| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
result being a paged one
https://bugzilla.redhat.com/show_bug.cgi?id=558099
Description: searched entry count is logged in the access log as
(nentries=<num>). When RFC 2696 page results control is passed,
the nentries logs the page size instead of the total searched
count. andrey.ivanov@polytechnique.fr proposed to log the control
info as follows:
[..] conn=# op=#RESULT err=0 tag=101 nentries=# etime=0 notes=P
This patch implemented the spec.
Also, there was a bug regarding unindexed note "notes=U" when
the paged results control is received. Only the first page logs
it, but not the rest. The bug was fixed.
|
| |
|
|
|
|
|
|
|
| |
This commit fixes many compiler warnings, mostly for things like unused
variables, functions, goto labels.
One place was using csngen_free instead of csn_free. A couple of places
were using casts incorrectly, and several places needed some casts added.
Tested on: RHEL5 x86_64, Fedora 14 x86_64
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=531642
Resolves: 531642
Fix description:
1. Introduced a config parameter nsslapd-entryusn-global: on|off to
enable | disable the global mode. By default, off.
In the global mode, search on root dse returns "lastusn: <num>"
without the backend subtype (e.g., "lastusn;userroot: <num>")
2. Added slapi_get_next_suffix_ext to mapping_tree.c, which visits
children as well as siblings in the mapping tree.
(Note: slapi_get_next_suffix does just siblings.)
3. import (ldif2db) adds "entryusn: 0" to every entry unless the
entry already contains the entryusn attribute.
4. ldbm_back_delete, ldbm_back_modify, ldbm_back_modrdn: set
ldap_result_code to pblock so that bepost plugin could see if
the operation was successful or not.
See also http://directory.fedoraproject.org/wiki/Entry_USN#Global_mode
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
of the total number of entries
https://bugzilla.redhat.com/show_bug.cgi?id=513166
Description: By definition, the first integer of the response
control is for the estimated search result set size. This fix
sets the estimated result set size.
* controlType = LDAP_CONTROL_PAGEDRESULTS;
* criticality = n/a;
* controlValue:
* realSearchControlValue ::= SEQUENCE {
* size INTEGER (0..maxInt),
* -- result set size estimate from server
* cookie OCTET STRING
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
failure in PR_Poll
https://bugzilla.redhat.com/show_bug.cgi?id=604453
Resolves: bug 604453
Bug Description: SASL Stress and Server crash: Program quits with the assertion failure in PR_Poll
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: When the server pushes the SASL IO layer on to the connection
it must do so when there are no other references to the connection. The only
way to do this without introducing more locking is to have the saslbind code
just register the intent to push SASL IO at the next available time. This
cannot be done in the sasl bind code (or any operation code for that matter)
because connection_threadmain() will enable the connection for reading
(and polling) after reading the PDU and before calling the operation
function. Therefore, during the operation function, the connection may be
being actively polled, so we must not access the conn c_prfd.
The best place to push the IO layer is in connection_threadmain, after the
server has notified that there is read ready on the connection, but before
we have actually attempted to read anything. At this point,
connection_threadmain is the only thread that will be accessing the
connection, and if we push or pop the IO layer before calling the read
function, we are guaranteed to have the correct IO layer to use.
The code has been made generic enough to allow for use by the startTLS code
if the need arises.
I also added some more locking in the saslbind code, and changed the sasl IO
code to more closely resemble the way that the NSS code deals with IO
layer push/pop.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
(cherry picked from commit c28fcadfc7812108573e40f13624e11a5a8609e5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
attribute returns all elements.
https://bugzilla.redhat.com/show_bug.cgi?id=572162
Resolves: bug 572162
Bug Description: the string "|*" within a search filter on a non-indexed attribute returns all elements.
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: PCRE interprets the '|' character as the start of
alternative branch. In the search filter, the other side of the '|' is
empty, which means match everything. The solution is to escape this and
other PCRE special chars before matching.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=576074
Resolves: bug 576074
Bug Description: search filters with parentheses fail
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: PCRE requires '(' and ')' to be escaped to match a literal
parenthesis. Otherwise, it thinks the parenthesis is used for grouping.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sasl/external
https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: ???
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document
Note: This commit is for reapplying the patch I accidentally reverted
by the previous revert (031e725dce895bf2382ca7801cef772fe6b24c61).
(see commit f4b90ed5e43fa06ea6185cf17073b7a32db6ef4c, as well)
commit 031e725dce895bf2382ca7801cef772fe6b24c61
Author: Noriko Hosoi <nhosoi@redhat.com>
Date: Fri Mar 5 16:09:28 2010 -0800
Revert "Merge branch '547503'"
This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.
|
| |
|
|
|
| |
This reverts commit f2a04fdc45cc8a408267019990504354282c4303, reversing
changes made to 0b95451c7e50cb6b2d0cb310dddca18336e1b2ac.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sasl/external
https://bugzilla.redhat.com/show_bug.cgi?id=554573
Resolves: bug 554573
Bug Description: ACIs use bind DN from bind req rather than cert mapped DN from sasl/external
Reviewed by: nhosoi (Thanks!)
Branch: HEAD
Fix Description: Added a new config option - nsslapd-force-sasl-external (on/off)
default is off - when set to on, a SIMPLE bind on a connection that has set
a DN from a cert will be changed to be a SASL/EXTERNAL bind.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: yes - new attribute to document
|
| |
|
|
|
|
|
|
|
|
|
| |
There were many places in the server code that directly used the syntax
plugin for the attribute. If the attribute schema definition specified
a matching rule, we must use that matching rule for matching values of
that attribute, filtering that attribute, and generating index keys for
values of that attribute. New internal and plugin APIs have been added
that use the Slapi_Attr* instead of using the syntax plugin directly.
The new API will determine which matching rule to apply based on the
schema definition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for assigning a precedence to each plugin.
This precedence value is used to determine what order the plugins
should be called in within a given plugin type.
The precedence value is an integer between 1 and 99. The value is
set in the nsslapd-pluginPrecedence attribute in a plugin config
entry in "cn=config". If a plugin does not have a precedence
value set, the plugin is treated as if it has a precedence of 50.
For more details, see the feature design document at:
http://directory.fedoraproject.org/wiki/Plugin_Ordering
I also removed an incorrect log message in the linked attrs plugin
that I noticed while debugging this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new config setting named nsslapd-anonlimitsdn
that one can set to the DN of an entry containing the bind-based
resource limit attributes to use for operations performed by an
anonymous user. This allows the defaults to still be used for
all other actual bound users who do not have any user specific
resource settings.
This implementation approach allows any resource limits that
are registered via the reslimit API to work with this anonymous
limits template entry.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Design doc:
http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_Entr
New slapi APIs in libslapd:
int slapi_set_plugin_default_config(const char *type, Slapi_Value *value);
Description: Add given "type: value" to the plugin default config entry
(cn=plugin default config,cn=config) unless the same "type:
value" pair already exists in the entry.
Parameters: type - Attribute type to add to the default config entry
value - Attribute value to add to the default config entry
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
int slapi_get_plugin_default_config(char *type, Slapi_ValueSet **valueset);
Description: Get attribute values of given type from the plugin default
config entry (cn=plugin default config,cn=config).
Parameters: type - Attribute type to get from the default config entry
valueset - Valueset holding the attribute values
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
warning: Caller is responsible to free attrs by slapi_ch_array_free
Changes in the Replication plugin:
1) Functions to set replicated attributes
agmt_set_replicated_attributes_from_attr and
agmt_set_replicated_attributes_from_entry
call _agmt_set_default_fractional_attrs to sets the default excluded
attribute list from the plugin default config entry before setting
them from each replication agreement.
To support it, agmt_parse_excluded_attrs_config_attr is changed to be
re-entrant.
2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
3) Added a check for the duplicated fractional attributes.
Changes in the USN plugin:
1) usn_start calls slapi_set_plugin_default_config to add "entryusn" to
the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the
plugin default config entry.
2) fix for the bug 518673 - entryusn: wrong lastusn value; When the entryusn
is not assigned yet, the next value to be set is 0. Lastusn is calculate
as (the next entryusn - 1). Although the entryusn is 64-bit unsigned
long, it should be printed as a 64-bit signed integer for lastusn.
Other:
Fixed a compiler error in ldap/servers/slapd/dse.c.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The vendor, brand, and capbrand are set in configure - we should use those
everywhere rather than have to run some sort of script over the code to
change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND
to the default defines passed to the compiler, and changed the code to use
these defines. And instead of the unintuitively named PRODUCTTEXT macro,
we should use the already defined PRODUCT_VERSION.
This allowed me to get rid of some code. The version was from a generated
file called dirver.h which we don't need anymore, and we don't need the perl
script dirver.pl which generated it.
The vendor string was coming from the dirlite header file. So I also used this
as an excuse to get rid of all references to dirlite once and for all (yay!).
For the places in plain text files which are not substituted, I just used the
generic name Dirsrv or Directory Server instead of having an explicit brand
and/or version in there.
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
estimate of total no of entries are same
The code processing search results were returning the PAGE END without
knowing there are more entries to return or not. To learn it, introduced
"read ahead" one entry when it comes to the PAGE END. If there are more
entries, the code undo the read ahead, which prompts for the next page
on the client side. If there is no more entries, it returns the status
SEARCH END instead of PAGE END.
In addition to the read ahead implementation to fix the bug 513916,
* supporting Simple Paged Results for chaining backend is added.
* fixed a bug in idl_new_fetch (idl_new.c) -- idlistscanlimit was not
checked when the cursor comes to the end of an index file.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
valgrind is a very useful tool - however, the directory server produces a lot
of false positives that have to be suppressed in order to get to the useful
information. These patches attempt to reduce some of that noise.
1) aclparse - should calculate the length of the string _after_ trimming the
spaces
2) something about random number generation causes some of the bits to be uninitialized, and valgrind doesn't like it - this patch doesn't eliminate the error, just reduces it
3) use initialized memory when generating hashes - also remove "magic numbers"
4) bin.c - slapi_value_get_string must not be used with unterminated (binary) values
5) we get these odd valgrind reports from deep within bdb about invalid reads and uninitialized memory - I thought perhaps because we were initializing DBT structures with = {0} which the bdb docs says is not sufficient - they recommend memset or bzero
6) There are some small memory leaks during attrcrypt initialization and in error cases
7) error message in ldif2ldbm.c was attempting to print the Slapi_DN structure rather than getting the char *dn
8) After we call NSS_Initialize, we must call the NSS shutdown functions to clean up the caches and other data structures, otherwise NSS will leak memory. This is harmless since it happens at exit, but valgrind reports hundreds of memory leaks. The solution is to make sure we go through a single exit point after NSS_Initialize. This means many places that just called exit() must instead return with a real return value. This mostly affected main.c, detach.c, and a couple of other places called during startup.
9) minor memory leaks in mapping tree initialization
10) sasl_map.c - should not call this in referral mode
11) minor memory leaks during ssl init
Reviewed by: nkinder, nhosoi (Thanks!)
|
| |
|
|
|
|
|
|
|
|
| |
These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
* #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
* where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract way the differences in the APIs
* I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
* I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
* I removed some unused code
NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is part of the port to OpenLDAP, to simplify the code that
interacts with the BER I/O layer. Ideally, since we only deal
with NSPR I/O, not raw I/O, in the directory server, we can push
any additional layers, such as SASL, as NSPR I/O layers. This
is how NSS works, to push the SSL codec layer on top of the regular
NSPR network I/O layer.
Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv
(sasl_io_recv), and PR_Write (sasl_io_write).
This simplified the code in saslbind.c and connection.c, and removed
special handling for SASL connections - now they are just treated as
regular NSPR connections - the app has not nor does not need to know
the connection is a SASL connection.
In addition, this gives us the ability to use SASL and SSL at the same
time. The SASL I/O layer can be pushed on top of the SSL layer, so
that we can use SSL for connection encryption, and SASL for authentication,
without having to worry about mixing the two.
Reviewed by: nkinder (Thanks!)
Platforms tested: RHEL5 x86_64, Fedora 9 x86_64
|
| |
|
|
|
| |
1) Fixing compiler warnings on regex.c.
2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration attribute named
nsslapd-require-secure-binds. When enabled, a simple bind
will only be allowed over a secure transport (SSL/TLS or a
SASL privacy layer). An attempt to do a simple bind over
an insecure transport will return a LDAP result of
LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not
affect anonymous or unauthenticated binds.
The default setting is to have this option disabled.
|
| |
|
|
|
|
|
|
| |
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
Additional 2 unrelated changes are being made:
1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
1) Make sure we use "const" consistently
2) Make sure we use "unsigned char" consistently
for some reason (unsigned char)*p did not compare to '\xHH' literals unless the literal was also cast to (unsigned char)
3) added some missing function prototypes
4) removed some unused variables/functions, or commented out for use when debugging
5) various other compiler warnings
With all of these, the code compiles cleanly on RHEL5 x86_64 using
gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44)
and
CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
The only warning now is the spurious message about %llu or %lld having the wrong format argument.
Reviewed by: nhosoi (Thanks!)
|
| |
|
|
| |
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The DN syntax has become more restrictive over time, and the
current rules are quite strict. Strict adherence to the rules
defined in RFC 4514, section 3, would likely cause some pain to
client applications. Things such as spaces between the RDN
components are not allowed, yet many people use them still since
they were allowed in the previous specification outlined in RFC
1779.
To deal with the special circumstances around validation of the DN
syntax, a configuration attribute is provided named
nsslapd-dn-validate-strict. This configuration attribute will
ensure that the value strictly adheres to the rules defined in RFC
4514, section 3 if it is set to on. If it is set to off, the server
will normalize the value before checking it for syntax violations.
Our current normalization function was designed to handle DN values
adhering to RFC 1779 or RFC 2253
|
| |
|
|
|
|
| |
Also added numericstring syntax support.
For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
|
| |
|
|
|
|
|
|
|
| |
Bug Description: unbind or abandon with unsupported critical controls does not close connection
Reviewed by: nkinder (Thanks!)
Fix Description: When an unbind request is received that has controls marked as critical, and we do not support those controls, we must treat them as non-critical controls and continue processing.
Platforms tested: RHEL4, RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Consistently deal with attr syntax info struct ref count when fetcvhing and returning them to the global hashtables.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Support server-to-server SASL - console chaining, server cleanup
Reviewed by: nkinder (Thanks!)
Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button.
The second set of diffs is for the server.
1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values).
2) Added some more debugging/tracing code
3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configured some of the SSL settings and install the correct policy. I changed the server code to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes
|
| |
|
|
| |
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
|
| |
|
|
| |
Summary: Add config setting to disable unauthenticated binds.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Support server-to-server SASL - part 1
Reviewed by: nkinder, nhosoi, ssorce (Thanks!)
Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions.
I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways.
Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work.
I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default).
Fixed a bug in kerberos.m4 found by nkinder.
ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch.
Changed the log level in ldap_sasl_get_val - pointed out by nkinder
Platforms tested: Fedora 9, Fedora 8
Flag Day: yes
Doc impact: oh yes
|
| |
|
|
| |
Summary: Convert counters to 64-bit capable Slapi_Counter type.
|
| |
|
|
|
|
|
| |
Summary: LDAPI: when nsslapd-ldapiautodnsuffix doesn't exist - Bind is incorrect
Description:
- introducing --enable-auto-dn-suffix option to configure (disabled by default)
- building the auto-dn-suffix code only when the option is set
|
| |
|
|
| |
Summary: Add support for 64-bit counters (phase 1).
|
| |
|
|
|
| |
Summary: Memory usage research: checking in the experimental code
See also: http://directory.fedoraproject.org/wiki/Memory_Usage_Research
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: various valgrind reported startup memory leaks
Reviewed by: nhosoi (Thanks!)
Files: see diff
Branch: HEAD
Fix Description: These memory leaks are not serious, but they do create a lot of noise in
valgrind.
Platforms tested: RHEL5, Fedora 8
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
| |
Summary: attacker can tie up CPU in regex code
Description: when substring search is requested, sets the time limit based upon
the nsslapd-timelimit value. Pass the timelimit (time_up) to the regular
expression function. When the time is up, it returns the "Timelimit exceeded"
error. Note: timelimit is applied non-Directory Manager users.
|
| |
|
|
|
| |
Summary: Dynamically reload schema via task interface (comment #15)
Description: fixed the broken function declaration.
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: simple password auth fails using NSS 3.11.99 or later
Reviewed by: nkinder (Thanks!)
Fix Description: The new softokn in NSS 3.11.99 and later requires that
the server calls NSS_Init() after forking, but before detaching from the
controlling terminal. In fact, this was always a requirement, but the
softokn in older NSS allow it. However, it's possible that some
hardware crypto devices do not allow this and may not work with older
directory servers. The fix is to move the nss/ssl initialization so
that it can be called at the right point, or from other points in cases
where the server does not fork (e.g. db2ldif).
Platforms tested: Fedora 9 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
| |
Description: tmpwatch whacks stats
Reviewed by: nkinder (Thanks!)
Fix Description: move the snmp slapd.stats file to run_dir (/var/run/dirsrv) and rename to slapd-instance.stats. Had to add nsslapd-rundir to cn=config in order for ldap-agent to be able to get it.
Doc: Yes, we need to document the new attribute nsslapd-rundir.
|
| |
|
|
| |
Summary: HP-UX: warnings reported by the HP-UX compiler
|
| |
|
|
|
|
|
|
|
|
| |
Summary: CRM 1474928 : ds7.1 db index/vlv not handling a stop-slapd, hangs slapd
Description:
1. moved active thread count from ns-slapd to libslapd for the task threads to
use.
2. provided APIs to increment/decrement/get the active thread count
3. let task threads increment the active thread count when it's spawned and
decrement it when it quits.
|
| |
|
|
|
|
| |
Summary: Reimplement ds_remove without setuputil code (comment #6)
Description: adding nsslapd-instancedir to dse.ldif for ds_remove to find out
the instance dir path.
|
| |
|
|
|
|
| |
Summary: Add config attributes to cn=config to support Console (comment #1)
Description: Console needs to know the default paths for ldif_dir and bak_dir.
Adding the paths to cn=config.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Summary: configure needs to support --with-fhs (Comment #6)
Changes: Added the following include next to the end of the copyright block.
+
+#ifdef HAVE_CONFIG_H
+# include <config.h>
+#endif
+
|
