[SCM] Samba Shared Repository - branch master updated
Jelmer Vernooij
jelmer at samba.org
Sat Nov 13 06:59:20 MST 2010
On Sat, 2010-11-13 at 11:50 +0100, Matthias Dieter Wallnöfer wrote:
> Well basically yes, ekacnet.
>
> But I don't see any problem to use "modify_ldif"/"add_ldif" when sending
> very special requests as password changes and others. Sometimes it's
> really needed due to encoding constraints.
Can you give an example of this? E.g. in this situation below it would
be simpler without the ldif. Since LDIFs are always converted to ldb
Message anyway before they are processed I don't see how they could be
used in a larger number of situations.
Cheers,
Jelmer
> u Patou wrote:
> > Hi Mathias,
> >
> > We try to get rid of the modify_ldif way of doing ldb modification.
> > It's better to create a ldb.Message() object and then do a
> > ldb.modify() with it like this:
> >
> >
> > --- a/source4/scripting/python/samba/upgradehelpers.py
> > +++ b/source4/scripting/python/samba/upgradehelpers.py
> > @@ -835,14 +835,13 @@ def update_machine_account_password(samdb,
> > secrets_ldb, names):
> > res = samdb.search(expression=expression, attrs=[])
> > assert(len(res) == 1)
> >
> > + msg = ldb.Message(res[0].dn)
> > machinepass = samba.generate_random_password(128, 255)
> > -
> > - samdb.modify_ldif("""
> > -dn: """ + str(res[0].dn) + """
> > -changetype: modify
> > -replace: clearTextPassword
> > -clearTextPassword:: """ +
> > base64.b64encode(machinepass.encode('utf-16-le')) + """
> > -""")
> > + mpu = machinepass.encode('utf-16-le')
> > + msg["clearTextPassword"] = ldb.MessageElement(mpu,
> > + ldb.FLAG_MOD_REPLACE,
> > + "clearTextPassword")
> > + samdb.modify(msg)
> >
> > res = samdb.search(expression=("samAccountName=%s$" %
> > names.netbiosname),
> > attrs=["msDs-keyVersionNumber"])
> >
> > Matthieu.
> >
> > On 11/11/2010 12:48, Matthias Dieter WallnXXfer wrote:
> >> The branch, master has been updated
> >> via bb241f5 s4:pytevent.c - fix a discard const warning
> >> via f036790 ldb:ldb_ldap.c rename operation - check for the
> >> RDN name and value
> >> via feb00fe s4:dsdb - proof against empty RDN values where
> >> expected
> >> via 4fe63d9 Cannot create OU using custom Schema class
> >> via e96c9df s4:objectclass LDB module - allow RDNs also to
> >> come from superclasses
> >> via 4f86f29 s4:passwords.py - add a test for the normal
> >> "userPassword" behaviour
> >> via 7f171a9 s4:password_hash and acl LDB modules - handle
> >> the "userPassword" attribute according to the "dSHeuristics"
> >> via d6c78fb s4:password_hash LDB module - move
> >> "samdb_msg_find_old_and_new_ldb_val" into the password_hash LDB module
> >> via eff1e8c s4:libnet/libnet_samsync_ldb.c - remove
> >> "userPassword" remove code
> >> via 39f8661 s4:local_password LDB module - remove schema
> >> checking code and fix some typos
> >> via ed704c2 s4:ldb_modules/util.c - "dsHeuristics" ->
> >> "dSHeuristics"
> >> via 79548f0 s4:selftest/tests.py - skip the "passwords.py"
> >> suite on Windows 2000 domain function level
> >> via 5ded90e s4:acl.py - two password change tests are
> >> expected to fails on Windows 2000 function level
> >> via 2403aaa s4:upgradehelpers.py - use "clearTextPassword"
> >> rather than "userPassword"
> >> via 7c59ece s4:speedtest.py - use "unicodePwd" for setting
> >> user's password
> >> via 0e94569 s4:speedtest.py - remove duplicated code
> >> via 0a29e55 s4:speedtest.py - fix script name in the help text
> >> via ed1ca1c s4:speedtest.py - make it executable
> >> via cc7f390 s4:python tests - fix script names in the help text
> >> from ee50bdd s4-loadparm: fix the FLAG_DEFAULT settings on
> >> specially handled parameters
> >>
> >> http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
> >>
> >>
> >> - Log -----------------------------------------------------------------
> >> commit bb241f5cf8424c2576d5bc33ac149e5720b82068
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 16:21:41 2010 +0100
> >>
> >> s4:pytevent.c - fix a discard const warning
> >>
> >> Autobuild-User: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Autobuild-Date: Thu Nov 11 09:47:55 UTC 2010 on sn-devel-104
> >>
> >> commit f0367905d9a6db76712f1dcf9734f64fe5c5e1b3
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 16:20:38 2010 +0100
> >>
> >> ldb:ldb_ldap.c rename operation - check for the RDN name and value
> >>
> >> Make it more similar to "ldb_ildap.c" and also more save
> >>
> >> commit feb00fe7cc238a78b3832c116cb4634936597735
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 16:05:16 2010 +0100
> >>
> >> s4:dsdb - proof against empty RDN values where expected
> >>
> >> This should prevent crashes as pointed out on the mailing list.
> >>
> >> commit 4fe63d927e5e684d3e2bec9642a1e77b056ab2ed
> >> Author: Zahari Zahariev<zahari.zahariev at postpath.com>
> >> Date: Tue Nov 9 14:55:32 2010 +0200
> >>
> >> Cannot create OU using custom Schema class
> >>
> >> If we define our own child class 'subClassOf' system Schema class
> >> e.g. organizationalUnit then we cannot create OU in the Dafualt
> >> Naming Context that has this custom Schama class in the objectClass
> >> attribute.
> >>
> >> commit e96c9df817326197a0866a18ad53621405b8bee8
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 15:12:02 2010 +0100
> >>
> >> s4:objectclass LDB module - allow RDNs also to come from
> >> superclasses
> >>
> >> Detected by a testcase written by Zahari Zahariev.
> >>
> >> commit 4f86f297a22655067006f88eed5f6cb980742b81
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 15:04:47 2010 +0100
> >>
> >> s4:passwords.py - add a test for the normal "userPassword"
> >> behaviour
> >>
> >> Just to make sure that this works now too
> >>
> >> commit 7f171a9e0f9b5945bd16a1330ba0908090659030
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 14:39:30 2010 +0100
> >>
> >> s4:password_hash and acl LDB modules - handle the "userPassword"
> >> attribute according to the "dSHeuristics"
> >>
> >> commit d6c78fbd3a88e9fc7b625a03d163e9b5098b94d6
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 14:45:18 2010 +0100
> >>
> >> s4:password_hash LDB module - move
> >> "samdb_msg_find_old_and_new_ldb_val" into the password_hash LDB module
> >>
> >> It's only used there and so I think it doesn't really belong in
> >> "dsdb/common/util.c" (I first thought that it could be useful
> >> for ACL checking
> >> but obviously it wasn't).
> >>
> >> commit eff1e8cd5d17ca990341e463da03fb1075bdb0d0
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 18:46:37 2010 +0100
> >>
> >> s4:libnet/libnet_samsync_ldb.c - remove "userPassword" remove code
> >>
> >> It could also be a normal attribute with a normal content, and
> >> if it's not
> >> like that then it's for sure empty.
> >>
> >> commit 39f86619f5f30461d3c1896e88b6b3df2b51a26e
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 18:42:26 2010 +0100
> >>
> >> s4:local_password LDB module - remove schema checking code and
> >> fix some typos
> >>
> >> This is now done by the "objectclass_attrs" LDB module.
> >>
> >> commit ed704c28b2f24228b61dee21d873f6b09bf98ca4
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Tue Nov 9 19:44:27 2010 +0100
> >>
> >> s4:ldb_modules/util.c - "dsHeuristics" -> "dSHeuristics"
> >>
> >> commit 79548f0da243884d60845f61fe2404e26eb52f65
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Thu Nov 11 10:01:26 2010 +0100
> >>
> >> s4:selftest/tests.py - skip the "passwords.py" suite on Windows
> >> 2000 domain function level
> >>
> >> The "userPassword" password change functionality isn't available
> >> and so it
> >> causes big parts of the testsuite to fail. On the other hand
> >> we've basic tests
> >> in "acl.py" and indirectly also over SAMR and kpasswd so I
> >> propose to simply
> >> skip it.
> >>
> >> commit 5ded90ef66744e8919868362ac455bdbf4b1568b
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Thu Nov 11 09:33:06 2010 +0100
> >>
> >> s4:acl.py - two password change tests are expected to fails on
> >> Windows 2000 function level
> >>
> >> commit 2403aaa7591e1827d91644579dbf503d8e9a7df6
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 14:01:58 2010 +0100
> >>
> >> s4:upgradehelpers.py - use "clearTextPassword" rather than
> >> "userPassword"
> >>
> >> It's the default internal s4 password change attribute
> >>
> >> commit 7c59ecec5078c0ab8587bb322a228419f5a8c978
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 13:26:31 2010 +0100
> >>
> >> s4:speedtest.py - use "unicodePwd" for setting user's password
> >>
> >> It's available on all AD hosts (including Windows 2000) and on
> >> all configurations!
> >>
> >> commit 0e945697f59b7215d46af0709ac698f7483850df
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 13:28:22 2010 +0100
> >>
> >> s4:speedtest.py - remove duplicated code
> >>
> >> commit 0a29e552cb29cadbb75e64d8cc1278891132a7b0
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 13:37:46 2010 +0100
> >>
> >> s4:speedtest.py - fix script name in the help text
> >>
> >> commit ed1ca1c49e10c9f97aa1334f9aedf631352d144c
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 13:29:14 2010 +0100
> >>
> >> s4:speedtest.py - make it executable
> >>
> >> commit cc7f390bf940a2f009e16c3811e38424d62ca2dd
> >> Author: Matthias Dieter Wallnöfer<mdw at samba.org>
> >> Date: Wed Nov 10 13:35:30 2010 +0100
> >>
> >> s4:python tests - fix script names in the help text
> >>
> >> -----------------------------------------------------------------------
> >>
> >> Summary of changes:
> >> lib/tevent/pytevent.c | 2 +-
> >> source4/dsdb/common/util.c | 67 +------------
> >> source4/dsdb/samdb/ldb_modules/acl.c | 25 ++++-
> >> source4/dsdb/samdb/ldb_modules/local_password.c | 18 +--
> >> source4/dsdb/samdb/ldb_modules/objectclass.c | 54 ++++++++--
> >> source4/dsdb/samdb/ldb_modules/password_hash.c | 117
> >> +++++++++++++++++-----
> >> source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 8 ++
> >> source4/dsdb/samdb/ldb_modules/samldb.c | 13 ++-
> >> source4/dsdb/samdb/ldb_modules/util.c | 24 ++++-
> >> source4/dsdb/samdb/ldb_modules/wscript_build | 2 +-
> >> source4/dsdb/tests/python/acl.py | 19 +++-
> >> source4/dsdb/tests/python/ldap_schema.py | 58 +++++++++++-
> >> source4/dsdb/tests/python/passwords.py | 100
> >> ++++++++++++++++++-
> >> source4/dsdb/tests/python/sec_descriptor.py | 2 +-
> >> source4/dsdb/tests/python/urgent_replication.py | 2 +-
> >> source4/lib/ldb/ldb_ldap/ldb_ldap.c | 14 ++-
> >> source4/lib/ldb/modules/rdn_name.c | 15 ++-
> >> source4/libnet/libnet_samsync_ldb.c | 6 -
> >> source4/scripting/devel/speedtest.py | 9 +-
> >> source4/scripting/python/samba/upgradehelpers.py | 13 ++-
> >> source4/selftest/tests.py | 6 +-
> >> 21 files changed, 424 insertions(+), 150 deletions(-)
> >> mode change 100644 => 100755 source4/scripting/devel/speedtest.py
> >>
> >>
> >> Changeset truncated at 500 lines:
> >>
> >> diff --git a/lib/tevent/pytevent.c b/lib/tevent/pytevent.c
> >> index 5999802..22541bb 100644
> >> --- a/lib/tevent/pytevent.c
> >> +++ b/lib/tevent/pytevent.c
> >> @@ -629,7 +629,7 @@ static void
> >> py_tevent_context_dealloc(TeventContext_Object *self)
> >>
> >> static PyObject *py_tevent_context_new(PyTypeObject *type, PyObject
> >> *args, PyObject *kwargs)
> >> {
> >> - const char *kwnames[] = { "name", NULL };
> >> + const char * const kwnames[] = { "name", NULL };
> >> char *name = NULL;
> >> struct tevent_context *ev;
> >> TeventContext_Object *ret;
> >> diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
> >> index 16d5011..7f6ce64 100644
> >> --- a/source4/dsdb/common/util.c
> >> +++ b/source4/dsdb/common/util.c
> >> @@ -699,68 +699,6 @@ struct ldb_message_element
> >> *samdb_find_attribute(struct ldb_context *ldb,
> >> return NULL;
> >> }
> >>
> >> -/*
> >> - * This is intended for use by the "password hash" module since there
> >> - * password changes can be specified through one message element
> >> with the
> >> - * new password (to set) and another one with the old password (to
> >> unset).
> >> - *
> >> - * The first which sets a password (new value) can have flags
> >> - * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add"
> >> operations
> >> - * for entries). The latter (old value) has always specified
> >> - * LDB_FLAG_MOD_DELETE.
> >> - *
> >> - * Returns LDB_ERR_CONSTRAINT_VIOLATION and
> >> LDB_ERR_UNWILLING_TO_PERFORM if
> >> - * matching message elements are malformed in respect to the
> >> set/change rules.
> >> - * Otherwise it returns LDB_SUCCESS.
> >> - */
> >> -int samdb_msg_find_old_and_new_ldb_val(const struct ldb_message *msg,
> >> - const char *name,
> >> - enum ldb_request_type operation,
> >> - const struct ldb_val **new_val,
> >> - const struct ldb_val **old_val)
> >> -{
> >> - unsigned int i;
> >> -
> >> - *new_val = NULL;
> >> - *old_val = NULL;
> >> -
> >> - if (msg == NULL) {
> >> - return LDB_SUCCESS;
> >> - }
> >> -
> >> - for (i = 0; i< msg->num_elements; i++) {
> >> - if (ldb_attr_cmp(msg->elements[i].name, name) != 0) {
> >> - continue;
> >> - }
> >> -
> >> - if ((operation == LDB_MODIFY)&&
> >> - (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) ==
> >> LDB_FLAG_MOD_DELETE)) {
> >> - /* 0 values are allowed */
> >> - if (msg->elements[i].num_values == 1) {
> >> - *old_val =&msg->elements[i].values[0];
> >> - } else if (msg->elements[i].num_values> 1) {
> >> - return LDB_ERR_CONSTRAINT_VIOLATION;
> >> - }
> >> - } else if ((operation == LDB_MODIFY)&&
> >> - (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) ==
> >> LDB_FLAG_MOD_REPLACE)) {
> >> - if (msg->elements[i].num_values> 0) {
> >> - *new_val
> >> =&msg->elements[i].values[msg->elements[i].num_values - 1];
> >> - } else {
> >> - return LDB_ERR_UNWILLING_TO_PERFORM;
> >> - }
> >> - } else {
> >> - /* Add operations and LDB_FLAG_MOD_ADD */
> >> - if (msg->elements[i].num_values> 0) {
> >> - *new_val
> >> =&msg->elements[i].values[msg->elements[i].num_values - 1];
> >> - } else {
> >> - return LDB_ERR_CONSTRAINT_VIOLATION;
> >> - }
> >> - }
> >> - }
> >> -
> >> - return LDB_SUCCESS;
> >> -}
> >> -
> >> int samdb_find_or_add_value(struct ldb_context *ldb, struct
> >> ldb_message *msg, const char *name, const char *set_value)
> >> {
> >> if (samdb_find_attribute(ldb, msg, name, set_value) == NULL) {
> >> @@ -1657,7 +1595,12 @@ int samdb_find_site_for_computer(struct
> >> ldb_context *ldb,
> >> talloc_free(dn);
> >> return LDB_ERR_INVALID_DN_SYNTAX;
> >> }
> >> +
> >> rdn_val = ldb_dn_get_rdn_val(dn);
> >> + if (rdn_val == NULL) {
> >> + return LDB_ERR_OPERATIONS_ERROR;
> >> + }
> >> +
> >> (*site_name) = talloc_strndup(mem_ctx, (const char
> >> *)rdn_val->data, rdn_val->length);
> >> talloc_free(dn);
> >> if (!*site_name) {
> >> diff --git a/source4/dsdb/samdb/ldb_modules/acl.c
> >> b/source4/dsdb/samdb/ldb_modules/acl.c
> >> index 3cf768e..b6635b1 100644
> >> --- a/source4/dsdb/samdb/ldb_modules/acl.c
> >> +++ b/source4/dsdb/samdb/ldb_modules/acl.c
> >> @@ -61,6 +61,7 @@ struct acl_context {
> >> bool allowedChildClasses;
> >> bool allowedChildClassesEffective;
> >> bool sDRightsEffective;
> >> + bool userPassword;
> >> const char * const *attrs;
> >> struct dsdb_schema *schema;
> >> };
> >> @@ -542,7 +543,8 @@ static int acl_check_password_rights(TALLOC_CTX
> >> *mem_ctx,
> >> struct ldb_request *req,
> >> struct security_descriptor *sd,
> >> struct dom_sid *sid,
> >> - const struct GUID *oc_guid)
> >> + const struct GUID *oc_guid,
> >> + bool userPassword)
> >> {
> >> int ret = LDB_SUCCESS;
> >> unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
> >> @@ -557,6 +559,10 @@ static int acl_check_password_rights(TALLOC_CTX
> >> *mem_ctx,
> >> return ldb_module_oom(module);
> >> }
> >> for (l = passwordAttrs; *l != NULL; l++) {
> >> + if ((!userPassword)&& (ldb_attr_cmp(*l, "userPassword") ==
> >> 0)) {
> >> + continue;
> >> + }
> >> +
> >> while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
> >> if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
> >> ++del_attr_cnt;
> >> @@ -632,6 +638,7 @@ static int acl_modify(struct ldb_module *module,
> >> struct ldb_request *req)
> >> struct security_descriptor *sd;
> >> struct dom_sid *sid = NULL;
> >> struct ldb_control *as_system = ldb_request_get_control(req,
> >> LDB_CONTROL_AS_SYSTEM_OID);
> >> + bool userPassword = dsdb_user_password_support(module, req);
> >> TALLOC_CTX *tmp_ctx = talloc_new(req);
> >> static const char *acl_attrs[] = {
> >> "nTSecurityDescriptor",
> >> @@ -732,14 +739,15 @@ static int acl_modify(struct ldb_module
> >> *module, struct ldb_request *req)
> >> continue;
> >> }
> >> else if (ldb_attr_cmp("unicodePwd",
> >> req->op.mod.message->elements[i].name) == 0 ||
> >> - ldb_attr_cmp("userPassword",
> >> req->op.mod.message->elements[i].name) == 0 ||
> >> + (userPassword&& ldb_attr_cmp("userPassword",
> >> req->op.mod.message->elements[i].name) == 0) ||
> >> ldb_attr_cmp("clearTextPassword",
> >> req->op.mod.message->elements[i].name) == 0) {
> >> ret = acl_check_password_rights(tmp_ctx,
> >> module,
> >> req,
> >> sd,
> >> sid,
> >> - guid);
> >> + guid,
> >> + userPassword);
> >> if (ret != LDB_SUCCESS) {
> >> goto fail;
> >> }
> >> @@ -1074,6 +1082,11 @@ static int acl_search_callback(struct
> >> ldb_request *req, struct ldb_reply *ares)
> >> if (data&& data->password_attrs) {
> >> if (!ac->am_system) {
> >> for (i = 0; data->password_attrs[i]; i++) {
> >> + if ((!ac->userPassword)&&
> >> + (ldb_attr_cmp(data->password_attrs[i],
> >> + "userPassword") == 0))
> >> + continue;
> >> +
> >> ldb_msg_remove_attr(ares->message,
> >> data->password_attrs[i]);
> >> }
> >> }
> >> @@ -1115,6 +1128,7 @@ static int acl_search(struct ldb_module
> >> *module, struct ldb_request *req)
> >> ac->allowedChildClasses =
> >> ldb_attr_in_list(req->op.search.attrs, "allowedChildClasses");
> >> ac->allowedChildClassesEffective =
> >> ldb_attr_in_list(req->op.search.attrs, "allowedChildClassesEffective");
> >> ac->sDRightsEffective = ldb_attr_in_list(req->op.search.attrs,
> >> "sDRightsEffective");
> >> + ac->userPassword = dsdb_user_password_support(module, ac);
> >> ac->schema = dsdb_get_schema(ldb, ac);
> >>
> >> /* replace any attributes in the parse tree that are private,
> >> @@ -1125,6 +1139,11 @@ static int acl_search(struct ldb_module
> >> *module, struct ldb_request *req)
> >> /* remove password attributes */
> >> if (data&& data->password_attrs) {
> >> for (i = 0; data->password_attrs[i]; i++) {
> >> + if ((!ac->userPassword)&&
> >> + (ldb_attr_cmp(data->password_attrs[i],
> >> + "userPassword") == 0))
> >> + continue;
> >> +
> >> ldb_parse_tree_attr_replace(req->op.search.tree,
> >> data->password_attrs[i],
> >> "kludgeACLredactedattribute");
> >> diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c
> >> b/source4/dsdb/samdb/ldb_modules/local_password.c
> >> index f544689..c0e1e9a 100644
> >> --- a/source4/dsdb/samdb/ldb_modules/local_password.c
> >> +++ b/source4/dsdb/samdb/ldb_modules/local_password.c
> >> @@ -39,13 +39,15 @@
> >>
> >> #define PASSWORD_GUID_ATTR "masterGUID"
> >>
> >> -/* This module maintains a local password database, seperate from
> >> the main LDAP server.
> >> +/* This module maintains a local password database, separate from
> >> the main LDAP
> >> + server.
> >>
> >> - This allows the password database to be syncronised in a
> >> multi-master
> >> + This allows the password database to be synchronised in a
> >> multi-master
> >> fashion, seperate to the more difficult concerns of the main
> >> - database. (With passwords, the last writer always wins)
> >> + database. (With passwords, the last writer always wins)
> >>
> >> - Each incoming add/modify is split into a remote, and a local
> >> request, done in that order.
> >> + Each incoming add/modify is split into a remote, and a local
> >> request, done
> >> + in that order.
> >>
> >> We maintain a list of attributes that are kept locally - perhaps
> >> this should use the @KLUDGE_ACL list of passwordAttribute
> >> @@ -173,14 +175,6 @@ static int local_password_add(struct ldb_module
> >> *module, struct ldb_request *req
> >> return ldb_next_request(module, req);
> >> }
> >>
> >> - /* TODO: remove this when userPassword will be in schema */
> >> - if (!ldb_msg_check_string_attribute(req->op.add.message,
> >> "objectClass", "person")) {
> >> - ldb_asprintf_errstring(ldb,
> >> - "Cannot relocate a password on entry: %s, does
> >> not have objectClass 'person'",
> >> - ldb_dn_get_linearized(req->op.add.message->dn));
> >> - return LDB_ERR_OBJECT_CLASS_VIOLATION;
> >> - }
> >> -
> >> /* From here, we assume we have password attributes to split
> >> off */
> >> ac = lpdb_init_context(module, req);
> >> if (!ac) {
> >> diff --git a/source4/dsdb/samdb/ldb_modules/objectclass.c
> >> b/source4/dsdb/samdb/ldb_modules/objectclass.c
> >> index 6702b01..2e95eb5 100644
> >> --- a/source4/dsdb/samdb/ldb_modules/objectclass.c
> >> +++ b/source4/dsdb/samdb/ldb_modules/objectclass.c
> >> @@ -334,8 +334,10 @@ static int fix_dn(struct ldb_context *ldb,
> >> return ldb_operr(ldb);
> >> }
> >>
> >> -
> >> rdn_val = ldb_dn_get_rdn_val(newdn);
> >> + if (rdn_val == NULL) {
> >> + return ldb_operr(ldb);
> >> + }
> >>
> >> #if 0
> >> /* the rules for rDN length constraints are more complex than
> >> @@ -468,6 +470,8 @@ static int objectclass_do_add(struct oc_context *ac)
> >> const struct dsdb_class *objectclass;
> >> struct ldb_dn *objectcategory;
> >> int32_t systemFlags = 0;
> >> + unsigned int i, j;
> >> + bool found;
> >> int ret;
> >>
> >> ldb = ldb_module_get_ctx(ac->module);
> >> @@ -561,6 +565,7 @@ static int objectclass_do_add(struct oc_context *ac)
> >> talloc_free(mem_ctx);
> >> return ldb_oom(ldb);
> >> }
> >> +
> >> ret = ldb_msg_add_string(msg, "objectClass", value);
> >> if (ret != LDB_SUCCESS) {
> >> ldb_set_errstring(ldb,
> >> @@ -587,11 +592,25 @@ static int objectclass_do_add(struct oc_context
> >> *ac)
> >> }
> >>
> >> rdn_name = ldb_dn_get_rdn_name(msg->dn);
> >> - if (objectclass->rDNAttID
> >> - && ldb_attr_cmp(rdn_name, objectclass->rDNAttID) != 0) {
> >> + if (rdn_name == NULL) {
> >> + return ldb_operr(ldb);
> >> + }
> >> + found = false;
> >> + for (i = 0; (!found)&& (i< objectclass_element->num_values);
> >> + i++) {
> >> + const struct dsdb_class *tmp_class =
> >> + dsdb_class_by_lDAPDisplayName_ldb_val(ac->schema,
> >> + &objectclass_element->values[i]);
> >> +
> >> + if (tmp_class == NULL) continue;
> >> +
> >> + if (ldb_attr_cmp(rdn_name, tmp_class->rDNAttID) == 0)
> >> + found = true;
> >> + }
> >> + if (!found) {
> >> ldb_asprintf_errstring(ldb,
> >> - "RDN %s is not correct for most specific
> >> structural objectclass %s, should be %s",
> >> - rdn_name, objectclass->lDAPDisplayName,
> >> objectclass->rDNAttID);
> >> + "objectclass: Invalid RDN '%s' for
> >> objectclass '%s'!",
> >> + rdn_name, objectclass->lDAPDisplayName);
> >> return LDB_ERR_NAMING_VIOLATION;
> >> }
> >>
> >> @@ -616,7 +635,6 @@ static int objectclass_do_add(struct oc_context *ac)
> >> = ldb_msg_find_element(ac->search_res->message,
> >> "objectClass");
> >>
> >> bool allowed_class = false;
> >> - unsigned int i, j;
> >> for (i=0; allowed_class == false&& oc_el&& i<
> >> oc_el->num_values; i++) {
> >> const struct dsdb_class *sclass;
> >>
> >> @@ -1256,6 +1274,7 @@ static int objectclass_do_rename2(struct
> >> oc_context *ac)
> >> const char *rdn_name;
> >> bool allowed_class = false;
> >> unsigned int i, j;
> >> + bool found;
> >>
> >> oc_el_entry = ldb_msg_find_element(ac->search_res->message,
> >> "objectClass");
> >> @@ -1270,13 +1289,24 @@ static int objectclass_do_rename2(struct
> >> oc_context *ac)
> >> }
> >>
> >> rdn_name = ldb_dn_get_rdn_name(ac->req->op.rename.newdn);
> >> - if ((objectclass->rDNAttID != NULL)&&
> >> - (ldb_attr_cmp(rdn_name, objectclass->rDNAttID) != 0)) {
> >> + if (rdn_name == NULL) {
> >> + return ldb_operr(ldb);
> >> + }
> >> + found = false;
> >> + for (i = 0; (!found)&& (i< oc_el_entry->num_values); i++) {
> >> + const struct dsdb_class *tmp_class =
> >> + dsdb_class_by_lDAPDisplayName_ldb_val(ac->schema,
> >> + &oc_el_entry->values[i]);
> >> +
> >> + if (tmp_class == NULL) continue;
> >> +
> >> + if (ldb_attr_cmp(rdn_name, tmp_class->rDNAttID) == 0)
> >> + found = true;
> >> + }
> >> + if (!found) {
> >> ldb_asprintf_errstring(ldb,
> >> - "objectclass: RDN %s is not correct for
> >> most specific structural objectclass %s, should be %s",
> >> - rdn_name,
> >> - objectclass->lDAPDisplayName,
> >> - objectclass->rDNAttID);
> >> + "objectclass: Invalid RDN '%s' for
> >> objectclass '%s'!",
> >> + rdn_name, objectclass->lDAPDisplayName);
> >> return LDB_ERR_UNWILLING_TO_PERFORM;
> >> }
> >>
> >> diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c
> >> b/source4/dsdb/samdb/ldb_modules/password_hash.c
> >> index 83bee2f..9b6cf8c 100644
> >> --- a/source4/dsdb/samdb/ldb_modules/password_hash.c
> >> +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
> >> @@ -33,19 +33,16 @@
> >> */
> >>
> >> #include "includes.h"
> >> -#include "libcli/ldap/ldap_ndr.h"
> >> #include "ldb_module.h"
> >> -#include "librpc/gen_ndr/misc.h"
> >> -#include "librpc/gen_ndr/samr.h"
> >> +#include "auth/session.h"
> >> #include "libcli/auth/libcli_auth.h"
> >> #include "libcli/security/security.h"
> >> +#include "libcli/security/session.h"
> >> #include "system/kerberos.h"
> >> #include "auth/kerberos/kerberos.h"
> >> -#include "system/time.h"
> >> #include "dsdb/samdb/samdb.h"
> >> -#include "../libds/common/flags.h"
> >> +#include "dsdb/samdb/ldb_modules/util.h"
> >> #include "dsdb/samdb/ldb_modules/password_modules.h"
> >> -#include "librpc/ndr/libndr.h"
> >> #include "librpc/gen_ndr/ndr_drsblobs.h"
> >> #include "../lib/crypto/crypto.h"
> >> #include "param/param.h"
> >> @@ -1633,6 +1630,68 @@ static int check_password_restrictions(struct
> >> setup_password_fields_io *io)
> >> return LDB_SUCCESS;
> >> }
> >>
> >> +/*
> >> + * This is intended for use by the "password_hash" module since there
> >> + * password changes can be specified through one message element
> >> with the
> >> + * new password (to set) and another one with the old password (to
> >> unset).
> >> + *
> >> + * The first which sets a password (new value) can have flags
> >> + * (LDB_FLAG_MOD_ADD, LDB_FLAG_MOD_REPLACE) but also none (on "add"
> >> operations
> >> + * for entries). The latter (old value) has always specified
> >> + * LDB_FLAG_MOD_DELETE.
> >> + *
> >> + * Returns LDB_ERR_CONSTRAINT_VIOLATION and
> >> LDB_ERR_UNWILLING_TO_PERFORM if
> >> + * matching message elements are malformed in respect to the
> >> set/change rules.
> >> + * Otherwise it returns LDB_SUCCESS.
> >> + */
> >> +static int msg_find_old_and_new_pwd_val(const struct ldb_message *msg,
> >> + const char *name,
> >> + enum ldb_request_type operation,
> >> + const struct ldb_val **new_val,
> >> + const struct ldb_val **old_val)
> >> +{
> >> + unsigned int i;
> >> +
> >> + *new_val = NULL;
> >> + *old_val = NULL;
> >> +
> >> + if (msg == NULL) {
> >> + return LDB_SUCCESS;
> >> + }
> >> +
> >> + for (i = 0; i< msg->num_elements; i++) {
> >> + if (ldb_attr_cmp(msg->elements[i].name, name) != 0) {
> >> + continue;
> >> + }
> >> +
> >> + if ((operation == LDB_MODIFY)&&
> >> + (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) ==
> >> LDB_FLAG_MOD_DELETE)) {
> >> + /* 0 values are allowed */
> >> + if (msg->elements[i].num_values == 1) {
> >> + *old_val =&msg->elements[i].values[0];
> >> + } else if (msg->elements[i].num_values> 1) {
> >> + return LDB_ERR_CONSTRAINT_VIOLATION;
> >> + }
> >> + } else if ((operation == LDB_MODIFY)&&
> >> + (LDB_FLAG_MOD_TYPE(msg->elements[i].flags) ==
> >> LDB_FLAG_MOD_REPLACE)) {
> >> + if (msg->elements[i].num_values> 0) {
> >> + *new_val
> >> =&msg->elements[i].values[msg->elements[i].num_values - 1];
> >> + } else {
> >> + return LDB_ERR_UNWILLING_TO_PERFORM;
> >> + }
> >> + } else {
> >> + /* Add operations and LDB_FLAG_MOD_ADD */
> >> + if (msg->elements[i].num_values> 0) {
> >> + *new_val
> >> =&msg->elements[i].values[msg->elements[i].num_values - 1];
> >> + } else {
> >> + return LDB_ERR_CONSTRAINT_VIOLATION;
> >> + }
> >> + }
> >> + }
> >> +
> >> + return LDB_SUCCESS;
> >> +}
> >> +
> >> static int setup_io(struct ph_context *ac,
> >> const struct ldb_message *orig_msg,
> >> const struct ldb_message *searched_msg,
> >> @@ -1687,11 +1746,10 @@ static int setup_io(struct ph_context *ac,
> >> }
> >>
> >> if (ac->userPassword) {
> >> - ret = samdb_msg_find_old_and_new_ldb_val(orig_msg,
> >> - "userPassword",
> >> - ac->req->operation,
> >> - &io->n.cleartext_utf8,
> >> - &io->og.cleartext_utf8);
> >> + ret = msg_find_old_and_new_pwd_val(orig_msg, "userPassword",
> >> + ac->req->operation,
> >> + &io->n.cleartext_utf8,
> >> + &io->og.cleartext_utf8);
> >> if (ret != LDB_SUCCESS) {
> >> ldb_asprintf_errstring(ldb,
> >> "setup_io: "
> >> @@ -1700,10 +1758,10 @@ static int setup_io(struct ph_context *ac,
> >> }
> >> }
> >>
> >> - ret = samdb_msg_find_old_and_new_ldb_val(orig_msg,
> >> "clearTextPassword",
> >> - ac->req->operation,
> >> - &io->n.cleartext_utf16,
> >> - &io->og.cleartext_utf16);
> >> + ret = msg_find_old_and_new_pwd_val(orig_msg, "clearTextPassword",
> >> + ac->req->operation,
> >> + &io->n.cleartext_utf16,
> >> + &io->og.cleartext_utf16);
> >> if (ret != LDB_SUCCESS) {
> >> ldb_asprintf_errstring(ldb,
> >> "setup_io: "
> >> @@ -1724,10 +1782,10 @@ static int setup_io(struct ph_context *ac,
> >> that would then be treated as a UTF16 password rather than
> >> a nthash */
> >>
> >> - ret = samdb_msg_find_old_and_new_ldb_val(orig_msg, "unicodePwd",
> >> - ac->req->operation,
> >> - "ed_utf16,
> >> - &old_quoted_utf16);
> >> + ret = msg_find_old_and_new_pwd_val(orig_msg, "unicodePwd",
> >> + ac->req->operation,
> >> + "ed_utf16,
> >> + &old_quoted_utf16);
> >> if (ret != LDB_SUCCESS) {
> >> ldb_asprintf_errstring(ldb,
> >> "setup_io: "
> >> @@ -1841,9 +1899,9 @@ static int setup_io(struct ph_context *ac,
> >>
> >> /* Handles the "dBCSPwd" attribute (LM hash) */
> >> io->n.lm_hash = NULL; io->og.lm_hash = NULL;
> >> - ret = samdb_msg_find_old_and_new_ldb_val(orig_msg, "dBCSPwd",
> >> - ac->req->operation,
> >> - &lm_hash,&old_lm_hash);
> >> + ret = msg_find_old_and_new_pwd_val(orig_msg, "dBCSPwd",
> >> + ac->req->operation,
> >> + &lm_hash,&old_lm_hash);
> >> if (ret != LDB_SUCCESS) {
> >> ldb_asprintf_errstring(ldb,
> >> "setup_io: "
> >> @@ -2232,7 +2290,7 @@ static int password_hash_add(struct ldb_module
> >> *module, struct ldb_request *req)
> >> *ntAttr, *lmAttr;
> >> int ret;
> >> struct ldb_control *bypass = NULL;
> >> - bool userPassword = true;
> >> + bool userPassword = dsdb_user_password_support(module, req);
> >>
> >>
> >
> >
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20101113/c15087a8/attachment.pgp>
More information about the samba-technical
mailing list