path: root/ldap
Commit message | Author | Age | Files | Lines
* Resolves: bug 231905 | Rich Megginson | 2007-03-16 | 2 | -10/+711
  Bug Description: migration: Migrate from 1.0.x to 1.1
  Reviewed by: nhosoi (Thanks!)
  Fix Description: The basic strategy is
    1) shutdown the old servers - databases should be quiescent
    2) run the migration script - this will copy all of the files (under /opt/fedora-ds/slapd-* by default) to their new FHS style locations, and fix up any entries and attributes that are obsolete or have changed (e.g. values that refer to paths)
    3) service fedora-ds start
  The migration script does not need to do anything to the database files - the new database code added by Noriko will handle the database upgrade automagically, but I'm leaving the database upgrade code in the script, commented out, in case we need it in the future.
  This also fixes an annoying problem with automake - it would build ds_newinst.pl from ds_newinst.pl.in in the source ldap/admin/src directory, and use that version. This is really a problem with multi platform builds, where you want to share the ldapserver source code among multiple platforms. With the fix, built/ldap/admin/src/ds_newinst.pl is generated from srcdir/ldap/admin/src/ds_newinst.pl.in, and srcdir/ldap/admin/src/ds_newinst.pl is not written.
  Platforms tested: FC6
  Flag Day: no
  Doc impact: Yes - we need to document migration
* Resolves: 232050 | Noriko Hosoi | 2007-03-15 | 3 | -43/+186
  Summary: Change format of DBVERSION and guardian files (Comment #6)
    1) introduced new strings for DBVERSION
    2) added the logic to compare the new DBVERSION strings
  note: we don't store the current db version string in the replication code any more. Instead, we get it from Berkeley DB header file db.h.
* Resolves: 232050 | Noriko Hosoi | 2007-03-15 | 7 | -206/+360
  Summary: Change format of DBVERSION and guardian files (Comment #4)
    1) introduced new strings for DBVERSION
    2) added the logic to compare the new DBVERSION strings
  note: we don't store the current db version string in the backend source code any more. Instead, we get it from Berkeley DB header file db.h.
* Resolves: bug 232377 | Rich Megginson | 2007-03-15 | 6 | -14/+61
  Bug Description: PAM passthru ENTRY method not working
  Reviewed by: prowley (Thanks!)
  Fix Description: There are several problems.
    1) For the ENTRY method to perform the internal search to get the entry for the bind DN, it must have a component ID (aka plugin identity). The code was already there to get/set it, but it was never initialized in the init function.
    2) You cannot mix slapi_sdn_new* with slapi_sdn_init* - slapi_sdn_init will erase the knowledge that the Slapi_DN was allocated with malloc and it will not free it in slapi_sdn_free().
    3) People may assume they can specify a subtree (e.g. ou=people,dc=example,dc=com) instead of a suffix for the list of included/excluded suffixes. The error message will not print a list of valid suffixes for the admin to use.
    4) slapi_be_exist was failing because the database does not notify the mapping tree code that the backend is started during startup. This works fine under normal conditions because most all of the code in mapping_tree.c will lookup the backend if the mtn_be pointer in the mapping tree node is NULL. However, slapi_be_exist and slapi_be_select do not do this. The proper solution is to call slapi_mtn_be_started() at database startup time. This is the same thing that happens when a backend is added at runtime.
  Platforms tested: FC6
  Flag Day: no
  Doc impact: no
* Resolves: bug 231507 | Rich Megginson | 2007-03-14 | 1 | -4/+4
  Bug Description: Modification of directory entries with VLV-indexed null-value attributes results in server crash
  Reviewed by: nkinder, nhosoi, prowley (Thanks!)
  Fix Description: The value lowest_value is defined outside the loop that loops through all the attributes in the vlv sort specification (e.g. usually something like cn givenname o ou sn if defined by the console browsing index). lowest_value is not reset for each loop iteration. So if it goes through the loop one time for e.g. givenname, and givenname has values, lowest_value will point to the lowest value of givenname until the key is created, then it is freed. So the next loop iteration uses o, and if for example o does not have any values, lowest_value will point to the already freed memory used by the givenname iteration, which is now garbage (e.g. the lowest_value->bv_len may be very large, which is the probable cause of the malloc out of memory errors seen by the customer). The solution is to reset lowest_value to NULL before each loop iteration (I did this by moving the declaration and initialization of lowest_value inside the loop scope) and testing for lowest_value == NULL before trying to use it.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: 229513 | Noriko Hosoi | 2007-03-07 | 1 | -2/+4
  Summary: CRM #1160370 RHDS does not reset passwordRetryCount to 0 upon a successful BIND
  Change: If password lockout is on, need_new_pw from the successful bind tries to set passwordRetryCount to 0 in smods, but if passwordExpirationTime is not set and password never expires, the smods is not applied and discarded. Added pw_apply_mods if password lockout is on.
* Resolves: 231221 | Noriko Hosoi | 2007-03-07 | 1 | -1/+1
  Summary: A system index of eq for nsds5ReplConflict does not help
  Change: added a presence index for nsds5ReplConflict
* Resolves: 229280 | Noriko Hosoi | 2007-03-07 | 1 | -1/+1
  Summary: Add LDAPI (LDAP over unix domain sockets) (Comment #5)
  Change: Fixed a copy & paste error...
* Resolves: bug 230808 | Rich Megginson | 2007-03-03 | 2 | -244/+296
  Bug Description: Split core schema
  Reviewed by: prowley (Thanks!)
  Files: see diff
  Branch: HEAD
  Fix Description: Moved all schema not required to start the server from 00core.ldif into a new file called 01common.ldif. Andrew and Satish already did the work to determine which schema are required to start the server, which is the schema needed to be in 00core.ldif.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: 230673 | Noriko Hosoi | 2007-03-02 | 1 | -1/+1
  Summary: LDAPI: referral mode needs LDAPI socket? (Comment #3)
  Change: LDAPI is disabled in the initial configuration parameter setting.
* Resolves: 230673 | Noriko Hosoi | 2007-03-02 | 1 | -1/+2
  Summary: LDAPI: referral mode needs LDAPI socket? (Comment #3)
  Change: if ldapifilepath is not passed, LDAPI is disabled in the newly created instance.
* Resolves: bug 230498 | Rich Megginson | 2007-03-01 | 3 | -15/+88
  Bug Description: allow ds_newinst with ldapi and no serverport
  Reviewed by: nkinder, nhosoi (Thanks!)
  Fix Description: Two new fields have been added to the ds_newinst .inf files:
    ldapifilepath - the full path and file name of the server ldapi file
    start_server - if present and has a value of 0, this tells ds_newinst not to start the server - default is 1
  The ds_newinst code has been changed to allow an empty or "0" value servport if an ldapifilepath is given (and ENABLE_LDAPI is defined). Either a valid server port or an ldapifilepath must be provided, or both. In addition, I changed ds_newinst.pl to accept a .inf file given on stdin.
  Platforms tested: RHEL4, FC6
  Flag Day: no
  Doc impact: We will have to document ldapi support on the wiki.
* Resolves: 230458 | Nathan Kinder | 2007-02-28 | 4 | -323/+449
  Summary: Corrected out of date licensing/copyright block in a few files.
* fix defined out code to really be defined out | Pete Rowley | 2007-02-27 | 1 | -1/+1
* corrected copyright statement | Pete Rowley | 2007-02-27 | 2 | -2/+0
* Add LDAPI | Pete Rowley | 2007-02-27 | 19 | -74/+1077
* Resolves: bug 229825 | Rich Megginson | 2007-02-23 | 1 | -12/+23
  Bug Description: aci with bogus uid= dn created by ds_newinst
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Unknown to me until just now, PL_strdup(NULL) will return "" - the empty string. The code in config_suitespot() expects that empty or unused fields are NULL. The solution is to create a create_instance_strdup() wrapper around PL_strdup() and use that in cases where the argument may be NULL. I checked create_instance.c. Every other place where PL_strdup is used, the argument is checked for NULL first. So these are the only places affected. Instance creation works fine after this change and does not create the offending aci.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Need to terminate dna plugin config entry with a newline | Rich Megginson | 2007-02-23 | 1 | -0/+1
* Resolves: bug 229691 | Rich Megginson | 2007-02-22 | 1 | -4/+19
  Bug Description: Add enable switches for optional/experimental features
  Reviewed by: nkinder, nhosoi, prowley (Thanks!)
  Fix Description: Added --enable-pam-passthru, --enable-dna, and --enable-ldapi. They are all on by default and must be explicitly disabled (--disable-pam-passthru). These all cause ENABLE_xxx to be defined for C code so that we can enclose the code in #ifdef ENABLE_PAM_PASSTHRU blocks, for example. For the first two, these also cause the plugins to be built - so that if you specify --disable-pam-passthru, the plugin code will not be built at all.
  I discovered a nifty autoconf macro called AS_HELP_STRING - this nicely formats the help messages output by configure --help. I don't know if it's worth going through all of our m4 code to use this, but I went ahead and fixed configure.ac.
  Create instance will now add plugin configuration entries (but disabled) for pam passthru and dna if the corresponding ENABLE_ macros are defined. I also fixed a bug with passthru (not pam passthru) - the plugin configuration entry was not being added.
  Platforms tested: RHEL4, FC6
  Flag Day: no
  Doc impact: no
* Resolves: 229576 | Noriko Hosoi | 2007-02-21 | 27 | -6062/+0
  Summary: clean up template-scriptname which is derived from template-scriptname.in
* Resolves: bug 228334 | Rich Megginson | 2007-02-12 | 3 | -7/+22
  Bug Description: Allow building with bdb 4.4 or later
  Reviewed by: nkinder (Thanks!)
  Fix Description: db.m4 already had code to detect and use the correct version of db headers and libraries. There have been some minor api changes since 4.3, so not many code changes were required. Note that this merely allows the server to build and run with db4.4 or later, not to take advantage of the newer features of the API.
  Platforms tested: FC7
  Flag Day: no
  Doc impact: no
* Resolves: bug 227771 | Rich Megginson | 2007-02-12 | 1 | -2/+5
  Bug Description: FHS: use sysconfdir (/etc) as config file location - allow builders to set dynamic config directory location at configure time
  Reviewed by: nhosoi, nkinder, prowley (Thanks!)
  Fix Description: I've added a new configure switch: --with-instconfigdir. This switch will allow the user to specify a different location to store the dynamic instance specific config files rather than the default $sysconfdir/$package_name (e.g. /etc/fedora-ds). This is the directory which will contain the slapd-instance directories which contain the instance specific config, schema, and security files. Even though the user could override this with ds_newinst.pl ([slapd] section config_dir), we needed to be able to set the default so that the user would not have to remember to do this every time, and so that packagers could set a reasonable default value for their platform.
  Platforms tested: FC6, RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: bug 160235 | Rich Megginson | 2007-02-09 | 4 | -35/+43
  Bug Description: Add support for /etc/init scripts
  Reviewed by: nkinder (Thanks!)
  Fix Description: Add the new initscript. The initscript is called $PACKAGE_NAME which by default is fedora-ds. This script is created from wrappers/initscript.in, sed'd by the fixupcmd in Makefile.am during make install. The way it works is this:
    service fedora-ds cmd
  will execute the cmd on all instances (found in /etc/fedora-ds by default).
    service fedora-ds cmd instance
  will execute cmd on only that instance. So if you have
    /etc/fedora-ds/slapd-foo
    /etc/fedora-ds/slapd-bar
  and you do
    service start fedora-ds
  it will start up both slapd-foo and slapd-bar. If you do
    service start fedora-ds bar
  it will start up only slapd-bar. If you do
    service start fedora-ds biff
  you will get an error message.
  The initdir is platform specific (e.g. /etc/rc.d/init.d on linux, /etc/init.d on Solaris) so the definition was added to the platform dependent section of configure.ac.
  The init script is explicitly branded, including the filename. I needed to add support to the autotool files so that we could change the name of the file. Since package_name is defined when you use the AC_INIT macro in configure.ac, we don't need to define it elsewhere (e.g. #define BRAND_DS). So I added the branding and other information to the autotool files, and changed create_instance to use package_name instead of brand_ds to be consistent. Having the package_name defined in much fewer places should make it much easier to change in the future if necessary.
  I also fixed a compiler warning in ldaprot.h.
  Platforms tested: RHEL4, FC6
  Flag Day: no
  Doc impact: Yes. We need to document how to use the initscript, and how to enable startup on boot - chkconfig fedora-ds on
* Resolves: bug 227771 | Rich Megginson | 2007-02-08 | 1 | -4/+10
  Bug Description: FHS: use sysconfdir (/etc) as config file location
  Reviewed by: nhosoi (Thanks!)
  Fix Description: After much deliberation, we have decided that it is ok that our dynamic config files are under /etc/fedora-ds/slapd-instance. So the config_dir will be /etc/fedora-ds/slapd-instance and the security and schema files will go there as well. Since the FHS is ambiguous about this issue, and it will be very confusing if the configuration files are not under /etc, and there are some agents (webmin, cfengine) that do "dynamically" modify config files under /etc, this outweighs any considerations about having the server using its config file like an "ascii database".
  In addition, the presence of repl-monitor-cgi causes rpm to complain, and since we only support CGIs in the Admin Server, this file has been removed from the core fedora-ds package.
  Platforms tested: RHEL4, FC6
  Flag Day: no
  Doc impact: no
* Resolves: bug 227618 | Rich Megginson | 2007-02-07 | 27 | -82/+89
  Bug Description: FHS: move exes to _bindir; move ns-slapd to _sbindir
  Reviewed by: many people (Thanks!)
  Fix Description: In order to be more FHS compliant, we need to make the following changes:
    1) move files executable by end users to _bindir (e.g. /usr/bin) - this means logconv.pl, ds_newinst, dbscan, etc.
    2) move the server executable ns-slapd to _sbindir (e.g. /usr/sbin)
  And, to be more packaging friendly, the additional changes:
    3) move libback-ldbm to the plugins dir - it is a plugin
    4) use the libtool -avoid-version flag with plugins - we don't need the .so.0.0.0 for plugins
  I had to add support for sbindir and SBINDIR to create_instance and ds_newinst. We were using serverdir for 3 things - command line programs, server specific shared libs, and the server executable itself. These are now in 3 different places. The biggest change was to the scripts. I kept serverdir and SERVER-DIR to be the location of the server shared libs to avoid changing even more stuff. I had to add SERVERBIN-DIR to the scripts - this is the location of ns-slapd and is set by sbindir in create_instance (which defaults to SBINDIR from Makefile.am which defaults to $prefix/sbin in configure - whew). I've tested instance creation with these diffs - everything seems to work fine.
    5) reorder files in alphabetical order - suggested by nkinder
    6) add $LDFLAGS to test in db.m4
    7) touch all template/wrapper .in files to make them newer than their corresponding files
  Platforms tested: RHEL4, FC6
  Flag Day: no
  Doc impact: Yes, but the docs will have to change quite a bit for all of the FHS related changes.
* Resolves: 223861 | Noriko Hosoi | 2007-02-05 | 3 | -4/+4
  Summary: Nightly build uses autotools/yum (Comment #32)
  Changes:
    Makefile: moved scripts template dir from /etc to /usr/share
    template-{start,stop}-slapd: modified the pid and startpid name to slapd-<id>.pid and slapd-<id>.startpid.
  Note: these changes do not affect the new build using autotools. The 3 files would be eliminated when we move to the new build completely. The fix is for keeping the nightly acceptance tests healthy until the transfer is completed.
* Replaced white spaces with a tab to fix "Makefile:150: *** missing separator" | Noriko Hosoi | 2007-02-01 | 1 | -1/+1
* Replaced white spaces with a tab to fix "Makefile:125: *** missing separator" | Noriko Hosoi | 2007-02-01 | 1 | -1/+1
* Distributed numeric assignment plugin - initial check in | Pete Rowley | 2007-01-31 | 16 | -1/+1568
* minor edits to remove references to cos in the example | Pete Rowley | 2007-01-31 | 1 | -2/+2
* Resolves: bug 224606 | Rich Megginson | 2007-01-30 | 1 | -1/+1
  Description: Instance specific dirs should be in instance directory
  Fix Description: Needed to reverse rundir and ds_get_server_name() when constructing the pidfile name.
  Reviewed by: nhosoi (Thanks!)
* Resolves: bug 147886 | Rich Megginson | 2007-01-29 | 1 | -55/+27
  Description: Warn if cert or key file is missing
  Fix Description: My fix for https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=224672 reopened this bug. I think the correct way to address this problem is this:
    If using security, the key and cert db files must exist i.e. there must already be a server cert for the server.
    If not using security, there may not be a key/cert db, but NSS will create them if the directory is writable.
  Reviewed by: nhosoi (Thanks!)
* Resolves: bug 224672 | Rich Megginson | 2007-01-29 | 1 | -106/+28
  Bug Description: Get rid of key/cert db prefix
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Now that we have everything in its own instance specific directory, we do not need the troublesome key/cert database prefix. This simplifies the slapd_nss_init code a great deal.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: YES - A couple of the pages on the wiki talk about slapd-instance-cert8.db and so on - these pages will have to change once FDS 1.1 is released
* Resolves: bug 224606 | Rich Megginson | 2007-01-26 | 4 | -100/+37
  Bug Description: Instance specific dirs should be in instance directory
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Fixed create instance to create these instance specific directories:
    /var/lock/slapd-instance -> /var/lock/fedora-ds/slapd-instance
    /var/lib/slapd-instance -> /var/lib/fedora-ds/slapd-instance
    /var/log/slapd-instance -> /var/log/fedora-ds/slapd-instance
    /var/run/slapd-instance -> /var/run/fedora-ds
  For now, I'm side-stepping the question of what to do about permissions on /var/run/fedora-ds/slapd-instance.pid - we'll address this in the RPM creation. I've also moved the migration scripts to the %{_libdir}/fedora-ds/slapd-instance directory, and I've made the default directory for the key/cert db the same as the config directory. I think the dynamic nature of their configuration warrants the move.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: bug 224291 | Rich Megginson | 2007-01-25 | 1 | -2/+2
  Bug Description: Move script-templates from sysconfdir to datadir
  Reviewed by: nkinder, dennis (Thanks!)
  Files: see diff
  Branch: HEAD
  Fix Description: Just change sysconfdir to datadir in both the Makefile.am (which controls where the files are put during installation) and in create_instance.c (which controls where instance creation looks for the templates to use them to create the real scripts).
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: #195305 | Noriko Hosoi | 2006-12-15 | 2 | -10/+291
  Summary: make new_task() non-static
  Adding a sample task plugin code and updating the README for the plugin.
* Resolves: #195305, #195307 | Noriko Hosoi | 2006-12-14 | 5 | -46/+97
  Summary: [195305] make new_task() non-static
  Changes: provide slapi_new_task and slapi_destroy_task as slapi APIs
  Summary: [195307] task registration by plugins is wiped by task_init()
  Changes: clean up old tasks before plugin_startall
* Resolves: #202843 | Noriko Hosoi | 2006-12-13 | 1 | -19/+1
  Summary: referential integrity plugin does not stack with Class of Service appliance (Comment #16)
  Changes: Don't call dblayer_close before plugin_closeall.
* Resolves: #202843 | Noriko Hosoi | 2006-12-12 | 1 | -0/+3
  Summary: referential integrity plugin does not stack with Class of Service appliance (Comment #14)
  Changes: Added the CoS plugin dependency to MMR.
* Resolves: #202843 | Noriko Hosoi | 2006-12-08 | 3 | -45/+149
  Summary: referential integrity plugin does not stack with Class of Service appliance (Comment #11)
  Changes:
    1) registered cos_post_op and roles_post_op as SLAPI_PLUGIN_INTERNAL_POST_op_FN functions.
    2) changed the plugin type of CoS and Roles from "postoperation" to "object".
* Resolves: #183222 | Noriko Hosoi | 2006-12-07 | 1 | -9/+19
  Summary: Directory Server hangs when running VLV search and update operations simultaneously. (Comment#22)
  Change: Before creating db cursor, unlock vlvSearchList.
* Resolves: 217796 | Nathan Kinder | 2006-12-05 | 3 | -10/+51
  Summary: Fix inconsistent clear password storage and ensure that SASL authentication uses passwords properly.
* Resolves: 158342 | Noriko Hosoi | 2006-12-04 | 3 | -12/+21
  Summary: db backend path handling could be improved to deal with "//", "..", etc.
  Changes:
    util.c: modified rel2abspath so that if the given path contains "//", calls the normalize function, and the normalize function eliminates the repeated separators.
    ldbm_config.c, ldbm_instance_config.c: before setting the nsslapd-directory paths, pass them to rel2abspath to clean up the paths.
* Resolves: bug 218076 | Rich Megginson | 2006-12-02 | 2 | -59/+117
  Bug Description: Server autoconf build crashes when stopped/started very quickly
  Reviewed by: nhosoi (Thanks!)
  Fix Description: The problem was that 3 of the database threads were being started and stopped before the 4th had a chance to start. So the thread count would start at 3 and drop to 0, and the dblayer_pre_close code would think everything was fine. The 4th thread is the checkpoint thread which was doing a db_checkpoint operation before incrementing the thread count. For some reason, on x86_64 with the system provided libdb-4.2, the checkpoint operation was taking longer than it usually does with our locally built libdb-4.2, so this allowed the other 3 threads to stop and start before the checkpoint thread had a chance to increment the thread count. The solution is to make sure the incrementing of the thread count occurs as early as possible in the thread function, before any executable code that might take any time. This should ensure that all of the threads start up and increment the thread count before the shutdown occurs.
  The second part of the solution is that, according to wtc, the NSPR maintainer, the PR_Atomic functions should not be used as a semaphore like this. So, the code was rewritten to use locks and condition variables. The code is not performance critical, so adding locking should not have any impact on performance. In addition, the new code is much cleaner, more correct, and more obvious about what it's doing.
  Platforms tested: RHEL4 x86_64
  Flag Day: no
  Doc impact: no
* Resolves: #183222 | Noriko Hosoi | 2006-12-01 | 4 | -42/+65
  Summary: Directory Server hangs when running VLV search and update operations simultaneously. (Comment #16)
  Changes:
    1. promoted idl_delete to global to make it available in vlv_trim_candidates_byvalue. In vlv_trim_candidate_byvalue, if any id's in the idlist is found not having the corresponding entry, delete the id from the idlist and retry the binary search.
    2. demoted too noisy error message: - compare_entries db err -30990
    3. not to include the db access code (cursor operation) inside of the read-lock in vlv_find_index_by_filter.
* Resolves: #216983 | Noriko Hosoi | 2006-11-28 | 1 | -13/+213
  Summary: Make random password generation work with policies
  Changes:
    1) Generate a password that meets the current password syntax rules.
    2) Report errors when Min8Bit is set or MinCategories > 4
* Resolves: bug 217403 | Rich Megginson | 2006-11-27 | 1 | -5/+14
  Bug Description: Instance specific schema files should be owned by server uid
  Reviewed by: nkinder (Thanks!)
  Fix Description: Add a new function - ds_copy_group_files_using_mode_owner() - that allows you to set the file mode and owner when copying directories and files. Use that function when copying the schema files to the new instance directory.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: 212112 | Nathan Kinder | 2006-11-27 | 1 | -26/+59
  Summary: Improved error messages for password syntax violations.
* Bug(s) fixed: 216758 | Rich Megginson | 2006-11-21 | 15 | -30/+64
  Bug Description: Use @libdir@ instead of hardcoded /usr/lib in template-script.in files
  Reviewed by: nkinder (Thanks!)
  Fix Description: Just replace /usr/lib with @libdir@ in the script template .in files.
  Platforms tested: RHEL4
  Flag Day: no
  Doc impact: no
* Resolves: #216512 | Noriko Hosoi | 2006-11-21 | 1 | -5/+19
  Summary: replica initialization: random failure (Comment #1)
  Change: if acquire_replica is called for replica initialization, log REPLICA_BUSY.