| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Bug Description: ACI targetattr list parser is whitespace sensitive
Reviewed by: nkinder, nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: Need to trim trailing whitespace from the targetattr clause. I noticed that targetattrfilters had the same problem, except it returned ACL_SYNTAX_ERR in that case, so I changed targetattr to do the same.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
| |
Summary: HP-UX: warnings reported by the HP-UX compiler
| |
Bug Description: Netscape Console allows instance directory to be set as change log
Reviewed by: nkinder (Thanks!)
Fix Description: 1) When removing the changelog files and directories, only remove the actual db related files - version, guardian, *db4, log.*, and __db.* - This should take care of the cases where the changelog was already created in an existing directory.
2) Disallow adding/changing a changelog db directory if it already exists and is not empty
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Summary: Don't add mailGroup objectclass when sync'ing new group entries from AD.
| |
Summary: "nested" filtered roles result in deadlock (Comment #12)
Description:
1. Changed cache_lock to the read-write lock.
2. Instead of using the local vattr_context in vattr_test_filter, use the one
set in pblock as much as possible. To achieve the goal, introduced
pb_vattr_context to pblock.
3. Increased VATTR_LOOP_COUNT_MAX from 50 to 256.
4. When the loop count hit VATTR_LOOP_COUNT_MAX, it sets
LDAP_UNWILLING_TO_PERFORM and returns it to the client.
| |
Summary: Remove changelog db file when replica config is removed.
| |
Bug Description: add a view object inside a view object that has an improper nsviewfilter crashes the server
Reviewed by: nhosoi (Thanks!)
Fix Description: I could not reproduce the problem by simply adding the bogus nsviewfilter. The server seemed to run fine, but I didn't stress it. However, if I restarted the server, the server would core during startup. The last message in the error log would say something about recovering the database, which is probably why the bug reporter said that it will not recover the database. The problem doesn't appear to be with views specifically, but with any internal search which uses the search_internal_callback_pb() (as opposed to the non callback internal search) and there are search base rewriters (such as the views code). The aci code uses this type of search at startup to find the acis, and that's where I saw the crash. I could crash the server at startup regardless of whether the view filter was bogus or not. The problem is that we are not passing in the address of new_base to slapi_ch_free. The fix is to use slapi_ch_free_string and pass in the address of the string. That fixes the crash.
I also cleaned up a few places in the views code which were not checking to see if slapi_str2filter returned NULL, which would happen in the case of the bogus search filter. I also added an error message which will tell the user that filter X in entry Y is bogus.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
| |
Summary: Avoid double free of controls in passthrough plugin.
| |
Summary: Handle poorly formatted DN's when normalizing. Also only check modify values against authenticated DN for DN syntax attributes.
| |
Summary: miscellaneous memory leaks
Description: 1) fixed memory leaks
2) cleaned up normalize_path code with fixing memory leaks
| |
Bug Description: rhds71 - search filters returns too many entries on integer attributes value greater than 2 to the power of 31
Reviewed by: nkinder, nhosoi (Thanks!)
Fix Description: The way >= and <= searches are supposed to work in LDAP is that you are supposed to define an ORDERING matching rule for the attribute you want to use in the search filter. The way our code is written, most strings "just work" as a side effect of the way bdb sorts the keys by default - so you can do (uid>=jvedder) and get what you would expect, even though LDAP says this is illegal because the schema definition of the uid attribute does not have an ORDERING matching rule. And INTEGER worked with the old binary format for the same reason. The only attribute definitions we use with ORDERING are attributes that use Generalized Time syntax (e.g. createTimestamp, et. al.) and numSubordinates (which uses INTEGER, but this is a special case handled internally by the db code).
The way it works now is that the indexing code will honor the ORDERING matching rule specified in the schema definition. Or, if ORDERING is not specified, the user can use the nsMatchingRule index configuration. This will allow an existing customer that depends on all integer syntax attributes (e.g. uidNumber) to allow range searches by default to enable range searches without editing the schema. The syntax definition for the attribute must also specify a compare function. This compare function will be used by the bdb bt_compare() function.
I also fixed a bug in the integer normalize code - a string of all zeros should normalize to a single "0". In all other cases, the leading zeros should be removed.
Platforms tested: RHEL5 x86_64
Flag Day: Yes. Integer indexes will need to be rebuilt (except for numsubordinates).
Doc impact: Yes - document slapi API additions
QA impact: Pay close attention to tests that use >= or <= search filters, both with and without index attributes. Also, pay close attention to greater/less than searches using i18n collations.
New Tests integrated into TET: Forthcoming
| |
Summary: server crash after deleting supposedly deleted attribute
Description:
index.c: if there is no attribute to delete, don't call index_addordel_values_sv
string.c: changed string_values2keys to handle NULL bvals
| |
Summary: Fixed PTA config parsing to use a comma delimiter instead of a space.
| |
Summary: Fractional replication log statement needed a newline.
| |
Summary: Don't replay AD originated password changes back to AD.
| |
Summary: Make sync total update deal with an empty changelog.
| |
Summary: Make dbscan handle special RUV related changelog entries.
| |
Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly.
Reviewed by: nkinder (Thanks!)
Fix Description: 7.1 and earlier chaining and replication credentials were stored incorrectly on little endian machines (x86 and itanium). They were "accidentally" stored correctly on big endian machines (sparc, pa-risc) because val == ntohl(val) on those platforms. When migrating from a little endian machine, we need to decode the password using the broken algorithm and re-encode it using the good method. We determine if the password is encoded incorrectly by the following method: we use migratecred to decode and encode using the old path. If the values are equal, this means the password was already encoded correctly and we don't need to fix it. Otherwise, we set the flag that tells migratecred to fix it. In order to decode the broken password correctly on big endian machines, we have to swap the byte order to convert the values to little endian.
Platforms tested: RHEL5 x86_64, RHEL5 i386, Solaris 9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Summary: Handle initials and streetAddress attributes when doing a sync total update.
| |
Bug Description: Migration script does not migrate nsDS5ReplicaCredentials correctly.
Reviewed by: nhosoi (Thanks!)
Fix Description: We still need to be able to decrypt passwords using the broken method. I guess it works on Solaris and HP because the values are already in network byte order. But when the values were encrypted on x86, they were encrypted the wrong way. It is safe to use MIGRATE_BROKEN_PWD on Solaris and HP because it is essentially a no-op. But this allows us to decrypt x86 passwords and store them correctly.
Platforms tested: RHEL4 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Bug Description: rhds71 - search filters returns too many entries on integer attributes value greater than 231
Reviewed by: nhosoi (Thanks!)
Fix Description: The problem is that the current code uses atol() to convert the string value to an integer. long is 4 bytes or 8 bytes depending on the underlying platform. These binary values are stored in the index as 4 or 8 byte values. Finally, the behavior of atol() is different on the platform in overflow cases. Instead of dealing with binary values, we must store the values in string format, and perform string comparison, string normalization, and string key generation on INTEGER syntax values. I added another syntax type to the list in syntax.h. The code in string.c and value.c was mostly usable. I had to add some code in value_normalize to handle cases like " -00000001" -> "-1" to make it work like atol(), and I had to add some code to value_cmp to handle the sign (e.g. positive is always greater than negative, no other comparison is necessary) and magnitude (longer number is larger/smaller than shorter number, depending on sign). Otherwise, strcmp() does the right thing (e.g. "50" > "49", the same as int(50) > int(49)). One problem I ran into was that the value_normalize code takes just a char *, rather than a berval* or a char * + size_t length. To be efficient, this function should return the new length of the normalized string. Fortunately, none of the existing code cares about the length, but I needed the length for magnitude comparison, so I just used strlen for those cases. Which should be fine. value_normalize always produces a correctly null terminated string. I rewrote the value_cmp code to use a simple if rather than the switch statement. This makes it much clearer - if syntax is case insensitive, use slapi_utf8casecmp - if case sensitive, use strcmp - otherwise, error.
I also found a problem with the ldif2db code, which I uncovered because I added my integer indexes online and did an online import. The db2index code will correctly clear the INDEX_OFFLINE bit after the index is completed, but the ldif2db code will not.
Platforms tested: RHEL5 x86_64
Flag Day: Yes, if you are upgrading and you have integer valued indexes, you will have to remove them and recreate them.
Doc impact: We will have to document this in the release notes.
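Added example (not code from this commit or from the Directory Server tree): an illustration in C of the string-based INTEGER handling described in this entry and in the ORDERING matching rule entry further up this log, covering normalization (" -00000001" -> "-1", all zeros -> "0") and comparison by sign, then digit count, then strcmp(). The names int_normalize, int_cmp_norm, int_cmp and INT_BAD are hypothetical, not the server's value_normalize/value_cmp.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define INT_BAD (-2) /* hypothetical sentinel: input is not an INTEGER value */

/* Canonicalize a decimal integer string: drop surrounding blanks, a '+' sign
 * and leading zeros; zero is always "0". Returns the new length, or -1. */
int int_normalize(const char *in, char *out, size_t outsz)
{
    int neg = 0;
    size_t n = 0, nd;
    const char *d;

    while (isspace((unsigned char)*in)) in++;
    if (*in == '-' || *in == '+') neg = (*in++ == '-');
    if (!isdigit((unsigned char)*in)) return -1;   /* need at least one digit */
    while (*in == '0') in++;                       /* leading zeros */
    d = in;                                        /* first significant digit */
    while (isdigit((unsigned char)*in)) in++;
    nd = (size_t)(in - d);
    while (isspace((unsigned char)*in)) in++;
    if (*in != '\0') return -1;                    /* trailing junk */
    if (nd == 0) { neg = 0; d = "0"; nd = 1; }     /* all zeros, incl. "-0" */
    if (neg + nd + 1 > outsz) return -1;           /* does not fit */
    if (neg) out[n++] = '-';
    memcpy(out + n, d, nd);
    out[n + nd] = '\0';
    return (int)(n + nd);
}

/* Compare two normalized values without converting to a machine integer. */
int int_cmp_norm(const char *a, const char *b)
{
    int na = (a[0] == '-'), nb = (b[0] == '-'), r;
    size_t la = strlen(a), lb = strlen(b);
    if (na != nb) return na ? -1 : 1;        /* positive beats negative */
    if (la != lb) r = (la < lb) ? -1 : 1;    /* more digits, larger magnitude */
    else { r = strcmp(a, b); r = (r > 0) - (r < 0); }
    return na ? -r : r;                      /* order reverses for negatives */
}

/* Normalize both raw values, then compare; INT_BAD on a syntax error. */
int int_cmp(const char *a, const char *b)
{
    char x[64], y[64];
    if (int_normalize(a, x, sizeof x) < 0 || int_normalize(b, y, sizeof y) < 0)
        return INT_BAD;
    return int_cmp_norm(x, y);
}

int main(void)
{
    char buf[64];
    int_normalize(" -00000001", buf, sizeof buf);
    printf("[%s]\n", buf);
    printf("%d\n", int_cmp("2147483648", "2147483647")); /* past 32-bit long */
    return 0;
}
```

Because nothing is converted to long, values beyond 2 to the power of 31 (or 63) order the same way on every platform.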
| |
Summary: Performance cleanup of sync code. Improve tombstone search performance.
| |
Summary: Handle syncing add operations that have a ntuniqueid present.
| |
Bug Description: MMR: Directory updates on same object
Reviewed by: nhosoi (Thanks!)
Fix Description: The problem does appear to be concurrency. I think the original intention of
the urp fixup code was that it should only be run inside the database lock, so
that the database could be restored to a consistent state before the next
operation was processed. However, this requires the database code to know when
the database is already locked, so that if e.g. a modrdn operation needs to
call an internal delete, the database should not be locked again. The flag
OP_FLAG_REPL_FIXUP is used to denote both that the operation is such an
internal operation, and that the database should not be locked again.
There are a couple of cases where these operations can be called from outside
of the database lock:
urp_fixup_rename_entry is called from multimaster_postop_modrdn and
multimaster_postop_delete, both of which are front end post op plugins, not
called from within the database lock. Same with urp_fixup_delete_entry and
urp_fixup_modify_entry. In other cases, such as urp_fixup_add_entry, and other
places where urp_fixup_rename_entry and urp_fixup_modify_entry are called, they
are called from a bepostop plugin function, which is called after the original
database operation has been processed, within the database lock. So the
solution appears to be to move the urp_* functions to the bepostop plugin
functions. One of these functions does an internal search -
urp_get_min_naming_conflict_entry - but it does not appear that search locks
the database, so there was nothing to be done to make it "reentrant".
Without this patch, I can crash the server in a matter of minutes (x86_64
rhel5) using the latest Fedora DS 1.1 code. With the patch, the server runs
for several hours (maybe longer, I had to stop the test).
Also, to really exercise the urp code, I added a rename operation between the
add and delete e.g.
add("ou=test");
rename("ou=test", "ou=test2");
delete("ou=test2");
The server still runs for several hours with no problems.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
| |
Summary: Corrected search scope used to find entries to sync in winsync total update protocol.
| |
Summary: Handle syncing multi-valued street attribute to AD.
| |
Summary: Check if passwords are already hashed before sync'ing with AD.
| |
Summary: Trim initials attribute value when sync'ing to AD.
| |
Summary: Use mozldap6 ldif_parse_line API
Changes:
1) Removed ldif.h from the DS tree.
2) Eliminated the 5-th arg of ldif_parse_line (errmsg) and the errmsg related
code.
| |
Description: bitwise matching plugin
Fix Description: Samba requires backend LDAP servers to support bitwise operations. This is to support search filters like this:
(|(|(&(!(groupType:1.2.840.113556.1.4.803:=1))(groupType:1.2.840.113556.1.4.803:=2147483648)(groupType:1.2.840.113556.1.4.804:=10))(samAccountType=805306368))(samAccountType=805306369))
Note: This patch works for Samba's tests, but hasn't been more broadly or specifically tested.
This commit also adds an --enable-bitwise option to configure (enabled by default - use --disable-bitwise to disable it) and adds the plugin entry to the configuration during new instance creation.
Platforms tested: FC5/FC6
| |
Summary: Remove obsolete makefiles
| |
Summary: Change format of DBVERSION and guardian files (Comment #6)
1) introduced new strings for DBVERSION
2) added the logic to compare the new DBVERSION strings
note: we don't store the current db version string in the replication
code any more. Instead, we get it from Berkeley DB header file db.h.
| |
Bug Description: PAM passthru ENTRY method not working
Reviewed by: prowley (Thanks!)
Fix Description: There are several problems.
1) For the ENTRY method to perform the internal search to get the entry for the bind DN, it must have a component ID (aka plugin identity). The code was already there to get/set it, but it was never initialized in the init function.
2) You cannot mix slapi_sdn_new* with slapi_sdn_init* - slapi_sdn_init will erase the knowledge that the Slapi_DN was allocated with malloc and it will not free it in slapi_sdn_free().
3) People may assume they can specify a subtree (e.g. ou=people,dc=example,dc=com) instead of a suffix for the list of included/excluded suffixes. The error message will not print a list of valid suffixes for the admin to use.
4) slapi_be_exist was failing because the database does not notify the mapping tree code that the backend is started during startup. This works fine under normal conditions because most all of the code in mapping_tree.c will lookup the backend if the mtn_be pointer in the mapping tree node is NULL. However, slapi_be_exist and slapi_be_select do not do this. The proper solution is to call slapi_mtn_be_started() at database startup time. This is the same thing that happens when a backend is added at runtime.
Platforms tested: FC6
Flag Day: no
Doc impact: no
| |
Bug Description: Allow building with bdb 4.4 or later
Reviewed by: nkinder (Thanks!)
Fix Description: db.m4 already had code to detect and use the correct version of db headers and libraries. There have been some minor api changes since 4.3, so not many code changes were required. Note that this merely allows the server to build and run with db4.4 or later, not to take advantage of the newer features of the API.
Platforms tested: FC7
Flag Day: no
Doc impact: no
| |
Summary: referential integrity plugin does not stack with Class of Service appliance (Comment #11)
Changes:
1) registered cos_post_op and roles_post_op as SLAPI_PLUGIN_INTERNAL_POST_op_FN
functions.
2) changed the plugin type of CoS and Roles from "postoperation" to "object".
| |
Summary: Fix inconsistent clear password storage and ensure that SASL authentication uses passwords properly.
| |
Summary: replica initialization: random failure (Comment #1)
Change: if acquire_replica is called for replica initialization, log REPLICA_BUSY.
| |
Bug Description: integrating db43 into ds70
Reviewed by: nkinder (Thanks!)
Fix Description: I took the original diffs posted by Ulf and merged them in with our code which has changed slightly since the diffs were originally generated. I also put #if directives like the following:
#if 1000*DB_VERSION_MAJOR + 100*DB_VERSION_MINOR >= 4300
... db43 features ...
#else
... db42 features ...
#endif
so that we can use both db42 and db43.
Platforms tested: RHEL4/FC5
Flag Day: no
Doc impact: no
| |
Summary: configure needs to support --with-fhs (Comment #6)
Changes: Added the following include next to the end of the copyright block.
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
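Review bot: the <config.h> include only has its intended effect if it is the first include in every file, ahead of any system header, because the macros it defines can change what those headers declare. Placing it right after the copyright block achieves that, but it is worth confirming that none of the touched files has an #include above that point, and that every compile line defines HAVE_CONFIG_H, since a file built without it silently skips the include.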
| |
Summary: Cleaning up obsolete macros in the build
Changes: eliminated macro NSPR20 (Comment #9)
| |
Summary: Cleaning up obsolete macros in the build
Changes: eliminated macro NET_SSL (Comment #5)
| |
Summary: subtree search fails to find items under a db containing special characters (Comment#16)
Description: When dn contains rdn which includes '\\', it was escaped twice to generate a key for entrydn and caused mismatch in forming ancestorid index. It ends up that the subtree search fails.
| |
Summary: parameterizing the hardcoded paths (phase 3. installed binaries, change log, setup)
Comment #23
| |
cert, and instance dir)
1) introduced these 3 new config attributes:
nsslapd-lockdir, nsslapd-tmpdir, nsslapd-certdir,
and eliminated: nsslapd-instancedir.
2) replaced the hardcoded paths with the corresponding attribute value in the
server as well as in the create/remove instance codes.
3) moved snmp stats file to the nsslapd-tmpdir
4) moved the server instance dir to <prefix>/lib/<brand>-ds/slapd-<id>