| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
The new repl sesssion API will crash when adding a replication agreement.
It should check to see if there is a repl session api before attempting
to get the init function.
Reviewed by: nhosoi
Branch: HEAD
Platforms tested: RHEL5 x86_64
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=593899
Fix Description: There was a bug if an invalid syntax acl was given
(e.g., the value of userdn was not double quoted), normalize_nextACERule
mistakenly continued processing the acl and eventually tried to
allocate a huge size of memory (since the end address was less
than the start address, end - start became negative) and it made
the server quit. Added more error handling code to prevent such
failures.
|
| |
|
|
|
| |
The previous patch had a mangled function name in
the function prototype. This corrects the name.
|
| |
|
|
|
|
|
|
| |
This adds the ability to write a plug-in to register callbacks for
controlling when replication is allowed to occur. For details,
please see the design document at:
http://directory.fedoraproject.org/wiki/Replication_Session_Hooks
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=593110
Fix description:
ldap/servers/slapd/back-ldbm/dblayer.c -- A memory area that
stores nsslapd-directory was shared between 2 structures:
struct ldbminfo and dblayer_private. In dblayer_post_close,
dblayer_private is released but not struct ldbminfo. The
latter does not know the memory area is freed. This fix
changes it so that each structure has its own copy.
ldap/servers/plugins/acl/acl.c -- A variable result_status
had a chance to be evaluated w/o an initialization.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Change description:
. adding upgradednformat utility to each server instance.
. adding 91upgradednformat.pl for in-place-upgrade.
. implementing ldbm_back_upgradednformat sharing the import/
reincexing codes.
. adding a new DBVERSION ID "dn-4514" for the upgraded db.
. fixing access logs (delete.c and modify.c)
. fixing compiler warnings.
. fixing memory leaks.
. fixing a bug in syntax plugin to free strings.
. adding templates for plugin id, version, vendor, and description,
which are needed for the online upgrade.
. dbversion_write takes an additional bit flags, which indicates
which extra DBVERSION strings are written to the DBVERSION file.
It was introduced for the upgrade tools not to intervene each
other's tasks (e.g., dn2rdn for converting entrydn to entryrdn
and upgradednformat for upgrading the DN format).
. fixing a bug in entryrdn index code which was missing to normalize
RDN.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=591336
http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format#Migration.2FUpgrade
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch allows one to set multiple dnaType attributes for a single
DNA range. This allows the same value to be used for each dnaType
(such as ensuring the uidNumber and gidNumber are the same value
from the range when ading a posixAccount).
There are some differences with the way DNA works for multi-type
ranges. For a value to be generated from a multi-type range, the
magic value must be specified to indicate which attributes should
use the newly generated value. This allows a range to be shared
across different entry types (such as having a uidNumber/gidNumber
range that is used or posixAccount and posixGroup entries). A
multi-type range will not generate a value for missing attributes
as DNA does for single-type ranges.
Since a range can have multiple types, the internal ordering of
config structs had to be changed to order by scope only. It was
previously ordered by type and then scope, which allowed us to
easily detect if we had already generated a value for a given type.
This change required a number of helper functions to be added for
tracking and checking which types we have already generated values
for.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=585905
Bug Description:
targattrfilters takes this format of value:
(targattrfilters="add=attr1:F1 && attr2:F2... &&
attrn:Fn,del=attr1:F1 && attr2:F2 ... && attrn:Fn")
The ACL plugin code had blindly expected the value contains
the operator "add" or "del" and '=' to concatenate the
attribute and filter pair. The plugin should have checked
the possibility that the value does not follow the format.
Fix Description:
If '=' is not included in the targattrfilters value, the
ACL parser returns ACL_SYNTAX_ERR. Also, adding a check
code for the returned pointer from strchr and strstr.
|
| |
|
|
| |
Removed unused format arguments from format string
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix Description:
. adding slapi_dn_normalize_ext and its siblings to normalize/validate
invalid DNs; deprecating slapi_dn_normalize and its siblings. (dn.c)
. replacing slapi_dn_normalize with new corresponding functions.
. normalizing hardcoded DNs (e.g., removing spaces around ',')
. setting correct DN syntax to nsslapd-suffix, nsslapd-ldapiautodnsuffix,
costemplatedn, nsslapd-changelogsuffix, nsBaseDN, nsBindDN
. if nsslapd-dn-validate-strict is enabled, incoming DN is examined and
rejected if it is invalid. Once approved, the DN is normalized.
. fixing compiler warnings and typos.
See also:
http://directory.fedoraproject.org/wiki/Upgrade_to_New_DN_Format
Related bugs:
Bug 199923 - subtree search fails to find items under a db containing special
characters
Bug 567968 - subtree/user level password policy created using 389-ds-console
doesn't work.
Bug 570107 - The import of LDIFs with base-64 encoded DNs fails, modrdn with
non-ASCII new rdn incorrect
Bug 570962 - ns-inactivate.pl does not work
Bug 572785 - DN syntax: old style of DN <type>="<DN>",<the_rest> is not
correctly normalized
Bug 573060 - DN normalizer: ESC HEX HEX is not normalized
Bug 574167 - An escaped space at the end of the RDN value is not handled
correctly
|
| |
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=584109
Resolves: bug 584109
Bug Description: Slapd crashes while parsing DNA configuration
Fix Description: The dna_parse_config_entry() has been modified to duplicate
the shared_cfg_base value to avoid freeing the same memory location twice.
Reviewed by: rmeggins (and pushed by)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
attribute returns all elements.
https://bugzilla.redhat.com/show_bug.cgi?id=572162
Resolves: bug 572162
Bug Description: the string "|*" within a search filter on a non-indexed attribute returns all elements.
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: PCRE interprets the '|' character as the start of
alternative branch. In the search filter, the other side of the '|' is
empty, which means match everything. The solution is to escape this and
other PCRE special chars before matching.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new managed entries plug-in. This plug-in allows
one to have the Directory Server automatically maintain a set
of entries that are based off of another type of entry (such
as user private group entries based off of user entries).
For more details, see the design document at:
http://directory.fedoraproject.org/wiki/Managed_Entry_Design
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
configuring via ConfigFile
https://bugzilla.redhat.com/show_bug.cgi?id=561575
Resolves: bug 561575
Bug Description: setup-ds-admin fails to supply nsds5ReplicaName when configuring via ConfigFile
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The main problem was that the mod val was a berval, so we
needed |LDAP_MOD_BVALUES for the mod_op. The other problem is that the
mod and values were being used out of scope. While this seems to work, it's
better to make sure all of the values are in scope.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=455489
Resolves: bug 455489
Bug description: Address compiler warnings about strict-aliasing rules
Fix description: The codes that generate strict-aliasing warnings have
been changed.
Reviewed by: rmeggins (and pushed by)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=576074
Resolves: bug 576074
Bug Description: search filters with parentheses fail
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: PCRE requires '(' and ')' to be escaped to match a literal
parenthesis. Otherwise, it thinks the parenthesis is used for grouping.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=520151
Resolves: bug 520151
Bug description: Error when modifying userPassword with proxy user
Fix description: The acl_access_allowed() has been modified to
call aclplugin_preop_common() which will initialize the aclpb.
The aclplugin_preop_common() has been modified to check for the
ACLPB_INITIALIZED flag to avoid re-initializing aclpb.
Reviewed by: rmeggins (and pushed by)
|
| |
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=548533
Description: repl5_inc_delete and repl5_tot_delete to release the
incremental and total update protocol were not implemented. This
fix implemented them. Also, it fixed a leak of connection in
private_protocol_factory.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=470684
Resolves: bug 470684
Bug Description: Pam passthrough doesn't verify account activation
Reviewed by: rmeggins
Branch: HEAD
Fix Description: The check_account_lock() has been renamed to
slapi_check_account_lock() and moved into libslapd.so so any plugins
can use it. The account_inactivation_only parameter has been replaced
by check_password_policy. A new parameter send_result has been added
to determine whether to send LDAP results.
The pam_passthru plugin has been modified to use this function to
check account activation when the pamIDMapMethod is set to ENTRY.
The plugin will not check password policy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=572677
Resolves: bug 572677
Bug Description: Memory leak in searches including GER control
Reviewed by: Andrey Ivanov (Thanks!)
Branch: HEAD
Fix Description: The per-operation acl pblocks are cached. In order to
release the pblock back to the cache free list, the connection must be
provided. The connection comes from the pblock.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
containing special characters
https://bugzilla.redhat.com/show_bug.cgi?id=199923
Description: regression observed in the tests.
> as of March 04, 2010, this is happening again.
Fix Description:
dn.c: Based upon RFC 4514, the following characters in the RDN
values need to be escaped:
'+', ';', '<', '>', and '=' for the intermediate characters
'+', ';', '<', '>', '=', '#' and ' ' for leading characters
'+', ';', '<', '>', '=', and ' ' for trailing characters
validate.c: If an escaped character followed by another escaped
character, e.g., \#\<, the pointer was moved twice skipping '\'
before '<' and it makes the validation fail.
ldbm_add.c: a local variable addr was not initialized.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=559315
Resolves: bug 559315
Bug Description: Searching some attributes are now case sensitive when they were previously case-insensitive
Reviewed by: nhosoi (Thanks!)
Fix Description:
1) The 60qmail.ldif schema we ship used integerMatch and IA5 syntax
because we used not to support numericString syntax and matching rules -
these have been changed to use the standard qmail definitions
2) Allow IA5String syntax to use caseExactSubstringsMatch - this is required
by krbPrincipalName
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=570905
Resolves: bug 570905
Bug Description: postalAddress syntax should allow empty lines (should allow $$)
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Even though RFC 4517 says a postal address syntax value
should not contain empty lines (e.g. $$), most, if not all, current
applications expect to be able to store $$. This adds an internal switch
to allow support for $$ for now.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
This patch cleans up various build warnings found by compiling the code
with -Wall on RHEL5.
Reviewed by: nhosoi (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
deadlock and data loss
https://bugzilla.redhat.com/show_bug.cgi?id=570667
Description: In the MMR topology, if a master receives a total
update request to initialize the other master and being initialized
by the other master at the same time, the 2 replication threads hang
and the replicated backend instance could be wiped out.
To prevent the server running the total update supplier and the
consumer at the same time, REPLICA_TOTAL_EXCL_SEND and _RECV bits
have been introduced. If the server is sending the total update
to other replicas, the server rejects the total update request
on the backend. But the server can send multiple total updates
to other replicas at the same time. If the total update from
other master is in progress on the server, the server rejects
another total update from yet another master as well as a request
to initialize other replicas.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Reviewed by: nhosoi (Thanks!)
var/tmp/run_gssapi.vg.25032:Memory leak: 99 bytes duplicates: 5
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> ids_sasl_check_bind() at saslbind.c:924
> do_bind() at bind.c:382
> connection_threadmain() at connection.c:554
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The problem is that ids_sasl_check_bind can reset SLAPI_BIND_TARGET to
a malloc'd value. The do_bind() code should check for this condition
and free it.
var/tmp/entryusn.vg.5997:Memory leak: 8 bytes duplicates: 8
> calloc() at vg_replace_malloc.c:397
> slapi_ch_calloc() at ch_malloc.c:243
> slapi_counter_new() at slapi_counter.c:95
> ldbm_usn_init() at ldbm_usn.c:86
> ldbm_back_start() at start.c:223
> plugin_call_func() at plugin.c:1417
> plugin_dependency_startall.clone.0() at plugin.c:1385
> main() at main.c:1138
The backend cleanup code should free be_usn_counter.
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_listenhost() at libglobs.c:3674
> main() at main.c:874
var/tmp/ipv6.vg.15561:Memory leak: 13 bytes duplicates: 3
> malloc() at vg_replace_malloc.c:207
> strdup() at /lib/libc-2.10.2.so
> slapi_ch_strdup() at ch_malloc.c:277
> config_get_securelistenhost() at libglobs.c:3686
> main() at main.c:881
config_get_listenhost() and config_get_securelistenhost() return malloc'd
memory which must be freed.
var/tmp/dna_scen1.vg.4901:Memory leak: 248 bytes duplicates: 1
> malloc() at vg_replace_malloc.c:207
> nslberi_malloc() at io.c:1677
> ber_flatten() at io.c:1604
> create_NSDS50ReplicationExtopPayload() at repl_extop.c:218
> NSDS50EndReplicationRequest_new() at repl_extop.c:265
> release_replica() at repl5_protocol_util.c:469
> repl5_inc_run() at repl5_inc_protocol.c:1187
> prot_thread_main() at repl5_protocol.c:341
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The payload was not being freed under all function exit conditions. So, just free it immediately after use.
var/tmp/dnarun.vg.2491:Memory leak: 27 bytes duplicates: 0
> malloc() at vg_replace_malloc.c:207
> slapi_ch_malloc() at ch_malloc.c:155
> slapi_entry_attr_get_charptr() at entry.c:2432
> dna_parse_config_entry() at dna.c:816
> dna_pre_op() at dna.c:2587
> plugin_call_func() at plugin.c:1417
> plugin_call_plugins() at plugin.c:1379
> op_shared_add() at add.c:606
> do_add() at add.c:232
> connection_threadmain() at connection.c:564
> --unknown-- at /lib/libnspr4.so
> start_thread() at /lib/libpthread-2.10.2.so
> clone() at /lib/libc-2.10.2.so
The value was not being freed under all conditions.
==9877== 1,890 (252 direct, 1,638 indirect) bytes in 3 blocks are definitely lost in loss record 1,628 of 1,725
==9877== at 0x47E0E5C: calloc (vg_replace_malloc.c:397)
==9877== by 0x4819D89: slapi_ch_calloc (ch_malloc.c:243)
==9877== by 0x48284A6: slapi_entry_alloc (entry.c:1686)
==9877== by 0x4829BA5: str2entry_dupcheck (entry.c:631)
==9877== by 0x482BB5D: slapi_str2entry_ext (entry.c:1194)
==9877== by 0xB2A8E9D: import_producer (import-threads.c:541)
==9877== by 0x72E1990: (within /lib/libnspr4.so)
==9877== by 0x731E8F4: start_thread (in /lib/libpthread-2.10.2.so)
==9877== by 0x75B2FCD: clone (in /lib/libc-2.10.2.so)
Make sure the entry or backentry are freed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=539618
Back off this commit:
commit 4205086e4f237a52eb9113cd95f9cf87b39e9ed4
Date: Mon Feb 22 08:49:49 2010 -0800
since this change could cause the deadlock between the thread
eventually calling prot_free, which acquired the agreement lock,
and other threads waiting for the agreement lock, which prevents
the protocol stop.
Instead of waiting for prot_thread_main done in prot_free, let
prot_thread_main check the existence of the protocol field in
the agreement. If it's not available, prot_thread_main quits.
|
| |
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=555970
Description: view read lock was missing in a view api called from
COS.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=516611
Resolves: bug 516611
Bug Description: 389 DS segfaults on libsyntax-plugin.so - part 3
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: bin_filter_ava should check for null bvals
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=516611
Resolves: bug 516611
Bug Description: 389 DS segfaults on libsyntax-plugin.so - part 1
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Check for NULL bvals in the string syntax filter functions
ava, sub, and key generation
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
octet string ordering work correctly
https://bugzilla.redhat.com/show_bug.cgi?id=559315
Resolves: bug 559315
Bug Description: Searching some attributes are now case sensitive when they were previously case-insensitive
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: slapi_matchingrule_is_compat() was not checking for NULL; the matching rule syntax plugin was registering with the INTEGER syntax oid; the bin_filter_ava() function needs to be ordering aware to implement the octetStringOrderingMatch; in default_mr_filter_create(), make sure the requested matching rule is provided by the given plugin
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=539618
Descriptions: When a protocol is freed by prot_free, prot_close
is supposed to have been called to stop the main thread
prot_thread_main. But, there was no mechanism for the freeing
thread whether the prot_thread_main has already quitted or not,
it could have released the Repl_Protocol even though it was
still being in use. This fix is adding a checking method.
The same test revealed ldbm_back_modrdn had a chance to access
a field of NULL entry structure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=527848
Change Description:
1. Replication Changelog
1-1. In the clean recover mode, transaction logs should not be removed.
1-2. When nsslapd-db-circular-logging is on (by default, it's on),
call log_archive function with DB_ARCH_REMOVE, which removes
log files that are no longer needed.
1-3. Call transaction checkpoint just before shutting down the server.
1-4. "From string" in the upbrade message had a flaw.
2. Backend dblayer
2-1. In checkpoint_threadmain, call log_archive with DB_ARCH_ABS,
which returns the absolute path of the transaction log files.
It eliminates the code which generates the absolute paths.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=559315
Resolves: 559315
Description: Searching some attributes are now case sensitive when they were previously case-insensitive
Reviewed by: nhosoi (Thanks!) - also added some suggested comments
I added code to allow the syntax plugins to register corresponding
matching rules. That is, the functions that the syntax plugins use
for filter matching and key generation can also be used for matching
rules with the new wrapper code. I added some convenience functions
and structures in the syntax plugin code to make it easier to add
matching rules in the future. I also added a new feature to the
matching rule code - in the LDAP spec definition of matching rule, the
syntax provided in the matching rule definition is the syntax for
the _assertion value_ used with the matching rule, which is not
necessarily the same as the syntax of the _attribute values_ to which
the matching rule can be applied. For example, matching rules that apply
to syntax DirectoryString can also be applied in some cases to
PrintableString, CountryString, and IA5String. There are several other
cases like this as well. I also introduced the concept of a compat
syntax that can be used with a matching rule. The server will now
check, when reading in the schema, if the syntax and matching rules
for an attribute are consistent.
Finally, for 05rfc4523.ldif, I changed the attributes to use
octetStringMatch instead of one of the unimplemented certificate
matching rules.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=557224
Fix Description: The referential integrity plugin has not supported
the subtree rename (modrdn with newsuperior). This patch is adding
the support.
There are 2 typical cases.
(case 1)
DN that modrdn modifies matches the value of attributes which is the
target of the referential integrity.
E.g.,
modrdn: uid=A,ou=B,o=C --> uid=AA,ou=BB,o=C
then,
member: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C
seeAlso: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C
(case 2)
DN that modrdn modifies is the ancestor of the value of attributes
which is the target of the referential integrity.
E.g.,
modrdn: ou=B,o=C --> ou=BB,o=C
then,
member: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C
seeAlso: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There are a number of attributes that AD defines as single-valued
that are multi-valued in the LDAP RFCs. We already had a few
special cases in the winsync code where we only send one attribute
to AD to allow the change to be accepted. We then simply check if
the value in AD is present in DS when comparing entries for further
changes.
This fix cleans up that old implementation a bit by adding a static
list of these single-valued attributes and a helper function to
check if a particular type is in that list. I also had to extend
the attr_compare_present() function to allow a length to be passed
in for limiting the comparison to a portion of the values. This is
needed for the initials attribute, which is single-valued and length
constrained in AD.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bitwise search filter
https://bugzilla.redhat.com/show_bug.cgi?id=543080
Resolves: bug 543080
Bug Description: Bitwise plugin fails to return the exact matched entries for Bitwise search filter
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The Microsoft Windows AD bitwise filters do not work exactly
like the usual bitwise AND (&) and OR (|) operators.
For the AND case the matching rule is true only if all bits from the value
given in the filter value match the value from the entry.
For the OR case, the matching rule is true if any bits from the value given
in the filter match the value from the entry.
For the AND case, this means that even though (a & b) is True,
if (a & b) != b, the matching rule will return False.
For the OR case, this means that even though (a | b) is True,
this may be because there are bits in a. But we only care
about bits in a that are also in b. So we do (a & b) - this
will return what we want, which is to return True if any of
the bits in b are also in a.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
subtypes
Bug Description: Referential Integrity Plugin does not change the references
in subtyped attributes like "manager;en" or "ou;19"
Fix Description: The problem is in the way the function int update_integrity
(char **argv, char *origDN, char *newrDN, int logChanges) in referint.c makes
the changes. The initial search with the filter ldap_create_filter( filter,
filtlen, "(%a=%e)", NULL, NULL, argv[i], origDN, NULL) finds the entries with
attributes and with attribute subtypes. But after that when generating the
necessary changes (attribute1.mod_type = argv[i] and attribute2.mod_type =
argv[i]) the function takes care only of the "base" attributes listed in the
plugin arguments. We should parse each found entry to find all the attribute
subtypes with the value concerned and then make changes to them all.
Note: This bug was reported by andrey.ivanov@polytechnique.fr, and the bug
fix was also provided by him. The patch was reviewed by rmeggins@redhat.com
as well as nhosoi@redhat.com.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=558518
Resolves: bug 558518
Bug Description: several spelling errors
Reviewed by: ???
Branch: HEAD
Fix Description: Fix several spelling errors in error messages and man pages.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch includes
- replacing the entrydn index with the entryrdn index
- replacing a full DN in each entry in the DB with an RDN
- extending Slapi_Entry, entry2str, and str2entry to absorb the changes
made on the entry
- adding DN/RDN helper functions
- adding DN cache
- adding a utility and a migration script to convert the DN format database
to the RDN format
- extending a database dump utility dbscan to support the entryrdn
- slapi_dn_syntax_check by nkinder@redhat.com is added to check the dn before
modify operations
- big fix for 171338 - Enhancement: winsync modrdn not synced
In addition to the above, compile warnings and memory leaks found in testing
the new feature are fixed.
For more details, see the feature design document at:
http://directory.fedoraproject.org/wiki/Subtree_Rename
and bugzilla at:
https://bugzilla.redhat.com/show_bug.cgi?id=171338
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using winsync, setting a mapped DN attribute (such as seeAlso) to
a DN outside the scope of the sync agreement causes an empty modify
operation to be sent to AD. This causes AD to respond with LDAP error
89, which triggers the update to abort.
The problem is that windows_update_remote_entry() uses a flag to
determine if it has a modify to send to AD. This flag is set by
windows_generate_update_mods(), but the mods are empty since it is
detecting that the DN used in seeAlso is not in the scope of the sync
agreement.
The fix is to only set the modify flag if we actually have mods to send.
|
| |
|
|
|
|
|
|
| |
According to the strncpy() manual, if there is no null byte among the
first n bytes of src, the string placed in dest will not be null
terminated. To fix the problem the null byte should be added manually.
Reviewed by: rmeggins
Pushed by: rmeggins
|
| |
|
|
| |
This patch adds support for storing the target's nsUniqueId in change log record and renaming any additional attribute using an alias.
|
| |
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=554841 Resolves: bug 554841 Bug Description: Enabling Retro Changelog Plugin on a DS instance provisioned by Samba will crash slapd during startup. Branch: HEAD Fix Description: Apparently the retrocl_internal_lock is still NULL when it's used in retrocl_get_first_changenumber(). The solution is to initialize the lock in the retrocl_plugin_init(). Platforms tested: F12 i386
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=552421
Resolves: bug 552421
Bug Description: Cannot log into admin server after upgrade (fedora-ds-admin-1.1.6 -> 389-admin-1.1.9
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: Some older versions of setup encoded the admin password in SHA and added a trailing newline to the userPassword attribute when adding the admin entry. This changes the SHA passsword compare routine to ignore a trailing
newline character in the dbpwd. newline is not a valid base64 character.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=537956
Resolves: bug 537956
Bug Description: Password replication from 389DS to AD2008(64bit) fails, all other replication continues
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Broken during adding support for openldap API. I added the
function slapi_ldap_bind which returns the result code. The old function
being used by the winsync code expected the function to return the msgid, which
is now returned as one of the function arguments instead.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
| |
This fixes three small memory leaks in the DNA plugin. We were
leaking the extended operation request data and response data for
range requests as well as an attribute value for ADD operations
when checking for the magic value.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using the retro changelog plugin, post-op plugins that perform
internal operations (such as memberOf) can result in the internal
operation preceeding the original operation in the changelog.
The fix is to give the retro changelog a higher precedence than the
other post-op plugins. This required some core server changes to
be made around the plugin precedence to allow an object plugin to
pass it's precedence into it's calls to slapi_register_plugin()
when it registers other plugin types.
I added an update LDIF to set the plugin precedence when running
"setup-ds.pl -u". I also noticed an AVC when restarting after the
update due to the schema.bak directory that is created. I've
adjusted the dirsrv SELinux policy to deal with this AVC.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
version 1.2.5.a1
Instead of changing configure.ac AC_INIT for each version change, there
is a new file - VERSION.sh. This file also contains support for creating
version numbers for pre-releases, and pre-release strings containing git
commit hashes.
One of the complications is that AC_INIT does not allow you to override the version and package tarname fields. We can override them after the fact everywhere
except in config.h. AC_INIT defines the following which we would like to override but cannot: PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_STRING PACKAGE_BUGREPORT
Instead, we define DS_ versions of these e.g. DS_PACKAGE_VERSION etc. and make
these available with AC_DEFINE(DS_PACKAGE_VERSION,...) etc.
As an extra added precaution, we undefine these in Makefile.am like this:
DS_DEFINES = ... \
-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
If someone tries to use PACKAGE_VERSION in C code, they will not be able to,
and will have to use DS_PACKAGE_VERSION instead. All of the DS code that used
PACKAGE_VERSION has been changed to use DS_PACKAGE_VERSION instead.
There is a new make target - git-archive - as a convenience for creating source
tarballs from git. By default, the source archive will be placed in the build
directory - you can specify SRCDISTDIR=/path/to/SOURCES to use an alternate
dir (e.g. make SRCDISTDIR=/path/to/rpmbuild/SOURCES git-archive to make a
source tarball for rpmbuild)
configure will print the branded package name and version
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
| |
If some sort of error occurs during the sending updates to AD phase
of an incremental winsync update, we still attempt to send the dirsync
control to AD. This can cause spurious error messages to be logged to
the errors log stating that we can't send the control since we are not
connected to AD anymore.
This patch simply skips sending the dirsync control if we encountered
an error sending updates to AD.
|
