path: root/source/passdb
Commit message | Author | Age | Files | Lines
...
* fixed a number of places where we can try to free a wild pointer or | Andrew Tridgell | 2002-11-20 | 1 | -2/+14
  look for the record count after an invalid search. This fixes a segv in ldapsam
* Use smb_register_passdb() - plus some small fixes | Jelmer Vernooij | 2002-11-15 | 3 | -1603/+0
* Add smb_register_passdb() | Jelmer Vernooij | 2002-11-15 | 2 | -86/+59
* Remove the #ifdef's for NISPLUS_SAM - there are no function name collisions anymore | Jelmer Vernooij | 2002-11-14 | 1 | -4/+0
* Removed global_myworkgroup, global_myname, global_myscope. Added liberal | Jeremy Allison | 2002-11-12 | 5 | -25/+19
  dashes of const. This is a rather large check-in, some things may break. It does compile though :-).
  Jeremy.
* More improvement of DEBUG output | Jelmer Vernooij | 2002-11-11 | 1 | -2/+5
* Add extra debug info | Jelmer Vernooij | 2002-11-11 | 1 | -2/+2
* Print the number of returned rows, not the number of fields | Jelmer Vernooij | 2002-11-10 | 1 | -2/+2
* Make smbpasswd use the group mapping, and fix spelling in ldapsam. | Andrew Bartlett | 2002-11-08 | 2 | -30/+38
  This gets user mangler for domains working again.
  Andrew Bartlett
* Fix small typo | Jelmer Vernooij | 2002-11-07 | 1 | -1/+1
* when doing a 'net rpc vampire' a pdb_init_sam_pw() is used to create a | Andrew Tridgell | 2002-11-07 | 1 | -0/+3
  sam account object, then pdb_update_sam_account() can be used to update an account. This code path could lead to the methods element of the account being used when uninitialised (leading to a segv)
  Easiest fix is to always make sure that when creating a sam_account object we initialise the methods to null, so that the passdb code knows that it needs to be filled in.
* Merge of scalable printing code fix... Needs testing. | Jeremy Allison | 2002-11-07 | 1 | -6/+9
  Also tidied up some of Richard's code (I don't think he uses the compiler flags -g -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual like I do :-) :-).
  Jeremy.
* Add group management support (patch from metze) | Jelmer Vernooij | 2002-11-06 | 2 | -0/+67
* Adapt to latest pdb API changes - only thing left is group support | Jelmer Vernooij | 2002-11-06 | 2 | -21/+17
* pdb_get_unknown? -> pdb_get_unknown_? | Jelmer Vernooij | 2002-11-06 | 1 | -3/+3
* Move pdb_xml to source/ | Jelmer Vernooij | 2002-11-05 | 1 | -0/+561
* Move pdb_mysql to source/passdb | Jelmer Vernooij | 2002-11-05 | 1 | -0/+975
* Allow 'normal' accounts in the non-unix-account range for smbpasswd - I hope | Andrew Bartlett | 2002-11-04 | 1 | -19/+20
  this will fix some of the problems on the build farm @ Compaq (where they have a *lot* of accounts...).
* Fix debug | Andrew Bartlett | 2002-11-04 | 1 | -1/+1
* Extra little fix to vl's patch. Make sure the passdb and testparm messages | Andrew Bartlett | 2002-11-03 | 1 | -3/+5
  say exactly the same thing - in particular that we can algorithmic rid base == 1000, and use the BASE_RID macro to avoid the use of magic numbers.
  Andrew Bartlett
* Force algorithmic rid base to sane values and talk about it. | Volker Lendecke | 2002-11-03 | 1 | -4/+25
  Volker
* Clean up this a little - add comments describing a bit of what is going on | Andrew Bartlett | 2002-11-02 | 1 | -5/+6
  here.
* Add a 'ldap trust ids' option that lets pdb_ldap check for posixAccount | Andrew Bartlett | 2002-11-02 | 1 | -33/+92
  attributes rather than calling getpwnam() on the user. This should help fix some of metze's performance issues - particularly on enumerations.
  There is a consequential change to the operation of 'non unix account's in LDAP - they are no longer restricted to being 'within' the NUA range, but will always be added to that range.
  Finally, there is the doco for this and the previous LDAP SSL changes.
* Return the result code, not false (0 == success) on error... | Andrew Bartlett | 2002-11-02 | 1 | -1/+1
* Fixes for pdb_ldap: | Andrew Bartlett | 2002-11-02 | 1 | -111/+103
  - Default is now for start-tls, on the ldap (not ldaps) port
  - We check for 'I am currently root' in the right place now, and don't accidentally use a cached connection.
  - We don't loop on failure to be root, or some other errors.
  - A bit cleaner error reporting for add/modify.
  - Both the OpenLDAP and manual URI parsing tested.
  Andrew Bartlett
* One more step towards a better PDC. | Andrew Bartlett | 2002-10-26 | 1 | -208/+330
  This patch, from "Stefan (metze) Metzmacher" <metze@metzemix.de> implements an LDAP connection cache. This removes the quite silly situation where every single passdb operation involved a new LDAP connection. The hope is that this will give us a decent performance boost in some usrmgr related activities, and in the sid->name/sid->uid code.
  The remaining things I think are 'todo' for pdb_ldap (in the near term) are:
  - integrate volker's next_rid patch for NUA accounts,
  - add a 'trust ldap ids' option (remove Get_Pwnam() hit on enumerations).
  - put the group mapping actually into ldap
  - Schema fixes and do utf8 conversion
  - server failover (try a second server for the rebind on fail)
  - ensure we block between an 'add' and the ldap master replicating to our local slave (metze found this issue, kills domain joins)
  Andrew Bartlett
* Fix memory leak (patch by Steve Langasek) | Jelmer Vernooij | 2002-10-25 | 1 | -0/+14
* Only run free_private_data when it's specified (reported by Steve Langasek aka vorlon) | Jelmer Vernooij | 2002-10-25 | 1 | -1/+2
* pdb_unix.c did not really expect group RIDs dictated by a PDC and looking | Volker Lendecke | 2002-10-21 | 1 | -2/+4
  like user RIDs.
  Volker
* This moves the group mapping API into the passdb backend. | Volker Lendecke | 2002-10-21 | 7 | -11/+453
  Currently this calls back to mapping.c, but we have the framework to get the information into LDAP and the passdb.tdb (should we? I think so..).
  This has received moderate testing with net rpc vampire and usrmgr. I found the add_groupmem segfault in add_aliasmem as well, but that will be another checkin.
  Volker
* Start to merge the new ACL mapping code from Andreas Gruenbacher <agruen@suse.de>. | Jeremy Allison | 2002-10-18 | 1 | -10/+38
  Jeremy.
* Revert changes | Volker Lendecke | 2002-10-17 | 1 | -1/+1
* Revert changes | Volker Lendecke | 2002-10-17 | 1 | -24/+22
* No functional change. I'm trying to understand pdb_ldap.c and | Volker Lendecke | 2002-10-16 | 1 | -22/+24
  found an unnecessary parameter to ldapsam_search_one_user.
  Volker
* Create group mappings on the fly. | Volker Lendecke | 2002-10-16 | 1 | -1/+1
  Volker
* Nice *big* patch from metze. | Andrew Bartlett | 2002-10-12 | 7 | -370/+465
  The actual design change is relatively small however:
  It all goes back to jerry's 'BOOL store', added to many of the elements in a SAM_ACCOUNT. This ensured that smb.conf defaults did not get 'fixed' into ldap. This was a great win for admins, and this patch follows in the same way.
  This patch extends the concept - we don't store values back into LDAP unless they have been changed. So if we read a value, but don't update it, or we read a value, find it's not there and use a default, we will not update ldap with that value. This reduced clutter in our LDAP DB, and makes it easier to change defaults later on.
  Metze's particular problem was that when we 'write back' an unchanged value, we would clear any multiple values in that field. Now he can still have his multivalued 'uid' field, without Samba changing it for *every* other operation. This also applies to many other attributes, and helps to eliminate a nasty race condition. (Time between get and set)
  This patch is big, and needs more testing, but metze has tested usrmgr, and I've fixed some pdbedit bugs, and tested domain joins, so it isn't completely flawed ;-).
  The same system will be introduced into the SAM code shortly, but this fixes bugs that people were coming across in production uses of Samba 3.0/HEAD, hence its inclusion here.
  Andrew Bartlett
* We already set LDAPv3 at connect time, no need to set it again. | Andrew Bartlett | 2002-10-12 | 1 | -8/+0
* Add a timeout to tdb_lock_bystring(). Ensure we never have more than | Jeremy Allison | 2002-10-04 | 1 | -49/+11
  MAX_PRINT_JOBS in a queue.
  Jeremy.
* Add const. | Andrew Bartlett | 2002-09-28 | 1 | -1/+1
* Minor updates: | Andrew Bartlett | 2002-09-27 | 1 | -4/+4
  Add const to some more functions, and reintroduce 'net rpc join oldstyle' as *only* trying an old-style join. This means that we can rely on it not prompting for a password on the build farm.
  Andrew Bartlett
* Readd the 2.2 --with-ldapsam parameters so as to allow a smooth upgrade path to | Andrew Bartlett | 2002-09-27 | 1 | -4/+19
  a 3.0 based PDC.
  Change defaults to use SSL, so that this also matches.
  Andrew Bartlett
* Patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> to do a *much* | Andrew Bartlett | 2002-09-26 | 1 | -1/+1
  better job of working with usrmgr. Previously we were blanking out entries, and all sort of mischief. The new patch (which I've now had a chance to test/modify) also takes care not to expand % values (ie we go \\%L\%U -> \\server\user, we don't want to store \\server\user back) and to correctly notice 'not set' compared to 'null string' etc.
  Andrew Bartlett
* move all the passdb internal interface to NTSTATUS | Simo Sorce | 2002-09-26 | 6 | -256/+307
  only the interface has been fully moved to NTSTATUS
  not all the plugins make full use of it, but have been all converted.
  My testings passed completely, however a bit of more testing is welcome
  Simo.
* Make it clear what this if statement applies to, and what it doesn't | Andrew Bartlett | 2002-09-25 | 1 | -0/+1
* Whenever we deal with adding machine/trusted domain accounts, always reset the | Andrew Bartlett | 2002-09-25 | 1 | -20/+23
  flag to what we expect. This handles the 'upgrade' from unixsam better (where all $ terminated accounts are machines).
  Andrew Bartlett
* Don't crash when a backend doesn't have a setsampwent function available - bug reported by metze | Jelmer Vernooij | 2002-09-25 | 1 | -2/+2
* This patch from "Stefan (metze) Metzmacher" <metze@metzemix.de> cleans up | Andrew Bartlett | 2002-09-25 | 3 | -123/+204
  pdb_ldap and adds a 'ldap passwd sync' option.
  The idea with this option is to allow an ldap backend to do all the fancy password hashing etc - and to tell smbd not to try and double-up. Using 'ldap passwd sync = only' will do this, but is not recommended unless such a backend is in place...
  Running 'ldap passwd sync = yes' just gets you the same as doing 'pam passwd sync = yes' and having both PAM and pam_ldap correctly configured for 'magic root' behaviour, but only using ldap connection, and one set of credentials.
  This also gets us closer to allowing ldap to say 'password too short' etc, which might assist in maintaining a consistent password policy.
  Andrew Bartlett
* If adding a user to ldap, make sure we have the 'account' structural class, or | Andrew Bartlett | 2002-09-25 | 1 | -0/+1
  else we can't add to OpenLDAP 2.1
* We had a race condition when changing a machine account password as we | Jeremy Allison | 2002-09-18 | 1 | -1/+21
  were no longer locking the secrets entry. I saw this on a live system.
  Jeremy.
* Never, *ever* hold a mutex lock in the message database where there may | Jeremy Allison | 2002-09-17 | 1 | -0/+66
  be traversals being attempted. Yes, this was from bitter experience (and an out of control server :-). Also allow callers to break out of a tdb_chainlock with sigalarm if desired.
  Jeremy.