samba.git/lib/ldb/include, branch master Unnamed repository; edit this file 'description' to name the repository. ldb: add "policy hints" controls to be used by password_hash module 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-09-24T23:45:30+00:00 b003beb85a648eae5bfe7e38362abd8d798e8f86 These won't have any effect yet, but soon they will allow a privileged account to perform a password reset that respects constraints on password history, age, and length, as if the reset was an ordinary password change (that is, where the user provides the old password). A normal user can't reset their own password using this, if the organisation is using a remote service (e.g. Entra ID or Keycloak) to manage passwords, that service can use a policy hints control to ensure it follows AD password policy. Entra ID Self Service Password Reset (SSPR) uses the deprecated OID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
These won't have any effect yet, but soon they will allow a privileged
account to perform a password reset that respects constraints on
password history, age, and length, as if the reset was an ordinary
password change (that is, where the user provides the old password).

A normal user can't reset their own password using this, if the
organisation is using a remote service (e.g. Entra ID or Keycloak) to
manage passwords, that service can use a policy hints control to
ensure it follows AD password policy.

Entra ID Self Service Password Reset (SSPR) uses the deprecated OID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
ldb: remove unused sqlite backend 2025-03-05T02:37:39+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-03-03T22:02:01+00:00 25502486b1cc7465470c794422724f14968a8ebc Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> Reviewed-by: Martin Schwenke <mschwenke@ddn.com> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <mschwenke@ddn.com>
ldb: Attach appropriate ldb context to returned result 2024-06-11T04:32:30+00:00 Jo Sutton josutton@catalyst.net.nz 2024-05-01T04:54:01+00:00 4e8ca6140aff0cac534d2ea2e370c1dc70a73b21 This is done by adding a new API that avoids the problems of ldb_dn_copy() and makes it clear that a struct ldb_context * pointer will be stored in the new copy. Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This is done by adding a new API that avoids the problems of
ldb_dn_copy() and makes it clear that a struct ldb_context *
pointer will be stored in the new copy.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb_wrap: Provide a way to avoid Samba using ldb_wrap() 2024-06-10T04:27:30+00:00 Andrew Bartlett abartlet@samba.org 2024-05-29T23:23:01+00:00 e178f6b0e962b0ac96d447196765c21c770ede63 ldb_wrap is a caching mechansim, and it should probably be removed but for now provide a way to avoid it in specific cases where we know it is harmful. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> 
ldb_wrap is a caching mechansim, and it should probably be removed
but for now provide a way to avoid it in specific cases where we
know it is harmful.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
ldb: move struct ldb_debug_ops to ldb_private.h 2024-05-23T00:19:30+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-22T21:40:00+00:00 d6581d213d5f625da493f14620e1a12e79a8e195 Only accessed through struct ldb_context -> debug_ops, which is already private. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224 
Only accessed through struct ldb_context -> debug_ops, which is already private.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu May 23 00:19:30 UTC 2024 on atb-devel-224
ldb: move struct ldb_utf8_fns to ldb_private.h 2024-05-22T23:12:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-22T21:36:57+00:00 6dd68d897865bd2518a6a71753ca0bc76d51b37e It is only accessed via ldb functions that find it on the already-private struct ldb_context. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
It is only accessed via ldb functions that find it on the already-private
struct ldb_context.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb: deprecate ldb_set_utf8_fns 2024-05-22T23:12:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-16T23:35:01+00:00 4a6a1d1f0afa830a679781a522d724bd861a3601 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb: add ldb_comparison_fold_ascii() for default comparisons 2024-05-22T23:12:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-15T08:51:08+00:00 92275e27947989706561292f47789a8d715a11d1 This function is made from the ASCII-only bits of the old ldb_comparison_fold() -- that is, what you get if you never follow a `goto utf8str` jump. It comparse the bytes, but collapses spaces and maps [a-z] to [A-Z]. This does exactly what ldb_comparison_fold_utf8_broken() would do in situations where ldb_casfold() calls ldb_casefold_default(). That means SSSD. The comparison is probably using signed char, so high bytes are actually low bytes. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This function is made from the ASCII-only bits of the old
ldb_comparison_fold() -- that is, what you get if you never follow a
`goto utf8str` jump. It comparse the bytes, but collapses spaces and
maps [a-z] to [A-Z].

This does exactly what ldb_comparison_fold_utf8_broken() would do in
situations where ldb_casfold() calls ldb_casefold_default(). That
means SSSD.

The comparison is probably using signed char, so high bytes are
actually low bytes.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb: add ldb_set_utf8_functions() for setting casefold functions 2024-05-22T23:12:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-16T23:34:35+00:00 ae7ca36830be7823dde17bcaeae74b5f46b1aa3d This replaces ldb_set_utf8_fns(), which will be deprecated really soon. The reason for this, as shown in surrounding commits, is that without an explicit case-insensitive comparison we need to rely on the casefold, and if the casefold can fail (because, e.g. bad utf-8) the comparison ends up being a bit chaotic. The strings being compared are generally user controlled, and a malicious user might find ways of hiding values or perhaps fooling a binary search. A case-insensitive comparisons that works gradually through the string without an all-at-once casefold is better placed to deal with problems where they happen, and we are able to separately specialise for the ASCII case (used by SSSD) and the UTF-8 case (Samba). Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This replaces ldb_set_utf8_fns(), which will be deprecated really soon.

The reason for this, as shown in surrounding commits, is that without
an explicit case-insensitive comparison we need to rely on the casefold,
and if the casefold can fail (because, e.g. bad utf-8) the comparison
ends up being a bit chaotic. The strings being compared are generally
user controlled, and a malicious user might find ways of hiding values
or perhaps fooling a binary search.

A case-insensitive comparisons that works gradually through the string
without an all-at-once casefold is better placed to deal with problems
where they happen, and we are able to separately specialise for the
ASCII case (used by SSSD) and the UTF-8 case (Samba).

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ldb: add a utf-8 comparison fold callback 2024-05-22T23:12:32+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2024-05-09T04:52:53+00:00 278a3c7f7c6506134e0e1d15126f55b444f37fbc This isn't used yet, but it will allow library users to select a case-insensitive comparison function that matches their chosen casefold. This will allow the comparisons to be consistent when the strings are bad, whereas currently we kind of guess. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This isn't used yet, but it will allow library users to select a
case-insensitive comparison function that matches their chosen casefold.

This will allow the comparisons to be consistent when the strings are bad,
whereas currently we kind of guess.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>