| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
If the openldap_read_function has returned all of the buffered data,
it needs to set errno to EWOULDBLOCK to let the code know that it needs
to read more data into the buffer.
|
| |
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=616500
coverity ID 12099
Comment:
When connection_threadmain receives SHUTDOWN, the function was
returning without destroying the pblock. This patch destroys
it before calling return.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=547503
Resolves: bug 547503
Bug Description: replication broken again, with 389 MMR replication and TCP errors
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: When turbo mode is used for the connection, the server does
not poll for read ready status in the main loop, nor go through the code in
handle_pr_read_ready that updates conn->c_idlesince. So while the conn is in
turbo mode, the c_idlesince is not updated. If the conn gets a timeout while
reading, a flag will be set on the connection that will put it back in the
main loop. When it then hits handle_pr_read_ready, if there is still no
activity on the connection, it will go through idle timeout processing. It
may have been a long time since c_idlesince was updated, so the connection
may be closed wrongly.
The solution is to have c_idlesince updated in connection_threadmain() in
turbo mode if the connection really isn't idle.
In addition, the conn private turbo_mode flag was not being used correctly -
in the timeout case, the local variable was being updated but not the
conn private turbo_flag. Since the conn private turbo_flag is not used
anywhere else, it can be removed, and just use the local variable.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit 9d638b3fc25fbc57884a511744943499c7102f40)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=609590
Resolves: bug 609590
Bug Description: fix coverity Defect Type: Memory - corruptions issues
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The point of this code is to copy the conn authtype to
the operation authtype, so just do that.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
failure in PR_Poll
https://bugzilla.redhat.com/show_bug.cgi?id=604453
Resolves: bug 604453
Bug Description: SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: When the server pushes the SASL IO layer on to the connection
it must do so when there are no other references to the connection. The only
way to do this without introducing more locking is to have the saslbind code
just register the intent to push SASL IO at the next available time. This
cannot be done in the sasl bind code (or any operation code for that matter)
because connection_threadmain() will enable the connection for reading
(and polling) after reading the PDU and before calling the operation
function. Therefore, during the operation function, the connection may be
being actively polled, so we must not access the conn c_prfd.
The best place to push the IO layer is in connection_threadmain, after the
server has notified that there is read ready on the connection, but before
we have actually attempted to read anything. At this point,
connection_threadmain is the only thread that will be accessing the
connection, and if we push or pop the IO layer before calling the read
function, we are guaranteed to have the correct IO layer to use.
The code has been made generic enough to allow for use by the startTLS code
if the need arises.
I also added some more locking in the saslbind code, and changed the sasl IO
code to more closely resemble the way that the NSS code deals with IO
layer push/pop.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit c28fcadfc7812108573e40f13624e11a5a8609e5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
failure in PR_Poll
https://bugzilla.redhat.com/show_bug.cgi?id=604453
Resolves: bug 604453
Description: SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll
Branch: master
Reviewed by: nhosoi (Thanks!)
Fix Description: We usually do not have to pop the IO layer from the SASL
connection. This is usually handled by PR_Close() on the PRFD, which should
only happen when the connection is not being referenced by the main PR_Poll()
call. The only time we need to explicitly pop the SASL IO layer is if the
client re-negotiates the SASL bind with a different ssf e.g. going from
clear to protected or vice versa.
Platforms tested: RHEL5 x86_64
(cherry picked from commit ac6ce0947d9b2d5ec3649948bca861f0e318d708)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=567429
Resolves: bug 567429
Bug Description: slapd didn't close connection and get into CLOSE_WAIT state
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: The JNDI code attached to the bug uses persistent search.
The connection pool code handles persistent searches differently than
regular connections. The connection pool code was acquiring a reference
to a conn, but was not releasing it in the persistent search case, assuming
the persistent search code did not also have a reference, but it does. This
caused connection_table_move_connection_out_of_active_list() to not move
the connection out of the active list, and therefore available for closing,
because there was an outstanding reference. The solution is for the
connection pool code to release its reference.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=551198
Resolves: bug 551198
Bug Description: LDAPI: incorrect logging to access log
Reviewed by: nkinder (Thanks!)
Branch: HEAD
Fix Description: The connection logging code was not ldapi/unix socket
aware. Now we check for the socket type, and check to see if there is
a proper path name in the path field. The "server" side of the socket
seems not to get the path name set correctly - not sure why, but it doesn't
really matter, since the client side path name does seem to be set
correctly. The access log will contain the server side path and the client
side path, so something like "from local to /var/run/slapd-foo.socket"
Platforms tested: RHEL5 x86_64, Fedora 11 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=558518
Resolves: bug 558518
Bug Description: several spelling errors
Reviewed by: ???
Branch: HEAD
Fix Description: Fix several spelling errors in error messages and man pages.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
| |
If a slot from the connection table had previously been used for
an LDAPI connection, it would cause serious performance degradation
(20 times worse on my system) to a TCP connection that reused the
same slot. The problem was that we were not clearing the flag
that indicates that a connection is a UNIX local socket in the
connection cleanup function. Clearing this flag makes the reused
slots perform as expected.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds a new ssf bind rule keyword to the access control
plug-in. This allows you to write ACIs that require a specific
level of encryption for the rule to apply. The new keyword can
be used with '=', '!=', '<', '>', '<=' and '>=' comparators.
I added code that stores the SSF in effect for an operation into
the operation struct. The value that we store is the higher of
the two between the SASL SSF and the SSL/TLS SSF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
|
|
|
| |
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract way the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
|
| |
|
|
|
|
| |
This patch consolidates the functionality of read_function and secure_read_function into a single read_function that deals with NSPR PRFileDesc objects. It does the same for write_function and secure_write_function. Since there is only one write function, there is no need to push a separate secure read/write function to the lber layer - importing the prfd into ssl (SSL_ImportFd) does that.
I've also added some more debugging.
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is part of the port to OpenLDAP, to simplify the code that
interacts with the BER I/O layer. Ideally, since we only deal
with NSPR I/O, not raw I/O, in the directory server, we can push
any additional layers, such as SASL, as NSPR I/O layers. This
is how NSS works, to push the SSL codec layer on top of the regular
NSPR network I/O layer.
Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv
(sasl_io_recv), and PR_Write (sasl_io_write).
This simplified the code in saslbind.c and connection.c, and removed
special handling for SASL connections - now they are just treated as
regular NSPR connections - the app has not nor does not need to know
the connection is a SASL connection.
In addition, this gives us the ability to use SASL and SSL at the same
time. The SASL I/O layer can be pushed on top of the SSL layer, so
that we can use SSL for connection encryption, and SASL for authentication,
without having to worry about mixing the two.
Reviewed by: nkinder (Thanks!)
Platforms tested: RHEL5 x86_64, Fedora 9 x86_64
|
| |
|
|
|
| |
1) Fixing compiler warnings on regex.c.
2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.
|
| |
|
|
| |
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
|
| |
|
|
| |
Summary: Allow password modify extop when password reset is needed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Need to address 64-bit compiler warnings - again
Reviewed by: nhosoi (Thanks!)
Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64: -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
I also enabled argument/format match checking for most of the commonly used varadic functions. Most of the problems I found fell into these categories:
1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be varadic.
2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
3) use %lu for size_t and %ld for time_t
I did find a few "real" errors, places that the code was doing something definitely not right:
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3
This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Convert counters to 64-bit capable Slapi_Counter type.
|
| |
|
|
| |
Summary: Add support for 64-bit counters (phase 1).
|
| |
|
|
|
| |
Summary: Memory usage research: checking in the experimental code
See also: http://directory.fedoraproject.org/wiki/Memory_Usage_Research
|
| |
|
|
| |
Summary: Don't define _XOPEN_SOURCE_EXTENDED on HP-UX.
|
| |
|
|
| |
Summary: HP-UX: warnings reported by the HP-UX compiler
|
| |
|
|
|
|
|
|
|
|
| |
Summary: CRM 1474928 : ds7.1 db index/vlv not handling a stop-slapd, hangs slapd
Description:
1. moved active thread count from ns-slapd to libslapd for the task threads to
use.
2. provided APIs to increment/decrement/get the active thread count
3. let task threads increment the active thread count when it's spawned and
decrement it when it quits.
|
| |
|
|
| |
Summary: Random SASL GSSAPI test failure on shadowfoot (Comment #9)
|
| |
|
|
|
|
|
| |
Summary: Random SASL GSSAPI test failure on shadowfoot (Comment #7)
Changes: If PR_Recv in sasl_recv_connection gets EAGAIN (== errno 11),
check whether it should be retried as being done for "a temporary
non-blocking I/O error".
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Summary: configure needs to support --with-fhs (Comment #6)
Changes: Added the following include next to the end of the copyright block.
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
|
| |
|
|
|
|
| |
support
comment#5: Fixed a stupid copy and paste bug...
|
| |
|
|
|
|
|
|
| |
slapi-private.h: introduced PRLDAP_SET_PORT to set port to the port field in
PRNetAddr. A copy of the same macro in LDAP C SDK (v6). Note: once NSPR
provides an equivalent API, we may want to replace this macro with the one.
(the NSPR compatibility issue remains, though.)
connection.c, daemon.c: replaced PR_SetNetAddr with PRLDAP_SET_PORT.
|
| |
|
|
|
|
|
|
|
| |
Changes:
1) When ber_get_next_buffer_ext fails, not just LBER_DEFAULT but
LBER_OVERFLOW can be set to the ber tag. Thus, LBER_OVERFLOW is also
checked in the error check now.
2) The too large length error used be checked as "errno == EMSGSIZE",
which is replaced with "tag == LBER_OVERFLOW"
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
sync plus associated UI
|
| |
|
|
| |
warnings on Linux; remove pam_passthru from DS 7.1
|
| | |
|
| | |
|
|
|
(foxworth)
|
