Summary: LOG: the internal type of maxlogsize, maxdiskspace and minfreespace
should be 64-bit integer
Description: support nsslapd-*log-maxlogsize, nsslapd-*log-logmaxdiskspace and
nsslapd-*log-logminfreediskspace larger than 2GB.
Summary: RFE: search optimization and single character substring searches
(comment #20)
Description: update the comments to adjust to the program.
Summary: MMR: intensive conflict test crashes the server
Description: values2keys functions in the syntax plugin did not check the
existence of the input and output variable.
Bug Description: Need to address 64-bit compiler warnings - again
Reviewed by: nhosoi (Thanks!)
Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64: -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
I also enabled argument/format match checking for most of the commonly used variadic functions. Most of the problems I found fell into these categories:
1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be variadic.
2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
3) use %lu for size_t and %ld for time_t
I did find a few "real" errors, places that the code was doing something definitely not right:
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3
This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Unindexed search does not get logged with "notes=U"
Fix Description: In each <index-type> candidates function, check if the
attribute is indexed by calling index_read_ext instead of index_read. The
function index_read_ext takes a variable to return whether the attribute is
indexed or not. Once it's determined, set SLAPI_OP_NOTE_UNINDEXED to the
pblock, which is used when logging the result.
Summary: Avoid replicating default schema when DESC element is an empty string.
Summary: schema replication op error logs wrong error
Description:
As suggested by Ulf in his original comment, put break in the case
CONN_OPERATION_FAILED and set the macro to return_value for the readability.
Summary: db2ldif -s "suffix" issues confusing warnings when sub suffix exists
[main.c]
* if -s <dn> is passed to db2ldif, the <dn> is used to look up the instance
name the <dn> belongs to with the base dn "cn=mapping tree,cn=config" and the
filter "(&(objectclass=nsmappingtree)(|(cn=*<dn>\")(cn=*<dn>)))". If the <dn>
is not the suffix, but the sub node, it fails to find out the instance which
contains the <dn>. To solve the problem, go upward in the DIT until the
instance is found.
* If multiple backends are specified to export, all the names are printed.
[ldif2ldbm.c]
* ldbm_fetch_subtrees: when -s <dn> is passed to db2ldif, added logic to
avoid the further process if the <dn> does not belong to the backend.
* When multiple backends are exported, dse was loaded each time. Changed not
to do so.
* Export counter was not decremented when the entry was not to be exported.
Summary: Replica crashes in the consumer initialization if the backend to be
replicated does not exist
Description:
. mapping_tree.c: if NULL mapping tree state is passed, return an error.
. repl_extop.c: if mapping tree node state is NULL, don't reset the mapping
tree state.
. replutil.c: if NULL mapping tree state is passed, log it and return.
Summary: Slow import post-processing with large number of non-leaf entries
Description:
Building the ancestorid index does not need to be so expensive, since the
information is available from the parentid index. The cost is associated with
general overhead in maintaining the IDLists in memory, and in particular to the
constant unions done on them to add children. When these lists may contain
millions of entries, the time spent copying the existing data when inserting
children is prohibitively expensive. This does not affect all layouts equally,
but does cause problems when large numbers of children are dispersed throughout
the tree.
BDB can usually handle inserts efficiently on its own, so it is not necessary
to maintain complete IDLists in memory for all the entries and write them out
in total. Updates can be performed directly to the DB instead.
Note: checking in the patch on behalf of Thomas Lackey
Summary: A number of the default attribute and objectclass definitions end up in 99user.ldif if you add any custom schema over LDAP.
Bug Description: Support server-to-server SASL - console chaining, server cleanup
Reviewed by: nkinder (Thanks!)
Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button.
The second set of diffs is for the server.
1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values).
2) Added some more debugging/tracing code
3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configure some of the SSL settings and install the correct policy. I changed the server code to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes
Summary: log expiration policy broken in some cases
Description:
1. set default values to loginfo.log_*_rotationtime, log_*_rotationunit,
log_*_rotationtime_secs, log_*_exptime, log_*_exptimeunit, log_*_exptime_secs,
where * matches access, error, or audit.
2. log_set_expirationtime: if the given exptime is 0 or less than 0, -1 (no
expire) is set to the internal expiration time. If log_set_expirationtimeunit
is not called at this moment, the default value is used.
3. log_set_expirationtimeunit: set the given expunit value to
loginfo.log_*_exptimeunit, which was missing. If exptime is -1 at this moment
(i.e., log_set_expirationtime is not called yet or set "no expire"), the
internal expiration time is set to -1 (no expire).
Summary: Add access to RUV by users other than "cn=Directory Manager".
Summary: vlv: memory leak
Description: if the addresses of the passed key and the returned key don't
match, the space for the returned key is allocated in libdb. Thus, we have to
release the returned key.
Summary: Added validation for nsslapd-maxsasliosize value.
Summary: memory leaks after db "get" deadlocks, e.g. in CL5 trim
Description: Even if cursor->c_get returns non SUCCESS(==0), there is an
occasion that DBT data holds memory which is allocated in libdb. To release
the memory, put
slapi_ch_free ((void **)&key.data);
slapi_ch_free ((void **)&data.data);
just after the while loop, where we come to the point when cursor->c_get fails.
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
Summary: Fixed memory leak in collator plug-in.
Summary: Specially crafted Server Side Sort crashes directory server or makes
it unresponsive
Description: The cause of the problem was a buffer overflow. The length of the
2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 "
is just about the prepared buffer size, which is unfortunate since
there is no space for the candidate size, e.g., "(1944)" being added later. By
adding the "(1944)" to the static buffer, it caused buffer overflow and crashed
your server. The code to check the length of the candidate size before
calculating the buffer size is added.
Summary: Make password modify extop use fine-grained password policies correctly.
Summary: Changed the way we specify the memory offset in the slapi_counter_set_value() assembly code to make it work properly with gcc3.
Summary: Index nscpEntryDN attribute when importing tombstones.
Summary: Problems migrating from libdb-4.4 to libdb-4.7
Description: Removed the code to remove transaction logs for the db version
upgrade.
Summary: dbverify: support integer type index
Description:
1) changed dblayer_bt_compare to public (proto-back-ldbm.h, dblayer.c)
2) set dblayer_bt_compare by dbp->set_bt_compare if the attribute has a
comparison function set in ai->ai_key_cmp_fn (dbverify.c)
3) cleaned up the function dbverify_ext; set the right page size based upon the
idl type (new idl or old idl), also set dup compare function only when the idl
type is new. (dbverify.c)
Summary: LDCLT: add abandon to ldclt
Summary: Clean-up leftover changelog semaphore at startup.
Summary: Made replica_set_updatedn detect value add modify operations properly.
Summary: nsslapd-timelimit setting should accept a value of -1.
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ssorce (Thanks!)
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion
First look for the principal in the ccache. If not found, use the
username if it does not look like a DN. If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn@REALM".
Next, see if the credentials for this principal are still valid. In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM@REALM). If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of Ticket expired. There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: oh yes
Summary: Correct use of offset in counter ASM for passed in parameter.
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503%
Description: additional fix for #207457; e->ep_refcnt should have been
protected by cache->c_mutex, otherwise it breaks the lru list under the stress.
Bug Description: Support server-to-server SASL - part 4 - pta, winsync
Reviewed by: nhosoi (Thanks!)
Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead.
For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows.
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Bug Description: Support server-to-server SASL - part 3 - dna plugin
Reviewed by: nkinder (Thanks!)
Fix Description: Changed the DNA code to use the new slapi_ldap_init/slapi_ldap_bind code. Also changed the code to get the port number to use from the replication agreement. Added some more replication internal code knowledge to the DNA code (unfortunately).
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Summary: Add config setting to disable unauthenticated binds.
Summary: index files for database should be deleted when db is deleted.
Fix Description: The callback ldbm_instance_post_delete_instance_entry_callback
is called when the backend instance is removed. In the callback, there was a
code to cleanup the primary db (id2entry.db#), but no other index files nor the
instance directory. Also, the code included a bug to get the instance
directory path. The proposed code gets the right instance directory path and
cleans up all the files in the directory, then removes the backend instance
directory.
Summary: Memory usage research: checking in the experimental code
Comment: added a missing line
Summary: SASL MAP: memory leak in sasl_map_init
Fix Description: sasl_map_done put just comments to free the map list and the
private structure, but not implemented them. Added the code to release the map
list and the private structure.
Summary: vlvindex should not give an error message when the vlvindex is empty
Fix description: In ldbm_fetch_subtrees, if the parent entry to be vlvindexed
('ou=payroll,dc=example,dc=com' in this example) does not exist, then vlvindex
with the proposed code issues this warning but no further messages.
warning: entrydn not indexed on 'ou=payroll,dc=example,dc=com'; entry ou=payroll,dc=example,dc=com may not be added to the database yet.
If the parent entry exists (entry id 10 in this example), but no descendant
entries to be vlvindexed exist, then vlvindex with the proposed code issues
this warning but no further messages.
warning: ancestorid not indexed on 10; possibly, the entry id 10 has no descendants yet.
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Description: ACL: support group filter
Fix Description: unset value for lud_scope is -1, not NULL
Summary: Use 64-bit specific SASL default plug-in path on 64-bit Linux machines.
Summary: Import of data does not record timestamps
Description: Added a static function import_add_created_attrs to add
ModifiersName, CreateTimestamp, ModifyTimestamp to each imported entry. I
also added a check if nsslapd-lastmod is on or off. It adds the created info
only if the lastmod is on.
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
Summary: Fix crash caused by DNA shared config update event.
Summary: ACL: support group filter
Fix Description:
. backoff the previous checkin
. check whether the value of groupdn is a full ldapurl or not by ldap_url_parse.
. if yes, run the search and get the search results.
otherwise, evaluate the bind dn for the value as usual.
. evaluate the bind dn against each group returned from the search.
. additionally, added the code to trim the beginning and trailing spaces from
the groupdn value, which is needed for ldap_url_parse.
Summary: ACL: support group filter
Description: extended userattr #GROUPDN value to support LDAPURL
Summary: Removed static specifier from __sync_*_8 atomic functions.
Summary: Added 64-bit atomic functions for platforms lacking built-ins.
Summary: rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503%
Description: added '/' at the head of the semaphore name.