,out,ref] uint8 *foo);
and then just
r.in.foo = &foo;
status = dcerpc_foo(p, mem_ctx, &r);
and r.out.foo will set to r.in.foo via pidl magic,
that worked some time ago...
metze
- we need this to later:
- to disallow a StartTLS when TLS is already in use
- to place the TLS socket between the raw and sasl socket
when we had a sasl bind before the StartTLS
- and rfc4513 says that the server may allow to remove the TLS from
the tcp connection again and reuse raw tcp
- and also a 2nd sasl bind should replace the old sasl socket
metze
without the agreement of the peer. This can cause problems, because
one side things sealing is disabled, while the other thinks it is
enabled.
Andrew Bartlett
routines to return an NTSTATUS. This should help track down errors.
Use a bit of talloc_steal and talloc_unlink to get the real socket to
be a child of the GENSEC or TLS socket.
Always return a new socket, even for the 'pass-though' case.
Andrew Bartlett
Actually you can't test both classic and ldb together, but you can replace the standard
script/tests/mktestsetup.sh file with this one and run make test to see share_ldb in action
of spoolss. If snum is to be removed, then we should make at least the attempt
to walk parts of the code before and after the changes.
This walks GetPrinterInfo level 0-7.
Volker
contexts from the application layer into the socket layer.
This improves a number of correctness aspects, as we now allow LDAP
packets to cross multiple SASL packets. It should also make it much
easier to write async LDAP tests from windows clients, as they use SASL
by default. It is also vital to allowing OpenLDAP clients to use GSSAPI
against Samba4, as it negotiates a rather small SASL buffer size.
This patch mirrors the earlier work done to move TLS into the socket
layer.
Unusual in this pstch is the extra read callback argument I take. As
SASL is a layer on top of a socket, it is entirely possible for the
SASL layer to drain a socket dry, but for the caller not to have read
all the decrypted data. This would leave the system without an event
to restart the read (as the socket is dry).
As such, I re-invoke the read handler from a timed callback, which
should trigger on the next running of the event loop. I believe that
the TLS code does require a similar callback.
In trying to understand why this is required, imagine a SASL-encrypted
LDAP packet in the following formation:
+-----------------+---------------------+
| SASL Packet #1 | SASL Packet #2 |
----------------------------------------+
| LDAP Packet #1 | LDAP Packet #2 |
----------------------------------------+
In the old code, this was illegal, but it is perfectly standard
SASL-encrypted LDAP. Without the callback, we would read and process
the first LDAP packet, and the SASL code would have read the second SASL
packet (to decrypt enough data for the LDAP packet), and no data would
remain on the socket.
Without data on the socket, read events stop. That is why I add timed
events, until the SASL buffer is drained.
Another approach would be to add a hack to the event system, to have it
pretend there remained data to read off the network (but that is ugly).
In improving the code, to handle more real-world cases, I've been able
to remove almost all the special-cases in the testnonblock code. The
only special case is that we must use a deterministic partial packet
when calling send, rather than a random length. (1 + n/2). This is
needed because of the way the SASL and TLS code works, and the 'resend
on failure' requirements.
Andrew Bartlett
Finally acknowledge that ldb is inherently async and does not have a dual personality anymore
Rename all ldb_async_XXX functions to ldb_XXX except for ldb_async_result, it is now ldb_reply
to reflect the real function of this structure.
Simo.
and the maximum amount of user data that may be fitted into that.
This is used in the new SASL code, to correctly honour SASL buffer sizes.
Andrew Bartlett
