The branch, v4-20-test has been updated
via 47eaf606a44 provision: always use a large transaction index cache
via 848cdca0b53 netcmd: Increase the transaction_index_cache_size to 200k for schemaupgrade
via 96e60f4f0ea s4:ldap_server: Consider ldapi connections to be encrypted
via dda353c656c s4:ldap_server: Store whether an LDAP connection is over ldapi
via 018bb7bbbc7 s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
via 830d10c196f s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
via e95f6bc6d92 s4:ldap_server: Fix code spelling
via 529615128be s4:ldap_server: Remove trailing whitespace
from b4c8927881a mdssvc: support a few more attributes
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-20-test
- Log -----------------------------------------------------------------
commit 47eaf606a44ba3765b9375c033529f2e0463a88c
Author: Douglas Bagnall <[email protected]>
Date: Fri Jan 31 10:31:32 2025 +1300
provision: always use a large transaction index cache
A larger cache costs more per transaction, but makes a large number
of operations within a transaction faster. We expect to be dealing
with the latter case here, regardless of the batch_mode parameter
and the database size. 200000 is chosen because it is also used in
join and schemaupgrade, and should be sufficient in most cases.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15795
Signed-off-by: Douglas Bagnall <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Autobuild-User(master): Douglas Bagnall <[email protected]>
Autobuild-Date(master): Tue Feb 4 22:47:35 UTC 2025 on atb-devel-224
(cherry picked from commit e705dbbc6765454813375fee9f6a3365b947e021)
Autobuild-User(v4-20-test): Jule Anger <[email protected]>
Autobuild-Date(v4-20-test): Wed Feb 26 09:40:17 UTC 2025 on atb-devel-224
commit 848cdca0b53debe6e539124460b170b3fbde067a
Author: Andréas Leroux <[email protected]>
Date: Thu May 2 10:29:52 2024 +0200
netcmd: Increase the transaction_index_cache_size to 200k for schemaupgrade
Increasing this value greatly improves the performance of schema
upgrade for large domains (>200k entries).
The value 200000 is chosen because it is already used in join.py, and
should be sufficient for known domains.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15795
Signed-off-by: Andréas Leroux <[email protected]>
Reviewed-by: Douglas Bagnall <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 5092d7f46b8491e4a2d973a00aff4d6c0e77945e)
commit 96e60f4f0ea7856514d206d43b1976133b8ce3e9
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:28:43 2024 +1200
s4:ldap_server: Consider ldapi connections to be encrypted
Modifications to unicodePwd require an encrypted connection. This change
allows unicodePwd to be modified over an ldapi connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit ff8e98daf1c3fd99d4d880ddc2d47eeb0d99718c)
commit dda353c656cfbfc35c125f403a4b64c9fb4a5314
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:28:21 2024 +1200
s4:ldap_server: Store whether an LDAP connection is over ldapi
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit c63cabf1e09bb2d1416483767d1ca835abe017da)
commit 018bb7bbbc7caa4fbc1093d0e7fd6719c49de737
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:27:41 2024 +1200
s4:ldap_server: Add copy of non‐privileged ops specifically for ldapi connections
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit c2378d0c6f3e2f6b10902dc40b4a28c1dc788042)
commit 830d10c196f714c71a0a33c9e369951b15e1755f
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:31:11 2024 +1200
s4:ldap_server: Rename privileged ops to indicate they are used for ldapi
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit ec6579829f9781d113428b8b3c603edd3e6c222d)
commit e95f6bc6d923fb09f75e44662be6a2b4a077a79c
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:17:33 2024 +1200
s4:ldap_server: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 7df4bdd0fe722da63862d46f809f7ac0498ebe59)
commit 529615128be3b6b401e4ba5aa629e93a69cbbdc7
Author: Jo Sutton <[email protected]>
Date: Tue Apr 16 14:17:02 2024 +1200
s4:ldap_server: Remove trailing whitespace
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15634
Signed-off-by: Jo Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 1a6dbcfb1054a2f140a50a039e4f054c43cfb77d)
-----------------------------------------------------------------------
Summary of changes:
python/samba/netcmd/domain/schemaupgrade.py | 6 ++-
python/samba/provision/__init__.py | 9 ++---
source4/ldap_server/ldap_backend.c | 2 +-
source4/ldap_server/ldap_server.c | 60 +++++++++++++++++++++--------
source4/ldap_server/ldap_server.h | 9 +++--
5 files changed, 57 insertions(+), 29 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/netcmd/domain/schemaupgrade.py
b/python/samba/netcmd/domain/schemaupgrade.py
index ff00a771b20..33b942ca460 100644
--- a/python/samba/netcmd/domain/schemaupgrade.py
+++ b/python/samba/netcmd/domain/schemaupgrade.py
@@ -244,7 +244,11 @@ class cmd_domain_schema_upgrade(Command):
temp_folder = None
- samdb = SamDB(url=H, session_info=system_session(), credentials=creds,
lp=lp)
+ # we set the transaction_index_cache_size to 200,000 to ensure it is
+ # not too small, if it's too small the performance of the upgrade will
+ # be negatively impacted. (similarly to the join operation)
+ samdb = SamDB(url=H, session_info=system_session(), credentials=creds,
lp=lp,
+ options=['transaction_index_cache_size:200000'])
# we're not going to get far if the config doesn't allow schema updates
if lp.get("dsdb:schema update allowed") is None:
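Review bot: the literal 200000 is now hard-coded in three places (join.py per the commit message, this `options=['transaction_index_cache_size:200000']`, and provision/__init__.py); a single named constant in a shared module would keep the three from drifting apart. The new comment could also state why the extra per-transaction memory is acceptable for the upgrade, as the provision commit message does, rather than only that the cache must not be "too small".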
diff --git a/python/samba/provision/__init__.py
b/python/samba/provision/__init__.py
index 56ca7496407..b2e06350f34 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1294,12 +1294,9 @@ def setup_samdb(path, session_info, provision_backend,
lp, names,
options.append("lmdb_env_size:" + str(store_size))
if batch_mode:
options.append("batch_mode:1")
- if batch_mode:
- # Estimate the number of index records in the transaction_index_cache
- # Numbers chosen give the prime 202481 for the default backend size,
- # which works well for a 100,000 user database
- cache_size = int(store_size / 42423) + 1
- options.append("transaction_index_cache_size:" + str(cache_size))
+
+ # For bulk operations like this we use a large transaction index cache.
+ options.append("transaction_index_cache_size:200000")
# Load the database, but don's load the global schema and don't connect
# quite yet
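Review bot: removing the `if batch_mode:` guard means every provision, not only batch-mode runs, now pays the larger per-transaction cost the commit message acknowledges; the replacement comment `# For bulk operations like this we use a large transaction index cache.` should say so explicitly so a future reader does not reintroduce the guard. As in schemaupgrade.py, 200000 is repeated as a literal rather than shared.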
diff --git a/source4/ldap_server/ldap_backend.c
b/source4/ldap_server/ldap_backend.c
index 1a906534a0a..b0369f8119a 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -212,7 +212,7 @@ int ldapsrv_backend_Init(struct ldapsrv_connection *conn,
if (opaque_connection_state == NULL) {
return LDB_ERR_OPERATIONS_ERROR;
}
- opaque_connection_state->using_encrypted_connection = using_tls ||
using_seal;
+ opaque_connection_state->using_encrypted_connection = using_tls ||
using_seal || conn->is_ldapi;
ret = ldb_set_opaque(conn->ldb,
DSDB_OPAQUE_ENCRYPTED_CONNECTION_STATE_NAME,
opaque_connection_state);
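Review bot: `using_encrypted_connection = using_tls || using_seal || conn->is_ldapi;` makes a transport that is not encrypted set a flag whose name says "encrypted", and nothing at this line records why that is acceptable. A comment stating the reasoning (presumably that a Unix-domain ldapi socket never leaves the host, so the confidentiality requirement the unicodePwd check enforces is satisfied by the transport itself) would document the trust decision where it is made; alternatively a more neutral name such as `confidential_transport` would avoid the misnomer.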
diff --git a/source4/ldap_server/ldap_server.c
b/source4/ldap_server/ldap_server.c
index fe75093d77c..90316fd6b68 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -1,4 +1,4 @@
-/*
+/*
Unix SMB/CIFS implementation.
LDAP server
@@ -300,9 +300,10 @@ static void ldapsrv_accept_tls_done(struct tevent_req
*subreq);
*/
static void ldapsrv_accept(struct stream_connection *c,
struct auth_session_info *session_info,
- bool is_privileged)
+ bool is_privileged,
+ bool is_ldapi)
{
- struct ldapsrv_service *ldapsrv_service =
+ struct ldapsrv_service *ldapsrv_service =
talloc_get_type(c->private_data, struct ldapsrv_service);
struct ldapsrv_connection *conn;
struct cli_credentials *server_credentials;
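Review bot: `ldapsrv_accept` now takes two adjacent `bool` parameters (`is_privileged`, `is_ldapi`), so call sites read as `false, true` or `true, true` and a swapped pair would compile silently; consider a small flags enum, or at least document both parameters in the comment block above the function.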
@@ -319,8 +320,9 @@ static void ldapsrv_accept(struct stream_connection *c,
return;
}
conn->is_privileged = is_privileged;
+ conn->is_ldapi = is_ldapi;
- conn->sockets.send_queue = tevent_queue_create(conn, "ldapsev send
queue");
+ conn->sockets.send_queue = tevent_queue_create(conn, "ldapsrv send
queue");
if (conn->sockets.send_queue == NULL) {
stream_terminate_connection(c,
"ldapsrv_accept:
tevent_queue_create failed");
@@ -400,7 +402,7 @@ static void ldapsrv_accept(struct stream_connection *c,
/* load limits from the conf partition */
ldapsrv_load_limits(conn); /* should we fail on error ? */
- /* register the server */
+ /* register the server */
irpc_add_name(c->msg_ctx, "ldap_server");
DLIST_ADD_END(ldapsrv_service->connections, conn);
@@ -1140,7 +1142,7 @@ static void ldapsrv_accept_nonpriv(struct
stream_connection *c)
"session info");
return;
}
- ldapsrv_accept(c, session_info, false);
+ ldapsrv_accept(c, session_info, false, false);
}
static const struct stream_server_ops ldap_stream_nonpriv_ops = {
@@ -1150,13 +1152,37 @@ static const struct stream_server_ops
ldap_stream_nonpriv_ops = {
.send_handler = ldapsrv_send,
};
+static void ldapsrv_accept_nonpriv_ldapi(struct stream_connection *c)
+{
+ struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
+ c->private_data, struct ldapsrv_service);
+ struct auth_session_info *session_info;
+ NTSTATUS status;
+
+ status = auth_anonymous_session_info(
+ c, ldapsrv_service->lp_ctx, &session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ stream_terminate_connection(c, "failed to setup anonymous "
+ "session info");
+ return;
+ }
+ ldapsrv_accept(c, session_info, false, true);
+}
+
+static const struct stream_server_ops ldapi_stream_nonpriv_ops = {
+ .name = "ldap",
+ .accept_connection = ldapsrv_accept_nonpriv_ldapi,
+ .recv_handler = ldapsrv_recv,
+ .send_handler = ldapsrv_send,
+};
+
/* The feature removed behind an #ifdef until we can do it properly
* with an EXTERNAL bind. */
#define WITH_LDAPI_PRIV_SOCKET
#ifdef WITH_LDAPI_PRIV_SOCKET
-static void ldapsrv_accept_priv(struct stream_connection *c)
+static void ldapsrv_accept_priv_ldapi(struct stream_connection *c)
{
struct ldapsrv_service *ldapsrv_service = talloc_get_type_abort(
c->private_data, struct ldapsrv_service);
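Review bot: `ldapsrv_accept_nonpriv_ldapi` duplicates the body of `ldapsrv_accept_nonpriv` apart from the final `true`; a shared static helper taking the `is_ldapi` flag would keep the two copies of the anonymous-session setup from diverging. Also, `ldapi_stream_nonpriv_ops` keeps `.name = "ldap"`, the same as the TCP ops; if that name is surfaced in diagnostics anywhere, a distinct value would make ldapi connections identifiable.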
@@ -1168,12 +1194,12 @@ static void ldapsrv_accept_priv(struct
stream_connection *c)
"session info");
return;
}
- ldapsrv_accept(c, session_info, true);
+ ldapsrv_accept(c, session_info, true, true);
}
-static const struct stream_server_ops ldap_stream_priv_ops = {
+static const struct stream_server_ops ldapi_stream_priv_ops = {
.name = "ldap",
- .accept_connection = ldapsrv_accept_priv,
+ .accept_connection = ldapsrv_accept_priv_ldapi,
.recv_handler = ldapsrv_recv,
.send_handler = ldapsrv_send,
};
@@ -1375,7 +1401,7 @@ static void ldap_reload_certs(struct imessaging_context
*msg_ctx,
open the ldap server sockets
*/
static NTSTATUS ldapsrv_task_init(struct task_server *task)
-{
+{
char *ldapi_path;
#ifdef WITH_LDAPI_PRIV_SOCKET
char *priv_dir;
@@ -1385,11 +1411,11 @@ static NTSTATUS ldapsrv_task_init(struct task_server
*task)
switch (lpcfg_server_role(task->lp_ctx)) {
case ROLE_STANDALONE:
- task_server_terminate(task, "ldap_server: no LDAP server
required in standalone configuration",
+ task_server_terminate(task, "ldap_server: no LDAP server
required in standalone configuration",
false);
return NT_STATUS_INVALID_DOMAIN_ROLE;
case ROLE_DOMAIN_MEMBER:
- task_server_terminate(task, "ldap_server: no LDAP server
required in member server configuration",
+ task_server_terminate(task, "ldap_server: no LDAP server
required in member server configuration",
false);
return NT_STATUS_INVALID_DOMAIN_ROLE;
case ROLE_ACTIVE_DIRECTORY_DC:
@@ -1449,7 +1475,7 @@ static NTSTATUS ldapsrv_task_init(struct task_server
*task)
load_interface_list(task, task->lp_ctx, &ifaces);
num_interfaces = iface_list_count(ifaces);
- /* We have been given an interfaces line, and been
+ /* We have been given an interfaces line, and been
told to only bind to those interfaces. Create a
socket per interface and bind to only these.
*/
@@ -1490,8 +1516,8 @@ static NTSTATUS ldapsrv_task_init(struct task_server
*task)
}
status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
- task->model_ops, &ldap_stream_nonpriv_ops,
- "unix", ldapi_path, NULL,
+ task->model_ops, &ldapi_stream_nonpriv_ops,
+ "unix", ldapi_path, NULL,
lpcfg_socket_options(task->lp_ctx),
ldap_service, task->process_context);
talloc_free(ldapi_path);
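Review bot: switching this `stream_setup_socket` call to `&ldapi_stream_nonpriv_ops` is what enables the ldapi behaviour for the non-privileged Unix socket, and through `is_ldapi` in ldap_backend.c it now permits unicodePwd modifications on that socket. The hunk does not show how `ldapi_path` is created or what ownership and mode it gets, so the review should confirm that the socket's directory and permissions are the intended access control for that relaxed check; a comment here pointing at that dependency would help.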
@@ -1523,7 +1549,7 @@ static NTSTATUS ldapsrv_task_init(struct task_server
*task)
}
status = stream_setup_socket(task, task->event_ctx, task->lp_ctx,
- task->model_ops, &ldap_stream_priv_ops,
+ task->model_ops, &ldapi_stream_priv_ops,
"unix", ldapi_path, NULL,
lpcfg_socket_options(task->lp_ctx),
ldap_service,
diff --git a/source4/ldap_server/ldap_server.h
b/source4/ldap_server/ldap_server.h
index a56aa8f8c4a..4e833bea592 100644
--- a/source4/ldap_server/ldap_server.h
+++ b/source4/ldap_server/ldap_server.h
@@ -1,19 +1,19 @@
-/*
+/*
Unix SMB/CIFS implementation.
LDAP server
Copyright (C) Volker Lendecke 2004
Copyright (C) Stefan Metzmacher 2004
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
@@ -50,6 +50,7 @@ struct ldapsrv_connection {
bool global_catalog;
bool is_privileged;
+ bool is_ldapi;
enum ldap_server_require_strong_auth require_strong_auth;
bool authz_logged;
enum ldap_server_referral_scheme referral_scheme;
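Review bot: `bool is_ldapi;` would benefit from a one-line comment noting that it is set for Unix-domain socket connections and that ldap_backend.c treats such connections as encrypted for the unicodePwd check, since a reader of the header alone cannot see that this flag relaxes a security check.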
--
Samba Shared Repository