| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This reverts commit 6276343ce1b7dd7d217e5a419c09f209f5f87379.
This is not needed anymore.
metze
|
| |
|
|
|
|
|
|
|
|
| |
before copying them"
This reverts commit fa87027592f71179c22f132e375038217bc9d36a.
This check is done one level above now.
metze
|
| |
|
|
|
|
|
|
| |
it's given
Sorry, I removed this logic while cleaning up indentation levels...
metze
|
| |
|
|
|
| |
When we don't have the cleartext of the new password then don't check it
using "samdb_check_password".
|
| | |
|
| |
|
|
| |
copying them
|
| |
|
|
|
| |
This is to don't break the provision process at the moment. We need to find
a better solution.
|
| |
|
|
|
|
| |
Based on the Patch from Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>.
metze
|
| |
|
|
|
|
|
|
| |
- Implement the password restrictions as specified in "samdb_set_password"
(complexity, minimum password length, minimum password age...).
- We support only (administrative) password reset operations at the moment
- Support password (administrative) reset and change operations (consider
MS-ADTS 3.1.1.3.1.5)
|
| |
|
|
|
| |
Windows Server performs the constraint checks in a different way than we do.
All testing has been done using "passwords.py".
|
| |
|
|
|
|
|
|
| |
- Enhance comments
- Get some more attributes from the domain and user object (needed later)
- Check for right objectclass on change/set operations (instances of
"user" and/or "inetOrgPerson") - otherwise forward the request
- (Cosmetic) cleanup in asynchronous results regarding return values
|
| |
|
|
|
|
|
| |
- Add a new control for getting status informations (domain informations,
password change status) directly from the module
- Add a new control for allowing direct hash changes
- Introduce an addtional control "change_old password checked" for the password
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
metze
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This means that the existing kvno will no longer be valid, all
unix-based domain members may need to be rejoined, and
upgradeprovision run to update the local kvno in
secrets.ldb/secrets.keytab.
This is required to match the algorithm used by Windows DCs, which we
may be replicating with. We also need to find a way to generate a
reasonable kvno with the OpenLDAP backend.
Andrew Bartlett
|
| |
|
|
|
|
| |
Check on modify if we are RODC and return referral.
On the ldap backend side now we pass context and ldb_modify_default_callback
to propagate the referral error to the client.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
The upgraded link values are were allocated on tmp_ctx, and need to be
kept until they are written to the DB. If we don't give the correct
context, they will be gone after the talloc_free(tmp_ctx).
Found by Matthieu Patou <mat+Informatique.Samba@matws.net>
Andrew Bartlett
|
| | |
|
| |
|
|
| |
getting older attributes is quite common
|
| |
|
|
|
|
|
| |
these partitions and not on the server we are replicating from. Also
check for deleted partitions.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
| |
DN links outside the set of partitions we are replication should be
allowed.
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is used for allowing operations by RODCs, and denying them
operations that should only be allowed for a full DC
This required a new domain_sid argument to
security_session_user_level()
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Rusty Russell <rusty@samba.org>
|
| | |
|
| |
|
|
|
|
| |
This means we are only doing the checks for schema changes
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
| |
|
|
| |
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
| |
|
|
|
|
|
|
| |
The SIDs in some queries were not being passed as binary, but as
strings in comparison with the securityIdentifer object. We need to
recognise that these are SIDs in the simple_ldap_map.
Andrew Bartlett
|
| |
|
|
|
|
|
|
| |
This is rather than rdn_name, which tries to do the job on the client
side. We need to leave this module in the stack for Fedora DS (and of
course the LDB backend).
Andrew Bartlett
|
| |
|
|
|
|
|
| |
In the future, LDAP backends will be resposible for maintaining the
'name' attributes.
Andrew Bartlett
|
| |
|
|
|
|
|
| |
By putting these values into the cache on the LDB, this reduces some
of the noise in provision, particularly with the LDAP backend.
Andrew Bartlett
|
| | |
|
| |
|
|
| |
metze
|
| |
|
|
|
|
|
|
| |
The first is the forest base DN, the second the domain base DN. At the moment
we assume that they are both the same but it hasn't to be so.
Nadia, I would invite you to fix the outstanding parts regarding this (I added
comments).
|
| |
|
|
|
| |
We should use the "ldb_get_*_basedn" calls since they are available in the LDB
library.
|
| | |
|
| |
|
|
| |
Purely cosmetic change.
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This returns the currently connected user's full token. This is very
useful for debugging, and should be used in ACL tests.
Andrew Bartlett
|
| |
|
|
|
|
|
| |
This error occours when an extended DN cannot be resolved, so it's
most helpful to print the problematic extended DN.
Andrew Bartlett
|
| |
|
|
|
|
| |
If we can't get @REPLCHANGED, default to a value of 0.
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
| |
dsdb_module_load_partition_usn().
Signed-off-by: Matthias Dieter Wallnöfer <mwallnoefer@yahoo.de>
|
| |
|
|
| |
them
|
| |
|
|
|
| |
Rewrote wafsamba using a new dependency handling system, and started
adding the waf test code
|
| | |
|
