| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Bug Description: PAM passthru plugin causes directory server to crash
Reviewed by: nhosoi (Thanks!)
Fix Description: If the DN given in the BIND request is bogus i.e. not a valid DN (at least not one that ldap_explode_dn can parse), we should just skip the PAM processing and just report a reasonable error to the client. Similarly, if the map method says to lookup the pam ID from the bind DN entry, and the entry cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no
| |
Bug Description: incorrect base64 encoding of SHA passwords crashes server
Reviewed by: nkinder (Thanks!)
Fix Description: Check the return value of ldif_base64_decode to see if it is less than zero first before the other comparisons. This is the error condition, so we can just return an error. Additionally, the other comparisons with the unsigned should be ok since we know that the hash_len is a positive number.
Platforms tested: FC5
Flag Day: no
Doc impact: no
| |
Fixed a problem that ldapsearch reports random timeouts on 64-bit machine.
| |
Bug Description: PAM passthru: ENTRY map method not working and schema incorrect
Reviewed by: nhosoi (Thanks!)
Fix Description:
1) Rename all occurrences of pamMapMethod to pamIDMapMethod
2) The parsing code for the map method was just plain wrong - it wasn't
incrementing the pointer correctly.
3) This code: if (one == two == three == PAMPT_MAP_METHOD_NONE) - is not correct.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
| |
Description: Enable DS Core build/install on HP-UX
Fix Description: remove some bogus adminutil and nsdshttpd stuff from the plugin makefiles
Reviewed by: nhosoi (Thanks!)
| |
Bug Description: Enable core DS build
Reviewed by: nkinder, nhosoi (Thanks!)
Fix Description: I turned off all of the other components in the build,
such as adminserver, setuputil, clients, etc. and enabled the packaging
step when building just the core DS. Now, when you build just the core
DS, you get a slapd.tar.gz which you unpack in the server root you
create e.g. mkdir /opt/rhds ; cd /opt/rhds ; tar xfz slapd.tar.gz
In order to create an instance, you have to use the ds_newinst.pl script
as described here -
http://directory.fedora.redhat.com/wiki/Install_Guide#Installing_just_the_core_directory_server
I also got rid of several references to adminutil that are not needed
anymore.
Platforms tested: RHEL4 64
Flag Day: Yes. In order to build the full setuputil/adminserver
package, you must specify USE_SETUPUTIL=1 USE_ADMINSERVER=1 etc. on the
make/gmake command line.
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: I need to change the acceptance tests to
be able to test just the core DS package.
| |
fallback and secure config attrs
| |
password always remembers initial password on (part 2)]
acl_access_allowed: changed to check the given entry address with the one in aclpb. If they don't match, even if the sdn's match, let acl re-evaluate.
| |
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan, Noriko, and Pete (Thanks!)
Fix Description: Clean up usage of sprintf, strcpy, fgets instead of
gets, fixed buffer usage, etc., mostly in the CGI code and other user
facing code (i.e. setup). Also, Steve Grubb told me about a GCC trick
to force it to check printf style varargs functions, to check the format
string against the argument string, for type mismatches, missing
arguments, and too many arguments.
In the CGI form argument parsing code, we needed to be more careful
about checking for bad input - good input is supposed to look like this:
name=value&name=value&.....&name=value. I don't think the original code
was checking properly for something like name&name=value.
There was another place where we were not checking to see if a buffer
had enough room before appending a string to it.
I had to change a couple of functions to allow passing in the size of
the buffer.
Fixed some issues raised by Noriko and Nathan.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf,
ber_get_stringa, and ber_get_stringal and made sure we properly free any
arguments that may have been allocated. There was a bug in the ldapsdk
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes
us to free uninitialized memory when trying to clean up the result of
ber_get_stringal (or ber_scanf with 'V'). I had to initialize some
variables to NULL so that we could properly clean them up, and added
some additional clean ups that were missing. Also, in repl_extop.c, we
were calling free on an array that we should have been calling
ch_array_free on. Yet another lesson in the evils of slapi_ch_free and
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
| |
Bug Description: If you delete an attribute from an entry on AD, the attribute
doesn't get deleted on the DS side. The replication code doesn't even notice
that the entry changed.
Reviewed by: Rich, Noriko, Pete (thanks!)
Files: see diffs
Branch: HEAD, Directory71Branch
Fix Description: The dirsync search control passes back deleted attributes with no
values. If you try to add a Slapi_Attr with no values to a Slapi_Entry, it doesn't
get added. This fix stuffs the deleted attributes into the deleted attributes list
in the Slapi_Entry and checks for them when creating the modification
operations to be performed on the local entry.
Flag Day: no
Doc impact: no
QA impact: A regression test needs to be added
New Tests integrated into TET: none
| |
RHEL4_x86_64_gcc3_OPT.OBJ
The makefiles were assuming that if the string 86 was found in uname -m
it should use x86 for the arch. However, it should only do this if
uname -m is not x86_64. Also, for RHEL/Linux, we do not have to add the
NS64TAG just before the _OPT (or _DBG) since it's already in the arch.
Other platforms continue to use the other naming convention. The
default naming convention for the mozilla components is
Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ. I considered using Wan-Teh's
instructions about source builds, but that would cause many changes to
be made to our makefiles, so I just changed the way we calculate the
mozilla OBJDIR name from the regular OBJDIR name. These changes are
pretty much the same for adminutil, setuputil, adminserver, and ldapserver.
For ldapserver, I had to change nsarch (adminserver changed nsarch in a
different way). I also got rid of the 32 bit specific setup stuff. I
assume this was due to 32 bit NES admin server, so we can get rid of
this for the future, because we will have all native 64 bit apps. I also
went ahead and rolled in the gcc4 changes since they are safe for gcc3
as well.
| |
Bug Description: Chain BIND requests with chain on update + global pw policy
Reviewed by: Nathan, Pete (Thanks!)
Fix Description: When using global password policy, we need to chain the
BIND request back to a master so that it can update the pw policy op
attrs in the user's entry and replicate them to all other servers. The
call to config_get_pw_is_global_policy() is expensive (acquires a lock)
so we delay it as long as possible.
The reason we have to use config_get_pw_is_global_policy() is because the entry distribution plugin interface is poor - we have no way to register an init or start function to get the config, and no way to register a statechange callback to be notified of changes to the global password policy.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
| |
Bug Description: crash in PTA plugin when bind returned controls
Reviewed by: Pete (Thanks!)
Fix Description: Fix by Ulf. We are passing the ***LDAPControl when it
needs the **LDAPControl.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Checking in Ulf's proposal; should not get connid from pid if the op is internal. (plus the value is just for debug print which is disabled now)
| |
the contents. I'm not sure why we haven't caught this earlier, but
I believe it has something to do with the patch to make ds build on
Fedora Core 4 with gcc4. To do that, we turn off the -fwriteable-strings
argument to gcc. I suppose with it on, it moves those strings to
some sort of writeable memory location. With it off, constant strings
are definitely in the data section. There was one place in views that
used a constant string, and a couple of places in the windows sync code.
| |
Bug Description: Change ldapserver version to 1.0
Reviewed by: Noriko (Thanks!)
Fix Description: This also fixes some lingering build issues involving
perldap, which is no longer a separate setup package, but just gets
included into DS in a similar manner to nspr, nss, etc.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
duplicate values for system-only multivalued attributes. This change just skips the dscorepropagationdata attribute when receiving a change from DirSync.
| |
improper use of ldap_get_next.
| |
certain changes to not get synched.
| |
Bug Description: Directory Server crashes when deleting a view
Reviewed by: Nathan (Thanks!)
Fix Description: Needed to pass in the _address_ of theCache.pCacheViews to views_cache_add_ll_entry. Yet another lesson in using the compiler to catch type errors rather than casting to void*.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
Bug Description: Adding multiple attributes using a single ldapmodify crashes ns-slapd
Reviewed by: Nathan (Thanks!)
Fix Description: In C, the array '[]' dereference operator takes precedence over the '*' deref operator. In this case, I needed to put parentheses around the pointer dereference to avoid having array dereferenced first. modary is a pointer to an array, not an array, so I can't dereference it with the array operator until I first dereference the pointer.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
subtrees that the operation applies to
| |
in a critical section. This fix creates a mutex at init time and uses that
mutex to create a critical section around all PAM API access.
| |
Coding done by David Irving, Fred Brittain, and Aaron Gagnon
Reviewed by Rich Megginson - minor changes to md5_pwd.c
Tested on RHEL3 with FDS post-7.1
Does not include the OpenLDAP migration script - that will be handled separately
| |
Bug Description: Reliab 05: chaining backend test core dumped on HPUX backend
Reviewed by: Noriko (Thanks!)
Fix Description: This is a 64 bit issue. For ber_scanf, the "i" and "e" flags require a pointer to a long. There were a couple of places in the chaining backend code where we were passing in an int instead. This works fine on 32 bit where ints and longs are both 32 bits. I did a quick check through the code - these were the only places not using longs. The only way you would see this bug is in a "hub" chaining backend - one that gets requests from a mux and chains them to another farm server, or possibly on a mux in certain conditions.
Platforms tested: HP-UX 11.i 64 bit
Flag Day: no
Doc impact: no
QA impact: rerun chaining tests
New Tests integrated into TET: none
| |
replication. Add an error string returned to clients if an illegal attribute is configured
| |
the acquire process has been successful thus far.
| |
failed when it failed due to attempting to do fractional replication to another master.
| |
Bug Description: RL16: Server core dumped while configuring replication agreements
Reviewed by: David (Thanks!)
Fix Description: The code for handling bad agreements was wrong. It was not returning the correct error code. The result of this is that the client did not receive an appropriate error code/message from the server. The reason for the core dump was that, even though the agreement was not created, the DSE entry was still there, causing the server to become very confused. Returning the correct error code causes the server to refuse to create the bad DSE entry.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
| |
with 'streetaddress'
| |
agreements