| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DN syntax has become more restrictive over time, and the
current rules are quite strict. Strict adherence to the rules
defined in RFC 4514, section 3, would likely cause some pain to
client applications. Things such as spaces between the RDN
components are not allowed, yet many people use them still since
they were allowed in the previous specification outlined in RFC
1779.
To deal with the special circumstances around validation of the DN
syntax, a configuration attribute is provided named
nsslapd-dn-validate-strict. This configuration attribute will
ensure that the value strictly adheres to the rules defined in RFC
4514, section 3 if it is set to on. If it is set to off, the server
will normalize the value before checking it for syntax violations.
Our current normalization function was designed to handle DN values
adhering to RFC 1779 or RFC 2253
|
| |
|
|
|
|
| |
Also added numericstring syntax support.
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
|
| |
|
|
| |
Summary: Add config setting to disable unauthenticated binds.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
|
| |
|
|
| |
Summary: Make DNA plug-in auto-extended exhausted ranges.
|
| |
|
|
| |
Summary: Redesigned algorithm used to update memberOf attribute.
|
| |
|
|
| |
Summary: Make memberOf plug-in attributes configurable.
|
| |
|
|
| |
Summary: Added memberOf plug-in config entry to dse.ldif template.
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| |
|
|
|
|
| |
Summary: LDAPI: cleaning up template-ldapi-default.ldif.in and DSCreate.pm.in
Description: Separated auto-bind attributes from the ldapi attributes. Fixed
to store auto-bind attributes in dsel.dif only when auto-bind is enabled.
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: migration : encryption key entries missing when source is 6.21
Reviewed by: self
Fix Description: Just always create those entries when creating the backend. The server does this at startup, but I guess for this case that occurs too late in the startup process.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
| |
Description: tmpwatch whacks stats
Reviewed by: nkinder (Thanks!)
Fix Description: move the snmp slapd.stats file to run_dir (/var/run/dirsrv) and rename to slapd-instance.stats. Had to add nsslapd-rundir to cn=config in order for ldap-agent to be able to get it.
Doc: Yes, we need to document the new attribute nsslapd-rundir.
|
| |
|
|
| |
Summary: Added container entries for sasl mappings.
|
| |
|
|
| |
Summary: Remove hard-coded SASL mappings and use config based regex mappings instead.
|
| |
|
|
|
|
|
|
|
| |
Bug Description: cn equality index missing by default
Reviewed by: nhosoi (Thanks!)
Fix Description: When creating the database instance during dse.ldif processing, we do not create the user defined indexes from the defaults for this backend. This used to work in the old setup code because that code would always add the configuration for the indexes for the new instance. The way it is supposed to work is that a new instance should just copy the default indexes for that backend. This works fine when adding an instance via LDAP but not during startup. I just added a call to have this done during startup. I also removed some obsolete indexes from the default indexes.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Replace ds_newinst binary with perl script
Reviewed by: nhosoi (Thanks!)
Fix Description: The time has come. We can finally get rid of the instance creation C code
once and for all. I've created a DSCreate module that has all of the functionality of the old
create_instance.c code, along with a few items from ldap/admin/lib. The way it works is
this: it first creates the dse.ldif file using template-dse.ldif and the suffix-db template to
create the initial db and suffix. It then adds additional optional configuration depending
on what optional features have been enabled. It creates other config files and copies in
the schema. It then initializes the database. It uses a template file based on the type of
entry implied by the suffix, then adds the default ACIs. If the user chose to do so, it
will also create the ou=people, ou=groups, etc. entries. The user can also supply an LDIF
file which will be used to populate the initial database, in which case none of the default
entries or ACIs will be used. It then starts the server (if desired).
I had to create a function makePaths that works like mkdir -p except that it will chown,
chgrp, and chmod all paths created.
I had to change the other places where instance creation was called to use the new
calling semantics. ds_create changed quite a bit, since it can just use an Inf to pass in the
information instead of calling ds_newinst as a CGI program.
I had to change FileConn to add support for namingContexts (i.e. entries with no parent),
and to have it write each change each time, and to return copies of entries when searching,
to avoid modifying the tree in place. This makes it act much more like LDAP.
I found and fixed a few bugs in Migration along the way that were revealed while integrating
the new DSCreate code.
Platforms tested: RHEL4, FC6
Flag Day: Yes. New instance creation code and autotool changes.
Doc impact: no
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Description: Move DS Admin Code into Admin Server - ldif templates, pwdhash
Reviewed by: nhosoi (Thanks!)
Fix Description: These changes are primarily to allow the admin server setup to run completely in perl with no more setuputil code.
1) Added LDIF templates for DS config. template-dse.ldif is the core minimal directory server configuration. Values can be replaced with parameters in the same style as used with register_server.pl - %token%. For the plugin entries, the plugin shared library name is now just a name. There is no more full path. The code in dynalib.c handles this case by using the compiled in PLUGINDIR. The NSPR function PR_GetLibraryName knows the correct shared lib suffix for the platform. All of this allows us to do 2).
2) Added ability to run pwdhash with no server configuration. If no configuration is given, it uses the template-dse.ldif above. And instead of having to worry about where the plugins are installed and the shared lib suffix, it just depends on the above changes. This allows us to generate password hashes during setup before the directory server instance is created, and also to keep clear text password usage to a minimum.
3) Added defaultuser and defaultgroup.
4) Added support for continuation lines in Inf files.
5) All user visible messages during setup should be localizable
Platforms tested: RHEL4
Flag Day: Yes, autotool file changes.
Doc impact: Yes, along with the previous fixes for this bug.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
. removed the dependency on DBM
. Updated components' RELDATEs.
. Console jar file name adjustment: <brand>-<comp>-<dotversion>.jar
. Fix for HP-UX IPF
. Use non-branded SetupUtil; add resource file to change branding
. Updated the code to call createSIE so that the right brand is passed to SetupUtil.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Change ldapserver version to 1.0
Reviewed by: Noriko (Thanks!)
Fix Description: This also fixes some lingering build issues involving
perldap, which is no longer a separate setup package, but just gets
included into DS in a similar manner to nspr, nss, etc.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Get rid of nsperl; use perldap with system perl
Reviewed by: Noriko, Rob, Nathan (Thanks!)
Branch: HEAD
Fix Description: All perl scripts are made executable by using the
#!/usr/bin/env perl *nix trick. This means that the correct version of
perl must be in the user's PATH e.g. 5.6.1 or later. This version is
either shipped with the OS or available on all platforms. On HP/ux, it
is available as a depot which is installed in /opt/perl. For CGI perl
scripts, the PATH can be set in the admserv.conf, so we may have to do
that for HP/ux. To make perldap work, some ugly hacks are involved.
Each perl script that uses perldap has a BEGIN section that figures out
where it is in the server root, sets a server root variable, and sets
LD_LIBRARY_PATH and SHLIB_PATH to point to serverroot/shared/lib.
Perldap will be installed under serverroot/lib/perl. This directory
will have 3 subdirectories: arch - containing the binary files; auto -
containing autoloaded perl modules; and Mozilla - containing the base
perldap .pm files. The BEGIN section also sets the perl INC path to
find those modules. The directory gets rid of nsperl plus a lot of old
crufty perl building code that we do not use anymore. Those are the
removed files. The admin server code also gets rid of the perl.c wrapper.
Noriko pointed out that this does not take care of upgrade install, so I
added several more files and diffs to take care of that case.
Basically, go through the tasks in o=netscaperoot and replace
perl?scriptname with just scriptname. Also, go through all of the
template generated scripts and replace the shebang line with
#!/usr/bin/env perl, and make sure they are chmod +x. I also found a
few more places that referenced nsperl and removed them.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
1) Brandx -> Fedora
2) Pick up new internal component set (Admin SDK, Setup SDK, Admin Server)
3) Use JRE from the Admin Server package
4) Docs
a) Componentize Docs
b) Rebrand Docs
c) Drop packaging Administration Guide in the external version
|
| | |
|
| | |
|
|
|
(foxworth)
|
