path: root/ldap/servers/slapd
Commit message | Author | Age | Files | Lines
* OpenLDAP support (cleanup) | Rich Megginson | 2009-07-07 | 53 files | -1546/+2715
  These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
  * #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
  * where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
  * I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
  * I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
  * I removed some unused code
  NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.
* 509269 Simple paged result crashes/hangs the server | Noriko Hosoi | 2009-07-05 | 2 files | -6/+10
  1) Commit 281f14adb012a54d8b10c9d51dbce6f5c6f3e549 was based on the wrong observation and testing. Backing off the change.
  2) The search result set is retrieved from pblock and used for simple paged results. When the search result set is released, the address stashed in pblock should have been set to NULL so that the address is not accessed again.
* 509269 Simple paged result crashes/hangs the server | Noriko Hosoi | 2009-07-01 | 1 file | -0/+2
  There was a contention between the connection table cleanup thread (main) and the search thread. The cleanup code should have been protected by the same mutex we do in the paged result code (c_mutex).
* Add linked attributes plug-in. | Nathan Kinder | 2009-06-25 | 3 files | -3/+16
  This patch implements a linked attribute plug-in. Details of the plug-in features and design are available on the 389 wiki at: http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
  In addition, I encountered a memory leak when testing the new plug-in with valgrind. There was a fix to the dse add code for a double free a few months back, which causes a leak in certain situations. This previous fix was for bz#489763. The proper thing to do is to make the dse backend add function consume the passed in entry upon success and leave it for the caller to deal with upon failure. This is the way the back-ldbm add function works.
* 507460 Access log could mistakenly report notes=U for VLV searches | Noriko Hosoi | 2009-06-23 | 2 files | -3/+5
  Summary: Access log reports 'notes=U' for VLV indexed searches if there are no records to be found.
  Fix Description: VLV creates an empty IDL if no matched entries are found. To do so, VLV code was calling idl_alloc with argument 0, which generated ALLID. It's changed to call idl_alloc with 1. It creates a normal empty IDL.
* 504383 PCRE breaks SASL Mapping | Noriko Hosoi | 2009-06-23 | 1 file | -1/+24
  Fix Description: unescape parentheses in the regular expression. E.g., ^u:\(.*\) ==> ^u:(.*)
  This unescape is necessary for the new regex code using PCRE to keep the backward compatibility.
* initial commit of io function improvements | Rich Megginson | 2009-06-17 | 4 files | -287/+116
  This patch consolidates the functionality of read_function and secure_read_function into a single read_function that deals with NSPR PRFileDesc objects. It does the same for write_function and secure_write_function. Since there is only one write function, there is no need to push a separate secure read/write function to the lber layer - importing the prfd into ssl (SSL_ImportFd) does that. I've also added some more debugging.
  Reviewed by: nkinder (Thanks!)
* Implement SASL I/O as an NSPR I/O layer | Rich Megginson | 2009-06-09 | 6 files | -216/+333
  This is part of the port to OpenLDAP, to simplify the code that interacts with the BER I/O layer. Ideally, since we only deal with NSPR I/O, not raw I/O, in the directory server, we can push any additional layers, such as SASL, as NSPR I/O layers. This is how NSS works, to push the SSL codec layer on top of the regular NSPR network I/O layer. Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv (sasl_io_recv), and PR_Write (sasl_io_write). This simplified the code in saslbind.c and connection.c, and removed special handling for SASL connections - now they are just treated as regular NSPR connections - the app does not know, nor does it need to know, that the connection is a SASL connection.
  In addition, this gives us the ability to use SASL and SSL at the same time. The SASL I/O layer can be pushed on top of the SSL layer, so that we can use SSL for connection encryption, and SASL for authentication, without having to worry about mixing the two.
  Reviewed by: nkinder (Thanks!)
  Platforms tested: RHEL5 x86_64, Fedora 9 x86_64
* Compiler warnings and paged results on DSE | Noriko Hosoi | 2009-06-03 | 7 files | -14/+30
  1) Fixing compiler warnings on regex.c.
  2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.
* Initialize smods in ldbm_back_modify | Noriko Hosoi | 2009-06-01 | 1 file | -1/+1
  To avoid unnecessary ldap_mods_free for the early error_returns which could be called before mods are set to smods.
* Bug: 181465 - Handle spacing issues in objectClass SUP list. | Nathan Kinder | 2009-05-29 | 1 file | -3/+8
  Our schema parser requires a space after the opening paren when multiple SUP objectclasses are listed in the definition of an objectclass. The RFCs show that a space is not required. This patch simply removes the requirement that a space be present after the opening paren.
* Add require secure binds switch. | Nathan Kinder | 2009-05-29 | 4 files | -1/+63
  This adds a new configuration attribute named nsslapd-require-secure-binds. When enabled, a simple bind will only be allowed over a secure transport (SSL/TLS or a SASL privacy layer). An attempt to do a simple bind over an insecure transport will return an LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not affect anonymous or unauthenticated binds. The default setting is to have this option disabled.
* Use thread aware library for complex regex searches | Noriko Hosoi | 2009-05-28 | 10 files | -1151/+285
  For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
  Two additional unrelated changes are being made:
  1) dbgen.pl.in: secretary and manager have a dn-format value "cn=...".
  2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force the assembler code macro _ASM to be set.
* Fix various compiler warnings | Rich Megginson | 2009-05-19 | 10 files | -50/+12
  1) Make sure we use "const" consistently
  2) Make sure we use "unsigned char" consistently. For some reason (unsigned char)*p did not compare to '\xHH' literals unless the literal was also cast to (unsigned char)
  3) added some missing function prototypes
  4) removed some unused variables/functions, or commented out for use when debugging
  5) various other compiler warnings
  With all of these, the code compiles cleanly on RHEL5 x86_64 using gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44) and CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic". The only warning now is the spurious message about %llu or %lld having the wrong format argument.
  Reviewed by: nhosoi (Thanks!)
* Add Simple Paged Results | Noriko Hosoi | 2009-05-15 | 17 files | -708/+1410
  For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
* Add strict DN syntax enforcement option. | Nathan Kinder | 2009-05-13 | 4 files | -1/+51
  The DN syntax has become more restrictive over time, and the current rules are quite strict. Strict adherence to the rules defined in RFC 4514, section 3, would likely cause some pain to client applications. Things such as spaces between the RDN components are not allowed, yet many people use them still since they were allowed in the previous specification outlined in RFC 1779.
  To deal with the special circumstances around validation of the DN syntax, a configuration attribute is provided named nsslapd-dn-validate-strict. This configuration attribute will ensure that the value strictly adheres to the rules defined in RFC 4514, section 3 if it is set to on. If it is set to off, the server will normalize the value before checking it for syntax violations. Our current normalization function was designed to handle DN values adhering to RFC 1779 or RFC 2253
* Auto-generate SLAPI docs - first pass. | Nathan Kinder | 2009-05-11 | 1 file | -26/+1434
  This starts the effort to be able to use Doxygen to auto-generate the SLAPI documentation. I started documenting everything in slapi-plugin.h from the top down. There is a TODO comment indicating where the effort needs to be picked up from in the header file.
  To build the SLAPI docs, run "doxygen slapi.doxy" in the top of the source tree. The resulting doc files will be in a subdirectory named "docs". The build of the docs still needs to be integrated with the rest of the build.
* Added capability to validate syntax of values being added to the database. Also added numericstring syntax support. | Nathan Kinder | 2009-05-08 | 18 files | -32/+416
  For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
* Resolves: #475338 | Noriko Hosoi | 2009-04-16 | 1 file | -9/+5
  Summary: LOG: the internal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer (comment #20)
  Description: In log_reverse_convert_time, by initializing "struct tm" with NULLs (struct tm tm = {0};), tm_isdst is also set to 0, which means no daylight saving. mktime, when converting struct tm to time_t, uses the knowledge "the time that the time_t represents is not in the daylight saving period". Instead, we should have set "tm.tm_isdst = -1;". That means we don't have the knowledge, so calculate it in mktime.
  I also fixed a silly bug in generating a rotated log file name which I introduced in my previous checkin.
* Resolves: #475338 | Noriko Hosoi | 2009-04-16 | 1 file | -9/+35
  Summary: LOG: the internal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer (comment #20)
  Description:
  1) replaced PR_GetOpenFileInfo with PR_GetOpenFileInfo64 in log_getfilesize. PR_GetOpenFileInfo does not return the correct file size if the size is larger than 2GB.
  2) when a rotation info file is missing and recreated, the file size stored in the file was not correct.
  3) rotated file name is created with the time stamp when rotated. The reverse conversion function had a problem and the file name in the rotation info and the real one could mismatch.
* re-enable ppc support | Rich Megginson | 2009-04-06 | 1 file | -0/+5
  NOTE: We do not have support for atomic 64-bit counters on ppc - ppc platforms use the mutex approach instead
* Resolves: #491215 | Noriko Hosoi | 2009-03-23 | 1 file | -0/+2
  Summary: mmldif crashes in PK11_CreateDigestContext
  Description: NSS was not initialized. Since cert db, key db, or secmod db are not needed, changed to call NSS_NoDB_Init to initialize NSS.
* Resolves: #490027 | Noriko Hosoi | 2009-03-13 | 1 file | -4/+6
  Summary: log module issues unnecessary/inaccurate syslog errors
  Description:
  1) don't log "Exceeded max number of logs allowed" in syslog messages. It's an info level log, which is not appropriate to log in syslog messages.
  2) when deleting an error log file failed, a wrong file name (audit log) was printed. I also added the error code and the message why the deletion failed.
* Resolves: #489625 | Noriko Hosoi | 2009-03-13 | 1 file | -14/+31
  Summary: If an independent process db2ldif rotates the error log, it crashes the server.
  Description: PR_Rename failure due to the FILE_EXIST is benign. Ignore the error and go forward. The procedure is extended to all the log types: error, access, and audit.
* Resolves: #489763 | Noriko Hosoi | 2009-03-12 | 1 file | -3/+0
  Summary: rhds80 64b el5.3 - db2ldif lock case
  Description: Fixed double free, which confused the server operation and eventually crashed the server.
* Resolves: bug 488866 | Rich Megginson | 2009-03-12 | 1 file | -2/+2
  Bug Description: crash in reliab15 test
  Reviewed by: nkinder (Thanks!)
  Fix Description: There was still a small window of time during which the connection could be closed out from under the other thread which was sending/reading result. The solution is to use explicit locking using the conn->lock to protect access to the conn->ld. Since this also affected the total update code, I tested it under similar conditions, and found that it exhibited the same behavior. I added checking to the total update code to check for disconnection and coordinate access in the entry sending/result reading threads. I also fixed a spurious error message about the sasl path.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: #488856 | Noriko Hosoi | 2009-03-09 | 1 file | -23/+30
  Summary: slapi_ldap_init_ext needs to be modified due to the build failure on Solaris
  Description: instead of replacing client_callbacks, set sasl path to SASL_PATH using putenv.
* Resolves: bug 488814 | Rich Megginson | 2009-03-07 | 1 file | -1/+3
  Description: mapping tree code inconsistent about treatment of quoted node names
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Look for (|(%s=\"%s\")(%s=%s))) when looking for mapping tree suffixes - there may be a quoted suffix, or one without quotes, so look for either
* Resolves: bug 486400 | Nathan Kinder | 2009-03-03 | 1 file | -2/+2
  Bug Description: During migration, if import fails for some reason, the exact cause of why it was unable to open the LDIF is not logged.
  Reviewed by: nhosoi (thanks!)
  Files: see diff
  Branch: HEAD
  Fix Description: As discussed in the bug council, the fix is to just report the actual error returned when the open() of the LDIF fails. This reports the errno and a string description of the error in the errors log (which is also output to stderr when running ldif2db).
  Platforms tested: F9
  Flag Day: no
  Doc impact: no
* Resolves: bug 450575 | Rich Megginson | 2009-02-27 | 3 files | -4/+26
  Bug Description: unbind or abandon with unsupported critical controls does not close connection
  Reviewed by: nkinder (Thanks!)
  Fix Description: When an unbind request is received that has controls marked as critical, and we do not support those controls, we must treat them as non-critical controls and continue processing.
  Platforms tested: RHEL4, RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: bug 481052 | Rich Megginson | 2009-02-16 | 1 file | -7/+26
  Bug Description: some cn=config options show up with incorrect value on 64-bit
  Reviewed by: nkinder (Thanks!)
  Fix Description: The get functions return a specific sized type (e.g. an int). We were assigning this to a void *. We cannot do this. We must assign the return value from the get function to the correct size and type variable. I changed the config code to do this. I also had a look at the database and chaining database config code which does similar things with void *, but that code works a little bit differently and appears to be ok.
  Platforms tested: RHEL5 x86_64 (need to test on HP-UX)
  Flag Day: no
  Doc impact: no
* Resolves: #464651 | Noriko Hosoi | 2009-02-13 | 1 file | -33/+63
  Summary: nsIndexType allows a blank value but does not properly apply default indexes
  Description: the values retrieved from the index entry were not checked for whether they were empty or not. With this fix, if a value is empty, it issues a warning and returns LDAP_OPERATIONS_ERROR.
* Resolves: #485321 | Noriko Hosoi | 2009-02-13 | 1 file | -1/+5
  Summary: Entry cache: invalid counter usage
  Description: if new entry size is larger than old size, the delta is added to the cache size using slapi_counter_add; otherwise, the delta is subtracted from the cache size using slapi_counter_subtract.
* Resolves: #484157 | Noriko Hosoi | 2009-02-10 | 1 file | -0/+13
  Summary: timelimit not honored in some cases
  Description: Range search operations could take a longer time than the time limit depending upon the data size, but there was no chance to check the time limit in the code (index_range_read). Thus, once the range search operation had started, it could have lasted far beyond the specified time limit. I introduced the time check in the range search function.
* Resolves: 455629 | Nathan Kinder | 2009-02-09 | 1 file | -40/+65
  Summary: Only change permissions of certdb when it is newly created.
* Resolves: #484311 | Noriko Hosoi | 2009-02-06 | 1 file | -1/+1
  Summary: When password policy is on, replacing userpassword starting with {clear} fails
  Description: #484311 is not a bug; this change is just to improve the error message.
* Resolves: 455629 | Nathan Kinder | 2009-02-06 | 1 file | -1/+18
  Summary: Ensure server group has proper permissions on certificate db files.
* Resolves: #484149 | Noriko Hosoi | 2009-02-05 | 3 files | -6/+23
  Summary: Clear directory manager password with password storage scheme other than clear crashes the server
  Description:
  1) introducing a flag (_nss_initialized) and an API (slapd_nss_is_initialized) to represent whether NSS_Initialize has been called or not.
  2) in config_set_rootpw, if the directory manager's password is given unhashed, check if NSS is already initialized and whether the directory manager's password storage scheme is clear or not. If NSS is not initialized and if the storage scheme is not CLEAR, report it and return an error LDAP_PARAM_ERROR.
* Resolves: bug 480642 | Rich Megginson | 2009-02-04 | 1 file | -1/+58
  Bug Description: HPUX: Server to Server SASL - Unknown Authentication Method
  Reviewed by: nkinder (Thanks!)
  Fix Description: On some platforms, we do not install the sasl auth method plugins in a standard location, so we have the nsslapd-saslpath config setting to provide that location in a CB_GETPATH callback provided to sasl_server_init. This works fine for being a SASL server. However, to be an LDAP SASL client, we have to provide that callback to sasl_client_init too. This call happens the first time the mozldap client library is initialized. mozldap has a hardcoded list of sasl callbacks it provides, and does not allow callers to augment that list. So, we simply replace the list with one that contains the CB_GETPATH callback.
  Platforms tested: HP-UX 11.23 64-bit
  Flag Day: no
  Doc impact: no
* Resolves: #483366 | Noriko Hosoi | 2009-02-02 | 2 files | -7/+73
  Summary: test plugin (datainterop): eliminate BDB dependency from testdbinterop
* Resolves: #483167 | Noriko Hosoi | 2009-01-31 | 1 file | -1/+1
  Summary: db2ldif -s "" crashes with segmentation fault
  Change description: adding a check to see if there are no entries.
* Resolves: 470611 | Nathan Kinder | 2009-01-29 | 3 files | -15/+53
  Summary: Enhanced rsearch to allow user filter and password to be configurable (contributed by telackey@bozemanpass.com).
* Resolves: bug 482909 | Rich Megginson | 2009-01-28 | 1 file | -67/+93
  Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server
  Reviewed by: nkinder (Thanks!)
  Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: bug 481223 | Rich Megginson | 2009-01-26 | 1 file | -0/+2
  Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
  Reviewed by: nkinder (Thanks!)
  Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: 474945 | Nathan Kinder | 2009-01-21 | 8 files | -34/+60
  Summary: Consistently deal with attr syntax info struct ref count when fetching and returning them to the global hashtables.
* Resolves: 480384 | Nathan Kinder | 2009-01-19 | 1 file | -1/+10
  Summary: Allow attribute aliases to be used as SUP attribute in attributetype definitions.
* Resolves: 474945 | Nathan Kinder | 2009-01-19 | 1 file | -1/+0
  Summary: Fixed assertion when improperly deleting syntaxinfo.
* Resolves: 204626 | Nathan Kinder | 2009-01-16 | 1 file | -18/+36
  Summary: Reject pre-hashed password from unprivileged users when password syntax checking is enabled. Don't check password syntax for pre-hashed password from privileged users.
* Resolves: 248924 | Nathan Kinder | 2009-01-16 | 2 files | -11/+44
  Summary: Make password modify extended operation reset expired passwords.
* Resolves: #469800 | Noriko Hosoi | 2009-01-15 | 1 file | -23/+26
  Summary: Slow import post-processing with large number of non-leaf entries (comment #15)
  Change description: Fixed ldbm_ancestorid_new_idl_create_index so that the ancestor key has the value including all the descendant ids in the IDlist. The code checked in previously only stores the direct children and their children.