| Commit message (Collapse) | Author | Age | Files | Lines |
Summary: Add access to RUV by users other than "cn=Directory Manager".
Summary: vlv: memory leak
Description: if the addresses of the passed key and the returned key don't
match, the space for the returned key is allocated in libdb. Thus, we have to
release the returned key.
Summary: Added validation for nsslapd-maxsasliosize value.
Summary: memory leaks after db "get" deadlocks, e.g. in CL5 trim
Description: Even if cursor->c_get returns non-SUCCESS (SUCCESS == 0), there are
occasions where the DBT data holds memory allocated in libdb. To release
the memory, put
    slapi_ch_free ((void **)&key.data);
    slapi_ch_free ((void **)&data.data);
just after the while loop, where we come to the point when cursor->c_get fails.
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
Summary: Fixed memory leak in collator plug-in.
Summary: Specially crafted Server Side Sort crashes directory server or makes
it unresponsive
Description: The cause of the problem was a buffer overflow. The length of the
2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 "
is just about the prepared buffer size, which is unfortunate since there is no
space for the candidate size, e.g., "(1944)", which is added later. Adding the
"(1944)" to the static buffer caused a buffer overflow and crashed your server.
Code to check the length of the candidate size before calculating the buffer
size has been added.
Summary: Make password modify extop use fine-grained password policies correctly.
Summary: Changed the way we specify the memory offset in the slapi_counter_set_value() assembly code to make it work properly with gcc3.
Summary: Index nscpEntryDN attribute when importing tombstones.
Summary: Problems migrating from libdb-4.4 to libdb-4.7
Description: Removed the code to remove transaction logs for the db version
upgrade.
Summary: dbverify: support integer type index
Description:
1) changed dblayer_bt_compare to public (proto-back-ldbm.h, dblayer.c)
2) set dblayer_bt_compare by dbp->set_bt_compare if the attribute has a
comparison function set in ai->ai_key_cmp_fn (dbverify.c)
3) cleaned up the function dbverify_ext; set the right page size based upon the
idl type (new idl or old idl), also set dup compare function only when the idl
type is new. (dbverify.c)
Summary: LDCLT: add abandon to ldclt
Summary: Clean-up leftover changelog semaphore at startup.
Summary: Made replica_set_updatedn detect value add modify operations properly.
Summary: nsslapd-timelimit setting should accept a value of -1.
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ssorce (Thanks!)
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion.
First look for the principal in the ccache. If not found, use the
username if it does not look like a DN. If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn@REALM".
Next, see if the credentials for this principal are still valid. In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM@REALM). If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of Ticket expired. There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: oh yes
Summary: Correct use of offset in counter ASM for passed in parameter.
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503%
Description: additional fix for #207457; e->ep_refcnt should have been
protected by cache->c_mutex, otherwise it breaks the lru list under stress.
Bug Description: Support server-to-server SASL - part 4 - pta, winsync
Reviewed by: nhosoi (Thanks!)
Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead.
For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows.
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Bug Description: Support server-to-server SASL - part 3 - dna plugin
Reviewed by: nkinder (Thanks!)
Fix Description: Changed the DNA code to use the new slapi_ldap_init/slapi_ldap_bind code. Also changed the code to get the port number to use from the replication agreement. Added some more replication internal code knowledge to the DNA code (unfortunately).
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Summary: Add config setting to disable unauthenticated binds.
Summary: index files for database should be deleted when db is deleted.
Fix Description: The callback ldbm_instance_post_delete_instance_entry_callback
is called when the backend instance is removed. In the callback, there was
code to clean up the primary db (id2entry.db#), but not the other index files
or the instance directory. Also, the code that gets the instance directory
path included a bug. The proposed code gets the right instance directory path,
cleans up all the files in the directory, then removes the backend instance
directory.
Summary: Memory usage research: checking in the experimental code
Comment: added a missing line
Summary: SASL MAP: memory leak in sasl_map_init
Fix Description: sasl_map_done had only comments about freeing the map list and
the private structure, but did not implement that. Added the code to release
the map list and the private structure.
Summary: vlvindex should not give an error message when the vlvindex is empty
Fix description: In ldbm_fetch_subtrees, if the parent entry to be vlvindexed
('ou=payroll,dc=example,dc=com' in this example) does not exist, then vlvindex
with the proposed code issues this warning but no further messages:
    warning: entrydn not indexed on 'ou=payroll,dc=example,dc=com'; entry ou=payroll,dc=example,dc=com may not be added to the database yet.
If the parent entry exists (entry id 10 in this example), but there are no
descendant entries to be vlvindexed, then vlvindex with the proposed code issues
this warning but no further messages:
    warning: ancestorid not indexed on 10; possibly, the entry id 10 has no descendants yet.
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Description: ACL: support group filter
Fix Description: unset value for lud_scope is -1, not NULL
Summary: Use 64-bit specific SASL default plug-in path on 64-bit Linux machines.
Summary: Import of data does not record timestamps
Description: Added a static function import_add_created_attrs to add
ModifiersName, CreateTimestamp, ModifyTimestamp to each imported entry. I
also added a check if nsslapd-lastmod is on or off. It adds the created info
only if the lastmod is on.
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
Summary: Fix crash caused by DNA shared config update event.
Summary: ACL: support group filter
Fix Description:
. back off the previous checkin
. check whether the value of groupdn is a full LDAP URL or not using ldap_url_parse.
. if yes, run the search and get the search results;
  otherwise, evaluate the bind dn for the value as usual.
. evaluate the bind dn against each group returned from the search.
. additionally, added the code to trim the leading and trailing spaces from
  the groupdn value, which is needed for ldap_url_parse.
Summary: ACL: support group filter
Description: extended userattr #GROUPDN value to support LDAPURL
Summary: Removed static specifier from __sync_*_8 atomic functions.
Summary: Added 64-bit atomic functions for platforms lacking built-ins.
Summary: rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503%
Description: added '/' at the head of the semaphore name.
Summary: Convert counters to 64-bit capable Slapi_Counter type.
Summary: Convert counters to 64-bit capable Slapi_Counter type.
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
======================
autoconf version 2.59
automake version 1.9.6
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers -
entrycachehitratio 1503%
Description: checking in autoconf derived files.
Ran autogen on RHEL5; autoconf version 2.59, automake version 1.9.6
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers -
entrycachehitratio 1503%
Change description:
1) Makefile.am: instead of the inline assembly language file .il, include an
independent .S file in the libslapd_la_SOURCES list.
2) add AM_PROG_AS to configure.ac to accept CCAS and CCASFLAGS.
3) slapi_counter.c: adjusted to slapi_counter_sunos_sparcv9.S.
4) add slapi_counter_sunos_sparcv9.S
5) remove slapi_counter_sunos_sparcv9.il
Summary: Add 64-bit counter support (phase 1).
Summary: Add support for 64-bit counters (phase 1).