| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds support for the following standard syntaxes, complete
with validation functions:
Bit String
Delivery Method
Enhanced Guide
Facsimile Telephone Number
Fax
Guide
Name And Optional UID
Printable String
Teletex Terminal Identifier
Telex Number
This patch does not change the schema to use any of these syntaxes
yet. That will come when we update to the current versions of the
standard schema from the LDAP RFCs.
I also fixed an error in makefile.am where Setup.pm was listed
twice in perl_DATA.
|
|
|
|
|
|
|
|
|
|
|
| |
The current attrcrypt is failing because it attempts to store the encryption
symkey in the nsSymmetricKey attribute. This attribute is not defined in the
schema, so it defaults to DirectoryString syntax. Storing the value then fails
syntax validation because the binary values in the key do not conform to
DirectoryString. The code was poorly designed to handle and report errors of
this nature. The real fix is to add nsSymmetricKey as a BINARY syntax
attribute. I also cleaned up the error detection and reporting for this case.
Reviewed by: nkinder (Thanks!)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
valgrind is a very useful tool - however, the directory server produces a lot
of false positives that have to be suppressed in order to get to the useful
information. These patches attempt to reduce some of that noise.
1) aclparse - should calculate the length of the string _after_ trimming the
spaces
2) something about random number generation causes some of the bits to be uninitialized, and valgrind doesn't like it - this patch doesn't eliminate the error, just reduces it
3) use initialized memory when generating hashes - also remove "magic numbers"
4) bin.c - slapi_value_get_string must not be used with unterminated (binary) values
5) we get these odd valgrind reports from deep within bdb about invalid reads and uninitialized memory - I thought perhaps because we were initializing DBT structures with = {0} which the bdb docs says is not sufficient - they recommend memset or bzero
6) There are some small memory leaks during attrcrypt initialization and in error cases
7) error message in ldif2ldbm.c was attempting to print the Slapi_DN structure rather than getting the char *dn
8) After we call NSS_Initialize, we must call the NSS shutdown functions to clean up the caches and other data structures, otherwise NSS will leak memory. This is harmless since it happens at exit, but valgrind reports hundreds of memory leaks. The solution is to make sure we go through a single exit point after NSS_Initialize. This means many places that just called exit() must instead return with a real return value. This mostly affected main.c, detach.c, and a couple of other places called during startup.
9) minor memory leaks in mapping tree initialization
10) sasl_map.c - should not call this in referral mode
11) minor memory leaks during ssl init
Reviewed by: nkinder, nhosoi (Thanks!)
|
|
|
|
|
|
| |
This cleans up all of the compiler warnings produced with -Wall on RHEL/Fedora platforms.
The warnings about the %lld and %llu formats are still produced and cannot be helped.
Reviewed by: nkinder (Thanks!)
|
|
|
|
|
|
|
|
|
|
| |
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract way the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
|
|
|
|
|
|
|
|
| |
1) Commit 281f14adb012a54d8b10c9d51dbce6f5c6f3e549 was based on the wrong
observation and testing. Backing off the change.
2) Search result set is retrieved from pblock and used for simple paged results.
When the search result set is released, the address stashed in pblock should
have been set NULL not to access the address again.
|
|
|
|
|
|
|
|
|
|
|
| |
When "dnaMaxValue" is set to "-1" or omitted from a range configuration entry
(which defautls to "-1" internally), the "dnaNextValue" attribute is not
updated in the range configuration entry when a value is allocated from that
range.
We were only updating the configuration entry if the new nextvalue was >=
the maxval plus the interval (1). We need to check if the maxval is -1
specifically, and update the config entry if so.
|
|
|
|
|
|
| |
There was a contention between the connection table cleanup thread (main)
and the search thread. The cleanup code should have been protected by
the same mutex we do in the paged result code (c_mutex).
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug description: If a group has more than 32767 members (max short),
a variable 'n' declared as short overflows. The value is used to calculate an
array size to store group member info, which memory is not properly allocated
and it ends up crashing up the server.
Fix description: Replaced the problematic short variable type with integer.
Plus, the each member info was storing a pointer pointing to an element inside
of the array. When the array is "realloc"ed, it's possible for the addresses
to be relocated. To solve the problem, the new code stores the index of array
instead of the address.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements a linked attribute plug-in. Details of the
plug-in features and design are available on the 389 wiki at:
http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
In addition, I encountered a memory leak when testing the new plug-in
with valgrind. There was a fix to the dse add code for a double free
a few months back, which causes a leak in certain situations. This
previous fix was for bz#489763. The proper thing to do is to make
the dse backend add function consume the passed in entry upon success
and leave it for the caller to deal with upon failure. This is the
way the back-ldbm add function works.
|
|
|
|
|
| |
Summary: Access log reports 'notes=U' for VLV indexed searches if there are no records to be found
Fix Description: VLV creates an empty IDL if no matched entries are found. To do so, VLV code was calling idl_alloc with argument 0, which generated ALLID. It's changed to call idl_alloc with 1. It creates a normal empty IDL.
|
|
|
|
|
|
|
| |
Fix Description: unescape parenthesis in the regular expression.
E.g., ^u:\(.*\) ==> ^u:(.*)
This unescape is necessary for the new regex code using PCRE
to keep the backward compatibility.
|
|
|
|
|
|
| |
This patch consolidates the functionality of read_function and secure_read_function into a single read_function that deals with NSPR PRFileDesc objects. It does the same for write_function and secure_write_function. Since there is only one write function, there is no need to push a separate secure read/write function to the lber layer - importing the prfd into ssl (SSL_ImportFd) does that.
I've also added some more debugging.
Reviewed by: nkinder (Thanks!)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is part of the port to OpenLDAP, to simplify the code that
interacts with the BER I/O layer. Ideally, since we only deal
with NSPR I/O, not raw I/O, in the directory server, we can push
any additional layers, such as SASL, as NSPR I/O layers. This
is how NSS works, to push the SSL codec layer on top of the regular
NSPR network I/O layer.
Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv
(sasl_io_recv), and PR_Write (sasl_io_write).
This simplified the code in saslbind.c and connection.c, and removed
special handling for SASL connections - now they are just treated as
regular NSPR connections - the app has not nor does not need to know
the connection is a SASL connection.
In addition, this gives us the ability to use SASL and SSL at the same
time. The SASL I/O layer can be pushed on top of the SSL layer, so
that we can use SSL for connection encryption, and SASL for authentication,
without having to worry about mixing the two.
Reviewed by: nkinder (Thanks!)
Platforms tested: RHEL5 x86_64, Fedora 9 x86_64
|
|
|
|
|
| |
1) Fixing compiler warnings on regex.c.
2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.
|
|
|
|
|
| |
To avoid unnecessary ldap_mods_free for the early error_returns
which could be called before mods are set to smods.
|
|
|
|
|
|
|
|
|
| |
Our schema parser requires a space after the opening paran
when multiple SUP objectclasses are listed in the definition
of an objectclass. The RFCs show that a space is not required.
This patch simply removes the requirement that a space be
present after the opening paran.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration attribute named
nsslapd-require-secure-binds. When enabled, a simple bind
will only be allowed over a secure transport (SSL/TLS or a
SASL privacy layer). An attempt to do a simple bind over
an insecure transport will return a LDAP result of
LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not
affect anonymous or unauthenticated binds.
The default setting is to have this option disabled.
|
|
|
|
|
|
|
|
| |
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
Additional 2 unrelated changes are being made:
1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.
|
|
|
|
|
|
| |
Added the file LICENSE.GPLv2 which contains the full text
of the GPLv2 license - the file LICENSE refers to this
file.
|
|
|
|
|
|
|
|
|
| |
Reviewed by: nhosoi (Thanks!)
The problem is when the views code calls views_cache_discover_children()
and there are no children. The code should check to see if the child_count
is 0, and only attempt to alloc space for the pChildren array if the
child_count is greater than 0.
Platforms tested: RHEL5 x86_64
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Make sure we use "const" consistently
2) Make sure we use "unsigned char" consistently
for some reason (unsigned char)*p did not compare to '\xHH' literals unless the literal was also cast to (unsigned char)
3) added some missing function prototypes
4) removed some unused variables/functions, or commented out for use when debugging
5) various other compiler warnings
With all of these, the code compiles cleanly on RHEL5 x86_64 using
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44)
and
CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
The only warning now is the spurious message about %llu or %lld having the wrong format argument.
Reviewed by: nhosoi (Thanks!)
|
| |
|
| |
|
|\ |
|
| |
| |
| |
| | |
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The DN syntax has become more restrictive over time, and the
current rules are quite strict. Strict adherence to the rules
defined in RFC 4514, section 3, would likely cause some pain to
client applications. Things such as spaces between the RDN
components are not allowed, yet many people use them still since
they were allowed in the previous specification outlined in RFC
1779.
To deal with the special circumstances around validation of the DN
syntax, a configuration attribute is provided named
nsslapd-dn-validate-strict. This configuration attribute will
ensure that the value strictly adheres to the rules defined in RFC
4514, section 3 if it is set to on. If it is set to off, the server
will normalize the value before checking it for syntax violations.
Our current normalization function was designed to handle DN values
adhering to RFC 1779 or RFC 2253
|
|/
|
|
|
|
|
|
|
| |
changed brand and capbrand to 389
changed vendor to "389 Project"
I had to redo my earlier patch - I should have used the newer
automake and autoconf to reduce the size of the patch
This commit uses automake 1.10.1 and autoconf 2.63 from F10
Reviewed by nkinder (Thanks!)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This starts the effort to be able to use Doxygen to
auto-generate the SLAPI documentation.
I started documenting everything in slapi-plugin.h
from the top down. There is a TODO comment indicating
where the effort needs to be picked up from in the
header file.
To build the SLAPI docs, run "doxygen slapi.doxy" in
the top of the source tree. The resulting doc files
will be in a subdirectory named "docs". The build of
the docs still needs to be integrated with the rest of
the build.
|
|
|
|
|
|
|
| |
A change was also made to Makefile.am to avoid library versioning
for our C++ plug-in libraries. This change should allow us to use
autogen.sh on recent platforms without running into issues during
build-time.
|
|
|
|
|
|
| |
Also added numericstring syntax support.
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
|
|
|
|
| |
Summary: Corrected semaphore name used in SNMP subagent.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: LOG: the intenal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer (comment #20)
Description: In log_reverse_convert_time, by initializing "struct tm" with
NULLs:
struct tm tm = {0};
tm_isdst is also set to 0, which means no daylight saving. mktime thinks when
converting struct tm to time_t, use the knowledge "the time that the time_t
represents is not in the daylight saving period". Instead, we should have set
"tm.tm_isdst = -1;". That means, we don't have the knowledge, calculate it in
mktime.
I also fixed a silly bug in generating a rotated log file name which I
introduced in my previous checkin.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: LOG: the intenal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer (comment #20)
Description:
1) replaced PR_GetOpenFileInfo with PR_GetOpenFileInfo64 in log_getfilesize.
PR_GetOpenFileInfo does not return the correct file size if the size is
larger than 2GB.
2) when a rotation info file is missing and recreated, the file size stored
in the file was not correct.
3) rotated file name is created with the time stamp when rotated. The reverse
conversion function had a problem and the file name in the rotation info and
the real one could mismatch.
|
|
|
|
| |
NOTE: We do not have support for atomic 64-bit counters on ppc - ppc platorms use the mutex approach instead
|
| |
|
|
|
|
| |
Summary: Ensure we exit with the return code for the status command in the init script.
|
| |
|
|
|
|
|
| |
Summary: homePhone is not RFC 1274 compliant
Description: added "homeTelephoneNumber" to the NAME list of "homePhone".
|
|
|
|
|
| |
Summary: Replication Bind Failure After Migration from DS 7.1 (comment #10)
Description: changed to trim trailing slashes of oldsroot and actualsroot at the beginning.
|
|
|
|
| |
Summary: Fixup replicated schema during migration.
|
|
|
|
|
|
| |
Summary: mmldif crashes in PK11_CreateDigestContext
Description: NSS was not initialized. Since cert db, key db, or secmod db are
not needed, changed to call NSS_NoDB_Init to initialize NSS.
|
|
|
|
|
| |
Summary: move perl on solaris to a <TBD> path
Description: Changing Solaris perl path (perlexec) to /usr/lib/sparcv9/dirsec/perl5x/bin/perl.
|
|
|
|
|
|
|
|
|
| |
Bug Description: Configuring Replication Server to Server GSSAPI over TLS - attempts replication and can't stop servers
Reviewed by: nhosoi (Thanks!)
Fix Description: The agreement add code did not check the transport and bind method for compatability.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
| |
Summary: log module issues unnecessary/inaccurate syslog errors
Description:
1) don't log "Exceeded max number of logs allowed" in syslog messages. It's an
info level log, which is not appropriate to log in syslog messages.
2) when deleting an error log file failed, a wrong file name (audit log) was
printed. I also added the error code and the message why the deletion failed.
|
|
|
|
|
|
|
| |
Summary: If an independent process db2ldif rotates the error log, it crashes the server.
Description: PR_Rename failure due to the FILE_EXIST is benign. Ignore the
error and goes forward. The procedure is extended to all the log type: error,
access, and audit.
|
|
|
|
|
|
|
|
|
| |
Bug Description: Replication Bind Failure After Migration from DS 7.1
Reviewed by: nkinder (Thanks!)
Fix Description: We have to quote shell metacharacters before passing them to the shell. I added a new function shellEscape to use for this purpose. We really should shell escape anything passed to system() or back ticks ``. Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred. I also chomp() the output of migratecred to remove the trailing newline. With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
|
|
|
|
|
|
|
|
| |
Description: Bug 480869 - DS console: Can not delete DS instance
Fix Description: Create instance was broken, so no instances could be created for purposes of deletion. Create instance was printing the following error:
Unable to find Pass Through Authentication Plug-In config entry.
This is because the search for this entry in AdminUtil.pm was getting an incorrect error message - something other than "Success"
This is because the FileConn->getErrorString() method was returning "0" instead of "Success".
Platforms tested: RHEL4
|
|
|
|
|
| |
Summary: rhds80 64b el5.3 - db2ldif lock case
Description: Fixed double free, which confused the server operation and eventually crashed the server.
|