| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: migration results in incomplete admin server sie
Reviewed by: nkinder (Thanks!)
Fix Description: This is a redesign of one of the core pieces of the setup/migration code - the code that adds the LDAP entries in various places. For starters, I removed the code that would implicitly delete existing trees. This is the root cause of this bug, and other similar problems with setup/instance creation that have been reported. We should never implicitly delete entries. Instead, we should explicitly delete entries by using the changetype: delete in an LDIF template file.
Another source of problems was that to update an entry, we would delete it and add it back. This caused some configuration settings to be wiped out (e.g. encryption settings). We cannot do this any more. The LDIF template entries have been modified to have two sets of information for each entry that requires update - the entry to add if no entry exists (the full entry) or the changes to make to the entry if it does exist. The code in Util.pm has been changed to ignore duplicate entries and to ignore changes made to entries that do not exist.
Another source of problems with migration is that the error checking was not adequate, especially with FileConn and dse.ldif reading. The fix is to add better error checking and reporting in these areas of code, including error messages.
Yet another problem is the run_dir handling. On many platforms the run_dir is shared among all DS instances and the admin server. Older versions of the software allowed you to run the servers as root. We have to make sure run_dir is usable by the least privileged user of all of the servers.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
|
| |
|
|
|
| |
Description: slapd hang during cs80 cloning setup.
Fix Description: Not exactly related to the bug, but Noriko found a couple of places during investigation of internal add operations where the Slapi_Entry* could be leaked upon error. These fixes ensure that the entry is properly freed in case of error.
|
| |
|
|
|
|
|
|
|
| |
Bug Description: slapd hang during cs80 cloning setup.
Reviewed by: nhosoi (Thanks!)
Fix Description: If replication code attempts to add the RUV entry during replica configuration, and the add operation returns an error, the code will attempt to free the entry. This causes a double free. Internal add operations always consume and free the entry, success or failure. The solution is to set the entry to NULL just after adding it so the clean up code will not be able to free it again.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Cross Platform Migration Fails with: Unable to access
nsslapd-rundir: Bad address
Reviewed by: nkinder (Thanks!)
Fix Description: Need to add any new attributes added in 8.0 and 8.1 to
the ignoreOld hash table in the migration script. The way migration
works, it assumes an attribute is supported in both the old version and
the new version. So if the attribute is absent in the old entry and
present in the new entry, it assumes the user removed the attribute in
the old entry, so removes it in the new entry. The ignoreOld hash table
holds the list of attributes that we should ignore for the purposes of
attribute comparison. These are the attributes we just want to pass
through.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
| |
Description: RFE change default place for kerberos keytabs
Fix Description: changed to
# KRB5_KTNAME=@instconfigdir@/myname.keytab ; export KRB5_KTNAME
Where @instconfigdir@ will usually expand to /etc/dirsrv
|
| |
|
|
|
|
|
|
|
| |
Bug Description: some cn=config options show up with incorrect value on 64-bit
Reviewed by: nkinder (Thanks!)
Fix Description: The get functions return a specific sized type (e.g. an int). We were assigning this to a void *. We cannot do this. We must assign the return value from the get function to the correct size and type variable. I changed the config code to do this. I also had a look at the database and chaining database config code which does similar things with void *, but that code works a little bit differently and appears to be ok.
Platforms tested: RHEL5 x86_64 (need to test on HP-UX)
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
Summary: Compare operation in nsaccountlock returns error
Description: Compare function for the CoS attribute cos_cache_cmp_attr failed
to set the result.
|
| |
|
|
| |
Summary: Added new remove-ds.pl script and manpage.
|
| |
|
|
|
| |
Description: referential integrity plugin incorrectly treats "rename" operations
Fix Description: join RDNs with "," instead of ", " to make the new DN - thanks to Andrey Ivanov (andrey.ivanov@polytechnique.fr)
|
| |
|
|
|
|
|
| |
Summary: nsIndexType allows a blank value but does not properly apply default indexes
Description: the values retrieved from the index entry were not checked whether
it's empty or not. With this fix, if it's empty, it issues an warning and
returns LDAP_OPERATIONS_ERROR.
|
| |
|
|
|
|
|
| |
Summary: Entry cache: invalid counter usage
Description: if new entry size is larger than old size, the delta is added to
the cache size using slapi_counter_add; otherwise, the delta is subtracted from
the cache size using slapi_counter_subtract.
|
| |
|
|
|
|
|
|
|
| |
Summary: timelimit not honored in some cases
Description: Range search operations could take longer time than the time limit
depending upon the data size, but there was no chance to check the time limit
in the code (index_range_read). Thus, once the range search operation has
started, it could have lasted far exceeding the specified time limit.
I introduced the time check in the range search function.
|
| |
|
|
| |
Summary: Only change permissions of certdb when it is newly created.
|
| |
|
|
|
|
|
| |
Summary: When password policy is on, replacing userpassword starting with
{clear} fails
Description: #484311 is not a bug; this change is just to improve the error
message.
|
| |
|
|
| |
Summary: Ensure server group has proper permissions on certificate db files.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Summary: Clear directory manager password with password storage scheme other
than clear crashes the server
Description:
1) introducing a flag (_nss_initialized) and an API (slapd_nss_is_initialized)
to represent NSS_Initialize is called or not.
2) in config_set_rootpw, if the directory manager's password is given unhashed,
check if NSS is already initialized and the directory manager's password
storage scheme is clear or not. If NSS is not initialized and if the storage
scheme is not CLEAR, report it and return an error LDAP_PARAM_ERROR.
|
| |
|
|
| |
Summary: Update member attributes that refer to renamed entries when processing a MODRDN.
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Modification of nsViewFilter of a virtual view OU crashes the server
Reviewed by: nhosoi, andrey.ivanov (Thanks!)
Fix Description: When we delete a node, not only do we need to have the parent node discover its new children, we need to have each child discover a new parent.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: DS crash when modify entry that does not exist in AD
Reviewed by: nkinder (Thanks!)
Fix Description: The function that checks to see if the mod has already been made to the AD entry should just return 0 if the AD entry does not exist or could not be found - in this case, the regular windows replay code will handle it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: HPUX: Server to Server SASL - Unknown Authentication Method
Reviewed by: nkinder (Thanks!)
Fix Description: On some platforms, we do not install the sasl auth method plugins in a standard location, so we have the nsslapd-saslpath config setting to provide that location in a CB_GETPATH callback provided to sasl_server_init. This works fine for being a SASL server. However, to be an LDAP SASL client, we have to provide that callback to sasl_client_init too. This call happens the first time the mozldap client library is initialized. mozldap has a hardcoded list of sasl callbacks it provides, and does not allow callers to augment that list. So, we simply replace the list with one that contains the CB_GETPATH callback.
Platforms tested: HP-UX 11.23 64-bit
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
Summary: Syntax plugin (phonetic): "Sounds like" does not support Western
European characters
Description: added a support for Latin-1 characters (UNICODE:00C0 - 00FF)
|
| |
|
|
| |
Summary: test plugin (datainterop): eliminate BDB dependency from testdbinterop
|
| |
|
|
|
| |
Summary: db2ldif -s "" crashes with segmentation fault
Change description: adding a check to see if there is no entries.
|
| |
|
|
| |
Summary: Enhanced rsearch to allow user filter and password to be configurable (contributed by telackey@bozemanpass.com).
|
| |
|
|
|
|
|
|
|
| |
Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server
Reviewed by: nkinder (Thanks!)
Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
Reviewed by: nkinder (Thanks!)
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
| |
Summary: userattr="parent[1].<attribute>#LDAPURL" does not work
Description: It turned out userattr="parent[1].<attribute>#LDAPURL" was not
implemented. The functionality has been implemented with this change.
|
| |
|
|
| |
Summary: Consistently deal with attr syntax info struct ref count when fetcvhing and returning them to the global hashtables.
|
| |
|
|
| |
Summary: Allow attribute aliases to be used as SUP attribute in attributetype definitions.
|
| |
|
|
| |
Summary: Fixed assertion when improperly deleting syntaxinfo.
|
| |
|
|
| |
Summary: Reject pre-hashed password from unprivileged users when password syntax checking is enabled. Don't check password syntax for pre-hashed password from privileged users.
|
| |
|
|
| |
Summary: Make password modify extended operation reset expired passwords.
|
| |
|
|
|
|
|
|
| |
Summary: Slow import post-processing with large number of non-leaf entries (comment #15)
Change description:
Fixed ldbm_ancestorid_new_idl_create_index so that the ancestor key has the
value including all the descendent ids in the IDlist. The code checked in
previously only stores the direct children and their children.
|
| |
|
|
| |
Description: aRecord not defined
|
| |
|
|
| |
Summary: Make password modify extop work properly with the password policy control.
|
| |
|
|
|
| |
Description: add sudo and hostObject schemas by default
Fix Description: added 60nss-ldap.ldif for the hostObject and other nss ldap schema
|
| |
|
|
|
|
|
|
|
| |
Bug Description: DirSync interval should be configurable
Reviewed by: nhosoi (Thanks!)
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value. Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server
Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
| |
Bug Description: Acceptance test: mmrepl {accept,chainonupdate} : slapd dumps core during accept_cleanup()
Reviewed by: nkinder (Thanks!)
Fix Description: Have to call ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE) after setting up the connection for client auth
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: nkinder (Thanks!)
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure. Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation.
I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot login - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
|
| |
|
|
| |
Summary: Add AUXILIARY keyword to domainRelatedObject and simpleSecurityObject definitions.
|
| |
|
|
|
|
|
|
|
| |
Summary: Approximate Search '~=' Returns unexpected result
Change description: increasing the maximum length of "phonetic" string from 4
to 6. The length 4 is sometimes too short to distinguish long words. For
instance, the sample string Queensland is converted to KNSLNT if there is no
limitation; Consulting is to KNSLTNK. By cutting them at the 5th character,
the 2 strings are considered to sound like each other.
|
| |
|
|
| |
Summary: Make regex filter code handle empty values properly.
|
| |
|
|
| |
Summary: Remove dependency on Term::ReadKey for password prompting in Perl scripts.
|
| |
|
|
| |
Summary: Expose internal operation flag via SLAPI.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Summary: ldapsearch with size limit (-z) doesn't work with OR filter and range search
Description:
SIZELIMIT is checked in index_range_read to eliminate the unnecessary data
retrieval. But when the filter contains a range search which is connected by
AND, then we should not do sizelimit. There was a bug in the function which
sets is_and. The flag should have been cleared only when the function set it
to 1. Instead, it was cleared each time the function is called. It let
index_range_read stop reading when it reaches sizelimit even though it should
not have.
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: winsync doesn't recognize some changes
Reviewed by: nkinder (Thanks!)
Fix Description: Before sending updates to AD, first check to see if the updates still apply. For modify/add operations, check to make sure the value to add doesn't exist. If it does, remove it from the list of values in the mod. If all values are removed, then just skip the modify/add op altogether. For modify/del ops, check to see if the attribute exists. If not, just skip the op. If it does exist, check to see if the values exist, and remove the values from the mod/del op that do not exist anymore. If all values have been removed, just skip the mod/del op.
I added a new slapi function - slapi_mod_init_valueset_byval - which will init a Slapi_Mod and init the list of values using a valueset. Fortunately there was already a function for converting a Slapi_Value** to a berval**.
I also fixed a few compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - add new function to slapi docs
|
| |
|
|
| |
Summary: Optimized fetching of remote entry when checking if a rename is needed with winsync.
|
| |
|
|
| |
Summary: Add support for synchronizing the cn attribute between DS and AD.
|
