| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=509201
Resolves: bug 509201
Bug Description: rhds81 hub with 71 master - err=32 on replica base search during replication
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: This patch doesn't fix the problem, but it makes it less likely to occur in the future. The problem is that we are not consistent about using normalized DNs everywhere. Without using a normalized DN, it is impossible to construct a DN containing another DN (e.g. cn="dc=example, dc=com", cn=mapping tree, cn=config) that another client can match on. This patch at least forces setup to use a normalized DN for the suffix.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: Yes - we will need to document what to do when running into this problem, as in the workaround in the bug report
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using the retro changelog plugin, post-op plugins that perform
internal operations (such as memberOf) can result in the internal
operation preceeding the original operation in the changelog.
The fix is to give the retro changelog a higher precedence than the
other post-op plugins. This required some core server changes to
be made around the plugin precedence to allow an object plugin to
pass it's precedence into it's calls to slapi_register_plugin()
when it registers other plugin types.
I added an update LDIF to set the plugin precedence when running
"setup-ds.pl -u". I also noticed an AVC when restarting after the
update due to the schema.bak directory that is created. I've
adjusted the dirsrv SELinux policy to deal with this AVC.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Named Pipe Log Script allows you to replace a log file with a named pipe attached to a script. The server can then send the log output to a script instead of to a log file. This allows you to do many different things such as:
* log only certain events e.g. failed binds, connections from certain ip addresses, etc.
* log only lines that match a certain pattern
* log only the last N lines - useful for enabling full error log debug levels in production environments
* send an email or other notification when a certain event is detected
The script is written in python, and allows plugins. By default, the script will log the last N lines (default 1000). There are two plugins provided - one to log only failed bind attempts, and one that will log only lines that match given regular expressions.
Reviewed by: nkinder (Thanks!) - found a bug in a comment
Resolves: bug 486171
Bug Description: [RFE] Access log - Failed binds
|
| |
|
|
|
| |
When removing an instance, we need to be sure to remove the
instance specific initconfig script.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a previously fixed bug (bz 474254), standard schema may
have been duplicated in 99user.ldif. When running an upgrade, we
need to check the 99user.ldif file to see if any obsolete standard
schema is defined there and remove it.
This patch makes upgrade backup the original 99user.ldif, and
scans it to see if any of the obsolete attributeTypes or
objectClasses attributes that we are removing from the standard
schema exist in 99user.ldif. We trim the obsolete definitions
and write out a new 99user.ldif with the proper permissions.
|
| |
|
|
|
|
|
| |
This adds SMD5 password storage support to the existing password
storage plug-in. Add upgrade LDIF has been added to ensure that
this new functionality will be available to servers that are
upgraded from previous versions.
|
| |
|
|
|
|
|
|
|
|
| |
This adds a number of interface macros to the dirsrv SELinux policy
module. These macros are intended for use by the Administration
Server SELinux policy that is currently being developed.
I also made some changes to the setup code that labels newly created
directories. When the first instance is created, some top-level
directories are created that were not being labeled properly.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some older releases did not have nsslapd-rundir - upgrading from
those releases will cause the server not to start - we must add
nsslapd-rundir if it is missing
We also got rid of nsslapd-ldapiautodnsuffix, so remove that from
the config - it doesn't hurt anything to leave it, but the error
message is annoying
I also added back a mostly truncated version of 28pilot.ldif because
some apps still use pilotObject - those apps should change to
use a different objectclass ASAP.
Tested on Fedora 11 i386 and x86_64
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=520921
Resolves: bug 520921
Bug Description: Config schema not included in core schema
Reviewed by: nkinder (Thanks!)
Fix Description: Just had to move a few schema from 02common and 30ns-common into 01core389.ldif. I also added 01core389.ldif to the list of schema installed
when install_full_schema=0 is specified with setup-ds.pl. I also added these schema files to the list of schema files to upgrade.
With these changes, the server starts up fine. The only error is this:
[29/Sep/2009:16:47:53 -0600] - Entry "cn=PAM Pass Through Auth,cn=plugins,cn=config" has unknown object class "pamConfig"
This is because the pam pass through plugin is included in the default config. I'd rather not move that schema file. That plugin can be removed from the default config during setup by specifying a slapd.ConfigFile directive with contents like this:
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: delete
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=523476
Resolves: bug 523476
Bug Description: 389-ds-base/glibmm24: conflicting perl provides
Reviewed by: nhosoi (Thanks!)
Files: see diff
Fix Description: Rename "Util" to "DSUtil"
Platforms tested: Fedora 11 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Updates are implemented in:
perl - code that plugs in to setup - scriptlets that are imported into
the setup perl interpreter and executed in process, giving access to all
of the packages and context provided by setup
ldif - applied to instances, in the same manner as ConfigFile directives
to setup
other - any executable file, shell script, etc. can be invoked, with a limited
amount of context from the setup process
An update directory is added to the package - /usr/share/dirsrv/update - this
directory contains the update files - the update filenames begin with two digits
and are executed in numeric order (00 first, then 01, etc. up to 99) which
should provide enough flexibility
In addition, there are 5 stages of update:
pre - invoked before any instance specific code
preinst, runinst, postinst - invoked for each instance
post - invoked after any instance specific code
Example files are provided which demonstrate how to get the context.
There are two different modes of operation for update:
online - must supply a bind dn and password for each instance - servers must
be up and running
offline - operates directly on the dse.ldif - servers must be shutdown first
A new section is added to the .inf file that can be passed in
[slapd-instancename]
RootDN = binddn
RootDNPwd = bindpw
The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.
I also fixed some problems with error messages.
The pam pta plugin entry was giving object class violations, so I added the
missing attributes - note that these are replaced by the plugin code when
the plugin is loaded - they are only needed during setup.
Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which
means if you use it in an outer context, you cannot use it in an inner
context, even if it is used in a different function. Rather than attempting
to figure out how to use $_ safely in lower level functions, I just removed
the use of it altogether, which also makes the code easier to read.
Reviewed by: nhosoi (Thanks!) - fixed minor issues found
Platforms tested: Fedora 11
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a "dirsrv" selinux policy module to confine the ns-slapd
daemon. The setup and migration perl modules were changed to take
care of any relabeling of installed files if selinux support was
compiled in.
The build system now takes a "--with-selinux" option that will
compile the dirsrv policy module and enable any selinux specific
setup code.
To use the dirsrv policy module, the module will need to be loaded
using the semodule utility. It is also necessary to relabel the
installed files using restorecon after performing a make install.
All of this will be taken care of in the spec file when in the
case of using a RPM package.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds centralized start, stop, and restart scripts
for ns-slapd. These scripts live in the sbin directory
and will act upon all instances if an instance identifier
is not specified (similar to the init script). The
instance specific scripts have been modified to call the
new centralized scripts.
The instance specific parameters needed by the new scripts
are located in the instance specific initconfig scripts,
which are now created by setup-ds.pl with values mapped
from the inf file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The vendor, brand, and capbrand are set in configure - we should use those
everywhere rather than have to run some sort of script over the code to
change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND
to the default defines passed to the compiler, and changed the code to use
these defines. And instead of the unintuitively named PRODUCTTEXT macro,
we should use the already defined PRODUCT_VERSION.
This allowed me to get rid of some code. The version was from a generated
file called dirver.h which we don't need anymore, and we don't need the perl
script dirver.pl which generated it.
The vendor string was coming from the dirlite header file. So I also used this
as an excuse to get rid of all references to dirlite once and for all (yay!).
For the places in plain text files which are not substituted, I just used the
generic name Dirsrv or Directory Server instead of having an explicit brand
and/or version in there.
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
| |
%rootdn% (Directory Manager) has all rights on every entry by nature.
Thus, it is not needed to give any acis. This template has several
groupOfUniqueNames objects which MUST have uniqueMember. At this
moment, there is no entry which could be a uniqueMember. Just to
satisfy the objectclass, set %rootdn% to uniqueMember of the objectclass.
|
| |
|
|
|
|
|
|
| |
First cut for implementing Entry USN.
See http://directory.fedoraproject.org/wiki/Entry_USN for the design details.
This change includes a bug fix for "db2ldif -r"; event queue system was not
shutdown before the plugins are closed, which could have crashed the command
line utility.
|
| |
|
|
|
|
| |
The DN used by the ns-newpwpolicy script to refer to the pwpolicy
subentries are not legal. We need to escape ',' chars in the value
instead of just trying to use double-quotes around the value.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements a linked attribute plug-in. Details of the
plug-in features and design are available on the 389 wiki at:
http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
In addition, I encountered a memory leak when testing the new plug-in
with valgrind. There was a fix to the dse add code for a double free
a few months back, which causes a leak in certain situations. This
previous fix was for bz#489763. The proper thing to do is to make
the dse backend add function consume the passed in entry upon success
and leave it for the caller to deal with upon failure. This is the
way the back-ldbm add function works.
|
| |
|
|
|
|
| |
Also added numericstring syntax support.
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
|
| |
|
|
|
| |
Summary: Replication Bind Failure After Migration from DS 7.1 (comment #10)
Description: changed to trim trailing slashes of oldsroot and actualsroot at the beginning.
|
| |
|
|
| |
Summary: Fixup replicated schema during migration.
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Replication Bind Failure After Migration from DS 7.1
Reviewed by: nkinder (Thanks!)
Fix Description: We have to quote shell metacharacters before passing them to the shell. I added a new function shellEscape to use for this purpose. We really should shell escape anything passed to system() or back ticks ``. Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred. I also chomp() the output of migratecred to remove the trailing newline. With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Description: Bug 480869 - DS console: Can not delete DS instance
Fix Description: Create instance was broken, so no instances could be created for purposes of deletion. Create instance was printing the following error:
Unable to find Pass Through Authentication Plug-In config entry.
This is because the search for this entry in AdminUtil.pm was getting an incorrect error message - something other than "Success"
This is because the FileConn->getErrorString() method was returning "0" instead of "Success".
Platforms tested: RHEL4
|
| |
|
|
| |
Summary: Use backend name from inf when importing during setup.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: DS console: Can not delete DS instance
Reviewed by: nkinder (Thanks!)
Fix Description: As it turns out, my assumption that ds_remove in CGI mode also did the unregistration was false. It is the console that does the unregistration, only after the ds_remove CGI returns success. So, ds_remove needs to run with AdminSDK off, just like the other "special" CGI programs. In addition, ds_remove needs to be more robust - if there is an error during ds_remove, you should be allowed to try again after fixing something. However, the way the error handling worked did not differentiate between fatal errors and errors that could be ignored. In order to do this properly, we need to propagate the errors back up to the top level (oh how I wish perl had real exception handling . . .). The main type of error we need to ignore is file not found or process not found. If we attempted to remove before and that attempt failed for some reason, and left a partial instance, we need to be able to run the remove command again, skipping over the things we shutdown or removed already, and clean up the stuff we need to remove. This can also happen if you use the console to create a ds instance, and remove-ds.pl to remove the instance. The instance will still show up in the console. We need to be able to use the Remove Server in the console to remove the instance from the console, even through there is no physical instance on disk any more. Since the console will only do the unregistration if the CGI returns success, we need to make sure the CGI returns success even though there is no instance on disk. When ds_remove is run via ds_removal, it will do the unregistration.
I also took this opportunity to refactor the remove code, creating a removeDSInstance method in DSCreate.pm, and moving some of the other removal helper functions to Util.pm. That simplified the code in both ds_remove and remove-ds.pl.
I added a remove-ds-admin.pl script - one of the problems that users have is that they run setup-ds-admin.pl, then hit some error (e.g. bad DNS setup), then find that they cannot restore the system to the state before they ran setup-ds-admin.pl. remove-ds-admin.pl does this.
Finally, I added some man pages to the admin package for those commonly used commands.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: overriding arguments to setup causes setup to fail
Reviewed by: ulf.weltman, nkinder (Thanks!)
Fix Description: Parameters specified on the command line should override and replace (not add to) any parameters specified in a given .inf file. I refactored the code a little too - I moved the argv processing into the Inf module out of the Setup and Migration modules. The code will first process the args and store the values in a temporary hash ref. Then it will process the temp hash ref, replacing the values in the main inf with the values from the hash.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Cross Platform Migration Fails with: Unable to access
nsslapd-rundir: Bad address
Reviewed by: nkinder (Thanks!)
Fix Description: Need to add any new attributes added in 8.0 and 8.1 to
the ignoreOld hash table in the migration script. The way migration
works, it assumes an attribute is supported in both the old version and
the new version. So if the attribute is absent in the old entry and
present in the new entry, it assumes the user removed the attribute in
the old entry, so removes it in the new entry. The ignoreOld hash table
holds the list of attributes that we should ignore for the purposes of
attribute comparison. These are the attributes we just want to pass
through.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Added new remove-ds.pl script and manpage.
|
| |
|
|
| |
Summary: Remove dependency on Term::ReadKey for password prompting in Perl scripts.
|
| |
|
|
| |
Summary: Make "back" reponse in setup code work correctly.
|
| |
|
|
| |
Summary: Fix undefined subroutine error when trying to display usage message in setup scripts.
|
| |
|
|
| |
Summary: Ensure directories created by installer get the requested mode applied.
|
| |
|
|
| |
Summary: Make repl-monitor.pl a template to pass in correct perl environment.
|
| |
|
|
|
|
|
| |
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
|
| |
|
|
| |
debugging tools
|
| |
|
|
|
|
|
|
| |
Branch: HEAD
Fix Description: Set SO_REUSEADDR to make sure the port is really available.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
| |
Bug Description: setup-ds.pl password prompt loops in Confirm prompt
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Just make sure the prompt tells the user that they can hit Control-B Enter at any time to go back if they need to re-enter the password.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
| |
Bug Description: Unhandled error during setup: Could not import LDIF file
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This doesn't allow you to re-prompt for the file, but this will at least cause setup to output a sensible error message if it detects that the given LDIF file is not readable.
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: rhds80 console - create new instance fails (only) after admin server restart
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: The problem was that the temp LDIF file used to init the new database was not created with the proper mode and ownership, so slapd could not load it. The fix is to make sure the ownership and mode is correct.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: Cannot setup ds with remote config DS
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: This fix has two main parts. The first part is to fix setup. I took parts out of the 01nsroot template and put them into the templates that set up the directory server and admin server. So when those servers are registered, they will create those common entries if not present, or otherwise modify them to add the necessary information. I had to add uname_m and uname_a and some other items to the mapping files. I fixed a typo in one of the template files. I changed setup to create new directory server instances shutdown, so that when they are configured for the passthrough auth plugin, it will be working when started. Otherwise, directory servers you create with setup will not be manageable in the console until after they are restarted. This is the same way that ds_create works.
The second part of the fix is to allow people to fix "broken" installs. I added a -u (update) option to setup. This will scan for exsiting installations are re-register all servers found. The dialog flow is pretty simple - it just confirms that you want to run update mode, then asks for the config ds information, then re-registers all servers with the config ds, updating any information that is missing or outdated.
Platforms tested: RHEL5, Fedora 8, Fedora 9
Flag Day: no
Doc impact: Yes - need to document the new -u option.
|
| |
|
|
| |
Summary: Add CLI for dynamic reload schema file task
|
| |
|
|
| |
Summary: Added CLI for creating memberOf fix-up task entry.
|
| |
|
|
|
|
| |
Summary: LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Description: Separated auto-bind attributes from the ldapi attributes. Fixed
to store auto-bind attributes in dsel.dif only when auto-bind is enabled.
|
| |
|
|
| |
Summary: LDAPI: move default LDAPI UNIX socket from /var/run/dirsrv/slapd-ID.socket to /var/run/slapd-ID.socket
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: migrate-ds-admin.pl spins at 100% cpu
Reviewed by: nkinder (Thanks!)
Fix Description: It was spinning because inst_dir was not being set, so it kept trying to find the parent directory of a non-existent directory. In migration, the old instance has no instance dir - we will fill that in during instance creation, so just skip it if not set. I also found and fixed another bug in migration with the usage of file_name_is_absolute - have to use the full module name and function name.
Platforms tested: RHEL4 32bit and 64bit
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Instance creation through console is broken
Reviewed by: nhosoi (Thanks!)
Fix Description: This was caused by my fix for bug 420751. When I added the as_uid to fix the ACI for the admin user, I did not add the mapping everywhere it was used. Unfortunately, I found that the code I added it to could only be used with a live connection to the new directory server, not a FileConn to the dse.ldif. So I had to add a new function to add this ACI to the new root suffix after the server had been started.
Another problem with instance creation was that the org entries were not being added when creating a new instance in the console. The default should be to create them if nothing else was specified.
Another problem was that instance creation was leaving temp ldif files around.
I also had to make sure ServerAdminID was specified everywhere it was needed by dirserver.map, or this would also have broken ds_remove.
Platforms tested: RHEL5 x86_64
Flag Day: Yes - autotool file change in adminserver
Doc impact: no
|
