https://bugzilla.redhat.com/show_bug.cgi?id=523476
Resolves: bug 523476
Bug Description: 389-ds-base/glibmm24: conflicting perl provides
Reviewed by: nhosoi (Thanks!)
Files: see diff
Fix Description: Rename "Util" to "DSUtil"
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
|
Updates are implemented in:
  perl - code that plugs in to setup - scriptlets that are imported into
    the setup perl interpreter and executed in process, giving access to all
    of the packages and context provided by setup
  ldif - applied to instances, in the same manner as ConfigFile directives
    to setup
  other - any executable file, shell script, etc. can be invoked, with a limited
    amount of context from the setup process
An update directory is added to the package - /usr/share/dirsrv/update - this
directory contains the update files - the update filenames begin with two digits
and are executed in numeric order (00 first, then 01, etc. up to 99) which
should provide enough flexibility
In addition, there are 5 stages of update:
  pre - invoked before any instance specific code
  preinst, runinst, postinst - invoked for each instance
  post - invoked after any instance specific code
Example files are provided which demonstrate how to get the context.
There are two different modes of operation for update:
  online - must supply a bind dn and password for each instance - servers must
    be up and running
  offline - operates directly on the dse.ldif - servers must be shutdown first
A new section is added to the .inf file that can be passed in
  [slapd-instancename]
  RootDN = binddn
  RootDNPwd = bindpw
The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.
I also fixed some problems with error messages.
The pam pta plugin entry was giving object class violations, so I added the
missing attributes - note that these are replaced by the plugin code when
the plugin is loaded - they are only needed during setup.
Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which
means if you use it in an outer context, you cannot use it in an inner
context, even if it is used in a different function. Rather than attempting
to figure out how to use $_ safely in lower level functions, I just removed
the use of it altogether, which also makes the code easier to read.
Reviewed by: nhosoi (Thanks!) - fixed minor issues found
Platforms tested: Fedora 11
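The $_ behaviour described in the commit message above, as an added example that is not code from the commit: a helper that reads lines through the implicit $_ overwrites the elements of a caller's foreach list, while the same helper with a lexical loop variable leaves them alone. The helper names and instance names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: reads lines through the implicit $_ without localizing
# it, so every line (and finally undef at end of input) is assigned to the
# caller's $_.
sub count_lines_implicit {
    my ($text) = @_;
    open(my $fh, '<', \$text) or die "cannot open in-memory file: $!";
    my $count = 0;
    while (<$fh>) { $count++ }
    close($fh);
    return $count;
}

# Same helper with a lexical loop variable; $_ is never written.
sub count_lines_lexical {
    my ($text) = @_;
    open(my $fh, '<', \$text) or die "cannot open in-memory file: $!";
    my $count = 0;
    while (my $line = <$fh>) { $count++ }
    close($fh);
    return $count;
}

# Run a helper inside a foreach that uses $_ and report how many list
# elements survive. foreach aliases $_ to each element, so a write to $_ in
# the helper lands in the caller's array.
sub surviving_elements {
    my ($helper) = @_;
    my @instances = ('slapd-one', 'slapd-two', 'slapd-three');    # constructed names
    for (@instances) {
        $helper->("line 1\nline 2\n");
    }
    return scalar grep { defined } @instances;
}

printf "implicit \$_: %d of 3 instance names left\n", surviving_elements(\&count_lines_implicit);
printf "lexical var: %d of 3 instance names left\n", surviving_elements(\&count_lines_lexical);
```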
|
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon. The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.
The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.
To use the dirsrv policy module, the module will need to be loaded
using the semodule utility. It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file in the
case of using an RPM package.
|
Bug Description: Replication Bind Failure After Migration from DS 7.1
Reviewed by: nkinder (Thanks!)
Fix Description: We have to quote shell metacharacters before passing them to the shell. I added a new function shellEscape to use for this purpose. We really should shell escape anything passed to system() or back ticks ``. Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred. I also chomp() the output of migratecred to remove the trailing newline. With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
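The quoting problem this commit describes, as an added example (it is not the project's shellEscape and not code from the commit). shell_quote, via_shell and via_argv are hypothetical names, printf stands in for pwdhash or migratecred, and the sample values are constructed except the first, which is the root password quoted in the message above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# shell_quote is a hypothetical helper written for this example; it is not the
# project's shellEscape. It wraps the value in single quotes and writes each
# embedded single quote as '\'' so a POSIX shell reads back one literal word.
sub shell_quote {
    my ($arg) = @_;
    $arg =~ s/'/'\\''/g;
    return "'" . $arg . "'";
}

# Pass one value through /bin/sh via backticks (qx) and return what the child
# process received. printf stands in for pwdhash or migratecred.
sub via_shell {
    my ($value) = @_;
    my $quoted = shell_quote($value);
    my $out = qx{printf '%s\\n' $quoted};
    chomp($out);    # drop the trailing newline the command prints
    return $out;
}

# Same call without any shell: list-form pipe open hands the value to exec
# as a single argv element, so no quoting is needed at all.
sub via_argv {
    my ($value) = @_;
    open(my $fh, '-|', 'printf', '%s\n', $value) or die "cannot run printf: $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    chomp($out);
    return $out;
}

# The first sample is the root password quoted in the commit message, read
# from a single-quoted here-document so Perl leaves every character untouched.
# The other two are constructed.
chomp(my $page_password = <<'END');
`~!@#$%^&*()\\|[]{}:;<>?/"\
END
my @samples = ($page_password, q{it's a "test" $HOME *}, q{a; b | c & d});

for my $value (@samples) {
    my $intact = via_shell($value) eq $value && via_argv($value) eq $value;
    printf "%-4s %s\n", ($intact ? 'ok' : 'FAIL'), shell_quote($value);
}
```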
|
Bug Description: DS console: Can not delete DS instance
Reviewed by: nkinder (Thanks!)
Fix Description: As it turns out, my assumption that ds_remove in CGI mode also did the unregistration was false. It is the console that does the unregistration, only after the ds_remove CGI returns success. So, ds_remove needs to run with AdminSDK off, just like the other "special" CGI programs. In addition, ds_remove needs to be more robust - if there is an error during ds_remove, you should be allowed to try again after fixing something. However, the way the error handling worked did not differentiate between fatal errors and errors that could be ignored. In order to do this properly, we need to propagate the errors back up to the top level (oh how I wish perl had real exception handling . . .). The main type of error we need to ignore is file not found or process not found. If we attempted to remove before and that attempt failed for some reason, and left a partial instance, we need to be able to run the remove command again, skipping over the things we shutdown or removed already, and clean up the stuff we need to remove. This can also happen if you use the console to create a ds instance, and remove-ds.pl to remove the instance. The instance will still show up in the console. We need to be able to use the Remove Server in the console to remove the instance from the console, even though there is no physical instance on disk any more. Since the console will only do the unregistration if the CGI returns success, we need to make sure the CGI returns success even though there is no instance on disk. When ds_remove is run via ds_removal, it will do the unregistration.
I also took this opportunity to refactor the remove code, creating a removeDSInstance method in DSCreate.pm, and moving some of the other removal helper functions to Util.pm. That simplified the code in both ds_remove and remove-ds.pl.
I added a remove-ds-admin.pl script - one of the problems that users have is that they run setup-ds-admin.pl, then hit some error (e.g. bad DNS setup), then find that they cannot restore the system to the state before they ran setup-ds-admin.pl. remove-ds-admin.pl does this.
Finally, I added some man pages to the admin package for those commonly used commands.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
Summary: Ensure directories created by installer get the requested mode applied.
|
Branch: HEAD
Fix Description: Set SO_REUSEADDR to make sure the port is really available.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
Bug Description: migrate-ds-admin.pl spins at 100% cpu
Reviewed by: nkinder (Thanks!)
Fix Description: It was spinning because inst_dir was not being set, so it kept trying to find the parent directory of a non-existent directory. In migration, the old instance has no instance dir - we will fill that in during instance creation, so just skip it if not set. I also found and fixed another bug in migration with the usage of file_name_is_absolute - have to use the full module name and function name.
Platforms tested: RHEL4 32bit and 64bit
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Description: migrate-ds-admin.pl script - not working
Fix Description: Was getting this output - GLOB(0x9d908d8)inst_dir = - forgot a comma
|
Bug Description: unable to restart configDS via console
Reviewed by: nhosoi (Thanks!)
Fix Description: We were using the old format for the ldapStart directive, which assumed everything was under a serverroot, so it just stored the relative path. We need the absolute path. During regular setup, we can get this from the directory server instance. During migration, we need to update the ldapStart directive to use the absolute path, so we need to get that information from the directory server code.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Bug Description: '.' (dot) in the server ID
Reviewed by: nkinder (Thanks!)
Fix Description: Remove . and , from the characters allowed in the server ID. Also use the more descriptive error message.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Bug Description: Show-Stopper - Migration from HP-PARISC DS 6.21 to DS80 on HP-Itanium
Reviewed by: nhosoi (Thanks!)
Fix Description: 1) The temp file created to fix nsroot was not owned by the server user, and ldif2db could not open it.
2) The perldap LDIF parser/writer did not correctly handle the version: 1 line in the LDIF file. It outputs dn\nversion: 1 which causes ldif2db to crash.
3) The migrate script could not start the server because it wasn't looking in the fhs-opt location. The real solution is to just have migration start the servers after it migrates them. This assumes the old servers are all shutdown first, which they must be, in order to have a consistent database for migration.
These last two were found and fixed by nhosoi
4) If we transform an attribute to an empty value, this means we want to remove it from the migrated entry. We use the remove method to remove the attribute.
5) The remove method in FileConn was not working. We have to make a clone of the entry that we have removed the attribute from. The process of iterating over the attributes skips deleted ones because of the way the Tie::Hash functions in the Entry class work.
Platforms tested: HP-UX 11.23 IPF64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Bug Description: 7.1 to 8.0 Migration Bug
Reviewed by: nhosoi (Thanks!)
Fix Description: Lots of issues
1) Instead of using Net::Domain::hostname() for the hostname to use for server identifiers, we must use the leftmost component of the FullMachineName specified by the user. One of the reasons is that hostname() and hostfqdn() can give different results such that hostname() is not the leftmost component of hostfqdn(). And we should just use whatever the user specifies. This required several changes to the mapfiles, and a change to the maptable processing, to process the perl code to eval last, so that we can use token substitutions from the inf file and from hard coded strings.
2) We need to add the global preferences stuff, during migration, in order for the console to function. We cannot rely on the migrated o=NetscapeRoot data because we have to make sure we specify the new jar files to use. In addition, we need to migrate over any customizations that the user has made to these preferences. This is handled by the new updateConsoleInfo function called during admin server migration.
3) There were several resources for messages missing. These have been added.
4) With the new perl only ds instance creation code, there will actually be data in the database even though the server is not started. This is what I believe was causing the error_removing_temp_db_files error. So now, the code will only attempt to remove plain files, not directories that could be globbed.
5) Use /opt/brand-ds for the old server root instead of /opt/pkgname.
6) The migration log should use [Migration] not [Setup]
7) migration should not report a fatal error upon success
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Bug Description: quick install failed when login userid doesn't match install user's id
Reviewed by: me
Fix Description: getlogin returns the _login_ ID which is the initial login id (from utmp). We want the username of the effective user ID, so I just needed to change getLogin to do that.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
Bug Description: Replace ds_newinst binary with perl script
Reviewed by: nhosoi (Thanks!)
Fix Description: 1) Inf needs to be able to read the .inf file from stdin. This is what ds_newinst.pl does currently.
2) getlogin seems not to work in all cases, so add a more robust replacement.
Platforms tested: RHEL4, FC6
Flag Day: no
Doc impact: no
|
Bug Description: Replace ds_newinst binary with perl script
Reviewed by: nhosoi (Thanks!)
Fix Description: The time has come. We can finally get rid of the instance creation C code
once and for all. I've created a DSCreate module that has all of the functionality of the old
create_instance.c code, along with a few items from ldap/admin/lib. The way it works is
this: it first creates the dse.ldif file using template-dse.ldif and the suffix-db template to
create the initial db and suffix. It then adds additional optional configuration depending
on what optional features have been enabled. It creates other config files and copies in
the schema. It then initializes the database. It uses a template file based on the type of
entry implied by the suffix, then adds the default ACIs. If the user chose to do so, it
will also create the ou=people, ou=groups, etc. entries. The user can also supply an LDIF
file which will be used to populate the initial database, in which case none of the default
entries or ACIs will be used. It then starts the server (if desired).
I had to create a function makePaths that works like mkdir -p except that it will chown,
chgrp, and chmod all paths created.
I had to change the other places where instance creation was called to use the new
calling semantics. ds_create changed quite a bit, since it can just use an Inf to pass in the
information instead of calling ds_newinst as a CGI program.
I had to change FileConn to add support for namingContexts (i.e. entries with no parent),
and to have it write each change each time, and to return copies of entries when searching,
to avoid modifying the tree in place. This makes it act much more like LDAP.
I found and fixed a few bugs in Migration along the way that were revealed while integrating
the new DSCreate code.
Platforms tested: RHEL4, FC6
Flag Day: Yes. New instance creation code and autotool changes.
Doc impact: no
|
Bug Description: DS Admin Migration framework - cross platform support
Reviewed by: nhosoi (Thanks!)
Fix Description: There are basically three parts to cross platform support
1) Allow a different physical server root than the logical server root. This allows you to copy the old server root directory to the target machine, either by making a tarball or by a network mount. Then you can migrate from e.g. /mnt/opt/fedora-ds, and specify that the real old server root was /opt/fedora-ds. This is the distinction between the --oldsroot and --actualsroot parameters.
2) Cross platform database migration requires the old data is converted to LDIF first. Migration makes the simplifying assumption that the database LDIF file is in the old db directory and has the name of <old backend name>.ldif e.g. userRoot.ldif
3) Cross platform replication migration doesn't preserve the state, so neither the changelog nor other associated state information can be migrated.
I rewrote the old migration script to use the FileConn - this theoretically will allow us to support migration using an LDAP::Conn as well.
I had to make some fixes to FileConn, primarily to support the root DSE.
Platforms tested: RHEL4
Flag Day: no
Doc impact: Yes, along with the rest of the new migration framework.
|
Summary: Reimplement ds_remove without setuputil code (comment #1)
Description: 1) introduced delete entry operation.
2) cleaned up check_and_add code
|
Bug Description: Reimplement ds_create without setuputil code
Reviewed by: nhosoi (Thanks!)
Fix Description: ds_create was a CGI program that would create a new instance, set it up to be managed by console, and register it with the config ds. The new ds_create CGI perl script does just that. One tricky part was that, rather than enabling the pass through auth plugin and having to restart the server, the new server is created without being started, then the modification is done to the new server dse.ldif file directly, using the new FileConn.pm module, which simulates a Mozilla::LDAP::Conn on an LDIF file. This also allows us to create a new instance with a pre-hashed rootdn password, rather than having to send the cleartext password.
I had to move around some code in AdminServer and AdminUtil so that I could use it from ds_create. I also implemented support for the admin server PASSWORD_PIPE in perl so we could use it in other CGI perl scripts.
Finally, the error handling was not consistent in our code, so I made explicit the passing of error messages up and down the stack. Oh how I wish we could just do this in python and use exception handling . . .
I added a test for ds_create.
Platforms tested: RHEL4
Flag Day: Yes - autotool changes
Doc impact: No. Should work the same way as the old ds_create.
|
Description: DS Admin Migration framework
Reviewed by: nhosoi (Thanks!)
Fix Description: Created a Migration class that is very similar to the Setup class - to act as a sort of global context for the migration process. Moved most of the guts of migrateTo11 into the new DSMigration class and the new migrate-ds.pl - we should deprecate migrateTo11 in favor of migrate-ds.pl. I had to enhance the check_and_add_entry function to handle pseudo-LDIF change records - pseudo because mozilla perldap LDIF has no real LDIF change record support.
Fixed a bug in create_instance.c - creating an instance without starting it was not working if the port number of an existing directory server was supplied.
Added a new method createDSInstance to Util - this just wraps ds_newinst.pl for now.
Platforms tested: RHEL4
Doc: Yes. We will need to document the migration procedures.
Flag day: Yes. Autotool file changes.
|
Summary: Configure Pass Thru Auth (comment #8, #9)
Description: 1) Introducing BaseVersion (*.inf files) via PACKAGE_BASE_VERSION
(configure.ac) to generate #.# format version number from #.#.#. The #.#
format version number is used in the jar file names
2) Updated Util.pm.in to include ACIs to the search result.
|
Summary: Configure Pass Thru Auth (comment #4)
Description: modifying check_and_add_entry to support ldifmodify format.
plus added minor fixes for comparing entries
|
Description: Move DS Admin Code into Admin Server - ldif templates, pwdhash
Reviewed by: nhosoi (Thanks!)
Fix Description: These changes are primarily to allow the admin server setup to run completely in perl with no more setuputil code.
1) Added LDIF templates for DS config. template-dse.ldif is the core minimal directory server configuration. Values can be replaced with parameters in the same style as used with register_server.pl - %token%. For the plugin entries, the plugin shared library name is now just a name. There is no more full path. The code in dynalib.c handles this case by using the compiled in PLUGINDIR. The NSPR function PR_GetLibraryName knows the correct shared lib suffix for the platform. All of this allows us to do 2).
2) Added ability to run pwdhash with no server configuration. If no configuration is given, it uses the template-dse.ldif above. And instead of having to worry about where the plugins are installed and the shared lib suffix, it just depends on the above changes. This allows us to generate password hashes during setup before the directory server instance is created, and also to keep clear text password usage to a minimum.
3) Added defaultuser and defaultgroup.
4) Added support for continuation lines in Inf files.
5) All user visible messages during setup should be localizable
Platforms tested: RHEL4
Flag Day: Yes, autotool file changes.
Doc impact: Yes, along with the previous fixes for this bug.
|