| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| | |
'FedoraDirSvr_1_1_3_20080924'.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Bug Description: The Windows Sync API should have plug-in points - part 3
Reviewed by: nkinder (Thanks!)
Fix Description: It turns out I was a little bit too aggressive in removing memory leaks, and broke outbound modify processing. I should not have freed new_dn since it is used elsewhere. There was an earlier memory leak related to the way new_dn was initialized, but that was fixed elsewhere. The real fix is this:
- slapi_sdn_free(&new_dn);
The other fixes are lots of log messages I added to help debug this problem.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - plugin guide
|
|/
|
|
| |
Summary: Make DNA plug-in auto-extended exhausted ranges.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: The Windows Sync API should have plug-in points - part 2
Reviewed by: nkinder (Thanks!)
Fix Description: Some additional changes to the api
The modify callbacks were not sufficient to handle all cases. We need to have access to the DS entry. This changes the API to add the DS entry to the modify callbacks. I also had to change the handling of the userAccountControl - it cannot just overwrite the value, it must set the appropriate bit in the bit mask.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - plugin guide
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: replica_generate_next_csn opcsn adjustment errors during concurrent MMR load
Reviewed by: nhosoi (Thanks!)
Fix Description: In csngen_adjust_time, even if the time diff <= remote_offset, we still need to
keep track of it and use it so that we generate CSNs that have the same
timestamp as the remote CSN. We use the local_offset to store that time diff.
This sort of fits the semantics of local_offset as the diff is usually caused
by the sampled time update thread running slightly behind, not in sync with the remote server.
The code in _csngen_adjust_local_time will take the local_offset into
consideration when updating the sampled time. One thing we have to be careful
of is to _not_ reset the sequence number if the new generated time will be the
same as the old generated time. If the old time is the same as the new time,
we have to preserve the sequence number so that the next CSN generated will be greater than the previous one.
The sequence number must be reset if
the time was increased. The right thing to do is set the sequence number to
the remote sequence number + 1, in the case where we have advanced the time.
If we have not advanced the time, we can't make the sequence number less,
because we would then issue CSNs less than or equal to CSNs already issued.
In csngen_adjust_time, we have to take care to reset the seqnum properly - if the new timestamp is greater than the old timestamp, we
set the sequence number to be the remote + 1, regardless of whether or not the
remote seq is < or > than the current seq.
With this patch, running the replication stress test, I do not see any time
skew, I do not see any generate_next_csn error messages, I do not see any
duplicate or retrograde CSN issuance.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: various valgrind reported startup memory leaks
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: These memory leaks are not serious, but they do create a lot of noise in
valgrind.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: The Windows Sync API should have plug-in points
Reviewed by: nkinder (Thanks!)
Fix Description: Some additional changes to the api
1) added plugin points for begin update, end update, and agreement destruction
2) added debugging code to allow a regular DS to stand in for AD
3) fixed a couple of minor memory leaks
4) added the rest of the SLAPI DSE code to the public API to allow plugins to do dynamic configuration using the SLAPI public API
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - plugin guide
|
|
|
|
| |
debugging tools
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leaks in check_trivial_words, check_pw_storagescheme_value
Reviewed by: nkinder, nhosoi (Thanks!)
Branch: HEAD
Fix Description: The first leak happens when password policy is active and trivial words
checking is being used, and the password is being modified. When getting the
list of attribute from the existing entry in the modify case, the function
slapi_attr_get_valueset is used - this function makes a duplicate of the
valueset and overwrites the valueset argument. The fix is to move the allocation of vs until after the call to slapi_attr_get_valueset, and only allocate it if it is non NULL.
The second leak happens when the password storage scheme is changed. The
function check_pw_storagescheme_value uses pw_name2scheme to check the given
scheme - this function allocates a struct pw_scheme * which must be freed with
free_pw_scheme.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: already covered by acceptance tests
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leaks in index code doing indexed & range & matching rule searches
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This leak occurs when doing ranged, indexed searches. The code calls
index2prefix to get the index prefix. In the case of a matching rule search,
this prefix is allocated. The function free_prefix was not being called in all
cases.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leaks in valueset code
Reviewed by: nkinder,nhosoi (Thanks!)
Branch: HEAD
Fix Description: The first leak occurs when you are using replication and you add values to an
attribute that were previously deleted - that is, the values that you want to
add are on the attribute's deleted values list and are being "resurrected".
This leak is caused by an improper bit test (foo & bar|baz). The or | has
higher precedence and is evaluated first. The fix is to use parentheses (foo &
(bar|baz)). Note that this issue was flagged by the compiler gcc with -Wall.
The second leak is caused when several values are being added to an attribute,
and the list contains non-sequential duplicate values (e.g. foo, bar, baz,
foo). The code uses an array of Slapi_Value* called keyvals. When a valid
value is found, the Slapi_Value* is moved from keyvals to valuetreep and the
keyvals array index is set to NULL. This array is passed to valuearray_free to
free the individual Slapi_Value* and the array itself. This works fine in the
non-error case because there are no Slapi_Value* elements to free, so it just
frees the array. However, in the duplicate value case, some of the elements
have already been set to NULL, so those are skipped over by valuearray_free.
The fix is to introduce a new function valuearray_free_ext that takes an
additional argument which is the array index to start freeing from. That way
the non-NULL Slapi_Value* elements can be freed along with the array itself.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leaks in ids_sasl_user_search
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This leak occurs when we use the new regex based identity mapping to lookup the
user bind dn based on the given user and user realm. There is a pblock allocated but not freed.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leak setting password with passwd extop
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: 1) if the given dn is "", that 1 byte will be leaked when the dn is reassigned
to the bind dn - so free it first in that case before reassigning
2) calling slapi_pblock_get with SLAPI_CONN_DN does a strdup, which is
different than most uses of slapi_pblock_get. That memory must be freed. So we free it at the end.
3) If we set the ORIGINAL_TARGET to a dn other than the given dn, we must free
it - grab it and compare it to dn - if not the same, free dn first, then free the original target dn
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Memory leak setting new password storage scheme
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: In config_set_pw_storagescheme, new_schema is allocated in both the non apply
and the apply case, but it is only freed in the apply case. The solution is to free it in the non apply case.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: SASL bind can leak credentials in some cases
Reviewed by: nkinder, nhosoi (Thanks!)
Branch: HEAD
Fix Description: There is this call in saslbind.c line 767:
/* can't do any harm */
if (cred->bv_len == 0) cred->bv_val = NULL;
apparently in some cases, cred bv_len is 0 but cred->bv_val is not-null. This
causes a leak of cred->bv_val.
The fix is to make sure cred->bv_val is freed if bv_len is 0. This should
catch all cases where this erroneous assumption is made.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
| |
Bug Description: GER: allow GER for non-existing entries (phase 2)
Reviewed by: nhosoi (Thanks!)
Fix Description: There are a couple of memory leaks in the code. acleffectiverights.c line 617 calls slapi_attr_get_valueset to get the list of objectclass values in objclassvals - this function allocates memory (returns a dup of the list) but this is not freed. The fix is to call slapi_valueset_free() to free it. The allattrs and opattrs arrays are not freed in all conditions. The fix is to make sure they are freed in all conditions.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
|
|
|
|
| |
Summary: Don't log SORT control message for internal operations.
|
|
|
|
|
|
|
|
|
| |
Description: approx search accidentally fails with timelimit although it hasn't hit timelimit.
Fix Description: string_filter_approx used to simply return the return value from
strcmp. The value could be evaluated as LDAP RETURN CODE.
string_filter_approx is a static function and it's called only from
string_filter_ava. The function returns -1 when it fails. Thus, adjusting the
return value of string_filter_approx to the caller function.
|
|
|
|
|
| |
Bug Description: The Windows Sync API should have plug-in points
Fix Description: forgot to add #include "winsync-plugin.h"
|
|
|
|
| |
Summary: Don't perform a sorted range search in the DNA plug-in if a prefix is configured.
|
|
|
|
|
| |
Summary: RFE: search optimization and single character substring searches
Fix Description: missing close comment
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: The Windows Sync API should have plug-in points
Reviewed by: nkinder (Thanks!)
Fix Description: Several plug-in points have been added to the windows sync code, available to regular plug-ins that register with the winsync api via the slapi api broker interface. winsync-plugin.h documents the use of these along with some example plug-in code. The windows private data structure has been extended to add two additional fields:
raw_entry - the raw entry read from AD - this is passed to several plug-in callbacks to allow them to have access to all of the attributes and values in the entry in case further processing is needed. This required a change to the function that reads the entry, to have it save the raw entry read each time from AD, in addition to the "cooked" entry it passes back to the caller.
api_cookie - this is the plug-in private data passed back to each plug-in callback and allows the plug-in to specify some additional context
Both of these are stored in the private data field in the agreement, so some of the existing functions had to be changed to pass in the connection object or the protocol object in order to gain access to the agreement object.
There were several small memory leaks in the existing code that have been fixed - these are the places where a free() function of some sort has been added. Also the usage of slapi_sdn_init_dn_byval leaked - slapi_sdn_new_dn_byval must be used here instead - cannot mix slapi_sdn_new with slapi_sdn_init*
I also cleaned up several compiler warnings.
The slapi changes are not strictly necessary, but they provide some conveniences to the winsync code and to plug-in writers. The good thing is that they were already private functions, so mostly just needed to have public api wrappers.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
| |
Summary: GER: allow GER for non-existing entries (phase 2) (comment #6)
Description: additional fix for the previous checkin.
Not just checking if dn is NULL or not, but also checking the length of dn is
greater than 0. If both conditions are satisfied, locate the template entry at
the dn.
|
|
|
|
|
|
|
|
| |
Summary: GER: allow GER for non-existing entries (phase 2) (comment #3)
Description: get the target dn from the pblock and add it to the template entry
dn if available. Plus a memory leak was found and fixed at the same time.
Following the suggestion from Nathan, the "dummy" attributes are replaced with
"(template_attribute)".
|
|
|
|
| |
Summary: Make better use of cached DNA config information
|
|
|
|
| |
Summary: Use a separate new value lock for each DNA managed range.
|
|
|
|
| |
Summary: Load the dnaFilter config attribute properly.
|
|
|
|
|
|
| |
Summary: DN Rename with case change only fails
Description: The modrdn operation allows the source dn and the target dn are
identical or the same except the cases.
|
|
|
|
|
|
|
|
|
| |
Summary: GER: supporting "dn" and extensible object class is missing
Description:
1. Extensible object class cannot use the schema info. Evaluate existing
attributes with no schema check.
2. dn is not an attribute belonging to an entry, but treat is as it is if it's
given as a part of the attribute list.
|
|
|
|
| |
Summary: Merge in DNA plug-in code from FreeIPA
|
|
|
|
|
|
|
| |
Summary: GER: attribute types which do not belong to an entry should not be returned with effective rights
Description: when an attribute was given to the search request and the attribute
in the list does not belong to the entry, it was returning "*:none", which was
not true. The star should be the attribute type.
|
|
|
|
|
|
|
|
|
| |
Bug Description: RFE: search optimization and single character substring searches
Reviewed by: nhosoi (Thanks!)
Fix Description: When generating the index keys for a filter assertion, the key length must correspond to the position of the key in the assertion string. That is, the filter mail=jreu* should generate the first key based on the key len for the initial key, then the remainder of the keys based on the substring key len. So if the initial key len is 2, and the middle key len is 3, these keys should be generated - "^j", "jre", "reu". Noriko found a problem with my original patch - I needed to increment the nsubs number rather than simple assignment. With this patch, the filter tests and spaceinsens tests pass.
Platforms tested: Fedora 8
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
| |
Summary: attacker can tie up CPU in regex code (comment #11)
Description: string_filter_sub always expected SLAPI_SEARCH_TIMELIMIT and
SLAPI_OPINITIATED_TIME were set in pblock, but it was not true. Fixed to check
the container of these values first, and retrieve them only if the container is
in the pblock. Otherwise, set -1 to timelimit (no timelimit).
|
|
|
|
| |
Summary: Don't use Slapi_Mod on the stack.
|
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: cleaned up compile warnings.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: RFE: search optimization and single character substring searches
Description: extended the substring key to have 3 types:
* begin (e.g., *^a)
* middle (e.g., *abc)
* end (e.g., *xy$)
* Usage: turn an index object to extensibleobject and set an integer value as
follows:
* dn: cn=sn, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
* objectClass: extensibleObject
* nsSubStrBegin: 2
* nsSubStrMiddle: 3
* nsSubStrEnd: 2
* [...]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: RFE: search optimization and single character substring searches
Description: extended the substring key to have 3 types:
* begin (e.g., *^a)
* middle (e.g., *abc)
* end (e.g., *xy$)
* Usage: turn an index object to extensibleobject and set an integer value as
follows:
* dn: cn=sn, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
* objectClass: extensibleObject
* nsSubStrBegin: 2
* nsSubStrMiddle: 3
* nsSubStrEnd: 2
* [...]
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Lack of manpages
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: This adds man pages for the command line utilities. The configure.ac diffs were a little bit tricky - apparently, mandir is not set to a correct default value, so we have to make sure we set a reasonable default value it if the user has not set it (e.g. rpmbuild will override it with --mandir=something).
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: leak in bitwise plugin
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The bitwise plugin should first check to make sure the requested OID is one that it can handle.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
| |
Branch: HEAD
Fix Description: Set SO_REUSEADDR to make sure the port is really available.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: setup-ds.pl password prompt loops in Confirm prompt
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Just make sure the prompt tells the user that they can hit Control-B Enter at any time to go back if they need to re-enter the password.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Unhandled error during setup: Could not import LDIF file
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This doesn't allow you to re-prompt for the file, but this will at least cause setup to output a sensible error message if it detects that the given LDIF file is not readable.
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: rhds80 console - create new instance fails (only) after admin server restart
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: The problem was that the temp LDIF file used to init the new database was not created with the proper mode and ownership, so slapd could not load it. The fix is to make sure the ownership and mode is correct.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Cannot setup ds with remote config DS
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This fix has two main parts. The first part is to fix setup. I took parts out of the 01nsroot template and put them into the templates that set up the directory server and admin server. So when those servers are registered, they will create those common entries if not present, or otherwise modify them to add the necessary information. I had to add uname_m and uname_a and some other items to the mapping files. I fixed a typo in one of the template files. I changed setup to create new directory server instances shutdown, so that when they are configured for the passthrough auth plugin, it will be working when started. Otherwise, directory servers you create with setup will not be manageable in the console until after they are restarted. This is the same way that ds_create works.
The second part of the fix is to allow people to fix "broken" installs. I added a -u (update) option to setup. This will scan for exsiting installations are re-register all servers found. The dialog flow is pretty simple - it just confirms that you want to run update mode, then asks for the config ds information, then re-registers all servers with the config ds, updating any information that is missing or outdated.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: Yes - need to document the new -u option.
|
|
|
|
| |
Summary: Use default stack size on LP64 systems.
|
|
|
|
|
|
|
|
|
| |
Summary: Directory server is caching string case for attributes with Directorystring syntax even after deletion
Description:
Introduced a new flag SLAPI_VALUE_FLAG_USENEWVALUE for valueset_remove_valuearr
to exchange the value in the deleted value set and the to be added value. With
this change, the newly added value is resurrected instead of the original
value.
|
|
|
|
| |
Summary: Add CLI for dynamic reload schema file task
|
|
|
|
| |
Summary: Redesigned algorithm used to update memberOf attribute.
|
|
|
|
|
|
|
|
| |
Summary: attacker can tie up CPU in regex code
Description: when substring search is requested, sets the time limit based upon
the nsslapd-timelimit value. Pass the timelimit (time_up) to the regular
expression function. When the time is up, it returns the "Timelimit exceeded"
error. Note: timelimit is applied non-Directory Manager users.
|