The values for NIS hosts.byname and hosts.byaddr maps should start with
addresses, not names. Reported by Rik Megens.

Avoid calling strdup() in a situation where we don't need to, so that we
can better handle cases where it fails (static analysis).

Treat "schema-compat-lookup-nsswitch: passwd" in the configuration the
same as "schema-compat-lookup-nsswitch: user", to not fail for people
who forget and try to use the nsswitch database name.

If we hit out-of-memory (strdup() failures) while reading the
configuration, don't crash (static analysis). In some cases,
this means we proceed with garbage data until the copy_config()
function sanity-checks its input and output.

If we hit out-of-memory (strdup() failures) while reading the
configuration, don't crash (static analysis).

On domain or map removal, fill in gaps in the list of domains or maps
correctly.

Don't bother memmove()ing a 0-byte chunk of data. Found by static
analysis.

map_data_set_entry() passes pointers to the lengths of the key and the value
to map_data_save_list() which interprets them as arrays of integers.

If the NIS server encounters an EPIPE while attempting to communicate
with the portmapper, try to reconnect before giving up on registering.
Depending on which RPC implementation is used, rpcbind may drop idle
clients after 30 seconds, and our startup can take longer than that.

Log errors encountered while talking to portmap/rpcbind at level
SLAPI_LOG_FATAL rather than at the previous SLAPI_LOG_PLUGIN, so that
they show up even when we're not actively debugging.

Add {nis,schema-compat}-ignore-subtree (subtrees under which we ignore
contents and updates) and {nis,schema-compat}-restrict-subtree (subtrees
out of which we ignore contents and updates, if set) settings, and
default the former to "cn=tasks,cn=config".
This should avoid cases where we're looking through the ldbm backend for
entries which have a dangling reference to a newly-added task (which,
because it's in the DSE, means we acquire an ldbm lock after acquiring
our internal lock) while also updating a compat entry after its source
entry is modified (for example, by the memberOf plugin, which results in
us attempting to acquire our lock while the ldbm lock is already held).

Add a schema-compat-relevant-subtree configuration option, listing the
only parts of the DIT that we should ever look at, either as source
entries or as other entries which contain data which might be pulled in
as part of computing the contents of compat entries.
This is more or less the whitelist to schema-compat-ignore-subtree's
blacklist.

Add a schema-compat-ignore-subtree configuration option, listing parts
of the DIT that we should never look at, neither as source entries nor
as random other entries which contain data which might be pulled in as
part of computing the contents of compat entries.

Use the amount of data that we could have read as the upper bound on
reasonable-looking request lengths.

Break out a backend_make_user_entry_from_nsswitch_passwd function for
converting a passwd structure to an entry, and rename the helper for
groups to match it.

Don't use the PAM handle before it's initialized or after it's freed
(static analysis).

The server's mainline code doesn't appear to log successful
authentication beyond what already shows up in the access log, so we
should probably behave ourselves.

Use a dummy user name if the one we get passed is NULL, which happens
when the bind target entry doesn't contain a "uid" attribute. Try to
avoid a timing attack by calling into PAM anyway. Switch to just
logging the detailed error information, and telling the client nothing.

Always use normalized RDNs as map keys, so that we can be sure that a
lookup using part of the DN will find the entry, even if it needed to be
escaped and/or normalized to something else at some point.

Make the addition of extensibleObject to the list of objectclasses
conditional on there being an ipaNTSecurityIdentifier value in the source
entry.