| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
Bug Description: Unhandled error during setup: Could not import LDIF file
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This doesn't allow you to re-prompt for the file, but this will at least cause setup to output a sensible error message if it detects that the given LDIF file is not readable.
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: rhds80 console - create new instance fails (only) after admin server restart
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: The problem was that the temp LDIF file used to init the new database was not created with the proper mode and ownership, so slapd could not load it. The fix is to make sure the ownership and mode is correct.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: Cannot setup ds with remote config DS
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This fix has two main parts. The first part is to fix setup. I took parts out of the 01nsroot template and put them into the templates that set up the directory server and admin server. So when those servers are registered, they will create those common entries if not present, or otherwise modify them to add the necessary information. I had to add uname_m and uname_a and some other items to the mapping files. I fixed a typo in one of the template files. I changed setup to create new directory server instances shutdown, so that when they are configured for the passthrough auth plugin, it will be working when started. Otherwise, directory servers you create with setup will not be manageable in the console until after they are restarted. This is the same way that ds_create works.
The second part of the fix is to allow people to fix "broken" installs. I added a -u (update) option to setup. This will scan for exsiting installations are re-register all servers found. The dialog flow is pretty simple - it just confirms that you want to run update mode, then asks for the config ds information, then re-registers all servers with the config ds, updating any information that is missing or outdated.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: Yes - need to document the new -u option.
|
| |
|
|
| |
Summary: Use default stack size on LP64 systems.
|
| |
|
|
|
|
|
|
|
| |
Summary: Directory server is caching string case for attributes with Directorystring syntax even after deletion
Description:
Introduced a new flag SLAPI_VALUE_FLAG_USENEWVALUE for valueset_remove_valuearr
to exchange the value in the deleted value set and the to be added value. With
this change, the newly added value is resurrected instead of the original
value.
|
| |
|
|
| |
Summary: Add CLI for dynamic reload schema file task
|
| |
|
|
| |
Summary: Redesigned algorithm used to update memberOf attribute.
|
| |
|
|
|
|
|
|
| |
Summary: attacker can tie up CPU in regex code
Description: when substring search is requested, sets the time limit based upon
the nsslapd-timelimit value. Pass the timelimit (time_up) to the regular
expression function. When the time is up, it returns the "Timelimit exceeded"
error. Note: timelimit is applied non-Directory Manager users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: GER: allow GER for non-existing entries
Description:
[slapd/charray.c]
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag. If true, the removed
string is freed. (The API is used only in chainingdb. The change is applied
to the plugin.)
[slapd/opshared.c]
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support
"@<objectclass>". It's needed to do at the location since we have to call acl
plugin even
when no entries are returned from the search. If no entries are returned and
"@<objectclass>" is found in the attribute list, acl effective rights code
generates the corresponding template entry.
[slapd/pblock.c]
place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an
array of strings which store "...@<objectclass>".
[slapd/result.c]
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)
[slapd/schema.c]
new: slapi_schema_list_objectclass_attributes -- return the required and/or
allowed attributes belonging to the given objectclass. This is used to support
"*" and "+" in the get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of
the given objectclass.
[slapd/search.c]
if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part
out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the
original
string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).
[plugin/acl/acleffectiverights.c]
modified: _ger_g_permission_granted -- if the requester and the subject user
are
identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does
not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the
object) and "+" (operational attributes). If repeated attributes are found in
the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if
"@<objectclass>" is passed.
[pluginc/cb/*]
adjusted to the updated charray_remove.
Please see also this wiki page for the overview and test cases.
http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
|
| |
|
|
| |
Summary: Fixed infinite recursion issues in memberOf plug-in.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: MMR breaks with time skew errors
Reviewed by: nhosoi, nkinder (Thanks!)
Fix Description: CSN remote offset generation seems broken. We seem to accumulate a remote offset that keeps growing until we hit the limit of 1 day, then replication stops. The idea behind the remote offset is that servers may be seconds or minutes off. When replication starts, one of the itmes in the payload of the start extop is the latest CSN from the supplier. The CSN timestamp field is (sampled_time + local offset + remote offset). Sampled time comes from the time thread in the server that updates the time once per second. This allows the consumer, if also a master, to adjust its CSN generation so as not to generate duplicates or CSNs less than those from the supplier. However, the logic in csngen_adjust_time appears to be wrong:
remote_offset = remote_time - gen->state.sampled_time;
That is, remote_offset = (remote sampled_time + remote local offset + remote remote offset) - gen->state.sampled_time
It should be
remote_offset = remote_time - (sampled_time + local offset + remote offset)
Since the sampled time is not the actual current time, it may be off by 1 second. So the new remote_offset will be at least 1 second more than it should be. Since this is the same remote_offset used to generate the CSN to send back to the other master, this offset would keep increasing and increasing over time. The script attached to the bug helps measure this effect. The new code also attempts to refresh the sampled time while adjusting to make sure we have as current a sampled_time as possible. In the old code, the remote_offset is "sent" back and forth between the masters, carried along in the CSN timestamp generation. In the new code, this can happen too, but to a far less extent, and should max out at (real offset + N seconds) where N is the number of masters.
In the old code, you could only call csngen_adjust_time if you first made sure the remote timestamp >= local timestamp. I have removed this restriction and moved that logic into csngen_adjust_time. I also cleaned up the code in the consumer extop - I combined the checking of the CSN from the extop with the max CSN from the supplier RUV - now we only adjust the time once based on the max of all of these CSNs sent by the supplier.
Finally, I cleaned up the error handling in a few places that assumed all errors were time skew errors.
Follow up - I found a bug in my previous patch - _csngen_adjust_local_time must not be called when the sampled time == the current time. So I fixed that where I was calling _csngen_adjust_local_time, and I also changed _csngen_adjust_local_time so that time_diff == 0 is a no-op.
Platforms tested: RHEL5, F8, F9
Flag Day: no
Doc impact: no
QA impact: Should test MMR and use the script to measure the offset effect.
|
| |
|
|
|
|
|
| |
Summary: range search anomaly on the integer type
Description: Retro changelog plugin automatically creates an index for
changeNumber, which has an integer type. To support the reange search againt
changeNumber, the index should have the matching order "integerOrderingMatch".
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: rhds80 account accountunlocktime attribute breaks replication
Reviewed by: nhosoi (Thanks!)
Fix Description: We were not handling errors returned from the consumer correctly in the async replication code. The problem was that we were exiting the async read results thread immediately. However, we needed to wait for and read all of the outstanding responses, then exit the thread when all of them had been read. The new code handles this case correctly, allowing us to read all of the pending responses before exiting.
The flip side of this is that passwordIsGlobalPolicy only works on the _consumer_. It has no effect whatsoever on the _supplier_ side of replication. The fix for this is to configure fractional replication _always_ and to add the password policy op attrs to the list of attrs not to replicate. This should work fine with RHDS 8.0.0-14 and later.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes. We will need to document exactly how passwordIsGlobalPolicy works and how to configure fractional replication.
QA impact: Will need to do more testing of MMR with account lockout to make sure this error does not blow up MMR anymore.
New Tests integrated into TET: Working on it.
|
| |
|
|
|
|
|
|
|
| |
Bug Description: "DB_BUFFER_SMALL: User memory too small for return value" error when importing LDIF with replication active
Reviewed by: nkinder (Thanks!)
Fix Description: BDB 4.3 does not use ENOMEM if the given buffer is too small - it uses DB_BUFFER_SMALL. This fix allows us to use DB_BUFFER_SMALL in BDB 4.2 and earlier too. I also cleaned up some of the cl5 api return codes to return an appropriate error code to the higher levels rather than pass the ENOMEM up.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Indexing code needs to use new entry copy to search for subtypes when deleting an attribute value.
|
| |
|
|
| |
Summary: Make memberOf plug-in attributes configurable.
|
| | |
|
| |
|
|
| |
Summary: Added CLI for creating memberOf fix-up task entry.
|
| |
|
|
|
| |
Summary: Dynamically reload schema via task interface (comment #15)
Description: fixed the broken function declaration.
|
| |
|
|
| |
Summary: Fixed issues with cleanup task not adding indirect memberships.
|
| |
|
|
| |
Summary: Dynamically reload schema via task interface
|
| |
|
|
| |
Summary: Added memberOf plug-in config entry to dse.ldif template.
|
| |
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: slapi_validate_schema_files: call dse_destroy only when the previous validation was successful.
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| | |
|
| |
|
|
|
|
| |
Summary: LDAPI: support auto-bind
Description: String representation of socktype was not set correctly when
the socktype was PR_AF_LOCAL.
|
| |
|
|
|
|
| |
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
Description: --enable-autobind is supported. Unless it's set, the auto-bind
code is not compiled in.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: LDAPI: support auto-bind
Description:
1) Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX. The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK). To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN. But set a retry count not to hang there.
2) Introduced c_local_valid in the Connection handle to tell the autobind
code that the uid/gid pair is valid or not.
3) Stops the automagic/unconditional auto-bind (the code used to be in
daemon.c).
4) Auto-bind is effective only when the client passes the SASL/EXTERNAL request.
|
| |
|
|
|
|
| |
Summary: LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Description: Separated auto-bind attributes from the ldapi attributes. Fixed
to store auto-bind attributes in dsel.dif only when auto-bind is enabled.
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary: LDAPI: referral mode needs LDAPI socket
Problem Description: If you start the server with the referral mode, e.g.,
like this:
ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are
not read from dse.ldif at that moment.
Fix Description: adding the code to process nsslapd-ldapifilepath and
nsslapd-ldapilisten in slapd_bootstrap_config.
|
| |
|
|
|
|
|
| |
Summary: Allow larger regex buffer to enable long substring filters
Description: Applying the patches provided by ulf.weltman@hp.com.
regex.c: use dynamically allocated regex buffer, use ptrdiff_t to store the offsets to be restored after the realloc, and use a constant for the value of "how much the NFA buffer can grow in one iteration on the pattern".
string.c: use dynamically allocated buffer if the prepared buffer is not large enough, used wrong pointer (pat instead of p) in a debug message, and performed an unneeded strcat of ".*"
|
| |
|
|
| |
Summary: Check for indirect memberships when removing memberOf attributes.
|
| |
|
|
|
|
|
|
| |
Summary: memory leaks in extensible filter code
Description: applying the patch provided by Ulf Weltman
1) type is not consumed in attrlist_merge
2) although dnattrs is a linked list, only the first item was released.
Test case filter: "(ou:dn:=groups)"
|
| |
|
|
| |
Summary: Fixed memory leaks in memberOf plug-in.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: simple password auth fails using NSS 3.11.99 or later
Reviewed by: nkinder (Thanks!)
Fix Description: The new softokn in NSS 3.11.99 and later requires that
the server calls NSS_Init() after forking, but before detaching from the
controlling terminal. In fact, this was always a requirement, but the
softokn in older NSS allow it. However, it's possible that some
hardware crypto devices do not allow this and may not work with older
directory servers. The fix is to move the nss/ssl initialization so
that it can be called at the right point, or from other points in cases
where the server does not fork (e.g. db2ldif).
Platforms tested: Fedora 9 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Fixed valrgind errors about use of unitialized values.
|
| |
|
|
| |
Summary: Enhanced SLAPI task API and ported existing tasks to use new API.
|
| |
|
|
| |
Resolves: 439450
|
| |
|
|
| |
Summary: Handle delete modify of all present member values. When doing a delete modify, we should treat it the same as a replace when no deletion values are specified.
|
| |
|
|
| |
Summary: Handle updates of memberOf attributes for indirect members when a group is renamed.
|
| |
|
|
| |
Summary: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
|
| |
|
|
|
|
|
|
| |
Summary: SASL IO functions set/get: argument mismatch
Fix description: When setting the IO functions in sasl_io_setup, use the local
memory to pass the IO functions. Plus, allocate the memory for backing up the
existing IO functions (real_iofns in the code), which is set in sasl_io_setup
and the area is released after setting it back in sasl_io_cleanup.
|
| |
|
|
| |
Summary: Allow fractional replication between masters.
|
| | |
|
| | |
|
| |
|
|
| |
640:9c57bd91b32f if ipa-memberof.c).
|
| |
|
|
| |
Summary: Fixed crash in replication during bulk import. Use bulk impport code more consistently.
|
| |
|
|
| |
Summary: Allow import fifo to clear out all finished entries.
|
| | |
|
