samba.git/source4/libcli/ldap, branch master Unnamed repository; edit this file 'description' to name the repository. ldb: add "policy hints" controls to be used by password_hash module 2026-01-15T01:48:37+00:00 Douglas Bagnall douglas.bagnall@catalyst.net.nz 2025-09-24T23:45:30+00:00 b003beb85a648eae5bfe7e38362abd8d798e8f86 These won't have any effect yet, but soon they will allow a privileged account to perform a password reset that respects constraints on password history, age, and length, as if the reset was an ordinary password change (that is, where the user provides the old password). A normal user can't reset their own password using this, if the organisation is using a remote service (e.g. Entra ID or Keycloak) to manage passwords, that service can use a policy hints control to ensure it follows AD password policy. Entra ID Self Service Password Reset (SSPR) uses the deprecated OID. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
These won't have any effect yet, but soon they will allow a privileged
account to perform a password reset that respects constraints on
password history, age, and length, as if the reset was an ordinary
password change (that is, where the user provides the old password).

A normal user can't reset their own password using this, if the
organisation is using a remote service (e.g. Entra ID or Keycloak) to
manage passwords, that service can use a policy hints control to
ensure it follows AD password policy.

Entra ID Self Service Password Reset (SSPR) uses the deprecated OID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
lib: Don't call a function to initialize an empty DATA_BLOB 2026-01-07T09:57:40+00:00 Volker Lendecke vl@samba.org 2025-12-24T08:41:02+00:00 ff627b2b41eba26a0dbe7744b6a027e001583828 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Anoop C S <anoopcs@samba.org> 
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Anoop C S <anoopcs@samba.org>
dsdb: Prepare to handle smartcard password rollover 2024-06-10T04:27:30+00:00 Andrew Bartlett abartlet@samba.org 2024-05-20T01:51:23+00:00 09ae48b415b2b50dbf4600e9c7f9cb4ec65a6263 We do this by allowing the password change control to indicate that the password is to be randomised, bypassing the quality checks (as true random passwords often fail these) and re-randomising with the same code as is used for the KDC. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> 
We do this by allowing the password change control to indicate
that the password is to be randomised, bypassing the quality
checks (as true random passwords often fail these) and
re-randomising with the same code as is used for the KDC.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
s4:libcli: Add more controls to our list of known controls 2024-05-16T02:11:36+00:00 Jo Sutton josutton@catalyst.net.nz 2024-04-29T05:03:39+00:00 170dd47eae5ece962262814d05bfcedb3426b433 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli: Fix code spelling 2024-05-16T02:11:36+00:00 Jo Sutton josutton@catalyst.net.nz 2024-04-29T05:48:01+00:00 526652d162f929426bdefac57ca346dd1c9c5d95 Signed-off-by: Jo Sutton <josutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli/ldap: add support for ADS_AUTH_SASL_{STARTTLS,LDAPS} 2024-04-23T23:50:34+00:00 Stefan Metzmacher metze@samba.org 2024-01-24T09:43:42+00:00 0122c0a6986e28355ca22545fa40442afc0c43e2 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli/ldap: add tls channel binding support for ldap_bind_sasl() 2024-04-23T23:50:34+00:00 Stefan Metzmacher metze@samba.org 2023-09-28T15:11:03+00:00 7acb15a53c061344ffdbd58f9b2f01f8b0233f4e We still allow 'ldap_testing:tls_channel_bindings = no' and 'ldap_testing:channel_bound = no' for testing the old behavior in order to have expected failures in our tests. And we have 'ldap_testing:forced_channel_binding = somestring' in order to force invalid bindings. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
We still allow 'ldap_testing:tls_channel_bindings = no' and
'ldap_testing:channel_bound = no' for testing
the old behavior in order to have expected failures in our tests.

And we have 'ldap_testing:forced_channel_binding = somestring'
in order to force invalid bindings.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli/ldap: make use of tstream_tls_params_client_lpcfg() 2024-04-23T23:50:33+00:00 Stefan Metzmacher metze@samba.org 2024-02-13T15:53:15+00:00 c200cf1b5f430f686b39df8513a6b7e3c592ed43 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli/ldap: force GSS-SPNEGO in ldap_bind_sasl() 2024-04-23T23:50:33+00:00 Stefan Metzmacher metze@samba.org 2024-01-26T17:04:57+00:00 68f6a461e1706f03007d3c5cfc68c71383b4ff28 There's no point in asking the server for supportedSASLMechanisms, every server (we care about) supports GSS-SPNEGO. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
There's no point in asking the server for supportedSASLMechanisms,
every server (we care about) supports GSS-SPNEGO.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
s4:libcli/ldap: fix no memory error code in ldap_bind_sasl() 2024-04-23T23:50:33+00:00 Stefan Metzmacher metze@samba.org 2024-01-26T17:07:53+00:00 8deba427e2697501f10e80a2ac0325a657635b92 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>