<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ds.git/m4, branch 573889</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/'/>
<entry>
<title>openldap ldapsearch uses -LLL to suppress # version: N</title>
<updated>2010-08-31T19:35:54+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2010-08-12T23:52:57+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=a5564abf94f8951a8a3ce6fa51b5e2f26b617711'/>
<id>a5564abf94f8951a8a3ce6fa51b5e2f26b617711</id>
<content type='text'>
mozldap uses -1 but openldap uses -LLL to suppress printing the
in ldapsearch output - add a flag for this
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
mozldap uses -1 but openldap uses -LLL to suppress printing the
in ldapsearch output - add a flag for this
</pre>
</div>
</content>
</entry>
<entry>
<title>Add -x option to ldap tools when using openldap</title>
<updated>2010-08-31T19:35:53+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2010-06-07T18:50:17+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=36101b6491afc0a843ba50b7e506e622271e9177'/>
<id>36101b6491afc0a843ba50b7e506e622271e9177</id>
<content type='text'>
We have many scripts that use ldapsearch, ldapmodify, etc.  All of these
currently use simple auth.  When using the openldap versions of these
scripts, we have to pass the -x argument to use simple auth.  A new
configure parameter ldaptool_opts is used to pass this down into the
scripts.
Reviewed by: nkinder (Thanks!)
Platforms tested: Fedora 14 (rawhide)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have many scripts that use ldapsearch, ldapmodify, etc.  All of these
currently use simple auth.  When using the openldap versions of these
scripts, we have to pass the -x argument to use simple auth.  A new
configure parameter ldaptool_opts is used to pass this down into the
scripts.
Reviewed by: nkinder (Thanks!)
Platforms tested: Fedora 14 (rawhide)
</pre>
</div>
</content>
</entry>
<entry>
<title>Bug 480787 - Autoconf parameter --with and --without</title>
<updated>2010-03-23T16:19:32+00:00</updated>
<author>
<name>root</name>
<email>root@buildsamba01.idm.lab.bos.redhat.com</email>
</author>
<published>2010-03-20T00:25:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=682529e7f8391744615b40a14852efd317936109'/>
<id>682529e7f8391744615b40a14852efd317936109</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=480787
Resolves: bug 480787
Bug Description: Autoconf parameter --with and --without

Fix Description: The configure script has been modified
such that the --with-XXX and --without-XXX switches will
work as --with-XXX=yes and --with-XXX=no, respectively.
If the package is required and none of the switches are
specified, it will default to "yes".

The code that detects LDAPSDK and OpenLDAP conflicts has
been updated. The help messages have been cleaned up.
Reviewed by: rmeggins (and pushed by)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugzilla.redhat.com/show_bug.cgi?id=480787
Resolves: bug 480787
Bug Description: Autoconf parameter --with and --without

Fix Description: The configure script has been modified
such that the --with-XXX and --without-XXX switches will
work as --with-XXX=yes and --with-XXX=no, respectively.
If the package is required and none of the switches are
specified, it will default to "yes".

The code that detects LDAPSDK and OpenLDAP conflicts has
been updated. The help messages have been cleaned up.
Reviewed by: rmeggins (and pushed by)
</pre>
</div>
</content>
</entry>
<entry>
<title>Improve search for pcre header file</title>
<updated>2010-02-09T20:21:34+00:00</updated>
<author>
<name>Nathan Kinder</name>
<email>nkinder@redhat.com</email>
</author>
<published>2010-02-09T20:21:34+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=f81e7eac08e2af16fa6b8d245525c4a5ac5eb6f7'/>
<id>f81e7eac08e2af16fa6b8d245525c4a5ac5eb6f7</id>
<content type='text'>
Some platforms (RHEL4 for instance) put the pcre header file in
a pcre subdirectory under /usr/include.  This patch makes configure
first search in /usr/include/pcre, then falls back to /usr/include.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some platforms (RHEL4 for instance) put the pcre header file in
a pcre subdirectory under /usr/include.  This patch makes configure
first search in /usr/include/pcre, then falls back to /usr/include.
</pre>
</div>
</content>
</entry>
<entry>
<title>Bug 519459 -  Semi-hardcoded include and lib directories in db.m4</title>
<updated>2010-01-22T19:13:27+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2010-01-22T16:17:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=1292eef3093c98a7f92ad9d7071c03ad76bb43db'/>
<id>1292eef3093c98a7f92ad9d7071c03ad76bb43db</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=519459
Resolves: bug 519459
Bug Description: Semi-hardcoded include and lib directories in db.m4
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Added --with-db-inc and --with-db-lib to configure.  For the
default case, check first in /usr/include/db4, then in /usr/include.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
https://bugzilla.redhat.com/show_bug.cgi?id=519459
Resolves: bug 519459
Bug Description: Semi-hardcoded include and lib directories in db.m4
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Added --with-db-inc and --with-db-lib to configure.  For the
default case, check first in /usr/include/db4, then in /usr/include.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
</pre>
</div>
</content>
</entry>
<entry>
<title>Add selinux policy for ns-slapd</title>
<updated>2009-09-09T16:59:07+00:00</updated>
<author>
<name>Nathan Kinder</name>
<email>nkinder@redhat.com</email>
</author>
<published>2009-09-09T16:59:07+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=39869a77cbeb1967acfa1354092c81d05dd79be7'/>
<id>39869a77cbeb1967acfa1354092c81d05dd79be7</id>
<content type='text'>
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon.  The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.

The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.

To use the dirsrv policy module, the module will need to be loaded
using the semodule utility.  It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file in the
case of using an RPM package.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon.  The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.

The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.

To use the dirsrv policy module, the module will need to be loaded
using the semodule utility.  It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file in the
case of using an RPM package.
</pre>
</div>
</content>
</entry>
<entry>
<title>fix pcre build issues</title>
<updated>2009-08-12T15:10:43+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-08-12T15:03:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=65fef7efba36dd75d41344d423283047ce07e818'/>
<id>65fef7efba36dd75d41344d423283047ce07e818</id>
<content type='text'>
Reviewed by: nkinder (Thanks!)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Reviewed by: nkinder (Thanks!)
</pre>
</div>
</content>
</entry>
<entry>
<title>OpenLDAP support</title>
<updated>2009-07-07T14:32:42+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-07-06T18:11:01+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=209521323f731daad54682fd98715f7b22c88c78'/>
<id>209521323f731daad54682fd98715f7b22c88c78</id>
<content type='text'>
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
</pre>
</div>
</content>
</entry>
<entry>
<title>Use thread aware library for complex regex searches</title>
<updated>2009-05-28T16:55:06+00:00</updated>
<author>
<name>Noriko Hosoi</name>
<email>nhosoi@kiki.usersys.redhat.com</email>
</author>
<published>2009-05-28T16:55:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=67aca96ae2c53f74f896439840a82cbccbeb34cf'/>
<id>67aca96ae2c53f74f896439840a82cbccbeb34cf</id>
<content type='text'>
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex

Additional 2 unrelated changes are being made:
1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex

Additional 2 unrelated changes are being made:
1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.
</pre>
</div>
</content>
</entry>
<entry>
<title>Resolves: bug 469261</title>
<updated>2008-11-04T18:23:08+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2008-11-04T18:23:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/edewata/public_git/ds.git/commit/?id=42d4235a9cf49b9235f44e2a9965e820b629bd9f'/>
<id>42d4235a9cf49b9235f44e2a9965e820b629bd9f</id>
<content type='text'>
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind.  These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert).  The secure flag has been extended to use a value of 2 to mean use startTLS.  One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused.  We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls).  I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication.  I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5.  I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind.  One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals.  I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server.  The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert.  One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly.  Instead, we have to create a memory credentials cache and set the environment variable to point to it.  This allows the sasl/gssapi layer to grab the credentials for use with kerberos.  The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options.  configure tries to first use krb5-config to get the compiler and linker information.  If that fails, it just looks for some standard system libraries.  Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind.  These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert).  The secure flag has been extended to use a value of 2 to mean use startTLS.  One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused.  We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls).  I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication.  I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5.  I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind.  One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals.  I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server.  The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert.  One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly.  Instead, we have to create a memory credentials cache and set the environment variable to point to it.  This allows the sasl/gssapi layer to grab the credentials for use with kerberos.  The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options.  configure tries to first use krb5-config to get the compiler and linker information.  If that fails, it just looks for some standard system libraries.  Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
</pre>
</div>
</content>
</entry>
</feed>
