path: root/ldap/admin
Commit message (author, age; files changed, lines -/+)
* Bug 633168 - Share backend dbEnv with the replication changelog (Noriko Hosoi, 2010-09-13; 1 file, -0/+29)
  https://bugzilla.redhat.com/show_bug.cgi?id=633168
  Description: previous commit was missing the upgrade script 81changelog.pl
* openldap ldapsearch returns empty line at end of LDIF output (Rich Megginson, 2010-08-31; 3 files, -3/+3)
  The script was looking for 1 and only 1 line returned by the ldapsearch to see if the given entry is a role. openldap ldapsearch returns an empty line as the last line. So just change the check to look for 1 or more lines.
* openldap ldapsearch uses -LLL to suppress # version: N (Rich Megginson, 2010-08-31; 4 files, -4/+4)
  mozldap uses -1 but openldap uses -LLL to suppress printing the in ldapsearch output - add a flag for this
* Add -x option to ldap tools when using openldap (Rich Megginson, 2010-08-31; 16 files, -38/+38)
  We have many scripts that use ldapsearch, ldapmodify, etc. All of these currently use simple auth. When using the openldap versions of these scripts, we have to pass the -x argument to use simple auth. A new configure parameter ldaptool_opts is used to pass this down into the scripts.
  Reviewed by: nkinder (Thanks!)
  Platforms tested: Fedora 14 (rawhide)
* Bug 194531 - db2bak is too noisy (Noriko Hosoi, 2010-08-10; 2 files, -16/+56)
  https://bugzilla.redhat.com/show_bug.cgi?id=194531
  Description: Introduced "-q" option to suppress the backing up/restoring message for each db file.
  Usage: db2bak [archivedir] [-q] [-h]
  Usage: bak2db archivedir [-n backendname] [-q] | [-h]
  If "-q" is specified, the verbose messages are not printed to the standard error, but just to the errors log. In addition, new log level SLAPI_LOG_BACKLDBM/LDAP_DEBUG_BACKLDBM has been introduced.
* Bug 617013 - repl-monitor.pl use cpu up to 90% (Rich Megginson, 2010-07-22; 1 file, -1/+2)
  https://bugzilla.redhat.com/show_bug.cgi?id=617013
  Resolves: bug 617013
  Bug Description: repl-monitor.pl use cpu up to 90%
  Reviewed by: nhosoi (Thanks!)
  Branch: master
  Fix Description: The script recursively looks for servers - looks at servers in replication agreements, adds them, then looks for replication agreements on those servers, etc. When it added the servers, the logic was faulty for seeing if the server was already in the list. So it just kept recursing forever. One of the problems was that the script did not like a hostname with a non \w char in it, such as the "-" char. There was another problem with matching a server without a shadowport.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
  (cherry picked from commit 7de9007936a790625258967bfb959bc5989d25f2)
* 616618 - 389 v1.2.5 accepts 2 identical entries with different DN formats (Noriko Hosoi, 2010-07-22; 2 files, -11/+36)
  https://bugzilla.redhat.com/show_bug.cgi?id=616618
  Change Description:
  . renamed 91upgradednformat.pl to 80upgradednformat.pl to run upgradednformat before 90subtreerename.pl.
  . ported following patches applied to Directory_Server_8_2_Branch to master and 389-ds-base-1.2.6.
  612771 - RHDS 8.1/389 v1.2.5 accepts 2 identical entries with different DN formats
  * commit 50bb2ee6676e10cdda704982dfa831efa4011037
  Fix Description: This patch fixes the upgradednformat utility to eliminate the duplicated DNs found in the upgrading period. Assuming DN: attr0=value0,attr1=value1,...,attrn=valuen exists in the DB and another identical DN is found, the second DN is renamed to nsuniqueid=<uuid>+attr0=value0,attr1=value1,...,attrn=valuen, where the <uuid> is the unique id assigned to the entry when the entry is added to the server. The modification is logged in the error log.
  In addition, there was a bug to handle multi-valued RDNs in slapi_dn_normalize_ext. In case multi-valued RDN appears with DN value (e.g., nsuniqueid=<uuid>+cn=uid\=<uid>\,o\=<org>,dc=<dc>), it was not normalized properly. Introduced second rdn_av_stack (subinitial_rdn_av_stack) for the nested DN value.
  See also: http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format#Another_Upgrade_Scenario
  * commit ebaa18adaf201f75c709e078abd8e32605eddb81
  Fix Description: 1) In the previous commit 50bb2ee6676e10cdda704982dfa831efa4011037, there were 3 places to miss replacing rdn_av_count with subrdn_av_count. 2) A variable subtypestart is used to keep the head of nested multivalued RDNs. For instance,
  seeAlso=cn\=<CN>\+l\=<L>\,o\=<O>,dc=example,dc=com
  ^ or ^ or ^
  There was a bug to set the first position ("cn" in the above example). In addition, fixed a warning assigning "const char *" to "char *" in import_foreman (import-threads.c).
  * commit 472a2c0f2f21205390ba87c31c498b4419a932ba
  Fix Description: When newly creating an ancestorid index file, instead of opening the index file with DB_TRUNCATE option, delete the file then create it.
  616135 - Upgrade failure on Solaris : tar: db/NetscapeRoot/{DBVERSION,*.db4}: No such file or directory
  * commit e6723421e6dc69408edb2a396eb22da361cff206
  Fix Description: .../'{'DBVERSION,*.db4'}' is not a shell syntax. Process DBVERSION and *.db4 individually.
  Cherry-picked 700d7c1a199db4a690740636b8bd3e612304ce1e and 0b6ddc9b06845bdf385e749f2c5a99497df20d98 from 389-ds-base-1.2.6 branch.
* 605827 - In-place upgrade: upgrade dn format should not run in setup-ds-admin.pl (Noriko Hosoi, 2010-06-23; 1 file, -0/+7)
  https://bugzilla.redhat.com/show_bug.cgi?id=605827
  Description: 70upgradednformat.pl does nothing if the server is up. The upgrade script is effective only when it's called in the Off-line mode.
  (cherry picked from commit a109da80a8eae4400b42a27bb5de604f9aee344d)
* Bug 593392 - setup-ds-admin.pl -k creates world readable file (Rich Megginson, 2010-05-26; 7 files, -78/+68)
  https://bugzilla.redhat.com/show_bug.cgi?id=593392
  Resolves: bug 593392
  Bug Description: setup-ds-admin.pl -k creates world readable file
  Reviewed by: thoger (Thanks!)
  Branch: HEAD
  Fix Description: Use umask to make sure we create a .inf file that is only viewable by the user. In addition, only create the temp file and filename when necessary. In some places, the code was creating a .inf file on disk when it could just create one in memory. The code should check to see if the Inf object has a file associated with it before attempting to unlink it. Make sure we do not unlink a .inf file given with -f on the command line. If the user specified -k, always write to a temp file using __temp__ as the keyword to tell Inf->write to generate a temp file.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
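The umask and temp-file handling this fix describes, as an added example in Python (not the project's Perl setup code). The Inf class, its `__temp__` keyword handling, the ownership flag that keeps a caller-supplied file from being unlinked, and the sample .inf contents are illustrative assumptions; the security point is the one in the commit: the file must never exist on disk with group or world read bits, and only a file the object created itself is ever removed.

```python
"""Create a setup .inf file that only its owner can read.

Added example (Python, not the project's Perl setup code). Two safeguards
from the commit are shown: a restrictive umask around the write plus an
explicit 0600 mode, and a check that a file supplied by the caller is
never unlinked as if it were ours. Inf, TEMP_KEYWORD and the sample
contents are illustrative assumptions.
"""
import os
import stat
import tempfile

TEMP_KEYWORD = "__temp__"   # caller asks for a generated temp file (assumed convention)


class Inf:
    """Minimal stand-in for the setup Inf object: sections in memory, optional file."""

    def __init__(self, sections, filename=None):
        self.sections = sections      # {section: {key: value}}
        self.filename = filename      # path given by the caller (e.g. with -f), if any
        self._owned = False           # True only for temp files this object created

    def render(self):
        out = []
        for section, kv in self.sections.items():
            out.append(f"[{section}]")
            out.extend(f"{k} = {v}" for k, v in kv.items())
        return "\n".join(out) + "\n"

    def write(self, filename=None, directory=None):
        """Write the .inf with mode 0600 and return its path.

        filename None or "__temp__" means: generate a private temp file.
        """
        data = self.render().encode()
        old_umask = os.umask(0o077)   # nothing created in this window is group/world readable
        try:
            if filename in (None, TEMP_KEYWORD):
                fd, path = tempfile.mkstemp(prefix="setup-", suffix=".inf", dir=directory)
                self._owned = True
            else:
                # explicit path: O_EXCL refuses to follow a pre-planted symlink or reuse a file
                path = filename
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as fh:
                fh.write(data)
        finally:
            os.umask(old_umask)
        self.filename = path
        return path

    def cleanup(self):
        """Unlink the on-disk file only if this object generated it; returns whether it did."""
        if self.filename and self._owned and os.path.exists(self.filename):
            os.unlink(self.filename)
            self.filename = None
            return True
        return False


def file_mode(path):
    """Permission bits of path as an int (0o600 expected)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(directory=None):
    """Run the whole scenario and report what happened."""
    directory = directory or tempfile.mkdtemp(prefix="inf-demo-")
    inf = Inf({"General": {"SuiteSpotUserID": "dirsrv"}})       # constructed sample
    temp_path = inf.write(TEMP_KEYWORD, directory=directory)
    result = {"temp_mode": file_mode(temp_path),
              "temp_removed": inf.cleanup(),
              "temp_exists_after": os.path.exists(temp_path)}
    given = os.path.join(directory, "given.inf")                   # a path the caller chose
    inf2 = Inf({"slapd": {"ServerPort": "389"}}, filename=given)
    result["given_removed_before_write"] = inf2.cleanup()          # nothing of ours to remove
    inf2.write(given)
    result["given_mode"] = file_mode(given)
    result["given_removed"] = inf2.cleanup()                       # caller's file: left alone
    result["given_exists"] = os.path.exists(given)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if key.endswith('mode') else value}")
```

The umask is restored in a `finally` so an exception in the write cannot leave the process with a tightened umask; `mkstemp` already creates with 0600 regardless of umask, so the umask mainly protects the explicit-path branch and anything else written in that window.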
* 591336 - Implementing upgrade DN format tool (Noriko Hosoi, 2010-05-17; 4 files, -0/+213)
  Change description:
  . adding upgradednformat utility to each server instance.
  . adding 91upgradednformat.pl for in-place-upgrade.
  . implementing ldbm_back_upgradednformat sharing the import/reindexing codes.
  . adding a new DBVERSION ID "dn-4514" for the upgraded db.
  . fixing access logs (delete.c and modify.c)
  . fixing compiler warnings.
  . fixing memory leaks.
  . fixing a bug in syntax plugin to free strings.
  . adding templates for plugin id, version, vendor, and description, which are needed for the online upgrade.
  . dbversion_write takes an additional bit flags, which indicates which extra DBVERSION strings are written to the DBVERSION file. It was introduced for the upgrade tools not to intervene each other's tasks (e.g., dn2rdn for converting entrydn to entryrdn and upgradednformat for upgrading the DN format).
  . fixing a bug in entryrdn index code which was missing to normalize RDN.
  See also:
  https://bugzilla.redhat.com/show_bug.cgi?id=591336
  http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format#Migration.2FUpgrade
* Bug 586571 - DS Console shows escaped DNs (Rich Megginson, 2010-05-05; 1 file, -1/+1)
  https://bugzilla.redhat.com/show_bug.cgi?id=586571
  Resolves: bug 586571
  Bug Description: DS Console shows escaped DNs
  Reviewed by: nkinder (Thanks!)
  Branch: HEAD
  Fix Description: In order for the console fix to be used to manage the correct directory server, the directory server needs to be able to specify the ds console jar file version down to 3 digits, as opposed to the current two digits. To support this, instead of overriding PACKAGE_BASE_VERSION, a new configure macro is introduced - CONSOLE_VERSION. This value is set in VERSION.sh, so it can be easily updated, and it is used to set the value for BaseVersion in slapd.inf, which is what the admin server setup uses to set the ds console jar file version corresponding to the directory server.
  Platforms tested: RHEL5 x86_64, Fedora 12
  Flag Day: no
  Doc impact: no
* Bug 542570 - Directory Server port number is not validated in the beginning. (Endi S. Dewata, 2010-04-26; 3 files, -2/+7)
  https://bugzilla.redhat.com/show_bug.cgi?id=542570
  Resolves: bug 542570
  Bug Description: Directory Server port number is not validated in the beginning.
  Fix Description: The code has been modified to validate the port value from the beginning of the string to the end to ensure that it only contains digits and to generate the appropriate error message.
  Reviewed by: rmeggins (and pushed)
* Update to New DN Format (Noriko Hosoi, 2010-04-26; 2 files, -2/+2)
  Fix Description:
  . adding slapi_dn_normalize_ext and its siblings to normalize/validate invalid DNs; deprecating slapi_dn_normalize and its siblings. (dn.c)
  . replacing slapi_dn_normalize with new corresponding functions.
  . normalizing hardcoded DNs (e.g., removing spaces around ',')
  . setting correct DN syntax to nsslapd-suffix, nsslapd-ldapiautodnsuffix, costemplatedn, nsslapd-changelogsuffix, nsBaseDN, nsBindDN
  . if nsslapd-dn-validate-strict is enabled, incoming DN is examined and rejected if it is invalid. Once approved, the DN is normalized.
  . fixing compiler warnings and typos.
  See also: http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format
  Related bugs:
  Bug 199923 - subtree search fails to find items under a db containing special characters
  Bug 567968 - subtree/user level password policy created using 389-ds-console doesn't work.
  Bug 570107 - The import of LDIFs with base-64 encoded DNs fails, modrdn with non-ASCII new rdn incorrect
  Bug 570962 - ns-inactivate.pl does not work
  Bug 572785 - DN syntax: old style of DN <type>="<DN>",<the_rest> is not correctly normalized
  Bug 573060 - DN normalizer: ESC HEX HEX is not normalized
  Bug 574167 - An escaped space at the end of the RDN value is not handled correctly
* Bug 584156 - Remove ldapi socket file during upgrade (Nathan Kinder, 2010-04-21; 1 file, -0/+23)
  The ldapi socket file is only removed when ns-slapd is started since the server does not have permission to remove it at shutdown. This causes issues when upgrading to a recent version that has SELinux policy since the newly confined ns-slapd daemon will not be allowed to remove the old ldapi socket file since it doesn't have a dirsrv specific label.
  To deal with this, I've added an upgrade scriptlet that will remove the ldapi socket file. When the newly confined ns-slapd starts up, it will create a new socket file with the proper label.
* Bug 566043 - startpid file is only cleaned by initscript runs (Endi S. Dewata, 2010-04-06; 1 file, -0/+1)
  https://bugzilla.redhat.com/show_bug.cgi?id=566043
  Resolves: bug 566043
  Bug description: startpid file is only cleaned by initscript runs
  Fix description: The start-dirsrv script has been modified to remove the startpid file if the server starts successfully.
  Reviewed by: rmeggins (and pushed by)
* Bug 572355 - Label instance files and ports during upgrade. (Nathan Kinder, 2010-04-06; 2 files, -3/+6)
  The instance files and ports need to be labelled with the proper SELinux contexts during an upgrade. This patch exports the routine used to update the policy during regular setup so we can use it when upgrading.
* Allow instance name to be parsed from start-slapd (Nathan Kinder, 2010-04-01; 3 files, -27/+42)
  The admin server CGIs need to be able to easily parse the instance name from the start-slapd script. Recent format changes have caused the existing parsing to break, so this patch makes the parsing of the instance name easier.
  To deal with the change in start-slapd format for an upgraded instance, I have changed the setup code to regenerate all of the instance scripts during an upgrade instead of simply adding missing scripts. This is needed for any bug fix that modifies a script template to work for an upgraded instance.
  I also added code to write the instance sysconfig script during upgrade if it doesn't exist already. We don't want to overwrite this file if it already exists since it's designed for local changes to be made to it.
* Bug 570542 - Root password cannot contain matching curly braces (Endi S. Dewata, 2010-03-11; 2 files, -2/+2)
  https://bugzilla.redhat.com/show_bug.cgi?id=570542
  Resolves: bug 570542
  Bug Description: Root password cannot contain matching curly braces
  Branch: HEAD
  Fix Description: The scripts have been modified to check for matching curly braces only at the beginning of the password. Matching curly braces anywhere else would be accepted as a valid password.
* Bug 538525 - Ability to create instance as non-root user (Endi S. Dewata, 2010-03-11; 9 files, -78/+145)
  https://bugzilla.redhat.com/show_bug.cgi?id=538525
  Resolves: bug 538525
  Bug Description: Ability to create instance as non-root user
  Branch: HEAD
  Fix Description: By default for root user the init config file will be stored in /etc/sysconfig and for non-root user it will be stored in $HOME/.dirsrv folder.
  A new parameter [slapd] initconfig_dir is added to the .inf file to specify a non-default folder for the init config folder. This folder must exist prior to running the DS tools. The folder can also be specified via setup-ds.pl command-line parameter slapd.initconfig_dir.
  A new parameter -d is added to the start-dirsrv, restart-dirsrv, and stop-dirsrv to specify the non-default init config folder.
  A new parameter --initconfig_dir is added to remove-ds.pl to specify the non-default init config folder.
  The templates for start-slapd, restart-slapd, stop-slapd scripts have been modified to specify the init config folder.
* Bug 571514 - upgrade to 1.2.6 should upgrade 05rfc4523.ldif (cert schema) (Rich Megginson, 2010-03-08; 1 file, -1/+1)
  https://bugzilla.redhat.com/show_bug.cgi?id=571514
  Resolves: bug 571514
  Bug Description: upgrade to 1.2.6 should upgrade 05rfc4523.ldif (cert schema)
  Reviewed by: nhosoi (Thanks!)
  Branch: HEAD
  Fix Description: Added 05rfc4523.ldif to the list of schema to upgrade.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* Bug 545620 - Password cannot start with minus sign (Endi S. Dewata, 2010-03-03; 1 file, -1/+1)
  https://bugzilla.redhat.com/show_bug.cgi?id=545620
  Previously getopt would interpret initial '-' in root password as an option which could lead to setup failure. Now a special argument '--' has been added before the password to distinguish it from other options.
* Bug 568196 - Install DS8.2 on Solaris fails - part 2 (Rich Megginson, 2010-02-26; 11 files, -16/+16)
  https://bugzilla.redhat.com/show_bug.cgi?id=568196
  Resolves: bug 568196
  Bug Description: Install DS8.2 on Solaris fails - part 2
  Reviewed by: self
  Branch: HEAD
  Fix Description: Add pcre_libdir to all script wrappers that call ns-slapd, such as ldif2db, etc.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
  (cherry picked from commit 24245075d03955f26b6c827b123ac002ff16c012)
* Bug 568196 - Install DS8.2 on Solaris fails (Rich Megginson, 2010-02-26; 1 file, -2/+2)
  https://bugzilla.redhat.com/show_bug.cgi?id=568196
  Resolves: bug 568196
  Bug Description: Install DS8.2 on Solaris fails
  Reviewed by: nhosoi (Thanks!)
  Branch: HEAD
  Fix Description: Add pcre_libdir to script wrappers for programs that use pcre
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
  (cherry picked from commit 3d27198f45b4b25df667d3f86dce66a44f4bc65d)
* 560827 - Admin Server templates: DistinguishName validation fails (Noriko Hosoi, 2010-02-03; 1 file, -0/+31)
  https://bugzilla.redhat.com/show_bug.cgi?id=560827
  Description: adding a perl subroutine dnEscape to escape special characters and eliminate spaces around ',', which is to make the given dn compliant with RFC4514.
* Allow modrdn to move subtree and rename non-leaf node (Noriko Hosoi, 2010-01-22; 3 files, -1/+77)
  This patch includes
  - replacing the entrydn index with the entryrdn index
  - replacing a full DN in each entry in the DB with an RDN
  - extending Slapi_Entry, entry2str, and str2entry to absorb the changes made on the entry
  - adding DN/RDN helper functions
  - adding DN cache
  - adding a utility and a migration script to convert the DN format database to the RDN format
  - extending a database dump utility dbscan to support the entryrdn
  - slapi_dn_syntax_check by nkinder@redhat.com is added to check the dn before modify operations
  - bug fix for 171338 - Enhancement: winsync modrdn not synced
  In addition to the above, compile warnings and memory leaks found in testing the new feature are fixed.
  For more details, see the feature design document at: http://directory.fedoraproject.org/wiki/Subtree_Rename
  and bugzilla at: https://bugzilla.redhat.com/show_bug.cgi?id=171338
* rhds81 hub with 71 master - err=32 on replica base search during replication (Rich Megginson, 2010-01-14; 1 file, -1/+2)
  https://bugzilla.redhat.com/show_bug.cgi?id=509201
  Resolves: bug 509201
  Bug Description: rhds81 hub with 71 master - err=32 on replica base search during replication
  Reviewed by: nhosoi (Thanks!)
  Branch: HEAD
  Fix Description: This patch doesn't fix the problem, but it makes it less likely to occur in the future. The problem is that we are not consistent about using normalized DNs everywhere. Without using a normalized DN, it is impossible to construct a DN containing another DN (e.g. cn="dc=example, dc=com", cn=mapping tree, cn=config) that another client can match on. This patch at least forces setup to use a normalized DN for the suffix.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: Yes - we will need to document what to do when running into this problem, as in the workaround in the bug report
* Bug 518084 - Fix out of order retro changelog entries (Nathan Kinder, 2009-12-15; 1 file, -0/+4)
  When using the retro changelog plugin, post-op plugins that perform internal operations (such as memberOf) can result in the internal operation preceding the original operation in the changelog. The fix is to give the retro changelog a higher precedence than the other post-op plugins. This required some core server changes to be made around the plugin precedence to allow an object plugin to pass its precedence into its calls to slapi_register_plugin() when it registers other plugin types.
  I added an update LDIF to set the plugin precedence when running "setup-ds.pl -u". I also noticed an AVC when restarting after the update due to the schema.bak directory that is created. I've adjusted the dirsrv SELinux policy to deal with this AVC.
* Add Named Pipe Log Script, plugins, man page (Rich Megginson, 2009-11-25; 3 files, -0/+518)
  The Named Pipe Log Script allows you to replace a log file with a named pipe attached to a script. The server can then send the log output to a script instead of to a log file. This allows you to do many different things such as:
  * log only certain events e.g. failed binds, connections from certain ip addresses, etc.
  * log only lines that match a certain pattern
  * log only the last N lines - useful for enabling full error log debug levels in production environments
  * send an email or other notification when a certain event is detected
  The script is written in python, and allows plugins. By default, the script will log the last N lines (default 1000). There are two plugins provided - one to log only failed bind attempts, and one that will log only lines that match given regular expressions.
  Reviewed by: nkinder (Thanks!) - found a bug in a comment
  Resolves: bug 486171
  Bug Description: [RFE] Access log - Failed binds
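The two plugin behaviours this commit describes (keep only the last N lines; log only failed binds), as an added example in Python. This is not the project's script or its plugins. It pairs each BIND line with the RESULT line carrying the same conn/op pair, which is how a failed bind shows up in the 389 access log (err=49 is invalidCredentials); the log lines are constructed samples in that layout, not a real log, and the record shape returned is an assumption.

```python
"""Filtering 389 access-log lines the way a named-pipe log plugin would.

Added example in Python (the language of the commit's script, but this is
not that script or its plugins). It keeps only the last N lines in a ring
buffer and reports failed BIND attempts by pairing each BIND line with the
RESULT line carrying the same conn/op pair. SAMPLE_LOG is constructed in
the 389 access-log layout; it is not a real log.
"""
import collections
import re

SAMPLE_LOG = """\
[24/Sep/2009:10:00:01 -0600] conn=1 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[24/Sep/2009:10:00:01 -0600] conn=1 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[24/Sep/2009:10:00:01 -0600] conn=1 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Sep/2009:10:00:02 -0600] conn=2 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2009:10:00:02 -0600] conn=2 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2009:10:00:03 -0600] conn=2 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=bob)" attrs=ALL
[24/Sep/2009:10:00:03 -0600] conn=2 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2009:10:00:04 -0600] conn=1 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[24/Sep/2009:10:00:04 -0600] conn=1 op=1 RESULT err=49 tag=97 nentries=0 etime=0
"""

# [timestamp] conn=N [op=N] <rest>; the "connection from" line has no op=
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT err=(?P<err>\d+)")


class LastN:
    """Ring buffer of the most recent lines (the script's default behaviour)."""

    def __init__(self, n):
        self.lines = collections.deque(maxlen=n)

    def feed(self, line):
        self.lines.append(line)

    def dump(self):
        return list(self.lines)


class FailedBindFilter:
    """Emit one record per BIND whose RESULT carries a non-zero err."""

    def __init__(self):
        self.pending = {}   # (conn, op) -> (timestamp, bind dn) for BINDs awaiting a RESULT
        self.failed = []

    def feed(self, line):
        m = LINE_RE.match(line)
        if not m or m["op"] is None:
            return None
        key = (m["conn"], m["op"])
        b = BIND_RE.match(m["rest"])
        if b:
            self.pending[key] = (m["ts"], b["dn"] or "<anonymous>")
            return None
        r = RESULT_RE.match(m["rest"])
        if r and key in self.pending:
            ts, dn = self.pending.pop(key)
            err = int(r["err"])
            if err != 0:
                rec = {"ts": ts, "conn": int(key[0]), "dn": dn, "err": err}
                self.failed.append(rec)
                return rec
        return None


def scan(text, keep_last=3):
    """Run both plugins over a log text; returns (failed bind records, last N lines)."""
    ring, binds = LastN(keep_last), FailedBindFilter()
    for line in text.splitlines():
        ring.feed(line)
        binds.feed(line)
    return binds.failed, ring.dump()


def failures_per_dn(text):
    """Count failed binds by DN, the kind of summary a notification plugin would send."""
    return collections.Counter(rec["dn"] for rec in scan(text)[0])


if __name__ == "__main__":
    failed, tail = scan(SAMPLE_LOG)
    for rec in failed:
        print("failed bind:", rec)
    print("last lines:", *tail, sep="\n  ")
```

Reading from the FIFO itself is the same loop with `open(fifo_path)` in place of `splitlines()`; the pairing state is per (conn, op) so interleaved connections, as in the sample, are handled correctly.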
* Make removeds.pl remove instance initconfig script (tag 389-ds-base-1.2.4; Nathan Kinder, 2009-10-29; 1 file, -0/+10)
  When removing an instance, we need to be sure to remove the instance specific initconfig script.
* Bug 529258 - Make upgrade remove obsolete schema from 99user.ldif (Nathan Kinder, 2009-10-28; 2 files, -1/+138)
  Due to a previously fixed bug (bz 474254), standard schema may have been duplicated in 99user.ldif. When running an upgrade, we need to check the 99user.ldif file to see if any obsolete standard schema is defined there and remove it.
  This patch makes upgrade backup the original 99user.ldif, and scans it to see if any of the obsolete attributeTypes or objectClasses attributes that we are removing from the standard schema exist in 99user.ldif. We trim the obsolete definitions and write out a new 99user.ldif with the proper permissions.
* BZ 221905 - Add SMD5 password storage support. (Nathan Kinder, 2009-10-26; 1 file, -0/+8)
  This adds SMD5 password storage support to the existing password storage plug-in. An upgrade LDIF has been added to ensure that this new functionality will be available to servers that are upgraded from previous versions.
* Expose dirsrv SELinux policy interface. (Nathan Kinder, 2009-10-15; 1 file, -1/+15)
  This adds a number of interface macros to the dirsrv SELinux policy module. These macros are intended for use by the Administration Server SELinux policy that is currently being developed.
  I also made some changes to the setup code that labels newly created directories. When the first instance is created, some top-level directories are created that were not being labeled properly.
* more updates - add missing rundir - remove ldapiautodnsuffix (tag 389-ds-base-1.2.3; Rich Megginson, 2009-10-07; 2 files, -0/+51)
  Some older releases did not have nsslapd-rundir - upgrading from those releases will cause the server not to start - we must add nsslapd-rundir if it is missing
  We also got rid of nsslapd-ldapiautodnsuffix, so remove that from the config - it doesn't hurt anything to leave it, but the error message is annoying
  I also added back a mostly truncated version of 28pilot.ldif because some apps still use pilotObject - those apps should change to use a different objectclass ASAP.
  Tested on Fedora 11 i386 and x86_64
  Reviewed by: nkinder (Thanks!)
* Add minimum SSF setting (Nathan Kinder, 2009-09-30; 1 file, -0/+1)
  This adds a new configuration setting to the cn=config entry named nsslapd-minssf. This can be set to a non-negative integer representing the minimum key strength required to process operations. The default setting will be 0. The SSF for a particular connection will be determined by the key strength cipher used to protect the connection. If the SSF used for a connection does not meet the minimum requirement, the operation will be rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along with a message stating that the minimum SSF was not met.
  Notable exceptions to this are operations that attempt to protect a connection. These operations are:
  * SASL BIND
  * startTLS
  These operations will be allowed to occur on a connection with a SSF less than the minimum. If the results of these operations end up with a SSF smaller than the minimum, they will be rejected. Additionally, we allow UNBIND and ABANDON operations to go through.
  I also corrected a few issues with the anonymous access switch code that I noticed while testing. We need to allow the startTLS extended operation to go through when sent by an anonymous user since it is common to send startTLS prior to a BIND to protect the credentials. I also noticed that we were using the authtype from the operation struct to determine if a user was anonymous when we really should have been using the DN. This was causing anonymous operations to get through on SSL/TLS connections.
* Updated man page with the new update options and documentation. (Rich Megginson, 2009-09-30; 1 file, -1/+1)
* Config schema not included in core schema (Rich Megginson, 2009-09-29; 2 files, -2/+3)
  https://bugzilla.redhat.com/show_bug.cgi?id=520921
  Resolves: bug 520921
  Bug Description: Config schema not included in core schema
  Reviewed by: nkinder (Thanks!)
  Fix Description: Just had to move a few schema from 02common and 30ns-common into 01core389.ldif. I also added 01core389.ldif to the list of schema installed when install_full_schema=0 is specified with setup-ds.pl. I also added these schema files to the list of schema files to upgrade. With these changes, the server starts up fine. The only error is this:
  [29/Sep/2009:16:47:53 -0600] - Entry "cn=PAM Pass Through Auth,cn=plugins,cn=config" has unknown object class "pamConfig"
  This is because the pam pass through plugin is included in the default config. I'd rather not move that schema file. That plugin can be removed from the default config during setup by specifying a slapd.ConfigFile directive with contents like this:
  dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
  changetype: delete
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* Allow anonymous access to be disabled. (Nathan Kinder, 2009-09-24; 1 file, -0/+1)
  This adds a new config switch (nsslapd-allow-anonymous-access) that allows one to restrict all anonymous access. When this is enabled, the connection dispatch code will only allow BIND operations through for an unauthenticated user. The BIND code will only allow the operation through if it's not an anonymous or unauthenticated BIND.
  I also fixed a missing capability in the SELinux policy that I ran into while testing this patch.
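The dispatch rules from this commit and from the minimum SSF commit above, as one added example in Python (ns-slapd is C; this is not the server's code). It encodes exactly the exceptions the two messages list: below the minimum SSF only SASL BIND, startTLS, UNBIND and ABANDON pass, and the negotiated SSF is checked again afterwards; with anonymous access disabled, an unbound connection may only send a non-anonymous BIND or startTLS, judged by DN rather than authtype. The Config/Connection/Operation shapes, the result code returned for a refused anonymous operation, and letting UNBIND through in that mode are assumptions, not details from the commits.

```python
"""Connection-level gate for nsslapd-minssf and nsslapd-allow-anonymous-access.

Added example in Python (ns-slapd is C; this is not the server's code).
The Config/Connection/Operation shapes, the result code used when an
anonymous operation is refused, and the UNBIND pass-through in that mode
are assumptions; the rest follows the two commit messages.
"""
from dataclasses import dataclass

LDAP_SUCCESS = 0
LDAP_INAPPROPRIATE_AUTH = 48
LDAP_UNWILLING_TO_PERFORM = 53
START_TLS_OID = "1.3.6.1.4.1.1466.20037"


@dataclass
class Config:
    minssf: int = 0                       # nsslapd-minssf
    allow_anonymous_access: bool = True   # nsslapd-allow-anonymous-access


@dataclass
class Connection:
    ssf: int = 0        # key strength of the protection currently on the connection
    bound_dn: str = ""  # "" means unauthenticated; anonymity is judged by DN, not authtype


@dataclass
class Operation:
    kind: str           # BIND, SRCH, MOD, ADD, DEL, EXTOP, UNBIND, ABANDON
    bind_dn: str = ""   # BIND only: "" is an anonymous bind
    sasl: bool = False  # BIND only: SASL mechanism rather than simple
    oid: str = ""       # EXTOP only


def is_start_tls(op):
    return op.kind == "EXTOP" and op.oid == START_TLS_OID


def check_minssf(cfg, conn, op):
    """Refuse operations below the minimum SSF, except those that can raise it."""
    if conn.ssf >= cfg.minssf or op.kind in ("UNBIND", "ABANDON"):
        return LDAP_SUCCESS
    if (op.kind == "BIND" and op.sasl) or is_start_tls(op):
        return LDAP_SUCCESS
    return LDAP_UNWILLING_TO_PERFORM


def check_negotiated_ssf(cfg, negotiated_ssf):
    """After SASL BIND or startTLS completes, the resulting SSF must itself meet the minimum."""
    return LDAP_SUCCESS if negotiated_ssf >= cfg.minssf else LDAP_UNWILLING_TO_PERFORM


def check_anonymous(cfg, conn, op):
    """With anonymous access off, an unbound connection may only BIND (non-anonymously) or startTLS."""
    if cfg.allow_anonymous_access or conn.bound_dn:
        return LDAP_SUCCESS
    if is_start_tls(op) or op.kind == "UNBIND":     # UNBIND pass-through is an assumption
        return LDAP_SUCCESS
    if op.kind == "BIND":
        return LDAP_SUCCESS if op.bind_dn else LDAP_INAPPROPRIATE_AUTH
    return LDAP_UNWILLING_TO_PERFORM                 # result code is an assumption


def dispatch(cfg, conn, op):
    """Apply both gates in order; the first failing check decides."""
    for check in (check_minssf, check_anonymous):
        rc = check(cfg, conn, op)
        if rc != LDAP_SUCCESS:
            return rc
    return LDAP_SUCCESS


if __name__ == "__main__":
    cfg = Config(minssf=128, allow_anonymous_access=False)
    clear = Connection(ssf=0)
    print("search over clear text :", dispatch(cfg, clear, Operation("SRCH")))
    print("startTLS over clear    :", dispatch(cfg, clear, Operation("EXTOP", oid=START_TLS_OID)))
    print("anonymous bind on TLS  :", dispatch(cfg, Connection(ssf=256), Operation("BIND")))
```

Note the ordering: a simple BIND over a clear-text connection is refused by the SSF gate before the anonymous gate ever sees it, which is the behaviour the minssf commit wants (credentials must not be sent until startTLS has raised the SSF).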
* 389-ds-base/glibmm24: conflicting perl provides (Rich Megginson, 2009-09-21; 12 files, -19/+18)
  https://bugzilla.redhat.com/show_bug.cgi?id=523476
  Resolves: bug 523476
  Bug Description: 389-ds-base/glibmm24: conflicting perl provides
  Reviewed by: nhosoi (Thanks!)
  Files: see diff
  Fix Description: Rename "Util" to "DSUtil"
  Platforms tested: Fedora 11 x86_64
  Flag Day: no
  Doc impact: no
* Add update code - make setup-ds.pl -u do updates (Rich Megginson, 2009-09-21; 38 files, -93/+1442)
  Updates are implemented in:
  perl - code that plugs in to setup - scriptlets that are imported into the setup perl interpreter and executed in process, giving access to all of the packages and context provided by setup
  ldif - applied to instances, in the same manner as ConfigFile directives to setup
  other - any executable file, shell script, etc. can be invoked, with a limited amount of context from the setup process
  An update directory is added to the package - /usr/share/dirsrv/update - this directory contains the update files - the update filenames begin with two digits and are executed in numeric order (00 first, then 01, etc. up to 99) which should provide enough flexibility
  In addition, there are 5 stages of update:
  pre - invoked before any instance specific code
  preinst, runinst, postinst - invoked for each instance
  post - invoked after any instance specific code
  Example files are provided which demonstrate how to get the context.
  There are two different modes of operation for update:
  online - must supply a bind dn and password for each instance - servers must be up and running
  offline - operates directly on the dse.ldif - servers must be shutdown first
  A new section is added to the .inf file that can be passed in
  [slapd-instancename]
  RootDN = binddn
  RootDNPwd = bindpw
  The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.
  I also fixed some problems with error messages. The pam pta plugin entry was giving object class violations, so I added the missing attributes - note that these are replaced by the plugin code when the plugin is loaded - they are only needed during setup.
  Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which means if you use it in an outer context, you cannot use it in an inner context, even if it is used in a different function. Rather than attempting to figure out how to use $_ safely in lower level functions, I just removed the use of it altogether, which also makes the code easier to read.
  Reviewed by: nhosoi (Thanks!) - fixed minor issues found
  Platforms tested: Fedora 11
* Add selinux policy for ns-slapd (Nathan Kinder, 2009-09-09; 4 files, -4/+111)
  This adds a "dirsrv" selinux policy module to confine the ns-slapd daemon. The setup and migration perl modules were changed to take care of any relabeling of installed files if selinux support was compiled in. The build system now takes a "--with-selinux" option that will compile the dirsrv policy module and enable any selinux specific setup code.
  To use the dirsrv policy module, the module will need to be loaded using the semodule utility. It is also necessary to relabel the installed files using restorecon after performing a make install. All of this will be taken care of in the spec file in the case of an RPM package.
* Add centralized start/stop/restart scripts. (Nathan Kinder, 2009-08-14; 9 files, -128/+292)
  This adds centralized start, stop, and restart scripts for ns-slapd. These scripts live in the sbin directory and will act upon all instances if an instance identifier is not specified (similar to the init script). The instance specific scripts have been modified to call the new centralized scripts.
  The instance specific parameters needed by the new scripts are located in the instance specific initconfig scripts, which are now created by setup-ds.pl with values mapped from the inf file.
* Change default branding to 389 - remove lite code (Rich Megginson, 2009-08-11; 2 files, -4/+15)
  The vendor, brand, and capbrand are set in configure - we should use those everywhere rather than have to run some sort of script over the code to change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND to the default defines passed to the compiler, and changed the code to use these defines. And instead of the unintuitively named PRODUCTTEXT macro, we should use the already defined PRODUCT_VERSION. This allowed me to get rid of some code. The version was from a generated file called dirver.h which we don't need anymore, and we don't need the perl script dirver.pl which generated it. The vendor string was coming from the dirlite header file. So I also used this as an excuse to get rid of all references to dirlite once and for all (yay!).
  For the places in plain text files which are not substituted, I just used the generic name Dirsrv or Directory Server instead of having an explicit brand and/or version in there.
  Reviewed by: nkinder (Thanks!)
* GroupOfUniqueNames in template.ldif must have uniqueMember (Noriko Hosoi, 2009-07-31; 1 file, -0/+1)
  %rootdn% (Directory Manager) has all rights on every entry by nature. Thus, it is not needed to give any acis. This template has several groupOfUniqueNames objects which MUST have uniqueMember. At this moment, there is no entry which could be a uniqueMember. Just to satisfy the objectclass, set %rootdn% to uniqueMember of the objectclass.
* Entry USN (Noriko Hosoi, 2009-07-21; 1 file, -0/+180)
  First cut for implementing Entry USN. See http://directory.fedoraproject.org/wiki/Entry_USN for the design details.
  This change includes a bug fix for "db2ldif -r"; event queue system was not shutdown before the plugins are closed, which could have crashed the command line utility.
* Use LDAPv3 DN values in ns-newpwpolicy script. (Nathan Kinder, 2009-07-21; 1 file, -9/+13)
  The DNs used by the ns-newpwpolicy script to refer to the pwpolicy subentries are not legal. We need to escape ',' chars in the value instead of just trying to use double-quotes around the value.
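The escaping this commit and the dnEscape commit above (560827) both call for, as one added example in Python; the project's dnEscape is Perl and is not reproduced on this page. `escape_value` applies the RFC 4514 rules for a value that is embedded in a string DN (reserved characters, leading `#` or space, trailing space, NUL), `split_rdns` splits only at unescaped commas, and `normalize_dn_spaces` removes the whitespace around the RDN separator without touching escaped commas or an escaped trailing space. `pwpolicy_subentry_dn` is an assumed illustration of the ns-newpwpolicy case; its extra escaping of `=` mirrors the style of the server's own DNs shown elsewhere on this page (`cn=uid\=...`) and is not required by the RFC.

```python
"""RFC 4514 escaping and separator-whitespace normalization for DNs.

Added example in Python; the project's dnEscape is Perl and not on this
page. pwpolicy_subentry_dn is an assumed layout, and escaping '=' there
goes beyond what RFC 4514 requires.
"""

RFC4514_SPECIAL = set('"+,;<>\\')


def escape_value(value, extra=""):
    """Escape an attribute value for use inside a string DN (RFC 4514 section 2.4)."""
    special = RFC4514_SPECIAL | set(extra)
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                              # NUL must be hex-escaped
        elif ch in special:
            out.append("\\" + ch)
        elif (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)                           # leading space/#, trailing space
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn):
    """Split a string DN at the commas that are not escaped.

    A comma preceded by an odd number of backslashes is data, not a separator.
    """
    parts, cur, run = [], [], 0
    for ch in dn:
        if ch == "," and run % 2 == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        run = run + 1 if ch == "\\" else 0
    parts.append("".join(cur))
    return parts


def _rstrip_unescaped(s):
    """Drop trailing spaces, but keep a final space that is escaped (odd backslash run before it)."""
    while s.endswith(" "):
        k, i = 0, len(s) - 2
        while i >= 0 and s[i] == "\\":
            k += 1
            i -= 1
        if k % 2 == 1:
            break
        s = s[:-1]
    return s


def normalize_dn_spaces(dn):
    """Remove whitespace around the RDN separator: 'a , b' -> 'a,b'."""
    return ",".join(_rstrip_unescaped(p.lstrip()) for p in split_rdns(dn))


def pwpolicy_subentry_dn(subtree_dn):
    """Subentry DN whose cn value is itself a DN: escaped, not double-quoted (assumed layout)."""
    inner = escape_value("cn=nsPwPolicyEntry," + subtree_dn, extra="=")
    return f"cn={inner},cn=nsPwPolicyContainer,{subtree_dn}"


if __name__ == "__main__":
    print(escape_value("Smith, John"))
    print(normalize_dn_spaces("cn=Smith\\, John , ou=people , dc=example, dc=com"))
    print(pwpolicy_subentry_dn("ou=people,dc=example,dc=com"))
```

The double-quoted form the commit moves away from (`cn="ou=people,dc=example,dc=com",...`) is LDAPv2 syntax; a parser following RFC 4514 sees the quote as an ordinary character and the unescaped commas as separators, which is why the subentry DNs were not legal.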
* Add linked attributes plug-in. (Nathan Kinder, 2009-06-25; 1 file, -0/+152)
  This patch implements a linked attribute plug-in. Details of the plug-in features and design are available on the 389 wiki at: http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
  In addition, I encountered a memory leak when testing the new plug-in with valgrind. There was a fix to the dse add code for a double free a few months back, which causes a leak in certain situations. This previous fix was for bz#489763. The proper thing to do is to make the dse backend add function consume the passed in entry upon success and leave it for the caller to deal with upon failure. This is the way the back-ldbm add function works.
* Added capability to validate syntax of values being added to the database. (Nathan Kinder, 2009-05-08; 1 file, -0/+163)
  Also added numericstring syntax support. For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
* Resolves: #489360 (Noriko Hosoi, 2009-03-24; 1 file, -0/+2)
  Summary: Replication Bind Failure After Migration from DS 7.1 (comment #10)
  Description: changed to trim trailing slashes of oldsroot and actualsroot at the beginning.
* Resolves: 445602 (tag Directory_Server_8_1_Candidate_20090324; Nathan Kinder, 2009-03-23; 2 files, -0/+148)
  Summary: Fixup replicated schema during migration.
* Resolves: bug 489360 (Rich Megginson, 2009-03-13; 2 files, -6/+23)
  Bug Description: Replication Bind Failure After Migration from DS 7.1
  Reviewed by: nkinder (Thanks!)
  Fix Description: We have to quote shell metacharacters before passing them to the shell. I added a new function shellEscape to use for this purpose. We really should shell escape anything passed to system() or back ticks ``. Certainly passwords should contain shell meta characters so I changed places where we use passwords to use shellEscape to pass them to pwdhash or migratecred. I also chomp() the output of migratecred to remove the trailing newline. With the fix, I was able to run setup with a root password of `~!@#$%^&*()\\|[]{}:;<>?/"\ and successfully authenticate.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
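The quoting problem this fix addresses, as an added example in Python; it is not the project's Perl shellEscape. It shows the vulnerable pattern (interpolating a password into a command string that a shell will parse), a single-quote escaper with the same job as shellEscape, and the stronger option available when the language allows it: an argv list, so no shell parses the value at all. `shlex.split` is used to show what a POSIX shell would make of each command line. The pwdhash arguments are assumed; only the command name and the test password are from the commit.

```python
"""Quoting untrusted strings, such as passwords, before a shell sees them.

Added example in Python; not the project's Perl shellEscape. The pwdhash
argument layout is assumed; the command name and the password come from
the commit message.
"""
import shlex
import subprocess

# the root password the commit reports setting up with after the fix
TRICKY_PASSWORD = '`~!@#$%^&*()\\\\|[]{}:;<>?/"\\'


def shell_escape(arg):
    """Wrap arg in single quotes; an embedded ' becomes '\\'' (close, escaped quote, reopen)."""
    return "'" + arg.replace("'", "'\\''") + "'"


def vulnerable_command(password):
    """Before the fix: the shell, not pwdhash, interprets whatever is in the password."""
    return "pwdhash -s SSHA " + password


def escaped_command(password):
    """The commit's fix: escape every value before it reaches system() or backticks."""
    return "pwdhash -s SSHA " + shell_escape(password)


def argv_command(password):
    """Preferable where possible: no command string, so no shell is involved at all."""
    return ["pwdhash", "-s", "SSHA", password]


def words_seen_by_shell(cmdline):
    """Split cmdline as a POSIX shell would (shlex follows sh quoting rules).

    Returns None when the line cannot be parsed at all, e.g. an unbalanced quote.
    """
    try:
        return shlex.split(cmdline)
    except ValueError:
        return None


def run_argv(argv):
    """Execute argv directly; each element reaches the program byte for byte."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    injected = "x; touch /tmp/pwned"          # constructed hostile password
    print("vulnerable:", words_seen_by_shell(vulnerable_command(injected)))
    print("escaped   :", words_seen_by_shell(escaped_command(injected)))
    print("tricky raw:", words_seen_by_shell(vulnerable_command(TRICKY_PASSWORD)))
    print("tricky esc:", words_seen_by_shell(escaped_command(TRICKY_PASSWORD))[-1] == TRICKY_PASSWORD)
    try:
        print("argv      :", run_argv(["printf", "%s", TRICKY_PASSWORD]) == TRICKY_PASSWORD)
    except FileNotFoundError:
        print("argv      : printf not available on this system")
```

The unescaped command built from the commit's password is not even a parseable shell line (its `"` is unbalanced), and a milder password such as `x; touch /tmp/pwned` turns one argument into three extra words; after escaping, both come through as exactly one argument. In Perl the equivalent of the argv form is the list form of `system()`, which likewise bypasses the shell.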