| Commit message | Author | Age | Files | Lines |
Summary: Only change permissions of certdb when it is newly created.
Summary: When password policy is on, replacing userpassword starting with
{clear} fails
Description: #484311 is not a bug; this change is just to improve the error
message.
Summary: Ensure server group has proper permissions on certificate db files.
Summary: Clear directory manager password with password storage scheme other
than clear crashes the server
Description:
1) introducing a flag (_nss_initialized) and an API (slapd_nss_is_initialized)
to represent whether NSS_Initialize has been called or not.
2) in config_set_rootpw, if the directory manager's password is given unhashed,
check if NSS is already initialized and the directory manager's password
storage scheme is clear or not. If NSS is not initialized and if the storage
scheme is not CLEAR, report it and return an error LDAP_PARAM_ERROR.
Summary: Update member attributes that refer to renamed entries when processing a MODRDN.
Bug Description: Modification of nsViewFilter of a virtual view OU crashes the server
Reviewed by: nhosoi, andrey.ivanov (Thanks!)
Fix Description: When we delete a node, not only do we need to have the parent node discover its new children, we need to have each child discover a new parent.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: DS crash when modify entry that does not exist in AD
Reviewed by: nkinder (Thanks!)
Fix Description: The function that checks to see if the mod has already been made to the AD entry should just return 0 if the AD entry does not exist or could not be found - in this case, the regular windows replay code will handle it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: HPUX: Server to Server SASL - Unknown Authentication Method
Reviewed by: nkinder (Thanks!)
Fix Description: On some platforms, we do not install the sasl auth method plugins in a standard location, so we have the nsslapd-saslpath config setting to provide that location in a CB_GETPATH callback provided to sasl_server_init. This works fine for being a SASL server. However, to be an LDAP SASL client, we have to provide that callback to sasl_client_init too. This call happens the first time the mozldap client library is initialized. mozldap has a hardcoded list of sasl callbacks it provides, and does not allow callers to augment that list. So, we simply replace the list with one that contains the CB_GETPATH callback.
Platforms tested: HP-UX 11.23 64-bit
Flag Day: no
Doc impact: no
Summary: Syntax plugin (phonetic): "Sounds like" does not support Western
European characters
Description: added support for Latin-1 characters (UNICODE:00C0 - 00FF)
Summary: test plugin (datainterop): eliminate BDB dependency from testdbinterop
Summary: db2ldif -s "" crashes with segmentation fault
Change description: adding a check to see if there are no entries.
Summary: Enhanced rsearch to allow user filter and password to be configurable (contributed by telackey@bozemanpass.com).
Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server
Reviewed by: nkinder (Thanks!)
Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
Reviewed by: nkinder (Thanks!)
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: userattr="parent[1].<attribute>#LDAPURL" does not work
Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not
implemented. The functionality has been implemented with this change.
Summary: Consistently deal with attr syntax info struct ref count when fetching and returning them to the global hashtables.
Summary: Allow attribute aliases to be used as SUP attribute in attributetype definitions.
Summary: Fixed assertion when improperly deleting syntaxinfo.
Summary: Reject pre-hashed password from unprivileged users when password syntax checking is enabled. Don't check password syntax for pre-hashed password from privileged users.
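
An added example, not code from the Fedora/389 Directory Server tree, that covers both this commit and the earlier "Clear directory manager password with password storage scheme other than clear crashes the server" commit: it shows how a server can tell a pre-hashed value ("{SCHEME}...") from a clear one, the startup rule that a clear root password with a non-CLEAR scheme cannot be accepted before NSS is initialized, and the rule that only privileged users may submit a pre-hashed password while syntax checking is on. All names here (pw_is_prehashed, rootpw_check, userpw_check, the enum) are illustrative, and the result codes stand in for the LDAP ones.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Illustrative result codes (stand-ins, not the real LDAP result codes). */
enum pw_result {
    PW_OK = 0,
    PW_PARAM_ERROR,       /* plays the role of LDAP_PARAM_ERROR */
    PW_REJECT_PREHASHED,  /* unprivileged client sent a {SCHEME} value */
    PW_SYNTAX_CHECK       /* clear value: caller must run syntax checking */
};

/* Returns true when value has the form "{SCHEME}..." with a non-empty scheme
 * made of letters, digits or '-'. If scheme_out is non-NULL the scheme is
 * copied there, uppercased. "{", "{}x" and "x{SSHA}" are not pre-hashed. */
bool pw_is_prehashed(const char *value, char *scheme_out, size_t n)
{
    if (value == NULL || value[0] != '{') return false;
    const char *end = strchr(value, '}');
    if (end == NULL || end == value + 1) return false;
    size_t len = (size_t)(end - value) - 1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[1 + i];
        if (!isalnum(c) && c != '-') return false;
    }
    if (scheme_out != NULL) {
        if (len + 1 > n) return false;
        for (size_t i = 0; i < len; i++)
            scheme_out[i] = (char)toupper((unsigned char)value[1 + i]);
        scheme_out[len] = '\0';
    }
    return true;
}

/* True when value is pre-hashed with the given scheme (case-insensitive). */
bool pw_scheme_is(const char *value, const char *scheme)
{
    char got[32];
    return pw_is_prehashed(value, got, sizeof got) && strcasecmp(got, scheme) == 0;
}

/* Startup check for the directory manager password: a clear value can only
 * be hashed once NSS is initialized, so before that point it is acceptable
 * only if the configured storage scheme is CLEAR. */
enum pw_result rootpw_check(const char *value, const char *storage_scheme,
                            bool nss_initialized)
{
    if (pw_is_prehashed(value, NULL, 0)) return PW_OK;   /* nothing to hash */
    if (nss_initialized) return PW_OK;                   /* can hash it now */
    if (strcasecmp(storage_scheme, "CLEAR") == 0) return PW_OK;
    return PW_PARAM_ERROR;
}

/* Password change from a client while syntax checking is enabled: an
 * unprivileged client may not bypass the checks by sending a hash; a
 * privileged one may, and its hash is not syntax-checked. */
enum pw_result userpw_check(const char *value, bool privileged,
                            bool syntax_checking)
{
    bool hashed = pw_is_prehashed(value, NULL, 0);
    if (!syntax_checking) return PW_OK;
    if (hashed) return privileged ? PW_OK : PW_REJECT_PREHASHED;
    return PW_SYNTAX_CHECK;
}
```

The prefix test is deliberately strict about the scheme name: a value such as "{}secret" or "{bad scheme}x" is treated as a clear password and goes through syntax checking rather than being waved through as a hash.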
Summary: Make password modify extended operation reset expired passwords.
Summary: Slow import post-processing with large number of non-leaf entries (comment #15)
Change description:
Fixed ldbm_ancestorid_new_idl_create_index so that the ancestor key has the
value including all the descendent ids in the IDlist. The code checked in
previously only stores the direct children and their children.
Summary: Make password modify extop work properly with the password policy control.
Bug Description: DirSync interval should be configurable
Reviewed by: nhosoi (Thanks!)
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value. Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server
Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: Acceptance test: mmrepl {accept,chainonupdate} : slapd dumps core during accept_cleanup()
Reviewed by: nkinder (Thanks!)
Fix Description: Have to call ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE) after setting up the connection for client auth
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: nkinder (Thanks!)
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure. Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation.
I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot login - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
Summary: Approximate Search '~=' Returns unexpected result
Change description: increasing the maximum length of "phonetic" string from 4
to 6. The length 4 is sometimes too short to distinguish long words. For
instance, the sample string Queensland is converted to KNSLNT if there is no
limitation; Consulting is to KNSLTNK. By cutting them at the 5th character,
the 2 strings are considered to sound like each other.
Summary: Make regex filter code handle empty values properly.
Summary: Expose internal operation flag via SLAPI.
Summary: ldapsearch with size limit (-z) doesn't work with OR filter and range search
Description:
SIZELIMIT is checked in index_range_read to eliminate the unnecessary data
retrieval. But when the filter contains a range search which is connected by
AND, then we should not do sizelimit. There was a bug in the function which
sets is_and. The flag should have been cleared only when the function set it
to 1. Instead, it was cleared each time the function is called. It let
index_range_read stop reading when it reaches sizelimit even though it should
not have.
Bug Description: winsync doesn't recognize some changes
Reviewed by: nkinder (Thanks!)
Fix Description: Before sending updates to AD, first check to see if the updates still apply. For modify/add operations, check to make sure the value to add doesn't exist. If it does, remove it from the list of values in the mod. If all values are removed, then just skip the modify/add op altogether. For modify/del ops, check to see if the attribute exists. If not, just skip the op. If it does exist, check to see if the values exist, and remove the values from the mod/del op that do not exist anymore. If all values have been removed, just skip the mod/del op.
I added a new slapi function - slapi_mod_init_valueset_byval - which will init a Slapi_Mod and init the list of values using a valueset. Fortunately there was already a function for converting a Slapi_Value** to a berval**.
I also fixed a few compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - add new function to slapi docs
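
An added example, not the winsync code itself, of the pruning rule the fix above describes: before a modify is replayed to the remote entry, values that would add something already present are dropped, values that would delete something absent are dropped, a delete against a missing attribute is dropped whole, and a mod with nothing left is skipped. The struct types, the prune_mod name and the case-insensitive value comparison are assumptions made for this example; the sample entry (alice, bob) is constructed.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

enum mod_op { MOD_ADD, MOD_DELETE };

/* One modification: operation, attribute, NULL-terminated value list. The
 * fixed size keeps the example self-contained. */
struct mod {
    enum mod_op op;
    const char *attr;
    const char *vals[8];
};

/* The attribute as it exists on the remote (AD) entry right before replay.
 * present == 0 means the entry has no such attribute at all. */
struct remote_attr {
    int present;
    const char *vals[8];
};

static int value_present(const char *const *vals, const char *v)
{
    /* Case-insensitive compare is an assumption for this example; the commit
     * does not say how values are matched. */
    for (size_t i = 0; vals[i] != NULL; i++)
        if (strcasecmp(vals[i], v) == 0) return 1;
    return 0;
}

/* Drops the values of m that no longer apply against the remote attribute:
 * adds of values already there, deletes of values (or of an attribute) not
 * there. Returns the number of values left; 0 means skip the mod entirely. */
size_t prune_mod(struct mod *m, const struct remote_attr *remote)
{
    size_t kept = 0;
    if (m->op == MOD_DELETE && !remote->present) {
        m->vals[0] = NULL;                  /* nothing to delete */
        return 0;
    }
    for (size_t i = 0; m->vals[i] != NULL; i++) {
        int exists = remote->present && value_present(remote->vals, m->vals[i]);
        int keep = (m->op == MOD_ADD) ? !exists : exists;
        if (keep) m->vals[kept++] = m->vals[i];   /* compact in place */
    }
    m->vals[kept] = NULL;
    return kept;
}

/* Constructed scenario: the remote attribute currently holds alice and bob.
 * Returns the surviving values joined by ','; "" means the mod is skipped. */
const char *prune_demo(enum mod_op op, int remote_present,
                       const char *v1, const char *v2)
{
    static char out[64];
    struct remote_attr remote = { remote_present, { "alice", "bob", NULL } };
    struct mod m = { op, "member", { v1, v2, NULL } };
    out[0] = '\0';
    if (prune_mod(&m, &remote) == 0) return out;
    for (size_t i = 0; m.vals[i] != NULL; i++) {
        if (i > 0) strcat(out, ",");
        strcat(out, m.vals[i]);
    }
    return out;
}
```

The point the later "Removing Group Member" fix makes applies here too: the remote_attr snapshot must be fetched immediately before prune_mod runs, otherwise the decision is made against a stale entry.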
Summary: Optimized fetching of remote entry when checking if a rename is needed with winsync.
Summary: Add support for synchronizing the cn attribute between DS and AD.
Summary: Memory leak in ns-slapd's Class Of Service
Fix Description: When all the necessary values for the template cache are not
available, the allocated memory should be discarded. One of them, pCosPriority,
was not being released.
Bug Description: rhds accounts are disabled in ad after full sync
Reviewed by: nkinder (Thanks!)
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not. I modified the code to do that. I also changed the send_accountcontrol_modify to force the account to be enabled if adding it. I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error. So you have to modify userAccountControl after adding the entry. I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
Bug Description: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Reviewed by: nkinder (Thanks!)
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Only check permissions on nsslapd-rundir in normal execution mode.
Summary: DN with antislash('\') rename (modrdn) problem
Problem description:
Unescape code in the DS (strcpy_special_undo in ava.c and
strcpy_unescape_dnvalue in dn.c) was "unescaping" more than the escape code
(e.g., escape_dn_value in NET LDAP) escapes. The test string
'BeforeSlash\AfterSlash' fortunately/unfortunately contains '\Af', which is
considered '\##' (where # is a hex digit) by the DS unescape functions even
though it was not meant to be escaped. As long as UTF-8 is used, there is no
chance for the server to receive "\af".
Change description:
1) There were identical static functions: strcpy_special_undo (ava.c) and
strcpy_special_undo (dn.c). Merged them to strcpy_unescape_value and put it in
util.c.
2) In the unescape/normalize functions for dn (strcpy_unescape_value in util.c
and substr_dn_normalize in dn.c), added a check for the first hex number in
'\##'. If the 8th bit is on, we don't do unescaping but store it as is since
the unescaped character is not UTF-8.
3) If 2 consecutive '\'s are passed to the unescape/normalize functions, keep
one of them.
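
An added example, not the project's strcpy_unescape_value, of the three rules in the change description: a "\##" hex escape is resolved only when the first hex digit is below 8 (so the result is a 7-bit byte), a "\##" whose first digit has the high bit set is copied through untouched, and two consecutive backslashes collapse to one. The treatment of a single escaped non-hex character ("\," becomes ",") and of a trailing backslash (kept) are assumptions for this example, as is the function name.

```c
#include <stddef.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Copies src to dst (dst must hold strlen(src)+1 bytes; output is never
 * longer than input), resolving escapes:
 *   "\\"  -> one backslash
 *   "\XY" -> the byte 0xXY, but only when X < 8; if X >= 8 the three
 *            characters are kept as they are, since a lone byte with the
 *            high bit set is not valid UTF-8 and was not meant as an escape
 *   "\c"  -> c for any other character (assumption for this example)
 * Returns the length of dst. */
size_t dn_unescape_value(char *dst, const char *src)
{
    size_t o = 0;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] != '\\' || src[i + 1] == '\0') {
            dst[o++] = src[i];            /* ordinary char, or a trailing '\' */
            continue;
        }
        if (src[i + 1] == '\\') {         /* "\\" -> keep one backslash */
            dst[o++] = '\\';
            i++;
            continue;
        }
        int hi = hexval((unsigned char)src[i + 1]);
        int lo = (hi >= 0) ? hexval((unsigned char)src[i + 2]) : -1;
        if (hi >= 0 && lo >= 0) {
            if (hi < 8) {                 /* "\2C" -> ',' : 7-bit result */
                dst[o++] = (char)(hi * 16 + lo);
            } else {                      /* "\Af": high bit set, keep as is */
                dst[o++] = src[i];
                dst[o++] = src[i + 1];
                dst[o++] = src[i + 2];
            }
            i += 2;
            continue;
        }
        dst[o++] = src[i + 1];            /* "\," -> ',' */
        i++;
    }
    dst[o] = '\0';
    return o;
}

/* Convenience wrapper: unescape into a static buffer (NULL if too long). */
const char *dn_unescape_demo(const char *src)
{
    static char buf[256];
    if (strlen(src) >= sizeof buf) return NULL;
    dn_unescape_value(buf, src);
    return buf;
}
```

With this rule the commit's test value survives unchanged: 'BeforeSlash\AfterSlash' contains '\Af', and because 'A' (0xA) has the high bit set the three characters are copied through rather than turned into the byte 0xAF.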
Summary: Don't allow auto-generated attributes to be used in RDN.
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: nkinder (Thanks!)
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
Summary: Add missing parent objectclasses for all operations (replicated or not).
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: nkinder (Thanks!)
Fix Description: 1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Summary: Ensure directories created by installer get the requested mode applied.
Summary: Add check for permissions on nsslapd-rundir at startup.
Bug Description: rhds80 seg fault - pass sync - entry missing userPassword ?
Reviewed by: nkinder (Thanks!)
Fix Description: The fix is pretty obvious - just make sure we don't deref a NULL. The reason for the NULL is due to a sequence of more than one modify for the userPassword attribute, where one of the mods is a replace with no value or a delete of the attribute. The bug has the details about how to reproduce. One thing I don't know is what client is generating this sequence of operations . . .
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Summary: Log error to errors log when we have a problem writing stats file.
Summary: db backend entry cache settings field "Memory available for cache" boundaries
Fix Description:
db_strtoul: check the input string. If the string starts with '-', return
the error ERANGE -- the same error as when a value larger than the upper limit is passed.
cache.c: the minimum entry cache size defined in cache.c was 200000, which is
different from the info on the Configuration Command File Reference Guide:
Valid Range: 500 kilobytes to 4 gigabytes for 32-bit platforms and 500
kilobytes to 2^64-1 for 64-bit platforms
Adjusting the define to the doc.
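
An added example, not the project's db_strtoul, showing why the leading '-' check matters: strtoul() accepts a negative string, negates it in unsigned arithmetic and sets no error, so "-1" silently becomes ULONG_MAX and would sail past a maximum-size check. The wrapper below rejects a leading '-' with ERANGE as the fix does, and also rejects empty input and trailing junk with EINVAL. The names (cfg_strtoul, cache_size_ok) and the 500 KB minimum constant are assumptions for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* What plain strtoul() does with a negative string: "-1" -> ULONG_MAX,
 * errno untouched. */
unsigned long raw_strtoul(const char *s)
{
    return strtoul(s, NULL, 10);
}

/* Parses an unsigned configuration number. A leading '-' is rejected with
 * ERANGE, the same error as for a value above the upper limit, so a negative
 * setting is not quietly turned into a huge one. Returns 0 on success,
 * ERANGE or EINVAL otherwise; *out is left untouched on error. */
int cfg_strtoul(const char *s, unsigned long *out)
{
    char *end;
    unsigned long v;
    while (isspace((unsigned char)*s)) s++;   /* strtoul would skip these too */
    if (*s == '-') return ERANGE;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE) return ERANGE;       /* overflowed unsigned long */
    if (end == s || *end != '\0') return EINVAL; /* empty, or trailing junk */
    *out = v;
    return 0;
}

/* Single-value wrappers so each result can be checked on its own. */
int cfg_strtoul_rc(const char *s)
{
    unsigned long v;
    return cfg_strtoul(s, &v);
}

unsigned long cfg_strtoul_val(const char *s)
{
    unsigned long v = 0;
    (void)cfg_strtoul(s, &v);
    return v;
}

/* Illustrative lower bound for the entry cache: the commit quotes the doc's
 * "500 kilobytes"; the exact byte constant here is an assumption. */
#define CACHE_MIN_BYTES (500UL * 1024UL)

int cache_size_ok(const char *s)
{
    unsigned long v;
    return cfg_strtoul(s, &v) == 0 && v >= CACHE_MIN_BYTES;
}
```

The same hazard applies to any unsigned setting parsed with strtoul or strtoull: without the sign check, a range validation that only tests the upper bound accepts "-1" as the largest possible value.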
Summary: extensible filter having range operation crashes the server (comment#7)
Description: As Rich suggested, set the pb->pb_op to glob_pb->pb_op to catch
the abandon request in case the underlying operation is interrupted.
Summary: spurious errors logged when specifying default locale
Description:
As Ulf Weltman pointed out, U_USING_FALLBACK_WARNING is not an error. (Neither
is U_USING_DEFAULT_WARNING.) When U_USING_FALLBACK_WARNING or
U_USING_DEFAULT_WARNING is returned, suppress printing the error messages.