| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
|
| |
The problem was check_db_version finds the existing DBVERSION is old and set
dblayer_private->blayer_recovery_required = 1. If it's set,
DBLAYER_CLEAN_RECOVER_MODE is processed properly. Unfortunately, it was
"reinitialized" in the function read_metadata, which is called after
check_db_version.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: ldapserver: Close potential security vulnerabilities in CGI code
Reviewed by: Nathan, Noriko, and Pete (Thanks!)
Fix Description: Clean up usage of sprintf, strcpy, fgets instead of
gets, fixed buffer usage, etc., mostly in the CGI code and other user
facing code (i.e. setup). Also, Steve Grubb told me about a GCC trick
to force it to check printf style varargs functions, to check the format
string against the argument string, for type mismatches, missing
arguments, and too many arguments.
In the CGI form argument parsing code, we needed to be more careful
about checking for bad input - good input is supposed to look like this:
name=value&name=value&.....
&name=value. I don't think the original code
was checking properly for something like name&name=value.
There was another place where we were not checking to see if a buffer
had enough room before appending a string to it.
I had to change a couple of functions to allow passing in the size of
the buffer.
Fixed some issues raised by Noriko and Nathan.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
| |
nsconfig.mk so that the makefile used for packaging gets the info.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
1) picked up the latest components including Cyrus SASL, Perldap, SetupUtil,
and AdminServer
2) fixed the java paths for the internal build.
3) added an option -AA to HP-UX C++ compiler to adjust to SetupUtil build (use
libstd 2)
4) replaced <iostream.h>, <strstream.h> and <fstream.h> with <iostream>,
<strstream>, <fstream> respectively in ldap/cm/newinst/ux-dialog.cc
5) package svrcore and perldap, which were dropped in the current
ldap/cm/Makefile
6) added a perl script genPerlDAPInf.pl to generate perldap.inf file
|
| |
|
|
|
|
|
|
|
| |
. removed the dependency on DBM
. Updated components' RELDATEs.
. Console jar file name adjustment: <brand>-<comp>-<dotversion>.jar
. Fix for HP-UX IPF
. Use non-branded SetupUtil; add resource file to change branding
. Updated the code to call createSIE so that the right brand is passed to SetupUtil.
|
| | |
|
| |
|
|
| |
build to compile
|
| | |
|
| | |
|
| |
|
|
| |
slapd_chown_if_not_owner function
|
| |
|
|
| |
if idl is NULL, changed add_op_attrs to always set IMPORT_ADD_OP_ATTRS_NO_PARENT in non-error case (err == 0 or err == DB_NOTFOUND)
|
| |
|
|
|
|
|
| |
The problem is that the new IDL code is not exposing the DB_NOTFOUND error when
the index key is not found. Import checks if the result was DB_NOTFOUND when
checking for the parent entry's entrydn index. This works fine with the old
IDL code. (nkinder@redhat.com)
|
| | |
|
| |
|
|
| |
re-binding
|
| |
|
|
|
|
| |
operations simultaneously.
Demoted the write lock to the read lock in vlv_update_all_indexes
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: crash after succesful pwdchange via ldappasswd
Reviewed by: Pete, Nathan (Thanks!)
Fix Description: The passwd_extop code does an internal operation to
change the password. Some of this code is only intended to be called
for external operations where you have a conn structure. The one place
in particular which caused this bug is in update_pw_info, where it is
only triggered if you must change the password or password expiration is
in effect. The fix is to just check to see if the pb_conn is not null.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
| |
1) NSCONFIG accidentally got a white space (for non-Linux platforms)
2) Solaris needs to include limits.h explicitly
|
| |
|
|
|
|
| |
Description: crash: modify/delete when attr name doesn't match database
Reviewed by: All (Thanks!)
Fix description: Use case insensitive comparison for attribute names.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: recursion causes OOM with bad DN in dn2ancestor
Reviewed by: All (Thanks!)
Fix Description:
The fix looks scary, but I thought it would be best to get rid of
recursion entirely (ugh - recursion in a multi threaded server - this
isn't lisp . . .). Along with eliminating recursion, I created a new
function called slapi_dn_find_parent that just returns a pointer to the
beginning of the parent of the given dn, rather than returning a copy
(as in slapi_dn_parent), to eliminate malloc/free in cases where it is
unnecessary such as iterating through the parents in an DN. The new
function is basically just the guts of slapi_dn_parent with one twist,
specifically to address the bug in question - it skips through
consecutive runs of DN separator characters. We should probably have a
function like const char *slapi_dn_is_valid(const char *) that returns
NULL if the given DN is valid or returns a pointer to the first invalid
character if not. We could probably save a lot of time in processing
bad or malicious client requests.
Anyway, back to dn2ancestor. The given ancestordn must contain the
_unnormalized_ parent DN, since some clients get irritated when they get
back an DN in a different form than given. However, we need to have a
normalized DN to pass to dn2entry, and we cannot use a single Slapi_DN
that has both a dn and a ndn that are passed in byval (unless we add a
new API or skip the API altogether), so the variable ancestorndn holds
the normalized DN. Using the original pointer to the given sdn also
allows us to avoid malloc/free entirely.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: We need a test case that calls moddn and
modify operations with really bad DNs, consisting of nothing but
thousands of ',', '+', and '=' chars.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: memory leaks using ber_scanf when handling bad BER packets
Reviewed by: All (Thanks!)
Files: https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=123783
Branch: HEAD
Fix Description:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135#c0
I basically did a search through our code for all calls to ber_scanf,
ber_get_stringa, and ber_get_stringal and made sure we properly free any
arguments that may have been allocated. There was a bug in the ldapsdk
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=179135 that causes
us to free uninitialized memory when trying to clean up the result of
ber_get_stringal (or ber_scanf with 'V'). I had to initialize some
variables to NULL so that we could properly clean them up, and added
some additional clean ups that were missing. Also, in repl_extop.c, we
were calling free on an array that we should have been calling
ch_array_free on. Yet another lesson in the evils of slapi_ch_free and
disabling compiler type checks in general.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
RPM post install adds a new patch to fix the httpd module load order, removes
the console patch
Tell the user to run setup/setup after upgrade installation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: If you delete an attribute from an entry on AD, the attribute
doesn't get deleted on the DS side. The replication code doesn't even notice
that the entry changed.
Reviewed by: Rich, Noriko, Pete (thanks!)
Files: see diffs
Branch: HEAD, Directory71Branch
Fix Description: The dirsync search control passes back deleted attributes with no
values. If you try to add a Slapi_Attr with no values to a Slapi_Entry, it doesn't
get added. This fix stuffs the deleted attributes into the deleted attributes list
in the Slapi_Entry and checks for them when creating the modification
operations to be performed on the local entry.
Flag Day: no
Doc impact: no
QA impact: A regression test needs to be added
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: 64bit issues with normalize_path(), make_dn(), and
add_aci_v()
Reviewed by: Nathan and Noriko (Thanks!)
Fix Description: 1) use sizeof(char *) as the elemsize to pass to
slapi_ch_calloc(). 2) create a variable const char *NULLSTR = 0 to pass
as the last argument to the varargs functions.
Platforms tested: RHEL4 64
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RHEL4_x86_64_gcc3_OPT.OBJ
The makefiles were assuming that if the string 86 was found in uname -m
it should use x86 for the arch. However, it should only do this if
uname -m is not x86_64. Also, for RHEL/Linux, we do not have to add the
NS64TAG just before the _OPT (or _DBG) since it's already in the arch.
Other platforms continue to use the other naming convention. The
default naming convention for the mozilla components is
Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ. I considered using Wan-Teh's
instructions about source builds, but that would cause many changes to
be made to our makefiles, so I just changed the way we calculate the
mozilla OBJDIR name from the regular OBJDIR name. These changes are
pretty much the same for adminutil, setuputil, adminserver, and ldapserver.
For ldapserver, I had to change nsarch (adminserver changed nsarch in a
different way). I also got rid of the 32 bit specific setup stuff. I
assume this was due to 32 bit NES admin server, so we can get rid of
this for the future, because we will have all native 64 bit apps. I also
went ahead and rolled in the gcc4 changes since they are safe for gcc3
as well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Password Modify LDAPv3 extended operation erroneously
forces the client to supply old password
Reviewed by: Pete & Nathan (Thanks!)
Fix Description: If the BIND operation was successful, the CONN_DN field
is always set to the proper DN. This is even the case during a SASL or
client cert DN if the authentication was successful AND the given
identity could be mapped to a real user in the directory. Also, the
authmethod will be something other than NULL or none. So, if the old
password was not given, that is ok if there is a non-anonymous bind DN
and a real authmethod. The rest of the operation passes through the usual access control.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Most of our integer based config parameters do not do a good job
validating input. For example, alphabetic characters will be accepted as a value
if "0" is a valid setting for a given parameter since atoi returns "0" on error. We
also don't properly check for range errors for many parameters.
Reviewed by: Rich, Pete, and Noriko (Thanks!)
Files: ldapserver/ldap/servers/slapd/libglobs.c
Branch: HEAD
Fix Description: This adds better input validation for a number of integer based config
settings. I replaced our usage of atoi() with strtol() so we can recognize
conversion errors. I also added more descriptive error strings where they were
missing. I revised the fix due to feedback from Noriko. She recommended that
we check for ERANGE areas for all calls to strtol insead of only checking when
LONG_MAX is a valid setting for a config parameter.
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Chain BIND requests with chain on update + global pw policy
Reviewed by: Nathan, Pete (Thanks!)
Fix Description: When using global password policy, we need to chain the
BIND request back to a master so that it can update the pw policy op
attrs in the user's entry and replicate them to all other servers. The
call to config_get_pw_is_global_policy() is expensive (acquires a lock)
so we delay it as long as possible.
The reason we have to use config_get_pw_is_global_policy() is because the entry distribution plugin interface is poor - we have no way to register an init or start function to get the config, and no way to register a statechange callback to be notified of changes to the global password policy.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: crash in PTA plugin when bind returned controls
Reviewed by: Pete (Thanks!)
Fix Description: Fix by Ulf. We are passing the ***LDAPControl when it
needs the **LDAPControl.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
| |
Fixed the broken build (64-bit).
LDFLAG (set in the tools/Makefile) was not passed to rsearch and ldclt.
|
| |
|
|
|
|
| |
Fixed broken build on Solaris.
1) removed redeclared getsubopt in port.h
2) defined _XOPEN_SOURCE 500 for Linux
|
| | |
|
| | |
|
| |
|
|
| |
Checking in Ulf's proposal; should not get connid from pid if the op is internal. (plus the value is just for debug print which is disabled now)
|
| | |
|
| |
|
|
|
|
|
| |
backup; Restore tries to restore all the fles from the backupdir
1) if the specified backup directory exists, rename it to <dir>.bak
2) support relative dir for the backup/restore dir, e.g., "bak2db bak/mybak"
|
| | |
|
| |
|
|
| |
integrated ldclt from DSRK into the DS source tree.
|
| |
|
|
|
|
|
| |
If the specified backup dir does not exist, does not contain necessary files
(including the directory is not accessible), is not a directory, or is
identical to the path to the db dir, issues an error and stops restoring before
wiping out the database.
|
| | |
|
| | |
|
| |
|
|
| |
Integrating rsearch and infadd source codes from DSRK into the Directory Server build tree.
|
| | |
|
| | |
|
| |
|
|
| |
It used to be taken to the "convert to quoted value" section even though the rdn did not have a quote.
|
| | |
|
| |
|
|
|
| |
If missing entry_id is found, skip it and continue reading the primary db to be
reindexed.
|
| | |
|
| |
|
|
| |
When reading a rotation info file, compare the contents with the files in the logs dir, if mismatch is found, update the rotation info file. Once the files arestored in the rotation info file, they will be the target of cleanup at the nextlog ration.
|
