<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ds.git/ldap/schema, branch existingdir</title>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/'/>
<entry>
<title>change syntax plugins to register required matching rule plugins</title>
<updated>2010-02-17T22:05:40+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2010-02-16T22:56:59+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=ecf93e699b04d45fdfa07b12094adaab0233c47a'/>
<id>ecf93e699b04d45fdfa07b12094adaab0233c47a</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=559315
Resolves: 559315
Description: Searching some attributes are now case sensitive when they were previously case-insensitive
Reviewed by: nhosoi (Thanks!) - also added some suggested comments
I added code to allow the syntax plugins to register corresponding
matching rules.  That is, the functions that the syntax plugins use
for filter matching and key generation can also be used for matching
rules with the new wrapper code.  I added some convenience functions
and structures in the syntax plugin code to make it easier to add
matching rules in the future.  I also added a new feature to the
matching rule code - in the LDAP spec definition of matching rule, the
syntax provided in the matching rule definition is the syntax for
the _assertion value_ used with the matching rule, which is not
necessarily the same as the syntax of the _attribute values_ to which
the matching rule can be applied.  For example, matching rules that apply
to syntax DirectoryString can also be applied in some cases to
PrintableString, CountryString, and IA5String.  There are several other
cases like this as well.  I also introduced the concept of a compat
syntax that can be used with a matching rule.  The server will now
check, when reading in the schema, if the syntax and matching rules
for an attribute are consistent.
Finally, for 05rfc4523.ldif, I changed the attributes to use
octetStringMatch instead of one of the unimplemented certificate
matching rules.
</content>
</entry>
<entry>
<title>Remove blank line from 00core.ldif.</title>
<updated>2009-10-27T23:07:01+00:00</updated>
<author>
<name>Nathan Kinder</name>
<email>nkinder@redhat.com</email>
</author>
<published>2009-10-27T23:07:01+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=de638561197aedf3cd9197cc47a5acaddfc77117'/>
<id>de638561197aedf3cd9197cc47a5acaddfc77117</id>
<content type='text'>
There is an unnecessary blank line in 00core.ldif in the middle
of an entry.  This isn't causing any server issues since the line
does have a space, making it count as part of the previous attribute,
but it does throw off Mozilla::LDAP::LDIF.  The blank line should
really be removed.
</content>
</entry>
<entry>
<title>more updates - add missing rundir - remove ldapiautodnsuffix</title>
<updated>2009-10-07T15:06:21+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-10-01T21:56:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=d1214317ca2bcefd18db4e1a7414ac2a8408e5a9'/>
<id>d1214317ca2bcefd18db4e1a7414ac2a8408e5a9</id>
<content type='text'>
Some older releases did not have nsslapd-rundir - upgrading from
those releases will cause the server not to start - we must add
nsslapd-rundir if it is missing
We also got rid of nsslapd-ldapiautodnsuffix, so remove that from
the config - it doesn't hurt anything to leave it, but the error
message is annoying
I also added back a mostly truncated version of 28pilot.ldif because
some apps still use pilotObject - those apps should change to
use a different objectclass ASAP.
Tested on Fedora 11 i386 and x86_64
Reviewed by: nkinder (Thanks!)
</content>
</entry>
<entry>
<title>Add comment to 00core.ldif to explain why we changed</title>
<updated>2009-09-30T15:15:18+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-09-30T15:15:18+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=5d918968b89eb5230bbea4dc76ef36a266898c86'/>
<id>5d918968b89eb5230bbea4dc76ef36a266898c86</id>
<content type='text'>
the standard definitions of groupOfNames and groupOfUniqueNames
to allow empty groups.
</content>
</entry>
<entry>
<title>allow empty groups</title>
<updated>2009-09-30T15:00:52+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-09-30T02:45:54+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=263e072493ec249ee0176193ee8bcb1b72255720'/>
<id>263e072493ec249ee0176193ee8bcb1b72255720</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=526141
Resolves: bug 526141
Bug Description: allow empty groups
Reviewed by: nhosoi (Thanks!)
Fix Description: Change groupOfNames and groupOfUniqueNames to allow empty
groups by changing the member/uniqueMember attribute from MUST to MAY.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
</content>
</entry>
<entry>
<title>Config schema not included in core schema</title>
<updated>2009-09-30T01:50:36+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-09-29T22:55:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=de006310079abf5c93caed26d33455e22d7c7eb4'/>
<id>de006310079abf5c93caed26d33455e22d7c7eb4</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=520921
Resolves: bug 520921
Bug Description: Config schema not included in core schema
Reviewed by: nkinder (Thanks!)
Fix Description: Just had to move a few schema from 02common and 30ns-common into 01core389.ldif.  I also added 01core389.ldif to the list of schema installed
when install_full_schema=0 is specified with setup-ds.pl.  I also added these schema files to the list of schema files to upgrade.
With these changes, the server starts up fine.  The only error is this:
[29/Sep/2009:16:47:53 -0600] - Entry "cn=PAM Pass Through Auth,cn=plugins,cn=config" has unknown object class "pamConfig"
This is because the pam pass through plugin is included in the default config.  I'd rather not move that schema file.  That plugin can be removed from the default config during setup by specifying a slapd.ConfigFile directive with contents like this:
 dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
 changetype: delete
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
</content>
</entry>
<entry>
<title>Need to store additional attributes in Retro Changelog</title>
<updated>2009-08-25T19:24:12+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-08-25T19:23:16+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=177f772ec3d596028eb2a633f3ed360186df42fc'/>
<id>177f772ec3d596028eb2a633f3ed360186df42fc</id>
<content type='text'>
https://bugzilla.redhat.com/show_bug.cgi?id=504651
Resolves: 504651
Bug Description: Need to store additional attributes in Retro Changelog
Submitted by: Endi Sukma Dewata &lt;edewata@redhat.com&gt;
Reviewed by: rmeggins (thanks!)
Platforms tested: FC10 x86_64
Fix Description: The fix allows recording some user-defined attributes
from the target entry of the operation (e.g. objectGUID) and built-in
attributes generated by the plugin (e.g. isReplicated) into the change
log entry. The attributes should be specified in the configuration entry:

dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
...
nsslapd-attribute: objectGUID
nsslapd-attribute: isReplicated

The change log entry will contain the additional attributes:

dn: changeNumber=...,cn=changelog
...
objectGUID: ...
isReplicated: ...
---
</content>
</entry>
<entry>
<title>Change default branding to 389 - remove lite code</title>
<updated>2009-08-11T21:17:44+00:00</updated>
<author>
<name>Rich Megginson</name>
<email>rmeggins@redhat.com</email>
</author>
<published>2009-08-11T20:37:44+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=886d9b9f4fd9bfd72c2c9728f13b8db1ff2793b7'/>
<id>886d9b9f4fd9bfd72c2c9728f13b8db1ff2793b7</id>
<content type='text'>
The vendor, brand, and capbrand are set in configure - we should use those
everywhere rather than have to run some sort of script over the code to
change vendor, brand, version, etc.  I've added VENDOR, BRAND, CAPBRAND
to the default defines passed to the compiler, and changed the code to use
these defines.  And instead of the unintuitively named PRODUCTTEXT macro,
we should use the already defined PRODUCT_VERSION.
This allowed me to get rid of some code.  The version was from a generated
file called dirver.h which we don't need anymore, and we don't need the perl
script dirver.pl which generated it.
The vendor string was coming from the dirlite header file.  So I also used this
as an excuse to get rid of all references to dirlite once and for all (yay!).
For the places in plain text files which are not substituted, I just used the
generic name Dirsrv or Directory Server instead of having an explicit brand
and/or version in there.

Reviewed by: nkinder (Thanks!)
</content>
</entry>
<entry>
<title>Change aci syntax to Directory String.</title>
<updated>2009-07-27T22:09:04+00:00</updated>
<author>
<name>Nathan Kinder</name>
<email>nkinder@boraras.localdomain</email>
</author>
<published>2009-07-27T22:09:04+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=f3719fb98f0a04f4c4b4d87fd1e01ac4b3c03c7c'/>
<id>f3719fb98f0a04f4c4b4d87fd1e01ac4b3c03c7c</id>
<content type='text'>
The aci attribute is currently defined with a syntax of IA5 String.
This syntax only allows 7-bit characters.  Now that the server has
support for syntax validation, this would prevent one from using
international characters in aci rules.  This patch defines the aci
attribute with the Directory String syntax, which allows any valid
UTF8 character.
</content>
</entry>
<entry>
<title>Bug: 479753 - Update core schema</title>
<updated>2009-07-15T23:17:33+00:00</updated>
<author>
<name>Nathan Kinder</name>
<email>nkinder@brigittae.localdomain</email>
</author>
<published>2009-07-15T21:04:40+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/rmeggins/public_git/ds.git/commit/?id=f1b25be262ac07cd366814e4920a22f1852d737f'/>
<id>f1b25be262ac07cd366814e4920a22f1852d737f</id>
<content type='text'>
This patch updates and reorganizes our core schema to follow
the most recently defined standards.  The layout of the core
schema files is as follows:

  00core.ldif - RFC 4512, RFC 4519, LDAP Subentry Internet Draft
  01core389.ldif - 389 specific schema (required to start server)
  02common.ldif - 389 specific schema (highly recommended,
      Changelog Internet Draft, plug-in schema)
  05rfc2927.ldif - MIME Directory Profile for LDAP Schema
  05rfc4523.ldif - Schema Definitions for X.509 Certificates
  05rfc4524.ldif - Cosine LDAP/X.500 Schema
  06inetorgperson.ldif - RFC 2798 (pulls in RFC 2079 and part of
      the obsolete RFC 1274 due to required attributes)

There are still a handful of syntaxes that we don't support, so
I've substituted syntaxes for about 15 attributes.  The schema and
DIT related description syntaxes are not supported, so I've used
the "Directory String" syntax instead in 00core.ldif.  The
certificate syntaxes defined in 4523 are not supported, so I've
used the "Octet String" syntax instead.  All of these deviations
are commented with a "TODO" listing the syntax that we need to
implement.

I have also updated the Mozilla address book schema to the latest
from upstream for a minor bug fix.  I changed the nsSymmetricKey
attribute to use the "Octet String" syntax since the "Binary"
syntax is deprecated.
</content>
</entry>
</feed>
