| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
Summary: DN Rename with case change only fails
Description: The modrdn operation allows the source dn and the target dn are
identical or the same except the cases.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: RFE: search optimization and single character substring searches
Description: extended the substring key to have 3 types:
* begin (e.g., *^a)
* middle (e.g., *abc)
* end (e.g., *xy$)
* Usage: turn an index object to extensibleobject and set an integer value as
follows:
* dn: cn=sn, cn=index, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
* objectClass: extensibleObject
* nsSubStrBegin: 2
* nsSubStrMiddle: 3
* nsSubStrEnd: 2
* [...]
|
| |
|
|
| |
Summary: Use default stack size on LP64 systems.
|
| |
|
|
|
|
|
|
|
| |
Summary: Directory server is caching string case for attributes with Directorystring syntax even after deletion
Description:
Introduced a new flag SLAPI_VALUE_FLAG_USENEWVALUE for valueset_remove_valuearr
to exchange the value in the deleted value set and the to be added value. With
this change, the newly added value is resurrected instead of the original
value.
|
| |
|
|
|
|
|
|
| |
Summary: attacker can tie up CPU in regex code
Description: when substring search is requested, sets the time limit based upon
the nsslapd-timelimit value. Pass the timelimit (time_up) to the regular
expression function. When the time is up, it returns the "Timelimit exceeded"
error. Note: timelimit is applied non-Directory Manager users.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: GER: allow GER for non-existing entries
Description:
[slapd/charray.c]
new: charray_merge_nodup -- merge 2 string arrays skipping the duplicates
modified: charray_remove -- introduced "freeit" flag. If true, the removed
string is freed. (The API is used only in chainingdb. The change is applied
to the plugin.)
[slapd/opshared.c]
modified: check OP_FLAG_GET_EFFECTIVE_RIGHTS in the iterate to support
"@<objectclass>". It's needed to do at the location since we have to call acl
plugin even
when no entries are returned from the search. If no entries are returned and
"@<objectclass>" is found in the attribute list, acl effective rights code
generates the corresponding template entry.
[slapd/pblock.c]
place to store gerattrs is added (SLAPI_SEARCH_GERATTRS), where gerattrs is an
array of strings which store "...@<objectclass>".
[slapd/result.c]
moved OP_FLAG_GET_EFFECTIVE_RIGHTS checking to iterate (opshared.c)
[slapd/schema.c]
new: slapi_schema_list_objectclass_attributes -- return the required and/or
allowed attributes belonging to the given objectclass. This is used to support
"*" and "+" in the get effective rights.
new: slapi_schema_get_superior_name -- return the superior objectclass name of
the given objectclass.
[slapd/search.c]
if "<attr>@<objectclass>" is found in the attribute list, cut the <attr> part
out and added to the attrs array (pblock SLAPI_SEARCH_ATTRS) and store the
original
string to the gerattrs (pblock SLAPI_SEARCH_GERATTRS).
[plugin/acl/acleffectiverights.c]
modified: _ger_g_permission_granted -- if the requester and the subject user
are
identical, give "g" permission
modified: _ger_parse_control -- replaced strcpy with memmove since strcpy does
not guarantee the result of the overlap copy.
modified: _ger_get_attrs_rights -- support "*" (all attributes belonging to the
object) and "+" (operational attributes). If repeated attributes are found in
the given attribute list, they are reduced to one.
new: _ger_generate_template_entry -- generate a template entry if
"@<objectclass>" is passed.
[pluginc/cb/*]
adjusted to the updated charray_remove.
Please see also this wiki page for the overview and test cases.
http://directory.fedoraproject.org/wiki/Get_Effective_Rights_for_non-present_attributes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: MMR breaks with time skew errors
Reviewed by: nhosoi, nkinder (Thanks!)
Fix Description: CSN remote offset generation seems broken. We seem to accumulate a remote offset that keeps growing until we hit the limit of 1 day, then replication stops. The idea behind the remote offset is that servers may be seconds or minutes off. When replication starts, one of the itmes in the payload of the start extop is the latest CSN from the supplier. The CSN timestamp field is (sampled_time + local offset + remote offset). Sampled time comes from the time thread in the server that updates the time once per second. This allows the consumer, if also a master, to adjust its CSN generation so as not to generate duplicates or CSNs less than those from the supplier. However, the logic in csngen_adjust_time appears to be wrong:
remote_offset = remote_time - gen->state.sampled_time;
That is, remote_offset = (remote sampled_time + remote local offset + remote remote offset) - gen->state.sampled_time
It should be
remote_offset = remote_time - (sampled_time + local offset + remote offset)
Since the sampled time is not the actual current time, it may be off by 1 second. So the new remote_offset will be at least 1 second more than it should be. Since this is the same remote_offset used to generate the CSN to send back to the other master, this offset would keep increasing and increasing over time. The script attached to the bug helps measure this effect. The new code also attempts to refresh the sampled time while adjusting to make sure we have as current a sampled_time as possible. In the old code, the remote_offset is "sent" back and forth between the masters, carried along in the CSN timestamp generation. In the new code, this can happen too, but to a far less extent, and should max out at (real offset + N seconds) where N is the number of masters.
In the old code, you could only call csngen_adjust_time if you first made sure the remote timestamp >= local timestamp. I have removed this restriction and moved that logic into csngen_adjust_time. I also cleaned up the code in the consumer extop - I combined the checking of the CSN from the extop with the max CSN from the supplier RUV - now we only adjust the time once based on the max of all of these CSNs sent by the supplier.
Finally, I cleaned up the error handling in a few places that assumed all errors were time skew errors.
Follow up - I found a bug in my previous patch - _csngen_adjust_local_time must not be called when the sampled time == the current time. So I fixed that where I was calling _csngen_adjust_local_time, and I also changed _csngen_adjust_local_time so that time_diff == 0 is a no-op.
Platforms tested: RHEL5, F8, F9
Flag Day: no
Doc impact: no
QA impact: Should test MMR and use the script to measure the offset effect.
|
| |
|
|
| |
Summary: Indexing code needs to use new entry copy to search for subtypes when deleting an attribute value.
|
| | |
|
| |
|
|
|
| |
Summary: Dynamically reload schema via task interface (comment #15)
Description: fixed the broken function declaration.
|
| |
|
|
| |
Summary: Dynamically reload schema via task interface
|
| |
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: slapi_validate_schema_files: call dse_destroy only when the previous validation was successful.
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| |
|
|
|
|
| |
Summary: Dynamically reload schema via task interface
Description: implemented task based schema file reloading
(see also http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema)
|
| | |
|
| |
|
|
|
|
| |
Summary: LDAPI: support auto-bind
Description: String representation of socktype was not set correctly when
the socktype was PR_AF_LOCAL.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: LDAPI: support auto-bind
Description:
1) Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX. The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK). To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN. But set a retry count not to hang there.
2) Introduced c_local_valid in the Connection handle to tell the autobind
code that the uid/gid pair is valid or not.
3) Stops the automagic/unconditional auto-bind (the code used to be in
daemon.c).
4) Auto-bind is effective only when the client passes the SASL/EXTERNAL request.
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary: LDAPI: referral mode needs LDAPI socket
Problem Description: If you start the server with the referral mode, e.g.,
like this:
ns-slapd refer -D /etc/dirsrv/slapd-test -r ldap://laputa.example.com
UNIX socket for LDAPI was not opened since LDAPI configuration parameters are
not read from dse.ldif at that moment.
Fix Description: adding the code to process nsslapd-ldapifilepath and
nsslapd-ldapilisten in slapd_bootstrap_config.
|
| |
|
|
|
|
|
| |
Summary: Allow larger regex buffer to enable long substring filters
Description: Applying the patches provided by ulf.weltman@hp.com.
regex.c: use dynamically allocated regex buffer, use ptrdiff_t to store the offsets to be restored after the realloc, and use a constant for the value of "how much the NFA buffer can grow in one iteration on the pattern".
string.c: use dynamically allocated buffer if the prepared buffer is not large enough, used wrong pointer (pat instead of p) in a debug message, and performed an unneeded strcat of ".*"
|
| |
|
|
|
|
|
|
| |
Summary: memory leaks in extensible filter code
Description: applying the patch provided by Ulf Weltman
1) type is not consumed in attrlist_merge
2) although dnattrs is a linked list, only the first item was released.
Test case filter: "(ou:dn:=groups)"
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: simple password auth fails using NSS 3.11.99 or later
Reviewed by: nkinder (Thanks!)
Fix Description: The new softokn in NSS 3.11.99 and later requires that
the server calls NSS_Init() after forking, but before detaching from the
controlling terminal. In fact, this was always a requirement, but the
softokn in older NSS allow it. However, it's possible that some
hardware crypto devices do not allow this and may not work with older
directory servers. The fix is to move the nss/ssl initialization so
that it can be called at the right point, or from other points in cases
where the server does not fork (e.g. db2ldif).
Platforms tested: Fedora 9 i386, RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
| |
Summary: Fixed valrgind errors about use of unitialized values.
|
| |
|
|
| |
Summary: Enhanced SLAPI task API and ported existing tasks to use new API.
|
| |
|
|
|
|
|
|
| |
Summary: SASL IO functions set/get: argument mismatch
Fix description: When setting the IO functions in sasl_io_setup, use the local
memory to pass the IO functions. Plus, allocate the memory for backing up the
existing IO functions (real_iofns in the code), which is set in sasl_io_setup
and the area is released after setting it back in sasl_io_cleanup.
|
| |
|
|
| |
Summary: Fixed crash in replication during bulk import. Use bulk impport code more consistently.
|
| |
|
|
| |
Summary: Allow import fifo to clear out all finished entries.
|
| |
|
|
|
| |
Descriptionn: fedora-ds-base build problem
Fix Description: Correct usage of va_list and vfprintf
|
| |
|
|
|
|
|
| |
Summary: Multiple restores from a non-existant directory could wipe out database
Description: The given archive path was not normalized. Due to the trailing
slash '/', comparing with the db dir failed and wiped out the db dirs.
Applying the path normalization to the archive path.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Summary: db2bak: crash bug (comment #8, 11)
Description:
Set the strong requirement: nsslapd-directory must have some value.
to guarantee it:
1) checking errors from ldbm_config_directory_set. If the check fails, don't
start the server.
2) if nsslapd-directory does not exist or the value is empty in dse.ldif,
issuing an error message and returning the error code.
3) since it was difficult to distinguish the nsslapd-directory empty value from
the initial default value, introduced CONFIG_FLAG_SKIP_DEFAULT_SETTING flag to
tell the backend config code to skip setting the default value
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary: LongDuration: Error log Rotation test suite causes slapd hang
Problem description: LDAPDebug eventually calls slapd_log_error_proc_internal,
which obtains the lock. If any functions called in the lock tries to log into
the errors log, it tries to get the same lock and it hangs there since the
underlying PR_Lock is not reentrant.
Fix description: log__enough_freespace and log__delete_error_logfile could be
called indirectly from slapd_log_error_proc_internal. Instead of LDAPDebug,
changed these functions to call log__error_emergency when necessary.
|
| |
|
|
|
|
| |
Summary: db2bak fails if the archive path exists and ends with '/' (Comment #8)
Description: Changed the condition to normalize the path: if '.' or '/' is
included in the path, normalize it.
|
| |
|
|
|
|
| |
Summary: Hide nsslapd-db-transaction
Description: don't show the configuration parameter nsslapd-db-transaction in
dse.ldif.
|
| |
|
|
|
|
| |
Summary: clu test failures (Comment #7)
Description: 1) Removing obsolete PATH info from Usage
2) Replacing "idl" with "ID list" following the suggestion from Doc.
|
| |
|
|
|
|
|
| |
Summary: listenhost: hostname associated with multiple addresses
1) parentheses were needed around *addr, which should have been evaluated
before the array.
2) fixed a small memory leak.
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: dbgen.pl uses incorrect perl interpreter on hpux
Reviewed by: nhosoi (Thanks!)
Fix Description: Set @perlexec@ to the correct platform specific perl location.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: migration : encryption key entries missing when source is 6.21
Reviewed by: nhosoi (Thanks!)
Fix Description: I found out why it wasn't always adding the attribute encryption entries. If the cn=monitor entry existed for the database, it would not add the other container entries. I don't know why it did that. I changed it to always add those entries, and just skip the ones that already exist. This should ensure that the attribute encryption entries always exist.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
| |
Summary: "nested" filtered roles result in deadlock
Description: Function slapi_vattr_values_get_sp used to use the context
allocated on the stack. Changed it to call vattr_context_new to set the
locally created pblock (local_pb). The pblock is used to pass the context
loop info as the stack gets deeper to prevent the stack overflow. At the
end of this function slapi_vattr_values_get_sp, slapi_pblock_destroy is
called if the context is local (use_local_ctx). The function cleans up
pb_vattr_context internally.
|
| |
|
|
|
|
| |
Summary: HP-UX: warnings reported by the HP-UX compiler (Comment #25,26)
Change description: moved the DEBUG_TRACE to the place before deleting the
physical log file.
|
| |
|
|
| |
Summary: Don't define _XOPEN_SOURCE_EXTENDED on HP-UX.
|
| |
|
|
|
| |
Description: ssl acceptance tests are failing
Fix Description: This isn't the full fix, but the error message should print out the directory where it was looking for the missing cert db files.
|
| |
|
|
|
|
| |
Description: rhds71 Malformed Dynamic Authorization Group makes Directory Server Crash
Reviewed by: supplemental
Fix Description: In some cases, it is ok if the filter is NULL. So just allow NULL in those cases. slapi_str2filter must take either NULL or a writable string, so make sure we pass those in correctly.
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: qualify warning message when cert8.db is missing
Reviewed by: self
Fix Description: Only warn when both cert8.db and cert7.db are missing. If cert7.db is there, NSS will automatically create cert8.db from it.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
| |
Summary: Solaris: warnings reported by the Solaris compiler
|
| |
|
|
|
|
| |
Summary: infadd tool won't start. Fails to load data file (comment #4)
Description: HP compiler does not like to have a function call in a constant
expression.
|
| |
|
|
|
|
|
|
|
| |
Summary: MMR: Supplier does not respond anymore after many operations (deletes)
Description: introduce OP_FLAG_REPL_RUV. It's set in repl5_replica.c if the
entry is RUV. The operation should not be blocked at the backend SERIAL lock
(this is achieved by having OP_FLAG_REPL_FIXUP set in the operation flag).
But updating RUV has nothing to do with VLV, thus if the flag is set, it skips
the VLV indexing.
|
| |
|
|
|
|
|
|
|
|
| |
Bug Description: rhds71 Malformed Dynamic Authorization Group makes Directory Server Crash
Reviewed by: nhosoi (Thanks!)
Fix Description: The problem was that we were not checking the return value of slapi_str2filter(). I added a check at the crash site, and it will not print out a helpful error message. I did a search through the code looking for other similar places and found a couple. I added similar code in those places.
I added an initialization of a buffer to null, as suggested by nhosoi.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
| |
Summary: "nested" filtered roles result in deadlock (comment #16)
Description: fixed a memory leak introduced in the previous checkins (comment #12)
|
| |
|
|
| |
Summary: Look for infadd data files in TEMPLATEDIR.
|
| | |
|
| |
|
|
|
|
|
| |
Description: tmpwatch whacks stats
Reviewed by: nkinder (Thanks!)
Fix Description: move the snmp slapd.stats file to run_dir (/var/run/dirsrv) and rename to slapd-instance.stats. Had to add nsslapd-rundir to cn=config in order for ldap-agent to be able to get it.
Doc: Yes, we need to document the new attribute nsslapd-rundir.
|
