| Commit message | Author | Age | Files | Lines |
| |
See also http://directory.fedoraproject.org/wiki/Entry_USN#Standalone.
| |
Adding "-e deref" option to ldclt.
Add mode (-e add): "-e deref" adds "secretary: <DN>" to the entry.
This is true when the entry's objectclass is
inetOrgPerson ("-e inetOrgPerson").
Search mode (-e esearch): "-e deref" sets dereference control to the search,
where the dereference attribute and dereferenced
attribute are hardcoded to "secretary" and "cn",
respectively.
Usage:
ldclt [...] -e add -e random -e inetOrgPerson -e deref -f test_XX
ldclt [...] -e esearch -e random -e inetOrgPerson -e deref -f test_XX
| |
This cleans up the following warnings:
ds.git/ldap/servers/slapd/back-ldbm/ldbm_usn.c:102: warning: unused variable 'li'
ds.git/ldap/servers/plugins/replication/repl5_agmt.c:1184: warning: too many arguments for format
ds.git/ldap/servers/plugins/syntaxes/dn.c:143: warning: unused variable 'val_copy'
ds.git/ldap/servers/plugins/syntaxes/deliverymethod.c:264: warning: unused variable 'p'
ds.git/ldap/servers/plugins/syntaxes/facsimile.c:269: warning: unused variable 'p'
ds.git/ldap/servers/plugins/usn/usn.c:107: warning: value computed is not used
ds.git/ldap/servers/plugins/usn/usn.c:263: warning: control reaches end of non-void function
ds.git/ldap/servers/plugins/usn/usn.c:525: warning: control reaches end of non-void function
The only one I'm not sure about is changing usn_get_attr to always return a 0 - please review that usage.
With these fixes, I only see the llu and lld format warnings on RHEL5 with the default rpmbuild compiler flags.
Reviewed by: nhosoi (Thanks!)
| |
Design doc:
http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_Entr
New slapi APIs in libslapd:
int slapi_set_plugin_default_config(const char *type, Slapi_Value *value);
Description: Add given "type: value" to the plugin default config entry
(cn=plugin default config,cn=config) unless the same "type:
value" pair already exists in the entry.
Parameters: type - Attribute type to add to the default config entry
value - Attribute value to add to the default config entry
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
int slapi_get_plugin_default_config(char *type, Slapi_ValueSet **valueset);
Description: Get attribute values of given type from the plugin default
config entry (cn=plugin default config,cn=config).
Parameters: type - Attribute type to get from the default config entry
valueset - Valueset holding the attribute values
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
warning: Caller is responsible to free attrs by slapi_ch_array_free
Changes in the Replication plugin:
1) Functions to set replicated attributes
agmt_set_replicated_attributes_from_attr and
agmt_set_replicated_attributes_from_entry
call _agmt_set_default_fractional_attrs to set the default excluded
attribute list from the plugin default config entry before setting
them from each replication agreement.
To support it, agmt_parse_excluded_attrs_config_attr is changed to be
re-entrant.
2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
3) Added a check for the duplicated fractional attributes.
Changes in the USN plugin:
1) usn_start calls slapi_set_plugin_default_config to add "entryusn" to
the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the
plugin default config entry.
2) fix for the bug 518673 - entryusn: wrong lastusn value; When the entryusn
is not assigned yet, the next value to be set is 0. Lastusn is calculated
as (the next entryusn - 1). Although the entryusn is 64-bit unsigned
long, it should be printed as a 64-bit signed integer for lastusn.
Other:
Fixed a compiler error in ldap/servers/slapd/dse.c.
| |
https://bugzilla.redhat.com/show_bug.cgi?id=504651
Resolves: 504651
Bug Description: Need to store additional attributes in Retro Changelog
Submitted by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed by: rmeggins (thanks!)
Platforms tested: FC10 x86_64
Fix Description: The fix allows recording some user-defined attributes
from the target entry of the operation (e.g. objectGUID) and built-in
attributes generated by the plugin (e.g. isReplicated) into the change
log entry. The attributes should be specified in the configuration entry:
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
...
nsslapd-attribute: objectGUID
nsslapd-attribute: isReplicated
The change log entry will contain the additional attributes:
dn: changeNumber=...,cn=changelog
...
objectGUID: ...
isReplicated: ...
---
| |
https://bugzilla.redhat.com/show_bug.cgi?id=519065
Resolves: 519065
Bug Description: Fails to start if attrcrypt can't unwrap keys
Reviewed by: nhosoi (Thanks!)
Fix Description: If not using the attrcrypt feature, just return success
if the keys could not be unwrapped.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
| |
Resolves: bug 487425
Bug Description: slapd crashes after changelog is moved
Reviewed by: rmeggins
Fix Description: Call clcache_set_config after the global changelog cache pool has been allocated.
Platforms tested: HPUX 11 (PA-RISC 2.0 64-bit)
Flag Day: no
Doc impact: no
<diffs>
| |
https://bugzilla.redhat.com/show_bug.cgi?id=518544
Resolves: bug 518544
Bug Description: large entries cause server SASL responses to fail
Reviewed by: nhosoi (Thanks!)
Branch: HEAD and 1.2
Fix Description: The SASL server code was broken when we switched over to
use NSPR I/O for the SASL IO layer. If the entire encrypted buffer could
not be sent to the client, the server was just failing. Instead, the server
must keep track of how many encrypted bytes were sent. If all of the
encrypted bytes could not be sent, we must return the appropriate error
to the caller to let them know the operation would block. The caller in
this case is the write_function() which does a poll() to see if the socket
is available for writing again, then will attempt the send again.
I also cleaned up usage of the various Debug macros.
Finally, I discovered that the sasl init code was calling config_get_localhost()
before that value could be set. In most cases, it is ok, because it will
fall back to the default hostname from the system. However, if for some
reason you want to use a different localhost, it will fail. Now it will be
set in the bootstrap config code.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
| |
Pre-hashed passwords may not use the standard internal salt length. The old
ldif base64 decode function would return the number of bytes in the decoded
string - the new NSPR function does not. We can't use strlen on the decoded
value since it is binary and may contain nulls. The solution is to use a
function to calculate exactly how many bytes the encoded string will have
when decoded, taking into account padding. Since we know exactly how many
bytes are decoded, and we know exactly how many bytes of that decoded value
are the hash, the remainder must be the salt, however many bytes that is.
I tested this code with salt lengths from 1 to 99.
Reviewed by: nkinder (Thanks!)
| |
The commit a26ba73fb5040383c27872997bc07ab0c2006459 made to fix the bug 509472
put the assertion at the wrong place. It should be applied just for the worker
thread.
| |
This adds centralized start, stop, and restart scripts
for ns-slapd. These scripts live in the sbin directory
and will act upon all instances if an instance identifier
is not specified (similar to the init script). The
instance specific scripts have been modified to call the
new centralized scripts.
The instance specific parameters needed by the new scripts
are located in the instance specific initconfig scripts,
which are now created by setup-ds.pl with values mapped
from the inf file.
| |
modifying attributes with subtypes
Andrey Ivanov (andrey.ivanov@polytechnique.fr) pointed out my previous
check-in for bug 506786 had inefficient code. To determine whether
to delete an equality index key or not, the code checks whether the key still
exists in the value array having the same attribute type. The check
should be done as soon as one value is found in the value array instead
of checking through all of them.
| |
Reviewed by: nkinder (Thanks!)
| |
The vendor, brand, and capbrand are set in configure - we should use those
everywhere rather than have to run some sort of script over the code to
change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND
to the default defines passed to the compiler, and changed the code to use
these defines. And instead of the unintuitively named PRODUCTTEXT macro,
we should use the already defined PRODUCT_VERSION.
This allowed me to get rid of some code. The version was from a generated
file called dirver.h which we don't need anymore, and we don't need the perl
script dirver.pl which generated it.
The vendor string was coming from the dirlite header file. So I also used this
as an excuse to get rid of all references to dirlite once and for all (yay!).
For the places in plain text files which are not substituted, I just used the
generic name Dirsrv or Directory Server instead of having an explicit brand
and/or version in there.
Reviewed by: nkinder (Thanks!)
| |
modifying attributes with subtypes
When attribute value pairs that are identical except for subtypes exist
in an entry, if one of the pairs is deleted, it should not affect the
index in which the attribute value is the key.
e.g.,
mail: abc
mail;en: abc
mail;fr: xyz
removing mail=abc or mail;en=abc, should not remove =abc from the
mail.db#.
This fix uses the value array evals to determine if the equality key
in the index should be deleted or not. The value array evals stores
the values of the attribute in the entry after the deletion is done.
If evals is empty, it means the to-be-deleted attribute value pair is
the only pair in the entry. Thus, the equality key can be removed from
the index.
If evals has values, then the to-be-deleted attribute (curr_attr,
which was retrieved from the old entry) value needs to be checked if
it's in evals or not. If it is in evals, the equality key is still
used by other pair(s). So, leave it. Otherwise, the key can be
removed.
In the above example, let's assume removing mail=abc. evals holds
{"abc", "xyz"}. curr_attr abc is in evals, thus =abc will not be
removed.
| |
db2index all (internally, called upgradedb) reads through the main db
id2entry.db# and reindexes all the associated indexed attributes. The
reindex borrows the import code where the entry id is newly assigned.
The new entry id's are connective. On the other hand, entry id's of the
entries in the db to be reindexed are not. The borrowed import code
assumes the entry id and the index of the fifo are tightly coupled and
the timing when the writing to and reading from the fifo are calculated
based upon the assumption.
The assumption should have been revised so that the entry id which is
available up to is kept in ready_EID in the job structure and entry id from
each entry (entry->ep_id) is compared with ready_EID instead of ready_ID
that holds the sequential number.
Additionally, I eliminated unused variable "shift" from import_fifo_fetch.
Also, _dblayer_delete_instance_dir cleans up files and directories, recursively.
| |
estimate of total no of entries are same
The code processing search results was returning the PAGE END without
knowing whether there are more entries to return or not. To learn it, introduced
"read ahead" of one entry when it comes to the PAGE END. If there are more
entries, the code undoes the read ahead, which prompts for the next page
on the client side. If there are no more entries, it returns the status
SEARCH END instead of PAGE END.
In addition to the read ahead implementation to fix the bug 513916,
* supporting Simple Paged Results for chaining backend is added.
* fixed a bug in idl_new_fetch (idl_new.c) -- idlistscanlimit was not
checked when the cursor comes to the end of an index file.
| |
DNA doesn't handle multiple mods to a managed attribute
in the same modify operation properly. If an operation
such as deleting a managed value triggers generation, we
aren't checking if another mod in the same operation is
actually adding a new value. This triggers us to generate
a value when we really shouldn't. The fix is to unset the
generate flag if we find a subsequent mod to the same
managed type. It will be reset if we truly need to
generate a new value.
| |
%rootdn% (Directory Manager) has all rights on every entry by nature.
Thus, it is not needed to give any acis. This template has several
groupOfUniqueNames objects which MUST have uniqueMember. At this
moment, there is no entry which could be a uniqueMember. Just to
satisfy the objectclass, set %rootdn% to uniqueMember of the objectclass.
| |
syntax attributes.
The selfwrite ACI keyword currently only applies when writing to attributes
using the Distinguished Name syntax. It needs to also work with the Name And
Optional UID syntax since that is the syntax used for the uniqueMember
attribute.
| |
If you have an ACI with multiple macros in it and the second attribute does not
exist in the entry you are bound as, the in-memory list used for macro
substitution is free'd twice.
The code hands the charray it plans to return after substitution over to
a working list, but it doesn't set the return list to NULL. When the second
macro attribute is not found, the working list is free'd, yet the address is
returned to the caller, who then tries to free the list a second time. The fix
is to set the list to be returned to NULL when the memory is handed over to the
working list.
| |
Since per entry-response controls are ignored by the ldapsearch client,
we are getting rid of the unnecessary write_controls calls for Simple Paged
Results and GER.
| |
This adds support for the newly proposed LDAP Dereference feature (not to
be confused with alias dereferencing). The details of the proposed feature
can be found here:
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/doc/drafts/draft-masarati-ldap-deref-xx.txt
This adds a new deref plugin to the directory server. This is a pre op search
plugin. In order to allow the plugin to rewrite the controls sent back with
each entry, I changed the way pre-search and pre-entry plugins work. They now
have the ability to alter the entry and controls just before being sent back
to the client.
This plugin does not currently support internal operations. It should be easy
to add a call to register the plugin for internal ops if we need to do that.
The code supports real, computed (e.g. memberOf), and virtual attributes
both as the attribute to dereference and in the list of attributes to return
from each dereferenced entry. This will allow us to use attributes such as
nsRole as the derefattr.
Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients.
valgrind output is clean
| |
Based on RFC2252, NameAndOptionalUID = DistinguishedName [ "#" bitstring ]
| |
The aci attribute is currently defined with a syntax of IA5 String.
This syntax only allows 7-bit characters. Now that the server has
support for syntax validation, this would prevent one from using
international characters in aci rules. This patch defines the aci
attribute with the Directory String syntax, which allows any valid
UTF8 character.
| |
This reverts commit 1e3138f1d41562d6f42a8fdf0934af23219bb8e1.
Misunderstood nsslapd-lookthroughlimit. Regardless of the filter test result,
once hit the lookthroughlimit, search should be aborted there. That's what
the original code does and that is correct.
| |
SPR returns one page in one operation. Let the search_result_set keep the
current sizelimit and make the sizelimit work beyond operations.
| |
When sort request control is given, even if the search result is NULL,
sort response control should be created and passed to the client.
| |
First cut for implementing Entry USN.
See http://directory.fedoraproject.org/wiki/Entry_USN for the design details.
This change includes a bug fix for "db2ldif -r"; event queue system was not
shutdown before the plugins are closed, which could have crashed the command
line utility.
| |
When filter test is necessary against the search results and the test fails,
lookthroughcount attached to the search result structure should have been
decremented since the entry will not be sent to the client, but it was not.
This change fixes it.
| |
The DN used by the ns-newpwpolicy script to refer to the pwpolicy
subentries are not legal. We need to escape ',' chars in the value
instead of just trying to use double-quotes around the value.
| |
_cl5DBOpen removes a changelog db if there is no matching replica for the file.
The manner to remove the changelog db file was not good -- not using the API
that Berkeley DB provided, but removing it with NSPR delete function PR_Delete.
This fix replaces PR_Delete with the Berkeley DB API dbremove.
| |
When importing an ldif with pre-encrypted attributes, we
need to skip the syntax check to avoid the import of those
entries being skipped. The fix makes a copy of an entry
with encrypted attributes, removes the encrypted attributes,
and uses this trimmed copy for the syntax check.
| |
This patch updates and reorganizes our core schema to follow
the most recently defined standards. The layout of the core
schema files is as follows:
00core.ldif - RFC 4512, RFC 4519, LDAP Subentry Internet Draft
01core389.ldif - 389 specific schema (required to start server)
02common.ldif - 389 specific schema (highly recommended,
Changelog Internet Draft, plug-in schema)
05rfc2927.ldif - MIME Directory Profile for LDAP Schema
05rfc4523.ldif - Schema Definitions for X.509 Certificates
05rfc4524.ldif - Cosine LDAP/X.500 Schema
06inetorgperson.ldif - RFC 2798 (pulls in RFC 2079 and part of
the obsolete RFC 1274 due to required attributes)
There are still a handful of syntaxes that we don't support, so
I've substituted syntaxes for about 15 attributes. The schema and
DIT related description syntaxes are not supported, so I've used
the "Directory String" syntax instead in 00core.ldif. The
certificate syntaxes defined in 4523 are not supported, so I've
used the "Octet String" syntax instead. All of these deviations
are commented with a "TODO" listing the syntax that we need to
implement.
I have also updated the Mozilla address book schema to the latest
from upstream for a minor bug fix. I changed the nsSymmetricKey
attribute to use the "Octet String" syntax since the "Binary"
syntax is deprecated.
| |
Unsalted password comparison was broken by the switch from using the ldif base64 function to using the NSPR base64 function. The old function used to return the number of bytes. The new one does not. The code was assuming there was
always a salt, but this is not the case. Now, the code determines if there
is a salt by comparing the calculated length (hash_len) with the actual number
of bytes in the hash (shaLen).
Reviewed by: nhosoi (Thanks!)
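
The length calculation this commit and the earlier pre-hashed password commit describe, as an added example that is not the project's code: the decoded size is derived from the encoded string and its padding, and whatever follows the digest is the salt. The function names, the fixed SHA-1 digest length and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20 /* digest bytes in a SHA-1 based stored password */

/* Exact decoded size of a padded base64 string; 0 if the length is invalid. */
size_t b64_decoded_len(const char *enc)
{
    size_t n = strlen(enc);
    if (n == 0 || n % 4 != 0)
        return 0;
    return n / 4 * 3 - (enc[n - 1] == '=') - (enc[n - 2] == '=');
}

static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Decode enc into out (capacity cap); returns bytes written or -1. */
long b64_decode(const char *enc, unsigned char *out, size_t cap)
{
    size_t n = strlen(enc), want = b64_decoded_len(enc), o = 0;
    if (want == 0 || want > cap)
        return -1;
    for (size_t i = 0; i < n; i += 4) {
        unsigned long v = 0;
        int pad = 0;
        for (int j = 0; j < 4; j++) {
            int d = b64_val(enc[i + j]);
            if (enc[i + j] == '=') {
                if (i + 4 != n || j < 2) /* '=' may only end the last group */
                    return -1;
                pad++;
                d = 0;
            } else if (d < 0 || pad) {
                return -1;
            }
            v = (v << 6) | (unsigned long)d;
        }
        out[o++] = (unsigned char)(v >> 16);
        if (pad < 2) out[o++] = (unsigned char)(v >> 8);
        if (pad < 1) out[o++] = (unsigned char)v;
    }
    return (long)o;
}

/* Decode a stored value and locate its salt: the bytes after the digest.
 * Returns the salt length (0 = unsalted) or -1 if malformed or too short. */
long split_salt(const char *enc, unsigned char *buf, size_t cap,
                const unsigned char **salt)
{
    long len = b64_decode(enc, buf, cap);
    if (len < SHA1_LEN)
        return -1;
    *salt = buf + SHA1_LEN;
    return len - SHA1_LEN;
}

/* Constructed samples: an all-zero 20-byte "digest", alone and followed by
 * the 4-byte salt 73 00 6c 74 (note the embedded NUL byte). */
static const char UNSALTED[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAA=";
static const char SALTED[]   = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AABz" "AGx0";

int main(void)
{
    unsigned char buf[64];
    const unsigned char *salt;
    long n = split_salt(SALTED, buf, sizeof buf, &salt);
    /* strlen stops at the first NUL, so it cannot measure binary output */
    printf("salted: %ld salt bytes, strlen sees %zu\n", n,
           strlen((const char *)buf));
    printf("unsalted: %ld salt bytes\n",
           split_salt(UNSALTED, buf, sizeof buf, &salt));
    return 0;
}
```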
| |
This adds support for the following standard syntaxes, complete
with validation functions:
Bit String
Delivery Method
Enhanced Guide
Facsimile Telephone Number
Fax
Guide
Name And Optional UID
Printable String
Teletex Terminal Identifier
Telex Number
This patch does not change the schema to use any of these syntaxes
yet. That will come when we update to the current versions of the
standard schema from the LDAP RFCs.
I also fixed an error in makefile.am where Setup.pm was listed
twice in perl_DATA.
| |
The current attrcrypt is failing because it attempts to store the encryption
symkey in the nsSymmetricKey attribute. This attribute is not defined in the
schema, so it defaults to DirectoryString syntax. Storing the value then fails
syntax validation because the binary values in the key do not conform to
DirectoryString. The code was poorly designed to handle and report errors of
this nature. The real fix is to add nsSymmetricKey as a BINARY syntax
attribute. I also cleaned up the error detection and reporting for this case.
Reviewed by: nkinder (Thanks!)
| |
valgrind is a very useful tool - however, the directory server produces a lot
of false positives that have to be suppressed in order to get to the useful
information. These patches attempt to reduce some of that noise.
1) aclparse - should calculate the length of the string _after_ trimming the
spaces
2) something about random number generation causes some of the bits to be uninitialized, and valgrind doesn't like it - this patch doesn't eliminate the error, just reduces it
3) use initialized memory when generating hashes - also remove "magic numbers"
4) bin.c - slapi_value_get_string must not be used with unterminated (binary) values
5) we get these odd valgrind reports from deep within bdb about invalid reads and uninitialized memory - I thought perhaps because we were initializing DBT structures with = {0} which the bdb docs says is not sufficient - they recommend memset or bzero
6) There are some small memory leaks during attrcrypt initialization and in error cases
7) error message in ldif2ldbm.c was attempting to print the Slapi_DN structure rather than getting the char *dn
8) After we call NSS_Initialize, we must call the NSS shutdown functions to clean up the caches and other data structures, otherwise NSS will leak memory. This is harmless since it happens at exit, but valgrind reports hundreds of memory leaks. The solution is to make sure we go through a single exit point after NSS_Initialize. This means many places that just called exit() must instead return with a real return value. This mostly affected main.c, detach.c, and a couple of other places called during startup.
9) minor memory leaks in mapping tree initialization
10) sasl_map.c - should not call this in referral mode
11) minor memory leaks during ssl init
Reviewed by: nkinder, nhosoi (Thanks!)
| |
This cleans up all of the compiler warnings produced with -Wall on RHEL/Fedora platforms.
The warnings about the %lld and %llu formats are still produced and cannot be helped.
Reviewed by: nkinder (Thanks!)
| |
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
| |
1) Commit 281f14adb012a54d8b10c9d51dbce6f5c6f3e549 was based on the wrong
observation and testing. Backing off the change.
2) Search result set is retrieved from pblock and used for simple paged results.
When the search result set is released, the address stashed in pblock should
have been set NULL not to access the address again.
| |
When "dnaMaxValue" is set to "-1" or omitted from a range configuration entry
(which defaults to "-1" internally), the "dnaNextValue" attribute is not
updated in the range configuration entry when a value is allocated from that
range.
We were only updating the configuration entry if the new nextvalue was >=
the maxval plus the interval (1). We need to check if the maxval is -1
specifically, and update the config entry if so.
| |
There was a contention between the connection table cleanup thread (main)
and the search thread. The cleanup code should have been protected by
the same mutex we do in the paged result code (c_mutex).
| |
Bug description: If a group has more than 32767 members (max short),
a variable 'n' declared as short overflows. The value is used to calculate an
array size to store group member info, which memory is not properly allocated
and it ends up crashing the server.
Fix description: Replaced the problematic short variable type with integer.
Plus, each member info was storing a pointer pointing to an element inside
of the array. When the array is "realloc"ed, it's possible for the addresses
to be relocated. To solve the problem, the new code stores the index of array
instead of the address.
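
The two parts of this fix, shown as an added example that is not the project's code: a count wide enough for more than 32767 members, and links between elements stored as array indices so they stay valid when realloc moves the block. The struct layout and function names are hypothetical, and the member data is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NO_PARENT ((size_t)-1)

struct member {
    int    id;      /* constructed payload */
    size_t parent;  /* index into the array, never a pointer into it */
};

struct member_list {
    struct member *v;
    size_t n;       /* a short here would wrap once n passes 32767 */
    size_t cap;
};

/* Append a member linked to an existing one; returns the new index,
 * or NO_PARENT on a bad parent, size overflow or allocation failure. */
size_t ml_add(struct member_list *ml, int id, size_t parent)
{
    if (parent != NO_PARENT && parent >= ml->n)
        return NO_PARENT;
    if (ml->n == ml->cap) {
        size_t ncap = ml->cap ? ml->cap * 2 : 16;
        /* refuse capacities whose byte count would overflow size_t */
        if (ncap < ml->cap || ncap > SIZE_MAX / sizeof(struct member))
            return NO_PARENT;
        struct member *nv = realloc(ml->v, ncap * sizeof(struct member));
        if (nv == NULL)
            return NO_PARENT;   /* the old block is still valid */
        ml->v = nv;             /* block may have moved; indices still hold */
        ml->cap = ncap;
    }
    ml->v[ml->n].id = id;
    ml->v[ml->n].parent = parent;
    return ml->n++;
}

/* Number of parent links between index i and its root. */
size_t ml_depth(const struct member_list *ml, size_t i)
{
    size_t d = 0;
    while (i < ml->n && ml->v[i].parent != NO_PARENT) {
        i = ml->v[i].parent;
        d++;
    }
    return d;
}

/* Build a chain of count members, each linked to the previous one. */
size_t build_chain(struct member_list *ml, size_t count)
{
    size_t prev = NO_PARENT;
    for (size_t i = 0; i < count; i++) {
        prev = ml_add(ml, (int)i, prev);
        if (prev == NO_PARENT)
            return NO_PARENT;
    }
    return prev;
}

int main(void)
{
    struct member_list ml = {0};
    size_t last = build_chain(&ml, 40000);  /* more than SHRT_MAX members */
    printf("members=%zu depth=%zu\n", ml.n, ml_depth(&ml, last));
    free(ml.v);
    return 0;
}
```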
| |
This patch implements a linked attribute plug-in. Details of the
plug-in features and design are available on the 389 wiki at:
http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
In addition, I encountered a memory leak when testing the new plug-in
with valgrind. There was a fix to the dse add code for a double free
a few months back, which causes a leak in certain situations. This
previous fix was for bz#489763. The proper thing to do is to make
the dse backend add function consume the passed in entry upon success
and leave it for the caller to deal with upon failure. This is the
way the back-ldbm add function works.
| |
Summary: Access log reports 'notes=U' for VLV indexed searches if there are no records to be found
Fix Description: VLV creates an empty IDL if no matched entries are found. To do so, VLV code was calling idl_alloc with argument 0, which generated ALLID. It's changed to call idl_alloc with 1. It creates a normal empty IDL.
| |
Fix Description: unescape parenthesis in the regular expression.
E.g., ^u:\(.*\) ==> ^u:(.*)
This unescape is necessary for the new regex code using PCRE
to keep the backward compatibility.
| |
This patch consolidates the functionality of read_function and secure_read_function into a single read_function that deals with NSPR PRFileDesc objects. It does the same for write_function and secure_write_function. Since there is only one write function, there is no need to push a separate secure read/write function to the lber layer - importing the prfd into ssl (SSL_ImportFd) does that.
I've also added some more debugging.
Reviewed by: nkinder (Thanks!)
| |
This is part of the port to OpenLDAP, to simplify the code that
interacts with the BER I/O layer. Ideally, since we only deal
with NSPR I/O, not raw I/O, in the directory server, we can push
any additional layers, such as SASL, as NSPR I/O layers. This
is how NSS works, to push the SSL codec layer on top of the regular
NSPR network I/O layer.
Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv
(sasl_io_recv), and PR_Write (sasl_io_write).
This simplified the code in saslbind.c and connection.c, and removed
special handling for SASL connections - now they are just treated as
regular NSPR connections - the app has not nor does not need to know
the connection is a SASL connection.
In addition, this gives us the ability to use SASL and SSL at the same
time. The SASL I/O layer can be pushed on top of the SSL layer, so
that we can use SSL for connection encryption, and SASL for authentication,
without having to worry about mixing the two.
Reviewed by: nkinder (Thanks!)
Platforms tested: RHEL5 x86_64, Fedora 9 x86_64
| |
1) Fixing compiler warnings on regex.c.
2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.