| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=552421
Resolves: bug 552421
Bug Description: Cannot log into admin server after upgrade (fedora-ds-admin-1.1.6 -> 389-admin-1.1.9
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Some older versions of setup encoded the admin password in SHA and added a trailing newline to the userPassword attribute when adding the admin entry. This changes the SHA passsword compare routine to ignore a trailing
newline character in the dbpwd. newline is not a valid base64 character.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
| |
If a local password policy is set that does not have a storage
scheme specified, the server can crash since it tries to dereference
a NULL pointer to access the hashing function. This fix simply
checks if the storage scheme is set before trying to access the
hashing function.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=537956
Resolves: bug 537956
Bug Description: Password replication from 389DS to AD2008(64bit) fails, all other replication continues
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Broken during adding support for openldap API. I added the
function slapi_ldap_bind which returns the result code. The old function
being used by the winsync code expected the function to return the msgid, which
is now returned as one of the function arguments instead.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
| |
This fixes three small memory leaks in the DNA plugin. We were
leaking the extended operation request data and response data for
range requests as well as an attribute value for ADD operations
when checking for the magic value.
|
| |
|
|
|
| |
The fix for bug 518084 was missing a paran on one line of source
for the pblock functions. This corrects the syntax error.
|
| |
|
|
|
| |
This patch adds Doxygen comment blocks for the DN related functions
in slapi-plugin.h.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using the retro changelog plugin, post-op plugins that perform
internal operations (such as memberOf) can result in the internal
operation preceeding the original operation in the changelog.
The fix is to give the retro changelog a higher precedence than the
other post-op plugins. This required some core server changes to
be made around the plugin precedence to allow an object plugin to
pass it's precedence into it's calls to slapi_register_plugin()
when it registers other plugin types.
I added an update LDIF to set the plugin precedence when running
"setup-ds.pl -u". I also noticed an AVC when restarting after the
update due to the schema.bak directory that is created. I've
adjusted the dirsrv SELinux policy to deal with this AVC.
|
| |
|
|
|
|
|
|
|
|
|
| |
When an unknown attribute type is used (when adding an entry using
the extensibleObject objectclass for example), the syntax of the
attribute defaults to "Directory String". This places syntax
restrictions on the attribute, limiting the attribtues use to
specific types of values. This patch changes the syntax for
unknown attribute to "Octet String", which allows 0 or more UTF-8
bytes. This will allow unknown attributes to store binary or empty
values.
|
| |
|
|
|
|
|
|
|
|
| |
If a slot from the connection table had previously been used for
an LDAPI connection, it would cause serious performance degradation
(20 times worse on my system) to a TCP connection that reused the
same slot. The problem was that we were not clearing the flag
that indicates that a connection is a UNIX local socket in the
connection cleanup function. Clearing this flag makes the reused
slots perform as expected.
|
| |
|
|
|
|
| |
The previous fix for bug 195302 caused a crash during import. We
need to check if sdn is NULL before trying to get the dn member
from it in pw_encodevals_ext().
|
| |
|
|
|
|
|
|
| |
This patch makes SASL EXTERNAL binds obey the account lock. The
previous code was allowing the bind through even if the account
was locked.
This patch was contributed by Ulf Weltman of Hewlett Packard.
|
| |
|
|
|
|
|
| |
This patch makes SASL binds call the pre-op and post-op plug-ins.
The previous code was not calling the plug-ins for SASL binds.
This fix was contributed by Ulf Weltman of Hewlett Packard.
|
| |
|
|
|
|
|
|
|
| |
This patch makes the server use the password storage scheme set in
the appropriate fine-grained password policy (if it is set). The
previous code was always using the global storage scheme.
This fix was based off of a fix contributed by Ulf Weltman of
Hewlett Packard.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Named Pipe Log Script allows you to replace a log file with a named pipe attached to a script. The server can then send the log output to a script instead of to a log file. This allows you to do many different things such as:
* log only certain events e.g. failed binds, connections from certain ip addresses, etc.
* log only lines that match a certain pattern
* log only the last N lines - useful for enabling full error log debug levels in production environments
* send an email or other notification when a certain event is detected
The script is written in python, and allows plugins. By default, the script will log the last N lines (default 1000). There are two plugins provided - one to log only failed bind attempts, and one that will log only lines that match given regular expressions.
Reviewed by: nkinder (Thanks!) - found a bug in a comment
Resolves: bug 486171
Bug Description: [RFE] Access log - Failed binds
|
| |
|
|
|
|
|
| |
My previous patch for bug 504817 could cause us to read past the
end of the RDN string if it ended with a single escape character.
This fix adds a bounds check to ensure that we don't read past
the end of the string.
|
| |
|
|
|
|
| |
My previous patch for removing the fixed length buffer used in
the password history checking code introduced a problem where we
could attempt to free a NULL pointer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When performing operations with multiple mods to the same multi-valued
attribute on a single modify operation, a replica was not resolving
the attribute values correctly. This would lead to an inconsistency
between the master the change was initially performed against and the
replicas. The problem would occur with a modify operation such as
this:
dn: uid=testuser,dc=example,dc=com
changetype: modify
add: cn
cn: 2
-
replace: cn
cn: 3
The problem is that we use the CSNs from the attribute state data
to determine which values should remain after the operation (this is
done to merge with later occuring changes from other masters). The
CSN for all mods within the same modify operation is exactly the same.
The old code was looking for attributes older than the deletion that
occurs as a part of the replace, then deleting those values. This
would cause the value of "2" in the above example to remain. Simply
changing this comparision to look for values with the same or older
CSN to delete would cause the new value of "3" to be removed as well
when we get around to resolving the attribute after the second half
of the replace operation.
The fix is to use a different CSN comparison when we are removing all
values of an attribute during attribute resolution (remove values with
the same or older CSN). This is safe becuse the only present values
at this time are older values or values added in a previous mod in the
same modify operation. When processing other mods that are not
removing all values of an attribute, we only want to remove values
with a CSN older that that of the current modify operation. This
prevents us from removing a newly added value, such as "3" in the
example above. This is safe since we resolve the attribute after
each mod in the modify operation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
version 1.2.5.a1
Instead of changing configure.ac AC_INIT for each version change, there
is a new file - VERSION.sh. This file also contains support for creating
version numbers for pre-releases, and pre-release strings containing git
commit hashes.
One of the complications is that AC_INIT does not allow you to override the version and package tarname fields. We can override them after the fact everywhere
except in config.h. AC_INIT defines the following which we would like to override but cannot: PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_STRING PACKAGE_BUGREPORT
Instead, we define DS_ versions of these e.g. DS_PACKAGE_VERSION etc. and make
these available with AC_DEFINE(DS_PACKAGE_VERSION,...) etc.
As an extra added precaution, we undefine these in Makefile.am like this:
DS_DEFINES = ... \
-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
If someone tries to use PACKAGE_VERSION in C code, they will not be able to,
and will have to use DS_PACKAGE_VERSION instead. All of the DS code that used
PACKAGE_VERSION has been changed to use DS_PACKAGE_VERSION instead.
There is a new make target - git-archive - as a convenience for creating source
tarballs from git. By default, the source archive will be placed in the build
directory - you can specify SRCDISTDIR=/path/to/SOURCES to use an alternate
dir (e.g. make SRCDISTDIR=/path/to/rpmbuild/SOURCES git-archive to make a
source tarball for rpmbuild)
configure will print the branded package name and version
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The bug fix for bug 438139 introduced a regression that causes the
server to not handle LDAPv2 quoted RDN values correctly. We were
including the '"' characters used to contain an unescaped value in
the actual value itself.
The proper thing to do is to eliminate any '"' characters that are
not escaped when we unescape the value. I have tested this new fix
with the oringinal issue from bug 438139 to ensure that it does not
introduce a regression for that bug.
|
| |
|
|
|
|
|
|
|
|
|
| |
If some sort of error occurs during the sending updates to AD phase
of an incremental winsync update, we still attempt to send the dirsync
control to AD. This can cause spurious error messages to be logged to
the errors log stating that we can't send the control since we are not
connected to AD anymore.
This patch simply skips sending the dirsync control if we encountered
an error sending updates to AD.
|
| |
|
|
|
|
|
| |
This option will accept format like "-e deref=derefAttr:attr"
to ldclt when "-e esearch" is requested.
example: -e esearch -e deref=secretary:mail
search will dereference the "secretary" attribute and then return the "mail" attribute value
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password history code was using a fixed length array to store
the historical password values that are used to compare to the new
password. The array was hardcoded to 25 values. The server will
allow a maximum 24 password history values to be kept by limiting
the passwordInHistory configuration value, though it would be
possible to do something such as import an LDIF with more than 24
historical password values in an entry, causing the server to crash
when the next password change occurs.
This patch eliminates the fixed length array and dynamically
allocates the array based off of the number of values that exist
in the entry whose password is being modified.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AD tombstone mapping code is not behaving correctly if a
cn contains a comma (such as a "last, first" type value). The
code is supposed to locate the first ":" in the tombstone DN,
then scan for the first "," after that. Everything between is
the GUID. The problem is that the code is starting at the
beginning of the string when searching for the "," instead of
starting at the ":" that was previously found. This causes the
"," in the cn to be found instead, which makes us fail to find
the GUID.
The fix is to simply start searching for the "," from the ":"
in the tombstone DN.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for assigning a precedence to each plugin.
This precedence value is used to determine what order the plugins
should be called in within a given plugin type.
The precedence value is an integer between 1 and 99. The value is
set in the nsslapd-pluginPrecedence attribute in a plugin config
entry in "cn=config". If a plugin does not have a precedence
value set, the plugin is treated as if it has a precedence of 50.
For more details, see the feature design document at:
http://directory.fedoraproject.org/wiki/Plugin_Ordering
I also removed an incorrect log message in the linked attrs plugin
that I noticed while debugging this patch.
|
| |
|
|
|
|
| |
This option will accept format like "-e attreplacefile=jpegPhoto:/some/binary.file"
to ldclt. The content of the given file will be used to replace the attribute
"jpegPhoto" (in this case). The given file could be plain text or binary file.
|
| |
|
|
|
| |
When removing an instance, we need to be sure to remove the
instance specific initconfig script.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a previously fixed bug (bz 474254), standard schema may
have been duplicated in 99user.ldif. When running an upgrade, we
need to check the 99user.ldif file to see if any obsolete standard
schema is defined there and remove it.
This patch makes upgrade backup the original 99user.ldif, and
scans it to see if any of the obsolete attributeTypes or
objectClasses attributes that we are removing from the standard
schema exist in 99user.ldif. We trim the obsolete definitions
and write out a new 99user.ldif with the proper permissions.
|
| |
|
|
|
|
|
|
| |
There is an unnecessary blank line in 00core.ldif in the middle
of an entry. This isn't causing any server issues since the line
does have a space, making it count at part of the previous attribute,
but it does through off Mozilla::LDAP::LDIF. The blank line should
really be removed.
|
| |
|
|
|
|
|
| |
This adds SMD5 password storage support to the existing password
storage plug-in. Add upgrade LDIF has been added to ensure that
this new functionality will be available to servers that are
upgraded from previous versions.
|
| |
|
|
|
|
|
|
|
|
| |
This adds a number of interface macros to the dirsrv SELinux policy
module. These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.
I also made some changes to the setup code that labels newly created
directories. When the first instance is created, some top-level
directories are created that were not being labeled properly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some older releases did not have nsslapd-rundir - upgrading from
those releases will cause the server not to start - we must add
nsslapd-rundir if it is missing
We also got rid of nsslapd-ldapiautodnsuffix, so remove that from
the config - it doesn't hurt anything to leave it, but the error
message is annoying
I also added back a mostly truncated version of 28pilot.ldif because
some apps still use pilotObject - those apps should change to
use a different objectclass ASAP.
Tested on Fedora 11 i386 and x86_64
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new config setting named nsslapd-anonlimitsdn
that one can set to the DN of an entry containing the bind-based
resource limit attributes to use for operations performed by an
anonymous user. This allows the defaults to still be used for
all other actual bound users who do not have any user specific
resource settings.
This implementation approach allows any resource limits that
are registered via the reslimit API to work with this anonymous
limits template entry.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds a new ssf bind rule keyword to the access control
plug-in. This allows you to write ACIs that require a specific
level of encryption for the rule to apply. The new keyword can
be used with '=', '!=', '<', '>', '<=' and '>=' comparators.
I added code that stores the SSF in effect for an operation into
the operation struct. The value that we store is the higher of
the two between the SASL SSF and the SSL/TLS SSF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
|
| | |
|
| |
|
|
|
| |
the standard definitions of groupOfNames and groupOfUniqueNames
to allow empty groups.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=526141
Resolves: bug 526141
Bug Description: allow empty groups
Reviewed by: nhosoi (Thanks!)
Fix Description: Change groupOfNames and groupOfUniqueNames to allow empty
groups by changing the member/uniqueMember attribute from MUST to MAY.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=520921
Resolves: bug 520921
Bug Description: Config schema not included in core schema
Reviewed by: nkinder (Thanks!)
Fix Description: Just had to move a few schema from 02common and 30ns-common into 01core389.ldif. I also added 01core389.ldif to the list of schema installed
when install_full_schema=0 is specified with setup-ds.pl. I also added these schema files to the list of schema files to upgrade.
With these changes, the server starts up fine. The only error is this:
[29/Sep/2009:16:47:53 -0600] - Entry "cn=PAM Pass Through Auth,cn=plugins,cn=config" has unknown object class "pamConfig"
This is because the pam pass through plugin is included in the default config. I'd rather not move that schema file. That plugin can be removed from the default config during setup by specifying a slapd.ConfigFile directive with contents like this:
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: delete
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=526319
Resolves: bug 526319
Bug Description: SASL IO sometimes loops with "error: would block"
Reviewed by: nkinder (Thanks!)
Fix Description: The semantics for recv() are that it returns -1 for errors, 0 for connection closed, and non-zero for some bytes received. The sasl code was not using those semantics - it was returning 0 for successful read and -1 for error. Although I have not been able to reproduce the exact failure, what I believe is happening is that the initial read of the packet length in sasl_io_start_packet() works, and the sasl IO is received. At some point, the connection is
closed by the client, and the PR_Recv return of 0 is not handled correctly, and somehow the errno gets set to EWOULDBLOCK. From this point on, PR_Recv() will return -1 (since the socket has been closed) and errno is not reset from EWOULDBLOCK.
The fix is to make sure the sasl IO code handles the PR_Recv() return value
correctly.
Note that with CONNS (8) error log level, you may still occasionally see "would block" errors, but as long as they are not endlessly repeating, this should
be ok.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix contributed by Ulf Weltman (ulf.weltman@hp.com)
Description From Ulf Weltman (ulf.weltman@hp.com)
In previous releases, if LDIF being imported contained createTimestamp,
creatorsName, modifyTimestamp, or modifiersName, those values would be kept in
the imported entries. BZ# 462922 added code to insert those attributes during
import but it clobbers any values existing in the LDIF being imported. I think
the imported values should take precedence, this would be useful during
migration for example.
If anyone wants to take advantage of the new behavior where the server
provisions new values, they can strip out the values from the LDIF before
importing or they can set nsslapd-exclude-from-export to not export those
attributes before importing.
See also https://bugzilla.redhat.com/show_bug.cgi?id=525007
Reviewed by richm, nkinder, and nhosoi
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
multi-valued
http://bugzilla.redhat.com/show_bug.cgi?id=518514
Resolves: bug 518514
Bug Description: Bitwise Plugin: Bitwise filter doesn't return except the first entry if its multi-valued
Reviewed by: nhosoi (Thanks!)
Fix Description: Get the values as a char ** - look through each one until
we find one that matches.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=516305
Resolves: bug 516305
Bug Description: MODIFY/replace with empty values does not ignore missing or unknown attributes
Reviewed by: nhosoi (Thanks!)
Fix Description: The function mods_have_effect() did not work correctly. It
would set the flag have_effect = 0 the first time a type was not found.
Then if a subsequent mod would apply, it would still return have_effect = 0.
What it should do is keep looking for all mod types in the list of mods to
see if any of them would apply, and return have_effect = 1 if at least one
of them would apply. This corresponds to RFC 4511 section 4.6:
replace: replace all existing values of the modification
attribute with the new values listed, creating the attribute
if it did not already exist. A replace with no value will
delete the entire attribute if it exists, and it is ignored
if the attribute does not exist.
So the proper behavior is to ignore attributes that do not exist, and to
apply the rest.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=513308
Resolves: bug 513308
Bug Description: empty principal name used when using server to server sasl for db chaining
Reviewed by: nhosoi (Thanks!)
Fix Description: Change the logic to check if the username is a valid principal name. A valid principal name in this context will be a non-empty string that
does not contain the '=' character (which will be a bind DN in this context).
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=519455
Resolves: bug 519455
Bug Description: Should not attempt to pop SASL IO layer if not using SASL IO
Reviewed by: nkinder (Thanks!)
Fix Description: Before attempting to pop the SASL IO layer from the prfd,
first make sure we are using sasl IO, the prfd is not NULL, and the prfd
has a SASL IO layer on it.
This also fixes a bug with setting nsslapd-localhost in the bootstrap code -
if you are using a system that does not have DNS configured correctly, you
may want to force the SASL code to use the nsslapd-localhost for the FQDN.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=518279
Resolves: bug 518279
Bug Description: logs created at startup can get wrong file mode
Reviewed by: nkinder (Thanks!)
Fix Description: Try to apply the mode using chmod() if a log file has been specified. If and only if the log file has not been set, or if the chmod() succeeds, apply the changes to the internal config.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=523476
Resolves: bug 523476
Bug Description: 389-ds-base/glibmm24: conflicting perl provides
Reviewed by: nhosoi (Thanks!)
Files: see diff
Fix Description: Rename "Util" to "DSUtil"
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updates are implemented in:
perl - code that plugs in to setup - scriptlets that are imported into
the setup perl interpreter and executed in process, giving access to all
of the packages and context provided by setup
ldif - applied to instances, in the same manner as ConfigFile directives
to setup
other - any executable file, shell script, etc. can be invoked, with a limited
amount of context from the setup process
An update directory is added to the package - /usr/share/dirsrv/update - this
directory contains the update files - the update filenames begin with two digits
and are executed in numeric order (00 first, then 01, etc. up to 99) which
should provide enough flexibility
In addition, there are 5 stages of update:
pre - invoked before any instance specific code
preinst, runinst, postinst - invoked for each instance
post - invoked after any instance specific code
Example files are provided which demonstrate how to get the context.
There are two different modes of operation for update:
online - must supply a bind dn and password for each instance - servers must
be up and running
offline - operates directly on the dse.ldif - servers must be shutdown first
A new section is added to the .inf file that can be passed in
[slapd-instancename]
RootDN = binddn
RootDNPwd = bindpw
The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.
I also fixed some problems with error messages.
The pam pta plugin entry was giving object class violations, so I added the
missing attributes - note that these are replaced by the plugin code when
the plugin is loaded - they are only needed during setup.
Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which
means if you use it in an outer context, you cannot use it in an inner
context, even if it is used in a different function. Rather than attempting
to figure out how to use $_ safely in lower level functions, I just removed
the use of it altogether, which also makes the code easier to read.
Reviewed by: nhosoi (Thanks!) - fixed minor issues found
Platforms tested: Fedora 11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds SELinux policy to confine the SNMP subagent (ldap-agent).
There were some changes required around the aubagent to make it
work in a more standard fashion.
I moved the ldap-agent binary and wrapper to sbindir. It was
previously in bindir, yet it is not a user command. The location
really should be sbindir per FHS.
I added init scripts for the subagent, so it can now be managed
using "service dirsrv-snmp [start|stop|restart|condrestart|status]".
While doing this, I found that the parent process was exiting with
1 on success instead of 0, so I fixed that.
I added a default config file for the subagent as well. When using
the init script, the config file is hardcoded into this standard
location. Having this config template should also hopefully cut
down on configuration errors since it's self documenting.
The pid file location was also changed to go into /var/run per FHS.
Previously, it was written to the same directory as the log file.
There are a few notes in the policy .te file about some bugs that
we are working around for now. These bugs are mainly minor issues
in the snmp policy that is a part of the selinux-policy pacakge.
Once those bugs are fixed, we can clean our policy .te file up.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon. The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.
The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.
To use the dirsrv policy module, the module will need to be loaded
using the semodule utility. It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file when in the
case of using a RPM package.
|
