| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
map_data_set_entry() passes pointers to the lengths of the key and the value
to map_data_save_list() which interpretes them as arrays of integers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates )and {nis,schema-compat}-restrict-subtree (subtrees
out of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".
This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).
|
|
|
|
|
|
|
|
|
|
| |
Add a schema-compat-relevant-subtree configuration option, listing the
only parts of the DIT that we should ever look at, either as source
entries or as other entries which contain data which might be pulled in
as part of computing the contents of compat entries.
This is more or less the whitelist to schema-compat-ignore-subtree's
blacklist.
|
|
|
|
|
|
|
| |
Add a schema-compat-ignore-subtree configuration option, listing parts
of the DIT that we should never look at, neither as source entries nor
as random other entries which contain data which might be pulled in as
part of computing the contents of compat entries.
|
| |
|
|
|
|
|
|
| |
Always use normalized RDNs as map keys, so that we can be sure that a
lookup using part of the DN will find the entry, even if it needed to be
escaped and/or normalized to something else at some point.
|
|
|
|
|
|
| |
Make the addition of extensibleObject to the list of objectclasses
conditional on there being a ipaNTSecurityIdentifier value in the source
entry.
|
|
|
|
| |
Handle cases where we fail to acquire locks.
|
|
|
|
|
|
| |
Don't depend on a text attribute in a synthetic entry to tell us where
it came from; just record it in the entry's backend_data and consult it
directly later.
|
|
|
|
|
| |
If we're sending a result, don't log that we're sending a closest match,
even if it's "(null)", if we're not sending a closest match.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
Rename backend_staged_data to backend_staged_search.
Fix some formatting.
Change how we walk the list of entries retrieved using a staged search
so that if the map's been removed since the search was staged, we still
free the temporary entry structures.
|
| |
|
|
|
|
|
| |
When we fail to obtain a read lock on the data, attempt to fail the
operation, so that it can be retried later.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since trusted domain users do not exist in the LDAP tree, their
authentication is handed over to PAM stack with the hope that PAM is set
up properly to authenticate them.
Additionally, this patch completely refactors authentication for the
original DNs that *are* located in the LDAP tree. Previous way to handle
it was through referrals being sent back. However, this method does not
work at all.
Instead, we set SLAPI_BIND_TARGET_DN to the entry's original DN and hand
over pre-bind processing to other directory server's plugins. If
slapi-nis set up with a higher precedence to them, authentication will
be handled by others.
|
|
|
|
|
|
|
|
|
|
|
| |
Schema-compat plugin can be configured to serve users and groups through
the plugin configuration entry in directory server:
schema-compat-lookup-nsswitch: <user|group>
schema-compat-nsswitch-min-id: <value>
Separate trees should be configured to look up users and groups. If
minimal id value is missing, it will default to 1000.
|
|
|
|
|
|
|
|
|
| |
consulted
When one instance of schema compat plugin is configured to consult
NSSWITCH, promote its configuration to the backend.
Default to not looking into NSSWITCH.
|
|
|
|
| |
NSSWITCH supporting code needs access to the schema-compat structures
|
|
|
|
|
| |
- add missing newlines at the end of a couple of messages
- make that one bit that we compare to zero unsigned instead of signed
|
| |
|
|
|
|
|
|
|
|
|
| |
* Check for BETXN support at build-time, provide options for disabling
or requiring that it be available for build to succeed.
* Track whether or not BETXN support is enabled in the plugin-local
state.
* Skip processing in post/internalpost callbacks if BETXN support is enabled.
* Skip work in betxnpost callbacks if BETXN support is disabled.
|
|
|
|
|
|
|
|
|
|
| |
When NIS Plugin and Schema Compatibility Plugin config entries include
nsslapd-pluginbetxn: on
(the value could be yes, true or 1, too),
the plugins' update callbacks (add, delete, modify, and modrdn) are
called at the betxn pre/postop timing. By default, the value of
nsslapd-pluginbetxn is off.
(See also https://fedorahosted.org/389/ticket/351)
|
|
|
|
|
|
|
| |
Transaction support the way we added it is an all-or-nothing proposition
for a server installation, which turned out to be problematic, so 389 is
going to pursue another strategy for that. The new way requires that we
not register as a betxn plugin, ever.
|
|
|
|
| |
entryUSN or the root DSE's lastUSN (if we have no source entry)
|
| |
|
|
|
|
| |
reported by Christian Neuhold
|
| |
|
| |
|
| |
|
|
|
|
|
|
| |
already have, so that we can pass the transaction ID around; this
includes additional parameters for a number of functions and a new
callback data type for backend_set_config_entry_add_cb()
|
|
|
|
|
|
| |
allocates internal state each time but doesn't clean up any that's
aready there if you reuse the block
- correctly free values we use when constructing compat entries
|
| |
|
| |
|
| |
|
|
|
|
| |
passing the TXN ID around, which means we deadlock if we actually do it
|
|
|
|
| |
data, and when we're later called for a modify request which doesn't modify any of those attributes, skip recalculating the entry contents (should make a dent in #771493).
|
| |
|
| |
|
|
|
|
| |
values (#692690)
|
| |
|
|
|
|
|
| |
entry as a search result if it's also the group entry (in which case
we already looked at the entry)
|
| |
|
|
|
|
| |
entries as direct subordinates of the group entry
|
|
|
|
| |
attempt to participate in a search request.
|
|
|
|
| |
to write requests
|
|
|
|
|
|
| |
say we should do
- use whether or not the plugin_base is initialized as in indicator of
whether the plugin's been started or not
|
|
|
|
| |
the duplicates don't show up in the constructed entry
|
|
|
|
| |
server doesn't know that the attribute should have DN syntax
|