The branch, v4-16-test has been updated via 76fc517cc54 VERSION: Bump version up to Samba 4.16.11... via 32d0bb89272 VERSION: Disable GIT_SNAPSHOT for the 4.16.10 release. via 62390bac925 WHATSNEW: Add release notes for Samba 4.16.10. via 6736fc0cff0 CVE-2023-0922 set default ldap client sasl wrapping to seal via 4acabb3c285 CVE-2023-0614 ldb: Release LDB 2.5.3 via 3a38d702397 CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN via 19785d023e3 CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes via 979997992a4 CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests via c64b48b2b26 CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED via 1cfaa078ffc CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed via a74571b49f5 CVE-2023-0614 ldb: Filter on search base before redacting message via d60683e5e9d CVE-2023-0614 ldb: Centralise checking for inaccessible matches via 58b4a0e3eb7 CVE-2023-0614 ldb: Use binary search to check whether attribute is secret via 353d3df3dd5 CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it via 9447c4e81e0 CVE-2023-0614 ldb: Prevent disclosure of confidential attributes via 134c659d402 CVE-2023-0614 s4-acl: Split out function to set up access checking variables via e46739cb897 CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf() via 95be170f997 CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes via 0b0d8a8ece6 CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr() via 1c9736510f3 CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences via e3b8d0a650b CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID via f8a674088ac schema_samba4.ldif: Allocate previously added OIDs via a4193a79035 CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test via d096cd4ed92 CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own via 4bbdd6709bf CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place() via 4addeaaf5da CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place via 7c2d0e0a06e CVE-2023-0614 ldb: Add function to filter message in place via 7982090641e CVE-2023-0614 ldb: Add function to add distinguishedName to message via 873d4e465f3 CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message via 891ffeaf99d CVE-2023-0614 ldb: Add function to take ownership of an ldb message via 6519d1d8fa1 CVE-2023-0614 ldb:tests: Ensure all tests are accounted for via 7153af801e5 CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated via c3419c288c6 CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements via 0f8a3344501 CVE-2023-0614 ldb: Add functions for handling inaccessible message elements via 9469c41895a CVE-2023-0614 s4-acl: Make some parameters const via c91b81ecc92 CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently via 26b79d2749b CVE-2023-0614 libcli/security: Make some parameters const via 8712a2dc972 CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects via bf7b9d9d5e4 CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time via ae3d2737949 CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate from f2461834bbc VERSION: Bump version up to Samba 4.16.10...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test - Log ----------------------------------------------------------------- commit 76fc517cc547a55586e22beffc17e0e17d7b0482 Author: Jule Anger <jan...@samba.org> Date: Wed Mar 29 16:33:02 2023 +0200 VERSION: Bump version up to Samba 4.16.11... and re-enable GIT_SNAPSHOT. Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 63 +- .../smbdotconf/ldap/clientldapsaslwrapping.xml | 27 +- lib/ldb-samba/ldb_matching_rules.c | 17 +- lib/ldb-samba/tests/match_rules.py | 135 +-- lib/ldb-samba/tests/match_rules_remote.py | 104 ++ lib/ldb/ABI/{ldb-2.5.2.sigs => ldb-2.5.3.sigs} | 10 + ...pyldb-util-2.1.0.sigs => pyldb-util-2.5.3.sigs} | 0 lib/ldb/common/ldb_match.c | 111 ++- lib/ldb/common/ldb_msg.c | 42 + lib/ldb/common/ldb_pack.c | 105 +- lib/ldb/common/ldb_parse.c | 25 + lib/ldb/include/ldb_module.h | 31 + lib/ldb/include/ldb_private.h | 21 + lib/ldb/ldb_key_value/ldb_kv.h | 6 +- lib/ldb/ldb_key_value/ldb_kv_index.c | 59 +- lib/ldb/ldb_key_value/ldb_kv_search.c | 115 ++- lib/ldb/tests/ldb_filter_attrs_in_place_test.c | 940 ++++++++++++++++++ lib/ldb/tests/ldb_filter_attrs_test.c | 171 ++-- lib/ldb/wscript | 13 +- lib/param/loadparm.c | 2 +- libcli/security/access_check.c | 10 +- libcli/security/access_check.h | 2 +- python/samba/tests/auth_log.py | 2 +- source3/param/loadparm.c | 2 +- source4/dsdb/common/util.c | 26 +- source4/dsdb/common/util.h | 1 + source4/dsdb/samdb/ldb_modules/acl.c | 183 +--- source4/dsdb/samdb/ldb_modules/acl_read.c | 1015 +++++++++++++------- source4/dsdb/samdb/ldb_modules/acl_util.c | 6 +- source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 50 +- source4/dsdb/samdb/ldb_modules/linked_attributes.c | 2 +- source4/dsdb/samdb/ldb_modules/password_hash.c | 2 +- source4/dsdb/samdb/samdb.h | 2 + source4/dsdb/schema/schema_description.c | 7 + source4/dsdb/schema/schema_init.c | 11 +- source4/dsdb/schema/schema_set.c | 9 +- source4/dsdb/tests/python/confidential_attr.py | 180 +++- source4/dsdb/tests/python/large_ldap.py | 85 +- source4/selftest/tests.py | 1 + source4/setup/schema_samba4.ldif | 4 + source4/torture/ldb/ldb.c | 12 +- 42 files changed, 2766 insertions(+), 845 deletions(-) create mode 100755 lib/ldb-samba/tests/match_rules_remote.py copy lib/ldb/ABI/{ldb-2.5.2.sigs => ldb-2.5.3.sigs} (97%) copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.5.3.sigs} (100%) create mode 100644 lib/ldb/tests/ldb_filter_attrs_in_place_test.c Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 0cac5f9d6ab..22fca36686e 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=16 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b5b57e856d9..4ddfe2db83c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,63 @@ + =============================== + Release Notes for Samba 4.16.10 + March 29, 2023 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.16.9 +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: VE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15270: CVE-2023-0614. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.16.9 February 16, 2023 @@ -72,8 +132,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.16.8 December 15, 2022 diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 3152f0682dd..21bd2090057 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -18,25 +18,24 @@ </para> <para> - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "<literal>HKLM\System\CurrentControlSet\Services\</literal> - <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" - on the Windows server side. - </para> + This option is needed firstly to secure the privacy of + administrative connections from <command>samba-tool</command>, + including in particular new or reset passwords for users. For + this reason the default is <emphasis>seal</emphasis>.</para> - <para> - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, <emphasis>sign</emphasis> is just an alias for - <emphasis>seal</emphasis>. + <para>Additionally, <command>winbindd</command> and the + <command>net</command> tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least <emphasis>sign</emphasis> is + required in practice. </para> <para> - The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + The default value is <emphasis>seal</emphasis>. That implies synchronizing the time with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">sign</value> +<value type="default">seal</value> </samba:parameter> diff --git a/lib/ldb-samba/ldb_matching_rules.c b/lib/ldb-samba/ldb_matching_rules.c index 827f3920ae8..59d1385f4e3 100644 --- a/lib/ldb-samba/ldb_matching_rules.c +++ b/lib/ldb-samba/ldb_matching_rules.c @@ -67,7 +67,12 @@ static int ldb_eval_transitive_filter_helper(TALLOC_CTX *mem_ctx, * Note also that we don't have the original request * here, so we can not apply controls or timeouts here. */ - ret = dsdb_search_dn(ldb, tmp_ctx, &res, to_visit->dn, attrs, 0); + ret = dsdb_search_dn(ldb, + tmp_ctx, + &res, + to_visit->dn, + attrs, + DSDB_MARK_REQ_UNTRUSTED); if (ret != LDB_SUCCESS) { talloc_free(tmp_ctx); return ret; @@ -370,6 +375,11 @@ static int dsdb_match_for_dns_to_tombstone_time(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, "sessionInfo"), struct auth_session_info); if (session_info == NULL) { @@ -489,6 +499,11 @@ static int dsdb_match_for_expunge(struct ldb_context *ldb, return LDB_SUCCESS; } + if (ldb_msg_element_is_inaccessible(el)) { + *matched = false; + return LDB_SUCCESS; + } + session_info = talloc_get_type(ldb_get_opaque(ldb, DSDB_SESSION_INFO), struct auth_session_info); diff --git a/lib/ldb-samba/tests/match_rules.py b/lib/ldb-samba/tests/match_rules.py index abf485c9eab..2fe6c3e2264 100755 --- a/lib/ldb-samba/tests/match_rules.py +++ b/lib/ldb-samba/tests/match_rules.py @@ -20,22 +20,35 @@ from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL # Windows appear to preserve casing of the RDN and uppercase the other keys. -class MatchRulesTests(samba.tests.TestCase): +class MatchRulesTestsBase(samba.tests.TestCase): def setUp(self): - super(MatchRulesTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + super().setUp() + self.lp = self.sambaopts.get_loadparm() + self.creds = self.credopts.get_credentials(self.lp) + + self.ldb = SamDB(self.host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() - self.ou = "OU=matchrulestest,%s" % self.base_dn + self.ou_rdn = "OU=matchrulestest" + self.ou = self.ou_rdn + "," + self.base_dn self.ou_users = "OU=users,%s" % self.ou self.ou_groups = "OU=groups,%s" % self.ou self.ou_computers = "OU=computers,%s" % self.ou + try: + self.ldb.delete(self.ou, ["tree_delete:1"]) + except LdbError as e: + pass + # Add a organizational unit to create objects self.ldb.add({ "dn": self.ou, "objectclass": "organizationalUnit"}) + self.addCleanup(self.ldb.delete, self.ou, controls=['tree_delete:0']) + + # Add the following OU hierarchy and set otherWellKnownObjects, # which has BinaryDN syntax: # @@ -204,6 +217,39 @@ class MatchRulesTests(samba.tests.TestCase): FLAG_MOD_ADD, "member") self.ldb.modify(m) + # Add a couple of ms-Exch-Configuration-Container to test forward-link + # attributes without backward link (addressBookRoots2) + # e1 + # |--> e2 + # | |--> c1 + self.ldb.add({ + "dn": "cn=e1,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + self.ldb.add({ + "dn": "cn=e2,%s" % self.ou, + "objectclass": "msExchConfigurationContainer"}) + + m = Message() + m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) + m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + m = Message() + m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) + m["e1"] = MessageElement("cn=e2,%s" % self.ou, + FLAG_MOD_ADD, "addressBookRoots2") + self.ldb.modify(m) + + + +class MatchRulesTests(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + # The msDS-RevealedUsers is owned by system and cannot be modified # directly. Set the schemaUpgradeInProgress flag as workaround # and create this hierarchy: @@ -243,33 +289,6 @@ class MatchRulesTests(samba.tests.TestCase): m["e1"] = MessageElement("0", FLAG_MOD_REPLACE, "schemaUpgradeInProgress") self.ldb.modify(m) - # Add a couple of ms-Exch-Configuration-Container to test forward-link - # attributes without backward link (addressBookRoots2) - # e1 - # |--> e2 - # | |--> c1 - self.ldb.add({ - "dn": "cn=e1,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - self.ldb.add({ - "dn": "cn=e2,%s" % self.ou, - "objectclass": "msExchConfigurationContainer"}) - - m = Message() - m.dn = Dn(self.ldb, "cn=e2,%s" % self.ou) - m["e1"] = MessageElement("cn=c1,%s" % self.ou_computers, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - m = Message() - m.dn = Dn(self.ldb, "cn=e1,%s" % self.ou) - m["e1"] = MessageElement("cn=e2,%s" % self.ou, - FLAG_MOD_ADD, "addressBookRoots2") - self.ldb.modify(m) - - def tearDown(self): - super(MatchRulesTests, self).tearDown() - self.ldb.delete(self.ou, controls=['tree_delete:0']) def test_u1_member_of_g4(self): # Search without transitive match must return 0 results @@ -945,8 +964,12 @@ class MatchRulesTests(samba.tests.TestCase): class MatchRuleConditionTests(samba.tests.TestCase): def setUp(self): super(MatchRuleConditionTests, self).setUp() - self.lp = lp - self.ldb = SamDB(host, credentials=creds, session_info=system_session(lp), lp=lp) + self.lp = sambaopts.get_loadparm() + self.creds = credopts.get_credentials(self.lp) + + self.ldb = SamDB(host, credentials=self.creds, + session_info=system_session(self.lp), + lp=self.lp) self.base_dn = self.ldb.domain_dn() self.ou = "OU=matchruleconditiontests,%s" % self.base_dn self.ou_users = "OU=users,%s" % self.ou @@ -1745,32 +1768,30 @@ class MatchRuleConditionTests(samba.tests.TestCase): self.ou_groups, self.ou_computers)) self.assertEqual(len(res1), 0) +if __name__ == "__main__": -parser = optparse.OptionParser("match_rules.py [options] <host>") -sambaopts = options.SambaOptions(parser) -parser.add_option_group(sambaopts) -parser.add_option_group(options.VersionOptions(parser)) - -# use command line creds if available -credopts = options.CredentialsOptions(parser) -parser.add_option_group(credopts) -opts, args = parser.parse_args() -subunitopts = SubunitOptions(parser) -parser.add_option_group(subunitopts) + parser = optparse.OptionParser("match_rules.py [options] <host>") + sambaopts = options.SambaOptions(parser) + parser.add_option_group(sambaopts) + parser.add_option_group(options.VersionOptions(parser)) -if len(args) < 1: - parser.print_usage() - sys.exit(1) + # use command line creds if available + credopts = options.CredentialsOptions(parser) + parser.add_option_group(credopts) + opts, args = parser.parse_args() + subunitopts = SubunitOptions(parser) + parser.add_option_group(subunitopts) -host = args[0] + if len(args) < 1: + parser.print_usage() + sys.exit(1) -lp = sambaopts.get_loadparm() -creds = credopts.get_credentials(lp) + host = args[0] -if "://" not in host: - if os.path.isfile(host): - host = "tdb://%s" % host - else: - host = "ldap://%s" % host + if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host -TestProgram(module=__name__, opts=subunitopts) + TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb-samba/tests/match_rules_remote.py b/lib/ldb-samba/tests/match_rules_remote.py new file mode 100755 index 00000000000..122231f2a60 --- /dev/null +++ b/lib/ldb-samba/tests/match_rules_remote.py @@ -0,0 +1,104 @@ +#!/usr/bin/env python3 + +import optparse +import sys +import os +import samba +import samba.getopt as options + +from samba.tests.subunitrun import SubunitOptions, TestProgram + +from samba.samdb import SamDB +from samba.auth import system_session +from samba import sd_utils +from samba.ndr import ndr_unpack +from ldb import Message, MessageElement, Dn, LdbError +from ldb import FLAG_MOD_ADD, FLAG_MOD_REPLACE, FLAG_MOD_DELETE +from ldb import SCOPE_BASE, SCOPE_SUBTREE, SCOPE_ONELEVEL + +from match_rules import MatchRulesTestsBase + + +class MatchRulesTestsUser(MatchRulesTestsBase): + def setUp(self): + self.sambaopts = sambaopts + self.credopts = credopts + self.host = host + super().setUp() + self.sd_utils = sd_utils.SDUtils(self.ldb) + + self.user_pass = "samba123@" + self.match_test_user = "matchtestuser" + self.ldb.newuser(self.match_test_user, + self.user_pass, + userou=self.ou_rdn) + user_creds = self.insta_creds(template=self.creds, + username=self.match_test_user, + userpass=self.user_pass) + self.user_ldb = SamDB(host, credentials=user_creds, lp=self.lp) + token_res = self.user_ldb.search(scope=SCOPE_BASE, + base="", + attrs=["tokenGroups"]) + self.user_sid = ndr_unpack(samba.dcerpc.security.dom_sid, + token_res[0]["tokenGroups"][0]) + + self.member_attr_guid = "bf9679c0-0de6-11d0-a285-00aa003049e2" + + def test_with_denied_link(self): + + # add an ACE that denies the user Read Property (RP) access to + # the member attr (which is similar to making the attribute + # confidential) + ace = "(OD;;RP;{0};;{1})".format(self.member_attr_guid, + self.user_sid) + g2_dn = Dn(self.ldb, "CN=g2,%s" % self.ou_groups) + + # add the ACE that denies access to the attr under test + self.sd_utils.dacl_add_ace(g2_dn, ace) + + # Search without transitive match must return 0 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + # Search with transitive match must return 1 results + res1 = self.ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 1) + self.assertEqual(str(res1[0].dn).lower(), ("CN=g4,%s" % self.ou_groups).lower()) + + # Search as a user match must return 0 results as the intermediate link can't be seen + res1 = self.user_ldb.search("cn=g4,%s" % self.ou_groups, + scope=SCOPE_BASE, + expression="member:1.2.840.113556.1.4.1941:=cn=u1,%s" % self.ou_users) + self.assertEqual(len(res1), 0) + + + +parser = optparse.OptionParser("match_rules_remote.py [options] <host>") +sambaopts = options.SambaOptions(parser) +parser.add_option_group(sambaopts) +parser.add_option_group(options.VersionOptions(parser)) + +# use command line creds if available +credopts = options.CredentialsOptions(parser) +parser.add_option_group(credopts) +opts, args = parser.parse_args() +subunitopts = SubunitOptions(parser) +parser.add_option_group(subunitopts) + +if len(args) < 1: + parser.print_usage() + sys.exit(1) + +host = args[0] + +if "://" not in host: + if os.path.isfile(host): + host = "tdb://%s" % host + else: + host = "ldap://%s" % host + +TestProgram(module=__name__, opts=subunitopts) diff --git a/lib/ldb/ABI/ldb-2.5.2.sigs b/lib/ldb/ABI/ldb-2.5.3.sigs similarity index 97% copy from lib/ldb/ABI/ldb-2.5.2.sigs copy to lib/ldb/ABI/ldb-2.5.3.sigs index 40388d9e330..b4c5e20e8c7 100644 --- a/lib/ldb/ABI/ldb-2.5.2.sigs +++ b/lib/ldb/ABI/ldb-2.5.3.sigs @@ -86,6 +86,7 @@ ldb_errstring: const char *(struct ldb_context *) ldb_extended: int (struct ldb_context *, const char *, void *, struct ldb_result **) ldb_extended_default_callback: int (struct ldb_request *, struct ldb_reply *) ldb_filter_attrs: int (struct ldb_context *, const struct ldb_message *, const char * const *, struct ldb_message *) +ldb_filter_attrs_in_place: int (struct ldb_message *, const char * const *) ldb_filter_from_tree: char *(TALLOC_CTX *, const struct ldb_parse_tree *) ldb_get_config_basedn: struct ldb_dn *(struct ldb_context *) ldb_get_create_perms: unsigned int (struct ldb_context *) @@ -125,6 +126,7 @@ ldb_match_message: int (struct ldb_context *, const struct ldb_message *, const ldb_match_msg: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope) ldb_match_msg_error: int (struct ldb_context *, const struct ldb_message *, const struct ldb_parse_tree *, struct ldb_dn *, enum ldb_scope, bool *) ldb_match_msg_objectclass: int (const struct ldb_message *, const char *) +ldb_match_scope: int (struct ldb_context *, struct ldb_dn *, struct ldb_dn *, enum ldb_scope) ldb_mod_register_control: int (struct ldb_module *, const char *) ldb_modify: int (struct ldb_context *, const struct ldb_message *) ldb_modify_default_callback: int (struct ldb_request *, struct ldb_reply *) @@ -149,6 +151,7 @@ ldb_modules_hook: int (struct ldb_context *, enum ldb_module_hook_type) ldb_modules_list_from_string: const char **(struct ldb_context *, TALLOC_CTX *, const char *) ldb_modules_load: int (const char *, const char *) -- Samba Shared Repository