| Commit message (Collapse) | Author | Age | Files | Lines |
|
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
|
This patch implements a linked attribute plug-in. Details of the
plug-in features and design are available on the 389 wiki at:
http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
In addition, I encountered a memory leak when testing the new plug-in
with valgrind. There was a fix to the dse add code for a double free
a few months back, which causes a leak in certain situations. This
previous fix was for bz#489763. The proper thing to do is to make
the dse backend add function consume the passed in entry upon success
and leave it for the caller to deal with upon failure. This is the
way the back-ldbm add function works.
|
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
Additional 2 unrelated changes are being made:
1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.
|
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
|
changed brand and capbrand to 389
changed vendor to "389 Project"
I had to redo my earlier patch - I should have used the newer
automake and autoconf to reduce the size of the patch
This commit uses automake 1.10.1 and autoconf 2.63 from F10
Reviewed by nkinder (Thanks!)
|
A change was also made to Makefile.am to avoid library versioning
for our C++ plug-in libraries. This change should allow us to use
autogen.sh on recent platforms without running into issues during
build-time.
|
Summary: move perl on solaris to a <TBD> path
Description: Changing Solaris perl path (perlexec) from /opt/perl5x/bin/perl to /usr/lib/sparcv9/dirsrv/perl5x/bin/perl.
|
Summary: Added new remove-ds.pl script and manpage.
|
Description: add sudo and hostObject schemas by default
Fix Description: added 60nss-ldap.ldif for the hostObject and other nss ldap schema
|
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
|
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
======================
autoconf version 2.59
automake version 1.9.6
|
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers -
entrycachehitratio 1503%
Description: checking in autoconf derived files.
Ran autogen on RHEL5; autoconf version 2.59, automake version 1.9.6
|
Summary: Add support for 64-bit counters (phase 1).
|
Bug Description: RFE: include RFC4876 schema - Autofs does not include
LDAP schema for Fedora Directory Server
Reviewed by: nkinder (Thanks!)
Fix Description: Pieter D.J. Krul has contributed many schema files that
have been tested in production environments. They are divided into two
groups - those that conflict with existing schema in DS, CertSys, and
IPA, and those which do not. The latter are installed in the default
schema directory to be available for new instances - the former are
installed in the data directory just as the rfc2307bis schema. The
schema provided cover autofs and rfc4876, as in the bug reports, and
more. Here is the full list of new files:
60trust.ldif 60pureftpd.ldif 60sudo.ldif 60nis.ldif 60samba.ldif 60mozilla.ldif
60samba3.ldif 60krb5kdc.ldif 60sabayon.ldif 60kerberos.ldif
60rfc4876.ldif 60inetmail.ldif 60rfc3712.ldif 60eduperson.ldif
60rfc2739.ldif 60changelog.ldif 60radius.ldif 60autofs.ldif 60qmail.ldif
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new schema
|
Bug Description: Lack of manpages
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: This adds man pages for the command line utilities. The configure.ac diffs were a little bit tricky - apparently, mandir is not set to a correct default value, so we have to make sure we set a reasonable default value for it if the user has not set it (e.g. rpmbuild will override it with --mandir=something).
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
Summary: Add CLI for dynamic reload schema file task
|
Summary: Make memberOf plug-in attributes configurable.
|
Summary: Added CLI for creating memberOf fix-up task entry.
|
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
Description: --enable-autobind is supported. Unless it's set, the auto-bind
code is not compiled in.
|
640:9c57bd91b32f if ipa-memberof.c).
|
Description: Need to support mail server schema
Fix Description: There are customers who are using the mail schema, so we need to keep it in the product.
|
Summary: Don't define _XOPEN_SOURCE_EXTENDED on HP-UX.
|
Summary: HP-UX: warnings reported by the HP-UX compiler
|
Added rfc2307bis schema, but in the data directory. It is not compatible with the older rfc2307 schema included with the directory server.
Users will need to upgrade their database to fix posixGroup entries in order
to use this schema
|
Summary: Install SNMP subagent mibs.
|
Bug Description: init script modification needed for kerberos auth
Reviewed by: nhosoi (Thanks!)
Fix Description: I just took Simo's initial patch and ran with it. The initconfigdir parameter is the directory containing the config file for the init script. configure will first try to use $(sysconfdir)/sysconfig, then $(sysconfdir)/default (Solaris and Debian, among others), then the package config directory (the default on HP-UX), for this parameter. The init script and startup script will look in the initconfigdir to find the init config file to source. For directory server, an instance specific file can be used, named e.g. dirsrv-localhost which will apply to the slapd-localhost instance only.
A default init config file is provided for dirsrv and dirsrv-admin, with some examples of how it could be used.
Platforms tested: RHEL5 x86_64
Flag Day: Yes - autotool file changes
Doc impact: Yes. We will need to document how the user can supply environment to the servers at startup time without having to edit the init scripts or the startup scripts.
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
Summary: Set SASL_PATH in ldclt wrapper script.
|
Summary: Installation failed. template files not found.
Description: Added template-sasl.ldif to Makefile.am
|
Summary: verify-db.pl (db_verify) does not work on a little endian machine
(comment #1-#4)
Description: 1) introducing dbverify mode to ns-slapd.
2) providing new script dbverify to call "ns-slapd dbverify"
3) fixing verify-db.pl to call dbverify instead of db_verify from BDB
|
those first in the link line, so that the build finds the dirsec versions of those components and not the mozilla/seamonkey ones in libdir
|
be ignored, which causes rpm packaging errors
|
Summary: Changed ldap-agent to find location of stats file dynamically.
|
Bug Description: improve perldap script execution ability on bundled platforms
Reviewed by: nkinder (Thanks!)
Fix Description: Most platforms will just use perl from PATH. However, on Solaris and HP-UX, we have to use special 64 bit versions to execute perldap, since perldap is 64 bit on those platforms. Also, if bundling all of the dependent components into the single package, we need to make sure the perl library path is set correctly to find perldap.
The last step will be to build our version of perldap on the bundled platforms to use rpath to point to the correct runtime library location.
Platforms tested: RHEL4, HP-UX 11.23 IPF 64 bit
Flag Day: no
Doc impact: no
|
Bug Description: Replace ds_newinst binary with perl script - remove dead code
Reviewed by: nhosoi (Thanks!)
Fix Description: This is my favorite part - removing all of the now dead code. I also had to fix the exit code so that you could use $? to test for the success or failure of the new setup scripts.
Platforms tested: RHEL4, FC6
Flag Day: no
Doc impact: no
|
Bug Description: Replace ds_newinst binary with perl script
Reviewed by: nhosoi (Thanks!)
Fix Description: The time has come. We can finally get rid of the instance creation C code
once and for all. I've created a DSCreate module that has all of the functionality of the old
create_instance.c code, along with a few items from ldap/admin/lib. The way it works is
this: it first creates the dse.ldif file using template-dse.ldif and the suffix-db template to
create the initial db and suffix. It then adds additional optional configuration depending
on what optional features have been enabled. It creates other config files and copies in
the schema. It then initializes the database. It uses a template file based on the type of
entry implied by the suffix, then adds the default ACIs. If the user chose to do so, it
will also create the ou=people, ou=groups, etc. entries. The user can also supply an LDIF
file which will be used to populate the initial database, in which case none of the default
entries or ACIs will be used. It then starts the server (if desired).
I had to create a function makePaths that works like mkdir -p except that it will chown,
chgrp, and chmod all paths created.
I had to change the other places where instance creation was called to use the new
calling semantics. ds_create changed quite a bit, since it can just use an Inf to pass in the
information instead of calling ds_newinst as a CGI program.
I had to change FileConn to add support for namingContexts (i.e. entries with no parent),
and to have it write each change each time, and to return copies of entries when searching,
to avoid modifying the tree in place. This makes it act much more like LDAP.
I found and fixed a few bugs in Migration along the way that were revealed while integrating
the new DSCreate code.
Platforms tested: RHEL4, FC6
Flag Day: Yes. New instance creation code and autotool changes.
Doc impact: no
|
Bug Description: Reimplement ds_create without setuputil code
Reviewed by: nhosoi (Thanks!)
Fix Description: ds_create was a CGI program that would create a new instance, set it up to be managed by console, and register it with the config ds. The new ds_create CGI perl script does just that. One tricky part was that, rather than enabling the pass through auth plugin and having to restart the server, the new server is created without being started, then the modification is done to the new server dse.ldif file directly, using the new FileConn.pm module, which simulates a Mozilla::LDAP::Conn on an LDIF file. This also allows us to create a new instance with a pre-hashed rootdn password, rather than having to send the cleartext password.
I had to move around some code in AdminServer and AdminUtil so that I could use it from ds_create. I also implemented support for the admin server PASSWORD_PIPE in perl so we could use it in other CGI perl scripts.
Finally, the error handling was not consistent in our code, so I made explicit the passing of error messages up and down the stack. Oh how I wish we could just do this in python and use exception handling . . .
I added a test for ds_create.
Platforms tested: RHEL4
Flag Day: Yes - autotool changes
Doc impact: No. Should work the same way as the old ds_create.
|