path: root/ldap/servers/plugins
Commit message | Author | Age | Files | Lines
* Resolves: bug 457846 | Rich Megginson | 2008-08-05 | 1 | -0/+1
  Bug Description: The Windows Sync API should have plug-in points
  Fix Description: forgot to add #include "winsync-plugin.h"
* Resolves: 457951 | Nathan Kinder | 2008-08-05 | 1 | -96/+165
  Summary: Don't perform a sorted range search in the DNA plug-in if a prefix is configured.
* Resolves: bug 457846 | Rich Megginson | 2008-08-05 | 6 | -73/+1263
  Bug Description: The Windows Sync API should have plug-in points
  Reviewed by: nkinder (Thanks!)
  Fix Description: Several plug-in points have been added to the windows sync code, available to regular plug-ins that register with the winsync api via the slapi api broker interface. winsync-plugin.h documents the use of these along with some example plug-in code. The windows private data structure has been extended to add two additional fields:
  raw_entry - the raw entry read from AD - this is passed to several plug-in callbacks to allow them to have access to all of the attributes and values in the entry in case further processing is needed. This required a change to the function that reads the entry, to have it save the raw entry read each time from AD, in addition to the "cooked" entry it passes back to the caller.
  api_cookie - this is the plug-in private data passed back to each plug-in callback and allows the plug-in to specify some additional context
  Both of these are stored in the private data field in the agreement, so some of the existing functions had to be changed to pass in the connection object or the protocol object in order to gain access to the agreement object. There were several small memory leaks in the existing code that have been fixed - these are the places where a free() function of some sort has been added. Also the usage of slapi_sdn_init_dn_byval leaked - slapi_sdn_new_dn_byval must be used here instead - cannot mix slapi_sdn_new with slapi_sdn_init*. I also cleaned up several compiler warnings. The slapi changes are not strictly necessary, but they provide some conveniences to the winsync code and to plug-in writers. The good thing is that they were already private functions, so mostly just needed to have public api wrappers.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: #457156 | Noriko Hosoi | 2008-07-31 | 1 | -2/+10
  Summary: GER: allow GER for non-existing entries (phase 2) (comment #6)
  Description: additional fix for the previous checkin. Not just checking if dn is NULL or not, but also checking the length of dn is greater than 0. If both conditions are satisfied, locate the template entry at the dn.
* Resolves: #457156 | Noriko Hosoi | 2008-07-31 | 1 | -5/+21
  Summary: GER: allow GER for non-existing entries (phase 2) (comment #3)
  Description: get the target dn from the pblock and add it to the template entry dn if available. Plus a memory leak was found and fixed at the same time. Following the suggestion from Nathan, the "dummy" attributes are replaced with "(template_attribute)".
* Resolves: 457329 | Nathan Kinder | 2008-07-31 | 1 | -164/+74
  Summary: Make better use of cached DNA config information
* Resolves: 456968 | Nathan Kinder | 2008-07-30 | 1 | -10/+14
  Summary: Use a separate new value lock for each DNA managed range.
* Resolves: 457260 | Nathan Kinder | 2008-07-30 | 1 | -2/+2
  Summary: Load the dnaFilter config attribute properly.
* Resolves: #456752 | Noriko Hosoi | 2008-07-28 | 1 | -33/+60
  Summary: GER: supporting "dn" and extensible object class is missing
  Description:
  1. Extensible object class cannot use the schema info. Evaluate existing attributes with no schema check.
  2. dn is not an attribute belonging to an entry, but treat it as it is if it's given as a part of the attribute list.
* Resolves: 456162 | Nathan Kinder | 2008-07-23 | 1 | -836/+1065
  Summary: Merge in DNA plug-in code from FreeIPA
* Resolves: #456296 | Noriko Hosoi | 2008-07-23 | 1 | -0/+12
  Summary: GER: attribute types which do not belong to an entry should not be returned with effective rights
  Description: when an attribute was given to the search request and the attribute in the list does not belong to the entry, it was returning "*:none", which was not true. The star should be the attribute type.
* Resolves: bug 447353 | Rich Megginson | 2008-07-23 | 2 | -20/+35
  Bug Description: RFE: search optimization and single character substring searches
  Reviewed by: nhosoi (Thanks!)
  Fix Description: When generating the index keys for a filter assertion, the key length must correspond to the position of the key in the assertion string. That is, the filter mail=jreu* should generate the first key based on the key len for the initial key, then the remainder of the keys based on the substring key len. So if the initial key len is 2, and the middle key len is 3, these keys should be generated - "^j", "jre", "reu". Noriko found a problem with my original patch - I needed to increment the nsubs number rather than simple assignment. With this patch, the filter tests and spaceinsens tests pass.
  Platforms tested: Fedora 8
  Flag Day: no
  Doc impact: no
* Resolves: #448831 | Noriko Hosoi | 2008-07-18 | 1 | -2/+9
  Summary: attacker can tie up CPU in regex code (comment #11)
  Description: string_filter_sub always expected SLAPI_SEARCH_TIMELIMIT and SLAPI_OPINITIATED_TIME were set in pblock, but it was not true. Fixed to check the container of these values first, and retrieve them only if the container is in the pblock. Otherwise, set -1 to timelimit (no timelimit).
* Resolves: 455913 | Nathan Kinder | 2008-07-18 | 1 | -7/+8
  Summary: Don't use Slapi_Mod on the stack.
* Resolves: #436837 | Noriko Hosoi | 2008-07-16 | 1 | -2/+2
  Summary: Dynamically reload schema via task interface
  Description: cleaned up compile warnings.
* Resolves: #447353 | Noriko Hosoi | 2008-07-16 | 1 | -1/+3
  Summary: RFE: search optimization and single character substring searches
  Description: extended the substring key to have 3 types:
    * begin (e.g., *^a)
    * middle (e.g., *abc)
    * end (e.g., *xy$)
  Usage: turn an index object to extensibleobject and set an integer value as follows:
    dn: cn=sn, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: extensibleObject
    nsSubStrBegin: 2
    nsSubStrMiddle: 3
    nsSubStrEnd: 2
    [...]
* Resolves: #447353 | Noriko Hosoi | 2008-07-15 | 1 | -42/+122
  Summary: RFE: search optimization and single character substring searches
  Description: extended the substring key to have 3 types:
    * begin (e.g., *^a)
    * middle (e.g., *abc)
    * end (e.g., *xy$)
  Usage: turn an index object to extensibleobject and set an integer value as follows:
    dn: cn=sn, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
    objectClass: extensibleObject
    nsSubStrBegin: 2
    nsSubStrMiddle: 3
    nsSubStrEnd: 2
    [...]
* Resolves: bug 428765 | Rich Megginson | 2008-07-14 | 1 | -6/+7
  Bug Description: leak in bitwise plugin
  Reviewed by: nhosoi (Thanks!)
  Branch: HEAD
  Fix Description: The bitwise plugin should first check to make sure the requested OID is one that it can handle.
  Platforms tested: RHEL5, Fedora 8, Fedora 9
  Flag Day: no
  Doc impact: no
* Resolves: 454328 | Nathan Kinder | 2008-07-08 | 1 | -1/+1
  Summary: Use default stack size on LP64 systems.
* Resolves: 453011 | Nathan Kinder | 2008-07-01 | 3 | -387/+178
  Summary: Redesigned algorithm used to update memberOf attribute.
* Resolves: #448831 | Noriko Hosoi | 2008-06-30 | 2 | -16/+30
  Summary: attacker can tie up CPU in regex code
  Description: when substring search is requested, sets the time limit based upon the nsslapd-timelimit value. Pass the timelimit (time_up) to the regular expression function. When the time is up, it returns the "Timelimit exceeded" error. Note: timelimit is applied to non-Directory Manager users.
* Resolves: #437525 | Noriko Hosoi | 2008-06-27 | 5 | -19/+271
  Summary: GER: allow GER for non-existing entries
  Description:
  [slapd/charray.c]
  new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
  modified: charray_remove -- introduced "freeit" flag. If true, the removed string is freed. (The API is used only in chainingdb. The change is applied to the plugin.)
  [slapd/opshared.c]
  modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support "@<objectclass>". It's needed to do at the location since we have to call acl plugin even when no entries are returned from the search. If no entries are returned and "@<objectclass>" is found in the attribute list, acl effective rights code generates the corresponding template entry.
  [slapd/pblock.c]
  place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an array of strings which store "...@<objectclass>".
  [slapd/result.c]
  moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)
  [slapd/schema.c]
  new: slapi_schema_list_objectclass_attributes -- return the required and/or allowed attributes belonging to the given objectclass. This is used to support "*" and "+" in the get effective rights.
  new: slapi_schema_get_superior_name -- return the superior objectclass name of the given objectclass.
  [slapd/search.c]
  if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the original string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).
  [plugin/acl/acleffectiverights.c]
  modified: _ger_g_permission_granted -- if the requester and the subject user are identical, give "g" permission
  modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does not guarantee the result of the overlap copy.
  modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the object) and "+" (operational attributes). If repeated attributes are found in the given attribute list, they are reduced to one.
  new: _ger_generate_template_entry -- generate a template entry if "@<objectclass>" is passed.
  [pluginc/cb/*]
  adjusted to the updated charray_remove.
  Please see also this wiki page for the overview and test cases.
  http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
* Resolves: 452537 | Nathan Kinder | 2008-06-25 | 1 | -35/+99
  Summary: Fixed infinite recursion issues in memberOf plug-in.
* Resolves: bug 233642 | Rich Megginson | 2008-06-24 | 5 | -55/+54
  Bug Description: MMR breaks with time skew errors
  Reviewed by: nhosoi, nkinder (Thanks!)
  Fix Description: CSN remote offset generation seems broken. We seem to accumulate a remote offset that keeps growing until we hit the limit of 1 day, then replication stops. The idea behind the remote offset is that servers may be seconds or minutes off. When replication starts, one of the items in the payload of the start extop is the latest CSN from the supplier. The CSN timestamp field is (sampled_time + local offset + remote offset). Sampled time comes from the time thread in the server that updates the time once per second. This allows the consumer, if also a master, to adjust its CSN generation so as not to generate duplicates or CSNs less than those from the supplier. However, the logic in csngen_adjust_time appears to be wrong:
    remote_offset = remote_time - gen->state.sampled_time;
  That is,
    remote_offset = (remote sampled_time + remote local offset + remote remote offset) - gen->state.sampled_time
  It should be
    remote_offset = remote_time - (sampled_time + local offset + remote offset)
  Since the sampled time is not the actual current time, it may be off by 1 second. So the new remote_offset will be at least 1 second more than it should be. Since this is the same remote_offset used to generate the CSN to send back to the other master, this offset would keep increasing and increasing over time. The script attached to the bug helps measure this effect. The new code also attempts to refresh the sampled time while adjusting to make sure we have as current a sampled_time as possible. In the old code, the remote_offset is "sent" back and forth between the masters, carried along in the CSN timestamp generation. In the new code, this can happen too, but to a far less extent, and should max out at (real offset + N seconds) where N is the number of masters.
  In the old code, you could only call csngen_adjust_time if you first made sure the remote timestamp >= local timestamp. I have removed this restriction and moved that logic into csngen_adjust_time. I also cleaned up the code in the consumer extop - I combined the checking of the CSN from the extop with the max CSN from the supplier RUV - now we only adjust the time once based on the max of all of these CSNs sent by the supplier. Finally, I cleaned up the error handling in a few places that assumed all errors were time skew errors.
  Follow up - I found a bug in my previous patch - _csngen_adjust_local_time must not be called when the sampled time == the current time. So I fixed that where I was calling _csngen_adjust_local_time, and I also changed _csngen_adjust_local_time so that time_diff == 0 is a no-op.
  Platforms tested: RHEL5, F8, F9
  Flag Day: no
  Doc impact: no
  QA impact: Should test MMR and use the script to measure the offset effect.
* Resolves: #452328 | Noriko Hosoi | 2008-06-23 | 1 | -0/+4
  Summary: range search anomaly on the integer type
  Description: Retro changelog plugin automatically creates an index for changeNumber, which has an integer type. To support the range search against changeNumber, the index should have the matching order "integerOrderingMatch".
* Resolves: bug 450973 | Rich Megginson | 2008-06-23 | 1 | -4/+8
  Bug Description: rhds80 account accountunlocktime attribute breaks replication
  Reviewed by: nhosoi (Thanks!)
  Fix Description: We were not handling errors returned from the consumer correctly in the async replication code. The problem was that we were exiting the async read results thread immediately. However, we needed to wait for and read all of the outstanding responses, then exit the thread when all of them had been read. The new code handles this case correctly, allowing us to read all of the pending responses before exiting. The flip side of this is that passwordIsGlobalPolicy only works on the _consumer_. It has no effect whatsoever on the _supplier_ side of replication. The fix for this is to configure fractional replication _always_ and to add the password policy op attrs to the list of attrs not to replicate. This should work fine with RHDS 8.0.0-14 and later.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: Yes. We will need to document exactly how passwordIsGlobalPolicy works and how to configure fractional replication.
  QA impact: Will need to do more testing of MMR with account lockout to make sure this error does not blow up MMR anymore.
  New Tests integrated into TET: Working on it.
* Resolves: bug 442170 | Rich Megginson | 2008-06-23 | 1 | -5/+14
  Bug Description: "DB_BUFFER_SMALL: User memory too small for return value" error when importing LDIF with replication active
  Reviewed by: nkinder (Thanks!)
  Fix Description: BDB 4.3 does not use ENOMEM if the given buffer is too small - it uses DB_BUFFER_SMALL. This fix allows us to use DB_BUFFER_SMALL in BDB 4.2 and earlier too. I also cleaned up some of the cl5 api return codes to return an appropriate error code to the higher levels rather than pass the ENOMEM up.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: 450989 | Nathan Kinder | 2008-06-19 | 3 | -211/+759
  Summary: Make memberOf plug-in attributes configurable.
* Resolves: 443241 | Nathan Kinder | 2008-06-09 | 1 | -9/+7
  Summary: Fixed issues with cleanup task not adding indirect memberships.
* Resolves: #436837 | Noriko Hosoi | 2008-06-04 | 1 | -0/+264
  Summary: Dynamically reload schema via task interface
  Description: implemented task based schema file reloading (see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
* Resolves: #182621 (#443955) | Noriko Hosoi | 2008-04-29 | 1 | -31/+43
  Summary: Allow larger regex buffer to enable long substring filters
  Description: Applying the patches provided by ulf.weltman@hp.com.
  regex.c: use dynamically allocated regex buffer, use ptrdiff_t to store the offsets to be restored after the realloc, and use a constant for the value of "how much the NFA buffer can grow in one iteration on the pattern".
  string.c: use dynamically allocated buffer if the prepared buffer is not large enough, used wrong pointer (pat instead of p) in a debug message, and performed an unneeded strcat of ".*"
* Resolves: 439628 | Nathan Kinder | 2008-04-21 | 1 | -61/+250
  Summary: Check for indirect memberships when removing memberOf attributes.
* Resolves: 440474 | Nathan Kinder | 2008-04-03 | 1 | -2/+9
  Summary: Fixed memory leaks in memberOf plug-in.
* Resolves: 440333 | Nathan Kinder | 2008-04-03 | 1 | -1/+1
  Summary: Fixed valgrind errors about use of uninitialized values.
* Resolves: 439907 | Nathan Kinder | 2008-04-03 | 1 | -105/+57
  Summary: Enhanced SLAPI task API and ported existing tasks to use new API.
* Summary: Avoid adding a group as a memberOf itself. | Nathan Kinder | 2008-03-28 | 1 | -10/+23
  Resolves: 439450
* Resolves: 439097 | Nathan Kinder | 2008-03-28 | 1 | -2/+13
  Summary: Handle delete modify of all present member values. When doing a delete modify, we should treat it the same as a replace when no deletion values are specified.
* Resolves: 438891 | Nathan Kinder | 2008-03-26 | 1 | -1/+11
  Summary: Handle updates of memberOf attributes for indirect members when a group is renamed.
* Resolves: 435730 | Nathan Kinder | 2008-03-03 | 1 | -21/+0
  Summary: Allow fractional replication between masters.
* Initial import of memberof plugin from FreeIPA (refactored from changeset 640:9c57bd91b32f if ipa-memberof.c). | Nathan Kinder | 2008-02-19 | 1 | -0/+2030
* Resolves: 429793 | Nathan Kinder | 2008-01-25 | 1 | -6/+5
  Summary: Fixed crash in replication during bulk import. Use bulk import code more consistently.
* Resolves: bug 388021 | Rich Megginson | 2007-11-19 | 1 | -2/+34
  Bug Description: MMR breaks from master that has been reinited
  Reviewed by: nkinder (Thanks!)
  Fix Description: This problem occurs when you have two or more masters, and you have updates that have originated at a master that have been sent to other masters (so that the other masters have a valid min/max csn for that replica in the ruv). If that master needs to be reinitialized for some reason (crash, etc.) the reinit will erase the changelog. The RUV for that master will now contain CSNs that are not in the changelog. If that master attempts to update another master, it will first look at the RUV from the consumer, which will contain the old CSNs, and it will look for those CSNs in the changelog, fail, and abort the update process, meaning this master can no longer send updates to other servers. The solution is for the master to just use the min CSN in its own RUV as the new starting point, if it has not been purged. In the case of purging, if the CSN is not found, this means the consumer is too far behind and must be reinitialized.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* Resolves: bug 197997 | Rich Megginson | 2007-11-14 | 1 | -2/+21
  Bug Description: PTA config parsing broken
  Reviewed by: nhosoi (Thanks!)
  Fix Description: The problem is that it is very difficult to use a comma as a delimiter between the url and the optional settings. This is because the suffix may contain many commas. The argument string may look like this:
    ldap://host1:port1 host2:port2 .... hostN:portN/a,long,suffix1:a,long,suffix2;....;a,long,suffixN optional,numeric,settings
  The ldap url may not contain any spaces after the hostlist - the suffixlist part must contain only url encoded spaces if the suffix actually has a space in it. So the solution is to use a space to separate the url from the options list. The parser looks for the first space after the last "/" in the url. This should be ok - at least it will not break the most common use of pta, which is to allow the config DS admin user to log into servers that do not have the o=NetscapeRoot. setup will use something like this:
    ldap://configdshost:configdsport/o=NetscapeRoot
  with no optional settings - this should parse just fine with the new code.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
  QA impact: should be covered by regular nightly and manual testing
  New Tests integrated into TET: none
* Resolves: #339791 | Noriko Hosoi | 2007-10-24 | 3 | -35/+57
  Summary: rhds71sp1 rhel3u6 - ns-slapd process dies with segmentation fault
  Description: ldap_utf8prev, LDAP_UTF8PREV, and LDAP_UTF8DEC were sometimes used without checking the returned pointer going back beyond the beginning of the string.
* Resolves: bug 232910 | Rich Megginson | 2007-10-19 | 1 | -9/+9
  Description: ACI targetattr list parser is whitespace sensitive
  Fix Description: In addition to the previous fixes, test for quote at end of string before incrementing s - otherwise test will always fail.
* Resolves: bug 232910 | Rich Megginson | 2007-10-19 | 1 | -8/+15
  Description: ACI targetattr list parser is whitespace sensitive
  Fix Description: I made it too sensitive. The parser should allow simple unquoted strings. However, if it begins with a quote, it must end with a quote.
* Resolves: bug 297221 | Rich Megginson | 2007-10-19 | 3 | -5/+18
  Description: rhds71 Malformed Dynamic Authorization Group makes Directory Server Crash
  Reviewed by: supplemental
  Fix Description: In some cases, it is ok if the filter is NULL. So just allow NULL in those cases. slapi_str2filter must take either NULL or a writable string, so make sure we pass those in correctly.
* Resolves: #339031 | Noriko Hosoi | 2007-10-19 | 2 | -3/+4
  Summary: Solaris: warnings reported by the Solaris compiler
* Resolves: #329951 | Noriko Hosoi | 2007-10-18 | 2 | -21/+23
  Summary: MMR: Supplier does not respond anymore after many operations (deletes)
  Description: introduce OP_FLAG_REPL_RUV. It's set in repl5_replica.c if the entry is RUV. The operation should not be blocked at the backend SERIAL lock (this is achieved by having OP_FLAG_REPL_FIXUP set in the operation flag). But updating RUV has nothing to do with VLV, thus if the flag is set, it skips the VLV indexing.
* Resolves: bug 297221 | Rich Megginson | 2007-10-18 | 3 | -2/+26
  Bug Description: rhds71 Malformed Dynamic Authorization Group makes Directory Server Crash
  Reviewed by: nhosoi (Thanks!)
  Fix Description: The problem was that we were not checking the return value of slapi_str2filter(). I added a check at the crash site, and it will not print out a helpful error message. I did a search through the code looking for other similar places and found a couple. I added similar code in those places. I added an initialization of a buffer to null, as suggested by nhosoi.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no