path: root/ldap
Commit message | Author | Age | Files | Lines
...
* Resolves: #436830 | Noriko Hosoi | 2009-01-08 | 1 | -1/+3
  Summary: Memory leak in ns-slapd's Class Of Service
  Fix Description: When all the necessary values for the template cache are not available, the allocated memory should be discarded. One of them pCosPriority was missed to release.
* Resolves: bug 478656 | Rich Megginson | 2009-01-07 | 1 | -3/+18
  Bug Description: rhds accounts are disabled in ad after full sync
  Reviewed by: nkinder (Thanks!)
  Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not. I modified the code to do that. I also changed the send_accountcontrol_modify to force the account to be enabled if adding it. I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error. So you have to modify userAccountControl after adding the entry. I also cleaned up a couple of minor memory leaks.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: Yes - we need to document the fact that new accounts will now be created in AD enabled
* Resolves: bug 479077 | Rich Megginson | 2009-01-07 | 1 | -0/+4
  Bug Description: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
  Reviewed by: nkinder (Thanks!)
  Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: 479065 | Nathan Kinder | 2009-01-07 | 1 | -11/+12
  Summary: Only check permissions on nsslapd-rundir in normal execution mode.
* Resolves: #438139 | Noriko Hosoi | 2009-01-06 | 4 | -224/+159
  Summary: DN with antislash('\') rename (modrdn) problem
  Problem description: Unescape codes in the DS (strcpy_special_undo in ava.c and strcpy_unescape_dnvalue in dn.c) were "unescaping" more than the escape code (e.g., escape_dn_value in NET LDAP) does escaping. The test string 'BeforeSlash\AfterSlash' fortunately/unfortunately contains '\Af', which is considered '\##' (where # is hex number) by the DS unescape functions even though it was not meant to be escaped. As long as using UTF-8, there is no chance for the server to receive "\af".
  Change description:
  1) There were identical static functions: strcpy_special_undo (ava.c) and strcpy_special_undo (dn.c). Merged them to strcpy_unescape_value and put it in util.c.
  2) In the unescape/normalize functions for dn (strcpy_unescape_value in util.c and substr_dn_normalize in dn.c), added a check for the first hex number in '\##'. If the 8th bit is on, we don't do unescaping but store it as is since the unescaped character is not UTF-8.
  3) If 2 consecutive '\'s are passed to the unescape/normalize functions, keep one of them.
* Resolves: 474621 | Nathan Kinder | 2009-01-05 | 2 | -7/+90
  Summary: Don't allow auto-generated attributes to be used in RDN.
* Resolves: bug 476891 | Rich Megginson | 2008-12-19 | 1 | -1/+1
  Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
  Reviewed by: nkinder (Thanks!)
  Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
  Platforms tested: RHEL5, Fedora 9
  Flag Day: no
  Doc impact: no
* Resolves: 437049 | Nathan Kinder | 2008-12-19 | 2 | -17/+7
  Summary: Add missing parent objectclasses for all operations (replicated or not).
* Resolves: bug 476891 | Rich Megginson | 2008-12-17 | 1 | -4/+10
  Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
  Reviewed by: nkinder (Thanks!)
  Fix Description:
  1) SASL/DIGEST-MD5 needs both username and authid
  2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
  3) gssapi (kerberos) sets both username and authid to NULL
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: 463776 | Nathan Kinder | 2008-12-17 | 2 | -4/+4
  Summary: Make "back" response in setup code work correctly.
* Resolves: 467233 | Nathan Kinder | 2008-12-17 | 1 | -1/+1
  Summary: Fix undefined subroutine error when trying to display usage message in setup scripts.
* Resolves: 445305 | Nathan Kinder | 2008-12-17 | 3 | -6/+26
  Summary: Ensure directories created by installer get the requested mode applied.
* Resolves: 430368 | Nathan Kinder | 2008-12-15 | 1 | -0/+11
  Summary: Add check for permissions on nsslapd-rundir at startup.
* Resolves: bug 476127 | Rich Megginson | 2008-12-15 | 1 | -1/+2
  Bug Description: rhds80 seg fault - pass sync - entry missing userPassword ?
  Reviewed by: nkinder (Thanks!)
  Fix Description: The fix is pretty obvious - just make sure we don't deref a NULL. The reason for the NULL is due to a sequence of more than one modify for the userPassword attribute, where one of the mods is a replace with no value or a delete of the attribute. The bug has the details about how to reproduce. One thing I don't know is what client is generating this sequence of operations . . .
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
  QA impact: should be covered by regular nightly and manual testing
  New Tests integrated into TET: none
* Resolves: 437049 | Nathan Kinder | 2008-12-12 | 1 | -2/+2
  Summary: Log error to errors log when we have a problem writing stats file.
* Resolves: #178248 | Noriko Hosoi | 2008-12-12 | 2 | -2/+12
  Summary: db backend entry cache settings field "Memory available for cache" boundaries
  Fix Description:
  db_strtoul: check the input string. If the string starts with '-', returning the error ERANGE -- the same error as the larger the upper limit is passed.
  cache.c: the minimum entry cache size defined in cache.c was 200000, which is different from the info on the Configuration Command File Reference Guide:
    Valid Range: 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms
  Adjusting the define to the doc.
* Resolves: 250535 | Nathan Kinder | 2008-12-12 | 1 | -1/+3
  Summary: Make repl-monitor.pl a template to pass in correct perl environment.
* Resolves: #475899 | Noriko Hosoi | 2008-12-12 | 1 | -3/+11
  Summary: extensible filter having range operation crashes the server (comment#7)
  Description: As Rich suggested, set the pb->pb_op to glob_pb->pb_op to catch the abandon request in case the underlying operation is interrupted.
* Resolves: #430568 | Noriko Hosoi | 2008-12-11 | 1 | -2/+4
  Summary: spurious errors logged when specifying default locale
  Description: As Ulf Weltman pointed out, U_USING_FALLBACK_WARNING is not an error. (So is not U_USING_DEFAULT_WARNING.) When U_USING_FALLBACK_WARNING or U_USING_DEFAULT_WARNING is returned, suppressed printing the error messages.
* Resolves: 201332 | Nathan Kinder | 2008-12-11 | 4 | -9/+23
  Summary: Allow password modify extop when password reset is needed.
* Resolves: #475899 | Noriko Hosoi | 2008-12-11 | 1 | -3/+5
  Summary: extensible filter having range operation crashes the server
  Description: we should prevent accessing the inside of NULL pointer.
* Resolves: #475338 | Noriko Hosoi | 2008-12-10 | 2 | -145/+154
  Summary: LOG: the internal type of maxlogsize, maxdiskspace and minfreespace should be 64-bit integer
  Description: support nsslapd-*log-maxlogsize, nsslapd-*log-logmaxdiskspace and nsslapd-*log-logminfreediskspace larger than 2GB.
* Resolves: #447353 | Noriko Hosoi | 2008-12-06 | 1 | -12/+24
  Summary: RFE: search optimization and single character substring searches (comment #20)
  Description: update the comments to adjust to the program.
* Resolves: 459433 | Noriko Hosoi | 2008-12-05 | 2 | -3/+14
  Summary: MMR: intensive conflict test crashes the server
  Description: values2keys functions in the syntax plugin did not check the existence of the input and output variable.
* Resolves: bug 454030 | Rich Megginson | 2008-12-05 | 73 | -524/+592
  Bug Description: Need to address 64-bit compiler warnings - again
  Reviewed by: nhosoi (Thanks!)
  Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64:
    -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
  I also enabled argument/format match checking for most of the commonly used variadic functions. Most of the problems I found fell into these categories:
  1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be variadic.
  2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
  3) use %lu for size_t and %ld for time_t
  I did find a few "real" errors, places that the code was doing something definitely not right:
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
    https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3
  This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: no
* Resolves: #474729 | Noriko Hosoi | 2008-12-05 | 1 | -28/+62
  Summary: Unindexed search does not get logged with "notes=U"
  Fix Description: In each <index-type> candidates function, check if the attribute is indexed by calling index_read_ext instead of index_read. The function index_read_ext takes a variable to return whether the attribute is indexed or not. Once it's determined, set SLAPI_OP_NOTE_UNINDEXED to the pblock, which is used when logging the result.
* Resolves: 445775 | Nathan Kinder | 2008-12-04 | 1 | -2/+6
  Summary: Avoid replicating default schema when DESC element is an empty string.
* Resolves: #240512 | Noriko Hosoi | 2008-12-04 | 1 | -0/+2
  Summary: schema replication op error logs wrong error
  Description: As suggested by Ulf in his original comment, put break in the case CONN_OPERATION_FAILED and set the macro to return_value for the readability.
* Resolves: #474237 | Noriko Hosoi | 2008-12-04 | 2 | -52/+136
  Summary: db2ldif -s "suffix" issues confusing warnings when sub suffix exists
  [main.c]
  * if -s <dn> is passed to db2ldif, the <dn> is used to look up the instance name the <dn> belongs to with the base dn "cn=mapping tree,cn=config" and the filter "(&(objectclass=nsmappingtree)(|(cn=*<dn>\")(cn=*<dn>)))". If the <dn> is not the suffix, but the sub node, it fails to find out the instance which contains the <dn>. To solve the problem, going upward the DIT until the instance is found.
  * If multiple backends are specified to export, all the names are printed.
  [ldif2ldbm.c]
  * ldbm_fetch_subtrees: when -s <dn> is passed to db2ldif, added a logic to avoid the further process if the <dn> does not belong to the backend.
  * When multiple backends are exported, dse was loaded each time. Changed not to do so.
  * Export counter was not decremented when the entry was not to be exported.
* Resolves: #474248 | Noriko Hosoi | 2008-12-04 | 3 | -3/+14
  Summary: Replica crashes in the consumer initialization if the backend to be replicated does not exist
  Description:
  . mapping_tree.c: if NULL mapping tree state is passed, return an error.
  . repl_extop.c: if mapping tree node state is NULL, don't reset the mapping tree state.
  . replutil.c: if NULL mapping tree state is passed, log it and return.
* Resolves: #469800 | Noriko Hosoi | 2008-12-03 | 1 | -0/+190
  Summary: Slow import post-processing with large number of non-leaf entries
  Description: Building the ancestorid index does not need to be so expensive, since the information is available from the parentid index. The cost is associated with general overhead in maintaining the IDLists in memory, and in particular to the constant unions done on them to add children. When these lists may contain millions of entries, the time spent copying the existing data when inserting children is prohibitively expensive. This does not affect all layouts equally, but does cause problems when large numbers of children are dispersed throughout the tree. BDB can usually handle inserts efficiently on its own, so it is not necessary to maintain complete IDLists in memory for all the entries and write them out in total. Updates can be performed directly to the DB instead.
  Note: checking in the patch on behalf of Thomas Lackey
* Resolves: 474254 | Nathan Kinder | 2008-12-03 | 9 | -4/+100
  Summary: A number of the default attribute and objectclass definitions end up in 99user.ldif if you add any custom schema over LDAP.
* Resolves: bug 469261 | Rich Megginson | 2008-12-02 | 13 | -193/+84
  Bug Description: Support server-to-server SASL - console chaining, server cleanup
  Reviewed by: nkinder (Thanks!)
  Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button.
  The second set of diffs is for the server.
  1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values).
  2) Added some more debugging/tracing code
  3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configured some of the SSL settings and install the correct policy. I changed the server code to do this.
  Platforms tested: RHEL5
  Flag Day: no
  Doc impact: Yes
* Resolves: #430993 | Noriko Hosoi | 2008-12-01 | 1 | -43/+61
  Summary: log expiration policy broken in some cases
  Description:
  1. set default values to loginfo.log_*_rotationtime, log_*_rotationunit, log_*_rotationtime_secs, log_*_exptime, log_*_exptimeunit, log_*_exptime_secs, where * matches access, error, or audit.
  2. log_set_expirationtime: if the given exptime is 0 or less than 0, -1 (no expire) is set to the internal expiration time. If log_set_expirationtimeunit is not called at this moment, the default value is used.
  3. log_set_expirationtimeunit: set the given expunit value to loginfo.log_*_exptimeunit, which was missing. If exptime is -1 at this moment (i.e., log_set_expirationtime is not called yet or set "no expire"), the internal expiration time is set to -1 (no expire).
* Resolves: 220532 | Nathan Kinder | 2008-11-26 | 5 | -13/+63
  Summary: Add access to RUV by users other than "cn=Directory Manager".
* Resolves: #472999 | Noriko Hosoi | 2008-11-26 | 1 | -0/+4
  Summary: vlv: memory leak
  Description: if the addresses of the passed key and the returned key don't match, the space for the returned key is allocated in libdb. Thus, we have to release the returned key.
* Resolves: 387851 | Nathan Kinder | 2008-11-26 | 3 | -9/+32
  Summary: Added validation for nsslapd-maxsasliosize value.
* Resolves: #430172 | Noriko Hosoi | 2008-11-26 | 1 | -0/+30
  Summary: memory leaks after db "get" deadlocks, e.g. in CL5 trim
  Description: Even if cursor->c_get returns non SUCCESS(==0), there is an occasion that DBT data holds memory which is allocated in libdb. To release the memory, put
    slapi_ch_free ((void **)&key.data);
    slapi_ch_free ((void **)&data.data);
  just after the while loop, where we come to the point when cursor->c_get fails.
* Resolves: 387851 | Nathan Kinder | 2008-11-25 | 4 | -2/+54
  Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
* Resolves: 430321 | Nathan Kinder | 2008-11-25 | 1 | -4/+2
  Summary: Fixed memory leak in collator plug-in.
* Resolves: #472457 | Noriko Hosoi | 2008-11-24 | 1 | -7/+17
  Summary: Specially crafted Server Side Sort crashes directory server or makes it unresponsive
  Description: The cause of the problem was a buffer overflow. The length of the 2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.3.2.18.1.6 " is just about the prepared buffer size, which is unfortunate since there is no space for the candidate size, e.g., "(1944)" being added later. By adding the "(1944)" to the static buffer, it caused buffer overflow and crashed your server. The code to check the length of the candidate size before calculating the buffer size is added.
* Resolves: 216522 | Nathan Kinder | 2008-11-24 | 2 | -179/+173
  Summary: Make password modify extop use fine-grained password policies correctly.
* Resolves: 207457 | Nathan Kinder | 2008-11-21 | 1 | -1/+1
  Summary: Changed the way we specify the memory offset in the slapi_counter_set_value() assembly code to make it work properly with gcc3.
* Resolves: 454348 | Nathan Kinder | 2008-11-21 | 1 | -5/+31
  Summary: Index nscpEntryDN attribute when importing tombstones.
* Resolves: #470084 | Noriko Hosoi | 2008-11-20 | 1 | -9/+0
  Summary: Problems migrating from libdb-4.4 to libdb-4.7
  Description: Removed the code to remove transaction logs for the db version upgrade.
* Resolves: #471998 | Noriko Hosoi | 2008-11-19 | 3 | -11/+55
  Summary: dbverify: support integer type index
  Description:
  1) changed dblayer_bt_compare to public (proto-back-ldbm.h, dblayer.c)
  2) set dblayer_bt_compare by dbp->set_bt_compare if the attribute has a comparison function set in ai->ai_key_cmp_fn (dbverify.c)
  3) cleaned up the function dbverify_ext; set the right page size based upon the idl type (new idl or old idl), also set dup compare function only when the idl type is new. (dbverify.c)
* Resolves: #471138 | Noriko Hosoi | 2008-11-17 | 5 | -32/+221
  Summary: LDCLT: add abandon to ldclt
* Resolves: 450046 | Nathan Kinder | 2008-11-14 | 1 | -6/+24
  Summary: Clean-up leftover changelog semaphore at startup.
* Resolves: 470918 | Nathan Kinder | 2008-11-13 | 14 | -56/+60
  Summary: Made replica_set_updatedn detect value add modify operations properly.
* Resolves: 470393 | Nathan Kinder | 2008-11-13 | 1 | -2/+2
  Summary: nsslapd-timelimit setting should accept a value of -1.