Summary: Consistently deal with attr syntax info struct ref count when fetching and returning them to the global hashtables.
Summary: Allow attribute aliases to be used as SUP attribute in attributetype definitions.
Summary: Fixed assertion when improperly deleting syntaxinfo.
Summary: Reject pre-hashed password from unprivileged users when password syntax checking is enabled. Don't check password syntax for pre-hashed password from privileged users.
Summary: Make password modify extended operation reset expired passwords.
Summary: Slow import post-processing with large number of non-leaf entries (comment #15)
Change description:
Fixed ldbm_ancestorid_new_idl_create_index so that the ancestor key has the
value including all the descendent ids in the IDlist. The code checked in
previously only stores the direct children and their children.
Description: aRecord not defined
Summary: Make password modify extop work properly with the password policy control.
Summary: Make init script status command exit codes follow LSB standard.
Description: add sudo and hostObject schemas by default
Fix Description: added 60nss-ldap.ldif for the hostObject and other nss ldap schema
Summary: Clean up formatting of init script output.
Bug Description: DirSync interval should be configurable
Reviewed by: nhosoi (Thanks!)
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value. Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server
Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: Acceptance test: mmrepl {accept,chainonupdate} : slapd dumps core during accept_cleanup()
Reviewed by: nkinder (Thanks!)
Fix Description: Have to call ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE) after setting up the connection for client auth
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: nkinder (Thanks!)
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure. Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation.
I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot login - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
Summary: Add AUXILIARY keyword to domainRelatedObject and simpleSecurityObject definitions.
Summary: Approximate Search '~=' Returns unexpected result
Change description: increasing the maximum length of "phonetic" string from 4
to 6. The length 4 is sometimes too short to distinguish long words. For
instance, the sample string Queensland is converted to KNSLNT if there is no
limitation; Consulting is to KNSLTNK. By cutting them at the 5th character,
the 2 strings are considered to sound like each other.
Summary: Make regex filter code handle empty values properly.
Summary: Remove dependency on Term::ReadKey for password prompting in Perl scripts.
Summary: Expose internal operation flag via SLAPI.
Summary: ldapsearch with size limit (-z) doesn't work with OR filter and range search
Description:
SIZELIMIT is checked in index_range_read to eliminate the unnecessary data
retrieval. But when the filter contains a range search which is connected by
AND, then we should not do sizelimit. There was a bug in the function which
sets is_and. The flag should have been cleared only when the function set it
to 1. Instead, it was cleared each time the function is called. It let
index_range_read stop reading when it reaches sizelimit even though it should
not have.
Bug Description: winsync doesn't recognize some changes
Reviewed by: nkinder (Thanks!)
Fix Description: Before sending updates to AD, first check to see if the updates still apply. For modify/add operations, check to make sure the value to add doesn't exist. If it does, remove it from the list of values in the mod. If all values are removed, then just skip the modify/add op altogether. For modify/del ops, check to see if the attribute exists. If not, just skip the op. If it does exist, check to see if the values exist, and remove the values from the mod/del op that do not exist anymore. If all values have been removed, just skip the mod/del op.
I added a new slapi function - slapi_mod_init_valueset_byval - which will init a Slapi_Mod and init the list of values using a valueset. Fortunately there was already a function for converting a Slapi_Value** to a berval**.
I also fixed a few compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - add new function to slapi docs
Summary: Optimized fetching of remote entry when checking if a rename is needed with winsync.
Summary: Add support for synchronizing the cn attribute between DS and AD.
Summary: Memory leak in ns-slapd's Class Of Service
Fix Description: When all the necessary values for the template cache are not
available, the allocated memory should be discarded. One of them pCosPriority
was missed to release.
Bug Description: rhds accounts are disabled in ad after full sync
Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not. I modified the code to do that. I also changed the send_accountcontrol_modify to force the account to be enabled if adding it. I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error. So you have to modify userAccountControl after adding the entry. I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
Bug Description: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Only check permissions on nsslapd-rundir in normal execution mode.
Summary: DN with antislash('\') rename (modrdn) problem
Problem description:
Unescape codes in the DS (strcpy_special_undo in ava.c and
strcpy_unescape_dnvalue in dn.c) were "unescaping" more than the escape code
(e.g., escape_dn_value in NET LDAP) does escaping. The test string
'BeforeSlash\AfterSlash' fortunately/unfortunately contains '\Af', which is
considered '\##' (where # is hex number) by the DS unescape functions even
though it was not meant to be escaped. As long as using UTF-8, there is no
chance for the server to receive "\af".
Change description:
1) There were identical static functions: strcpy_special_undo (ava.c) and
strcpy_special_undo (dn.c). Merged them to strcpy_unescape_value and put it in
util.c.
2) In the unescape/normalize functions for dn (strcpy_unescape_value in util.c
and substr_dn_normalize in dn.c), added a check for the first hex number in
'\##'. If the 8th bit is on, we don't do unescaping but store it as is since
the unescaped character is not UTF-8.
3) If 2 consecutive '\'s are passed to the unescape/normalize functions, keep
one of them.
Summary: Don't allow auto-generated attributes to be used in RDN.
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
Summary: Add missing parent objectclasses for all operations (replicated or not).
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Make "back" response in setup code work correctly.
Summary: Fix undefined subroutine error when trying to display usage message in setup scripts.
Summary: Ensure directories created by installer get the requested mode applied.
Summary: Add check for permissions on nsslapd-rundir at startup.
Bug Description: rhds80 seg fault - pass sync - entry missing userPassword ?
Reviewed by: nkinder (Thanks!)
Fix Description: The fix is pretty obvious - just make sure we don't deref a NULL. The reason for the NULL is due to a sequence of more than one modify for the userPassword attribute, where one of the mods is a replace with no value or a delete of the attribute. The bug has the details about how to reproduce. One thing I don't know is what client is generating this sequence of operations . . .
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Summary: Log error to errors log when we have a problem writing stats file.
Summary: db backend entry cache settings field "Memory available for cache" boundaries
Fix Description:
db_strtoul: check the input string. If the string starts with '-', returning
the error ERANGE -- the same error as the larger the upper limit is passed.
cache.c: the minimum entry cache size defined in cache.c was 200000, which is
different from the info on the Configuration Command File Reference Guide:
Valid Range: 500 kilobytes to 4 gigabytes for 32-bit platforms and 500
kilobytes to 2^64-1 for 64-bit platforms
Adjusting the define to the doc.
Summary: Make repl-monitor.pl a template to pass in correct perl environment.
Summary: extensible filter having range operation crashes the server (comment#7)
Description: As Rich suggested, set the pb->pb_op to glob_pb->pb_op to catch
the abandon request in case the underlying operation is interrupted.
Summary: spurious errors logged when specifying default locale
Description:
As Ulf Weltman pointed out, U_USING_FALLBACK_WARNING is not an error. (So is
not U_USING_DEFAULT_WARNING.) When U_USING_FALLBACK_WARNING or
U_USING_DEFAULT_WARNING is returned, suppressed printing the error messages.
Summary: Allow password modify extop when password reset is needed.
Summary: extensible filter having range operation crashes the server
Description: we should prevent accessing the inside of NULL pointer.
Summary: LOG: the internal type of maxlogsize, maxdiskspace and minfreespace
should be 64-bit integer
Description: support nsslapd-*log-maxlogsize, nsslapd-*log-logmaxdiskspace and
nsslapd-*log-logminfreediskspace larger than 2GB.
Summary: RFE: search optimization and single character substring searches
(comment #20)
Description: update the comments to adjust to the program.
Summary: MMR: intensive conflict test crashes the server
Description: values2keys functions in the syntax plugin did not check the
existence of the input and output variable.
Bug Description: Need to address 64-bit compiler warnings - again
Reviewed by: nhosoi (Thanks!)
Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64: -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
I also enabled argument/format match checking for most of the commonly used variadic functions. Most of the problems I found fell into these categories:
1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be variadic.
2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
3) use %lu for size_t and %ld for time_t
I did find a few "real" errors, places that the code was doing something definitely not right:
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3
This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Unindexed search does not get logged with "notes=U"
Fix Description: In each <index-type> candidates function, check if the
attribute is indexed by calling index_read_ext instead of index_read. The
function index_read_ext takes a variable to return whether the attribute is
indexed or not. Once it's determined, set SLAPI_OP_NOTE_UNINDEXED to the
pblock, which is used when logging the result.