| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
| |
If a slot from the connection table had previously been used for
an LDAPI connection, it would cause serious performance degradation
(20 times worse on my system) to a TCP connection that reused the
same slot. The problem was that we were not clearing the flag
that indicates that a connection is a UNIX local socket in the
connection cleanup function. Clearing this flag makes the reused
slots perform as expected.
|
| |
|
|
|
|
| |
The previous fix for bug 195302 caused a crash during import. We
need to check if sdn is NULL before trying to get the dn member
from it in pw_encodevals_ext().
|
| |
|
|
|
|
|
|
| |
This patch makes SASL EXTERNAL binds obey the account lock. The
previous code was allowing the bind through even if the account
was locked.
This patch was contributed by Ulf Weltman of Hewlett Packard.
|
| |
|
|
|
|
|
| |
This patch makes SASL binds call the pre-op and post-op plug-ins.
The previous code was not calling the plug-ins for SASL binds.
This fix was contributed by Ulf Weltman of Hewlett Packard.
|
| |
|
|
|
|
|
|
|
| |
This patch makes the server use the password storage scheme set in
the appropriate fine-grained password policy (if it is set). The
previous code was always using the global storage scheme.
This fix was based off of a fix contributed by Ulf Weltman of
Hewlett Packard.
|
| |
|
|
|
|
|
| |
My previous patch for bug 504817 could cause us to read past the
end of the RDN string if it ended with a single escape character.
This fix adds a bounds check to ensure that we don't read past
the end of the string.
|
| |
|
|
|
|
| |
My previous patch for removing the fixed length buffer used in
the password history checking code introduced a problem where we
could attempt to free a NULL pointer.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When performing operations with multiple mods to the same multi-valued
attribute on a single modify operation, a replica was not resolving
the attribute values correctly. This would lead to an inconsistency
between the master the change was initially performed against and the
replicas. The problem would occur with a modify operation such as
this:
dn: uid=testuser,dc=example,dc=com
changetype: modify
add: cn
cn: 2
-
replace: cn
cn: 3
The problem is that we use the CSNs from the attribute state data
to determine which values should remain after the operation (this is
done to merge with later occuring changes from other masters). The
CSN for all mods within the same modify operation is exactly the same.
The old code was looking for attributes older than the deletion that
occurs as a part of the replace, then deleting those values. This
would cause the value of "2" in the above example to remain. Simply
changing this comparision to look for values with the same or older
CSN to delete would cause the new value of "3" to be removed as well
when we get around to resolving the attribute after the second half
of the replace operation.
The fix is to use a different CSN comparison when we are removing all
values of an attribute during attribute resolution (remove values with
the same or older CSN). This is safe becuse the only present values
at this time are older values or values added in a previous mod in the
same modify operation. When processing other mods that are not
removing all values of an attribute, we only want to remove values
with a CSN older that that of the current modify operation. This
prevents us from removing a newly added value, such as "3" in the
example above. This is safe since we resolve the attribute after
each mod in the modify operation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
version 1.2.5.a1
Instead of changing configure.ac AC_INIT for each version change, there
is a new file - VERSION.sh. This file also contains support for creating
version numbers for pre-releases, and pre-release strings containing git
commit hashes.
One of the complications is that AC_INIT does not allow you to override the version and package tarname fields. We can override them after the fact everywhere
except in config.h. AC_INIT defines the following which we would like to override but cannot: PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_STRING PACKAGE_BUGREPORT
Instead, we define DS_ versions of these e.g. DS_PACKAGE_VERSION etc. and make
these available with AC_DEFINE(DS_PACKAGE_VERSION,...) etc.
As an extra added precaution, we undefine these in Makefile.am like this:
DS_DEFINES = ... \
-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
If someone tries to use PACKAGE_VERSION in C code, they will not be able to,
and will have to use DS_PACKAGE_VERSION instead. All of the DS code that used
PACKAGE_VERSION has been changed to use DS_PACKAGE_VERSION instead.
There is a new make target - git-archive - as a convenience for creating source
tarballs from git. By default, the source archive will be placed in the build
directory - you can specify SRCDISTDIR=/path/to/SOURCES to use an alternate
dir (e.g. make SRCDISTDIR=/path/to/rpmbuild/SOURCES git-archive to make a
source tarball for rpmbuild)
configure will print the branded package name and version
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The bug fix for bug 438139 introduced a regression that causes the
server to not handle LDAPv2 quoted RDN values correctly. We were
including the '"' characters used to contain an unescaped value in
the actual value itself.
The proper thing to do is to eliminate any '"' characters that are
not escaped when we unescape the value. I have tested this new fix
with the oringinal issue from bug 438139 to ensure that it does not
introduce a regression for that bug.
|
| |
|
|
|
|
|
|
|
|
|
| |
If some sort of error occurs during the sending updates to AD phase
of an incremental winsync update, we still attempt to send the dirsync
control to AD. This can cause spurious error messages to be logged to
the errors log stating that we can't send the control since we are not
connected to AD anymore.
This patch simply skips sending the dirsync control if we encountered
an error sending updates to AD.
|
| |
|
|
|
|
|
| |
This option will accept format like "-e deref=derefAttr:attr"
to ldclt when "-e esearch" is requested.
example: -e esearch -e deref=secretary:mail
search will dereference the "secretary" attribute and then return the "mail" attribute value
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The password history code was using a fixed length array to store
the historical password values that are used to compare to the new
password. The array was hardcoded to 25 values. The server will
allow a maximum 24 password history values to be kept by limiting
the passwordInHistory configuration value, though it would be
possible to do something such as import an LDIF with more than 24
historical password values in an entry, causing the server to crash
when the next password change occurs.
This patch eliminates the fixed length array and dynamically
allocates the array based off of the number of values that exist
in the entry whose password is being modified.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The AD tombstone mapping code is not behaving correctly if a
cn contains a comma (such as a "last, first" type value). The
code is supposed to locate the first ":" in the tombstone DN,
then scan for the first "," after that. Everything between is
the GUID. The problem is that the code is starting at the
beginning of the string when searching for the "," instead of
starting at the ":" that was previously found. This causes the
"," in the cn to be found instead, which makes us fail to find
the GUID.
The fix is to simply start searching for the "," from the ":"
in the tombstone DN.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for assigning a precedence to each plugin.
This precedence value is used to determine what order the plugins
should be called in within a given plugin type.
The precedence value is an integer between 1 and 99. The value is
set in the nsslapd-pluginPrecedence attribute in a plugin config
entry in "cn=config". If a plugin does not have a precedence
value set, the plugin is treated as if it has a precedence of 50.
For more details, see the feature design document at:
http://directory.fedoraproject.org/wiki/Plugin_Ordering
I also removed an incorrect log message in the linked attrs plugin
that I noticed while debugging this patch.
|
| |
|
|
|
|
| |
This option will accept format like "-e attreplacefile=jpegPhoto:/some/binary.file"
to ldclt. The content of the given file will be used to replace the attribute
"jpegPhoto" (in this case). The given file could be plain text or binary file.
|
| |
|
|
|
|
|
| |
This adds SMD5 password storage support to the existing password
storage plug-in. Add upgrade LDIF has been added to ensure that
this new functionality will be available to servers that are
upgraded from previous versions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some older releases did not have nsslapd-rundir - upgrading from
those releases will cause the server not to start - we must add
nsslapd-rundir if it is missing
We also got rid of nsslapd-ldapiautodnsuffix, so remove that from
the config - it doesn't hurt anything to leave it, but the error
message is annoying
I also added back a mostly truncated version of 28pilot.ldif because
some apps still use pilotObject - those apps should change to
use a different objectclass ASAP.
Tested on Fedora 11 i386 and x86_64
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds a new config setting named nsslapd-anonlimitsdn
that one can set to the DN of an entry containing the bind-based
resource limit attributes to use for operations performed by an
anonymous user. This allows the defaults to still be used for
all other actual bound users who do not have any user specific
resource settings.
This implementation approach allows any resource limits that
are registered via the reslimit API to work with this anonymous
limits template entry.
|
| |
|
|
|
|
|
|
|
|
|
| |
This patch adds a new ssf bind rule keyword to the access control
plug-in. This allows you to write ACIs that require a specific
level of encryption for the rule to apply. The new keyword can
be used with '=', '!=', '<', '>', '<=' and '>=' comparators.
I added code that stores the SSF in effect for an operation into
the operation struct. The value that we store is the higher of
the two between the SASL SSF and the SSL/TLS SSF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds a new configuration setting to the cn=config entry named
nsslapd-minssf. This can be set to a non-negative integer representing
the minimum key strength required to process operations. The default
setting will be 0.
The SSF for a particular connection will be determined by the key
strength cipher used to protect the connection. If the SSF used for a
connection does not meet the minimum requirement, the operation will be
rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
with a message stating that the minimum SSF was not met. Notable
exceptions to this are operations that attempt to protect a connection.
These operations are:
* SASL BIND
* startTLS
These operations will be allowed to occur on a connection with a SSF
less than the minimum. If the results of these operations end up with
a SSF smaller than the minimum, they will be rejected. Additionally,
we allow UNBIND and ABANDON operations to go through.
I also corrected a few issues with the anonymous access switch code
that I noticed while testing. We need to allow the startTLS extended
operation to go through when sent by an anonymous user since it is
common to send startTLS prior to a BIND to protect the credentials.
I also noticed that we were using the authtype from the operation
struct to determine is a user was anonymous when we really should
have been using the DN. This was causing anonymous operations to
get through on SSL/TLS connections.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=526319
Resolves: bug 526319
Bug Description: SASL IO sometimes loops with "error: would block"
Reviewed by: nkinder (Thanks!)
Fix Description: The semantics for recv() are that it returns -1 for errors, 0 for connection closed, and non-zero for some bytes received. The sasl code was not using those semantics - it was returning 0 for successful read and -1 for error. Although I have not been able to reproduce the exact failure, what I believe is happening is that the initial read of the packet length in sasl_io_start_packet() works, and the sasl IO is received. At some point, the connection is
closed by the client, and the PR_Recv return of 0 is not handled correctly, and somehow the errno gets set to EWOULDBLOCK. From this point on, PR_Recv() will return -1 (since the socket has been closed) and errno is not reset from EWOULDBLOCK.
The fix is to make sure the sasl IO code handles the PR_Recv() return value
correctly.
Note that with CONNS (8) error log level, you may still occasionally see "would block" errors, but as long as they are not endlessly repeating, this should
be ok.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix contributed by Ulf Weltman (ulf.weltman@hp.com)
Description From Ulf Weltman (ulf.weltman@hp.com)
In previous releases, if LDIF being imported contained createTimestamp,
creatorsName, modifyTimestamp, or modifiersName, those values would be kept in
the imported entries. BZ# 462922 added code to insert those attributes during
import but it clobbers any values existing in the LDIF being imported. I think
the imported values should take precedence, this would be useful during
migration for example.
If anyone wants to take advantage of the new behavior where the server
provisions new values, they can strip out the values from the LDIF before
importing or they can set nsslapd-exclude-from-export to not export those
attributes before importing.
See also https://bugzilla.redhat.com/show_bug.cgi?id=525007
Reviewed by richm, nkinder, and nhosoi
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
multi-valued
http://bugzilla.redhat.com/show_bug.cgi?id=518514
Resolves: bug 518514
Bug Description: Bitwise Plugin: Bitwise filter doesn't return except the first entry if its multi-valued
Reviewed by: nhosoi (Thanks!)
Fix Description: Get the values as a char ** - look through each one until
we find one that matches.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
This adds a new config switch (nsslapd-allow-anonymous-access) that
allows one to restrict all anonymous access. When this is enabled,
the connection displatch code will only allow BIND operations through
for an unauthenticated user. The BIND code will only allow the
operation through if it's not an anonymous or unauthenticated BIND.
I also fixed a missing capability in the SELinux policy that I ran
into while testing this patch.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=516305
Resolves: bug 516305
Bug Description: MODIFY/replace with empty values does not ignore missing or unknown attributes
Reviewed by: nhosoi (Thanks!)
Fix Description: The function mods_have_effect() did not work correctly. It
would set the flag have_effect = 0 the first time a type was not found.
Then if a subsequent mod would apply, it would still return have_effect = 0.
What it should do is keep looking for all mod types in the list of mods to
see if any of them would apply, and return have_effect = 1 if at least one
of them would apply. This corresponds to RFC 4511 section 4.6:
replace: replace all existing values of the modification
attribute with the new values listed, creating the attribute
if it did not already exist. A replace with no value will
delete the entire attribute if it exists, and it is ignored
if the attribute does not exist.
So the proper behavior is to ignore attributes that do not exist, and to
apply the rest.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=513308
Resolves: bug 513308
Bug Description: empty principal name used when using server to server sasl for db chaining
Reviewed by: nhosoi (Thanks!)
Fix Description: Change the logic to check if the username is a valid principal name. A valid principal name in this context will be a non-empty string that
does not contain the '=' character (which will be a bind DN in this context).
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=519455
Resolves: bug 519455
Bug Description: Should not attempt to pop SASL IO layer if not using SASL IO
Reviewed by: nkinder (Thanks!)
Fix Description: Before attempting to pop the SASL IO layer from the prfd,
first make sure we are using sasl IO, the prfd is not NULL, and the prfd
has a SASL IO layer on it.
This also fixes a bug with setting nsslapd-localhost in the bootstrap code -
if you are using a system that does not have DNS configured correctly, you
may want to force the SASL code to use the nsslapd-localhost for the FQDN.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=518279
Resolves: bug 518279
Bug Description: logs created at startup can get wrong file mode
Reviewed by: nkinder (Thanks!)
Fix Description: Try to apply the mode using chmod() if a log file has been specified. If and only if the log file has not been set, or if the chmod() succeeds, apply the changes to the internal config.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds SELinux policy to confine the SNMP subagent (ldap-agent).
There were some changes required around the aubagent to make it
work in a more standard fashion.
I moved the ldap-agent binary and wrapper to sbindir. It was
previously in bindir, yet it is not a user command. The location
really should be sbindir per FHS.
I added init scripts for the subagent, so it can now be managed
using "service dirsrv-snmp [start|stop|restart|condrestart|status]".
While doing this, I found that the parent process was exiting with
1 on success instead of 0, so I fixed that.
I added a default config file for the subagent as well. When using
the init script, the config file is hardcoded into this standard
location. Having this config template should also hopefully cut
down on configuration errors since it's self documenting.
The pid file location was also changed to go into /var/run per FHS.
Previously, it was written to the same directory as the log file.
There are a few notes in the policy .te file about some bugs that
we are working around for now. These bugs are mainly minor issues
in the snmp policy that is a part of the selinux-policy pacakge.
Once those bugs are fixed, we can clean our policy .te file up.
|
| |
|
|
| |
See also http://directory.fedoraproject.org/wiki/Entry_USN#Standalone.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adding "-e deref" option to ldclt.
Add mode (-e add): "-e deref" adds "secretary: <DN>" to the entry.
This is true when the entry's objectclass is
inetOrgPerson (-e inetOrgPerson").
Search mode (-e esearch): "-e deref" sets dereference control to the search,
where the dereference attribute and dereferenced
attribute are hardcoded to "secretary" and "cn",
respectively.
Usage:
ldclt [...] -e add -e random -e inetOrgPerson -e deref -f test_XX
ldclt [...] -e esearch -e random -e inetOrgPerson -e deref -f test_XX
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This cleans up the following warnings:
ds.git/ldap/servers/slapd/back-ldbm/ldbm_usn.c:102: warning: unused variable 'li'
ds.git/ldap/servers/plugins/replication/repl5_agmt.c:1184: warning: too many arguments for format
ds.git/ldap/servers/plugins/syntaxes/dn.c:143: warning: unused variable 'val_copy'
ds.git/ldap/servers/plugins/syntaxes/deliverymethod.c:264: warning: unused variable 'p'
ds.git/ldap/servers/plugins/syntaxes/facsimile.c:269: warning: unused variable 'p'
ds.git/ldap/servers/plugins/usn/usn.c:107: warning: value computed is not used
ds.git/ldap/servers/plugins/usn/usn.c:263: warning: control reaches end of non-void function
ds.git/ldap/servers/plugins/usn/usn.c:525: warning: control reaches end of non-void function
The only one I'm not sure about is changing usn_get_attr to always return a 0 - please review that usage.
With these fixes, I only see the llu and lld format warnings on RHEL5 with the default rpmbuild compiler flags.
Reviewed by: nhosoi (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Design doc:
http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_Entr
New slapi APIs in libslapd:
int slapi_set_plugin_default_config(const char *type, Slapi_Value *value);
Description: Add given "type: value" to the plugin default config entry
(cn=plugin default config,cn=config) unless the same "type:
value" pair already exists in the entry.
Parameters: type - Attribute type to add to the default config entry
value - Attribute value to add to the default config entry
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
int slapi_get_plugin_default_config(char *type, Slapi_ValueSet **valueset);
Description: Get attribute values of given type from the plugin default
config entry (cn=plugin default config,cn=config).
Parameters: type - Attribute type to get from the default config entry
valueset - Valueset holding the attribute values
Return Value: 0 if the operation was successful
non-0 if the operation was not successful
warning: Caller is responsible to free attrs by slapi_ch_array_free
Changes in the Replication plugin:
1) Functions to set replicated attributes
agmt_set_replicated_attributes_from_attr and
agmt_set_replicated_attributes_from_entry
call _agmt_set_default_fractional_attrs to sets the default excluded
attribute list from the plugin default config entry before setting
them from each replication agreement.
To support it, agmt_parse_excluded_attrs_config_attr is changed to be
re-entrant.
2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
3) Added a check for the duplicated fractional attributes.
Changes in the USN plugin:
1) usn_start calls slapi_set_plugin_default_config to add "entryusn" to
the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the
plugin default config entry.
2) fix for the bug 518673 - entryusn: wrong lastusn value; When the entryusn
is not assigned yet, the next value to be set is 0. Lastusn is calculate
as (the next entryusn - 1). Although the entryusn is 64-bit unsigned
long, it should be printed as a 64-bit signed integer for lastusn.
Other:
Fixed a compiler error in ldap/servers/slapd/dse.c.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=504651
Resolves: 504651
Bug Description: Need to store additional attributes in Retro Changelog
Submitted by: Endi Sukma Dewata <edewata@redhat.com>
Reviewed by: rmeggins (thanks!)
Platforms tested: FC10 x86_64
Fix Description: The fix allows recording some user-defined attributes
from the target entry of the operation (e.g. objectGUID) and built-in
attributes generated by the plugin (e.g. isReplicated) into the change
log entry. The attributes should be specified in the configuration entry:
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
...
nsslapd-attribute: objectGUID
nsslapd-attribute: isReplicated
The change log entry will contain the additional attributes:
dn: changeNumber=...,cn=changelog
...
objectGUID: ...
isReplicated: ...
---
|
| |
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=519065
Resolves: 519065
Bug Description: Fails to start if attrcrypt can't unwrap keys
Reviewed by: nhosoi (Thanks!)
Fix Description: If not using the attrcrypt feature, just return success
if the keys could not be unwrapped.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
Resolves: bug 487425
Bug Description: slapd crashes after changelog is moved
Reviewed by: rmeggins
Fix Description: Call clcache_set_config after the global changelog cache pool has been allocated.
Platforms tested: HPUX 11 (PA-RISC 2.0 64-bit)
Flag Day: no
Doc impact: no
<diffs>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
https://bugzilla.redhat.com/show_bug.cgi?id=518544
Resolves: bug 518544
Bug Description: large entries cause server SASL responses to fail
Reviewed by: nhosoi (Thanks!)
Branch: HEAD and 1.2
Fix Description: The SASL server code was broken when we switched over to
use NSPR I/O for the SASL IO layer. If the entire encrypted buffer could
not be sent to the client, the server was just failing. Instead, the server
must keep track of how many encrypted bytes were sent. If all of the
encrypted bytes could not be sent, we must return the appropriate error
to the caller to let them know the operation would block. The caller in
this case is the write_function() which does a poll() to see if the socket
is available for writing again, then will attempt the send again.
I also cleaned up usage of the various Debug macros.
Finally, I discovered that the sasl init code was calling config_get_localhost()
before that value could be set. In most cases, it is ok, because it will
fall back to the default hostname from the system. However, if for some
reason you want to use a different localhost, it will fail. Now it will be
set in the boostrap config code.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Pre-hashed passwords may not use the standard internal salt length. The old
ldif base64 decode function would return the number of bytes in the decoded
string - the new NSPR function does not. We can't use strlen on the decoded
value since it is binary and may contain nulls. The solution is to use a
function to calculate exactly how many bytes the encode string will have
when decoded, taking into account padding. Since we know exactly how many
bytes are decoded, and we know exactly how many bytes of that decoded value
are the hash, the remainder must be the salt, however many bytes that is.
I tested this code with salt lengths from 1 to 99.
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
| |
The commit a26ba73fb5040383c27872997bc07ab0c2006459 made to fix the bug 509472
put the assertion at the wrong place. It should be applied just for the worker
thread.
|
| |
|
|
|
|
|
|
|
|
|
| |
modifying attributes with subtypes
Andrey Ivanov (andrey.ivanov@polytechnique.fr) pointed out my previous
check-in for bug 506786 had an inefficient code. To determine whether
to delete an equality index key or not, the code checks the key still
exists in the value array having the same attribute type. The check
should be done as soon as one value is found in the value array instead
of checking through all of them.
|
| |
|
|
| |
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The vendor, brand, and capbrand are set in configure - we should use those
everywhere rather than have to run some sort of script over the code to
change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND
to the default defines passed to the compiler, and changed the code to use
these defines. And instead of the unintuitively named PRODUCTTEXT macro,
we should use the already defined PRODUCT_VERSION.
This allowed me to get rid of some code. The version was from a generated
file called dirver.h which we don't need anymore, and we don't need the perl
script dirver.pl which generated it.
The vendor string was coming from the dirlite header file. So I also used this
as an excuse to get rid of all references to dirlite once and for all (yay!).
For the places in plain text files which are not substituted, I just used the
generic name Dirsrv or Directory Server instead of having an explicit brand
and/or version in there.
Reviewed by: nkinder (Thanks!)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
modifying attributes with subtypes
When there are identical attribute value pairs except subtypes exist
in an entry, if one of the pairs are deleted, it should not affect the
index the attribute value is the key.
e.g.,
mail: abc
mail;en: abc
mail;fr: xyz
removing mail=abc or mail;en=abc, should not remove =abc from the
mail.db#.
This fix uses the value array evals to determine if the equality key
in the index should be deleted or not. The value array evals stores
the values of the attribute in the entry after the deletion is done.
If evals is empty, it means the to-be-deleted attribute value pair is
the only pair in the entry. Thus, the equality key can be removed fom
the index.
If evals has values, then the to-be-deleted attribute (curr_attr,
which was retrieved from the old entry) value needs to be checked if
it's in evals or not. If it is in evals, the equality key is still
used by other pair(s). So, leave it. Otherwise, the key can be
removed.
In the above example, let's assume removing mail=abc. evals holds
{"abc", "xyz"}. curr_attr abc is in evals, thus =abc will not be
removed.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
db2index all (internally, called upgradedb) reads through the main db
id2entry.db# and reindex all the associated indexed attributes. The
reindex borrows the import code where the entry id is newly assigned.
The new entry id's are connective. On the other hand, entry id's of the
entries in the db to be reindexed are not. The borrowed import code
assumes the entry id and the index of the fifo are tightly coupled and
the timing when the writing to and reading from the fifo are calculated
based upon the
assumption.
The assumption should have been revised so that the entry id which is
available up to is kept in ready_EID in the job structure and entry id from
each entry (entry->ep_id) is compared with ready_EID instead of ready_ID
that holds the sequential number.
Additionally, I eliminated unused variable "shift" from import_fifo_fetch.
Also, _dblayer_delete_instance_dir cleans up files and directories, recursively.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
estimate of total no of entries are same
The code processing search results were returning the PAGE END without
knowing there are more entries to return or not. To learn it, introduced
"read ahead" one entry when it comes to the PAGE END. If there are more
entries, the code undo the read ahead, which prompts for the next page
on the client side. If there is no more entries, it returns the status
SEARCH END instead of PAGE END.
In addition to the read ahead implementation to fix the bug 513916,
* supporting Simple Paged Results for chaining backend is added.
* fixed a bug in idl_new_fetch (idl_new.c) -- idlistscanlimit was not
checked when the cursor comes to the end of an index file.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
DNA doesn't handle multiple mods to a managed attribute
in the same modify operation properly. If an operation
such as deleting a managed value triggers generation, we
aren't checking if another mod in the same operation is
actually adding a new value. This triggers us to generate
a value when we really shouldn't. The fix is to unset the
generate flag if we find a subsequent mod to the same
managed type. It will be reset if we truly need to
generate a new value.
|
| |
|
|
|
|
|
|
|
| |
syntax attributes.
The selfwrite ACI keyword currently only applies when writing to attributes
using the Distringuished Name syntax. It needs to also work with the Name And
Optional UID syntax since that is the syntax used for the uniqueMember
attribute.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If you have an ACI with multiple macros in it and the second attribtue does not
exist in the entry you are bound as, the in-memory list used for macro
substitution is free'd twice.
The code swaps hands the charray it plans to return after substitution over to
a working list, but it doesn't set the return list to NULL. When the second
macro attribute is not found, the working list is free'd, yet the address is
returned to the caller, who then tries to free the list a second time. The fix
is to set the list to be returned to NULL when the memory is handed over to the
working list.
|
| |
|
|
|
|
| |
Since per entry-response controls are ignored by the ldapsearch client,
we are getting rid of the unnecessary write_controls calls for Simple Paged
Results and GER.
|
