path: root/ldap
Commit message | Author | Age | Files | Lines
...
* Bitwise Plugin: Bitwise filter doesn't return except the first entry if it's multi-valued
  Author: Rich Megginson  Date: 2009-09-25  Files: 1  Lines: -5/+9

  http://bugzilla.redhat.com/show_bug.cgi?id=518514
  Resolves: bug 518514
  Bug Description: Bitwise Plugin: Bitwise filter doesn't return except the first entry if it's multi-valued
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Get the values as a char ** - look through each one until we find one that matches.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
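The fix above says the matcher must walk every value of a multi-valued attribute rather than only the first. The following is an added example, not 389-ds plugin code: it evaluates a bitwise extensible-match filter (the standard AND/OR matching-rule OIDs) over constructed entries, with the corrected all-values matcher beside the first-value-only behaviour for comparison. The attribute name `testFlags` and the entries are assumptions for the example.

```python
# Added example (not 389-ds code): bitwise extensible-match filter evaluation
# that checks EVERY value of a multi-valued attribute. The rule OIDs are the
# standard bitwise AND / OR matching-rule OIDs; the entries are constructed.

BITWISE_AND = "1.2.840.113556.1.4.803"
BITWISE_OR = "1.2.840.113556.1.4.804"


def bitwise_match_value(rule, value, mask):
    """Apply one bitwise rule to one attribute value (a decimal string)."""
    try:
        v = int(value)
    except ValueError:
        return False  # a value that is not an integer never matches
    if rule == BITWISE_AND:
        return (v & mask) == mask  # all bits of the mask are set
    if rule == BITWISE_OR:
        return (v & mask) != 0  # at least one bit of the mask is set
    raise ValueError("unknown bitwise matching rule: " + rule)


def entry_matches(entry, attr, rule, mask):
    """Fixed logic: walk the whole list of values, stop at the first match."""
    return any(bitwise_match_value(rule, v, mask) for v in entry.get(attr, []))


def entry_matches_first_only(entry, attr, rule, mask):
    """Pre-fix behaviour, for comparison: only the first value is examined."""
    values = entry.get(attr, [])
    return bool(values) and bitwise_match_value(rule, values[0], mask)


def bitwise_filter(entries, attr, rule, mask, matcher=entry_matches):
    """Evaluate the filter (attr:rule:=mask) over a dict of dn -> entry."""
    return [dn for dn, e in entries.items() if matcher(e, attr, rule, mask)]


# Constructed sample data: testFlags is an integer-valued, multi-valued attribute.
SAMPLE_ENTRIES = {
    "uid=a,dc=example,dc=com": {"testFlags": ["1"]},
    "uid=b,dc=example,dc=com": {"testFlags": ["2", "9"]},  # bit 0 only in 2nd value
    "uid=c,dc=example,dc=com": {"testFlags": ["8"]},
    "uid=d,dc=example,dc=com": {"testFlags": ["x"]},       # malformed value
    "uid=e,dc=example,dc=com": {},
}

if __name__ == "__main__":
    print(bitwise_filter(SAMPLE_ENTRIES, "testFlags", BITWISE_AND, 1))
    print(bitwise_filter(SAMPLE_ENTRIES, "testFlags", BITWISE_AND, 1,
                         matcher=entry_matches_first_only))
```

With mask 1 the corrected matcher returns `uid=a` and `uid=b`; the first-value-only matcher misses `uid=b`, which is exactly the reported symptom.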
* Allow anonymous access to be disabled.
  Author: Nathan Kinder  Date: 2009-09-24  Files: 7  Lines: -4/+74

  This adds a new config switch (nsslapd-allow-anonymous-access) that allows one to restrict all anonymous access. When this is enabled, the connection dispatch code will only allow BIND operations through for an unauthenticated user. The BIND code will only allow the operation through if it's not an anonymous or unauthenticated BIND.

  I also fixed a missing capability in the SELinux policy that I ran into while testing this patch.
* MODIFY/replace with empty values does not ignore missing or unknown attributes
  Author: Rich Megginson  Date: 2009-09-24  Files: 1  Lines: -2/+5

  https://bugzilla.redhat.com/show_bug.cgi?id=516305
  Resolves: bug 516305
  Bug Description: MODIFY/replace with empty values does not ignore missing or unknown attributes
  Reviewed by: nhosoi (Thanks!)
  Fix Description: The function mods_have_effect() did not work correctly. It would set the flag have_effect = 0 the first time a type was not found. Then if a subsequent mod would apply, it would still return have_effect = 0. What it should do is keep looking for all mod types in the list of mods to see if any of them would apply, and return have_effect = 1 if at least one of them would apply. This corresponds to RFC 4511 section 4.6:
    replace: replace all existing values of the modification attribute with the new values listed, creating the attribute if it did not already exist. A replace with no value will delete the entire attribute if it exists, and it is ignored if the attribute does not exist.
  So the proper behavior is to ignore attributes that do not exist, and to apply the rest.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
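The RFC 4511 section 4.6 semantics described in this fix can be stated compactly in code. The following is an added example, not the 389-ds `mods_have_effect()` implementation: it evaluates a list of mods against a constructed entry, treats a replace-with-no-values on a missing attribute as a no-op rather than a failure, and reports an effect if any mod applies. The corrected scan is shown beside the sticky-flag behaviour the message describes. The entry and mod representation are assumptions for the example.

```python
# Added example (not the 389-ds mods_have_effect() code): decide whether a
# MODIFY request would change an entry, following RFC 4511 section 4.6.
# Entries are dicts of attr -> list of values; mods are (op, attr, values).
# Attribute types compare case-insensitively, values case-sensitively.

def _values(entry, attr):
    """Values of attr in entry (attribute type match is case-insensitive)."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def mod_has_effect(entry, mod):
    """mod is (op, attr, values) with op in {"add", "delete", "replace"}."""
    op, attr, values = mod
    existing = _values(entry, attr)
    if op == "replace":
        if not values:
            # Replace with no values: deletes the attribute if it exists,
            # and is ignored (no effect, no error) if it does not.
            return bool(existing)
        return sorted(values) != sorted(existing)
    if op == "add":
        return any(v not in existing for v in values)
    if op == "delete":
        # Deleting a missing attribute/value is a protocol error in LDAP;
        # this example only reports it as "no effect".
        if not values:
            return bool(existing)
        return any(v in existing for v in values)
    raise ValueError("unknown modify operation: " + op)


def mods_have_effect(entry, mods):
    """Fixed logic: keep scanning all mods; any one effective mod is enough."""
    return any(mod_has_effect(entry, m) for m in mods)


def mods_have_effect_buggy(entry, mods):
    """Pre-fix logic, for comparison: the first mod that does not apply
    clears the flag and nothing later sets it again."""
    have_effect = 1
    for m in mods:
        if not mod_has_effect(entry, m):
            have_effect = 0
    return bool(have_effect)


# Constructed sample entry and the mod list from the bug: an empty replace on
# an attribute the entry lacks, followed by a replace that does change it.
SAMPLE_ENTRY = {"cn": ["Alice"], "sn": ["Smith"]}
SAMPLE_MODS = [("replace", "description", []), ("replace", "sn", ["Jones"])]

if __name__ == "__main__":
    print(mods_have_effect(SAMPLE_ENTRY, SAMPLE_MODS))        # True
    print(mods_have_effect_buggy(SAMPLE_ENTRY, SAMPLE_MODS))  # False
```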
* empty principal name used when using server to server sasl for db chaining
  Author: Rich Megginson  Date: 2009-09-23  Files: 1  Lines: -3/+6

  https://bugzilla.redhat.com/show_bug.cgi?id=513308
  Resolves: bug 513308
  Bug Description: empty principal name used when using server to server sasl for db chaining
  Reviewed by: nhosoi (Thanks!)
  Fix Description: Change the logic to check if the username is a valid principal name. A valid principal name in this context will be a non-empty string that does not contain the '=' character (which will be a bind DN in this context).
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* Should not attempt to pop SASL IO layer if not using SASL IO
  Author: Rich Megginson  Date: 2009-09-23  Files: 2  Lines: -2/+13

  https://bugzilla.redhat.com/show_bug.cgi?id=519455
  Resolves: bug 519455
  Bug Description: Should not attempt to pop SASL IO layer if not using SASL IO
  Reviewed by: nkinder (Thanks!)
  Fix Description: Before attempting to pop the SASL IO layer from the prfd, first make sure we are using sasl IO, the prfd is not NULL, and the prfd has a SASL IO layer on it. This also fixes a bug with setting nsslapd-localhost in the bootstrap code - if you are using a system that does not have DNS configured correctly, you may want to force the SASL code to use the nsslapd-localhost for the FQDN.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* logs created at startup can get wrong file mode
  Author: Rich Megginson  Date: 2009-09-23  Files: 1  Lines: -10/+38

  https://bugzilla.redhat.com/show_bug.cgi?id=518279
  Resolves: bug 518279
  Bug Description: logs created at startup can get wrong file mode
  Reviewed by: nkinder (Thanks!)
  Fix Description: Try to apply the mode using chmod() if a log file has been specified. If and only if the log file has not been set, or if the chmod() succeeds, apply the changes to the internal config.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* 389-ds-base/glibmm24: conflicting perl provides
  Author: Rich Megginson  Date: 2009-09-21  Files: 12  Lines: -19/+18

  https://bugzilla.redhat.com/show_bug.cgi?id=523476
  Resolves: bug 523476
  Bug Description: 389-ds-base/glibmm24: conflicting perl provides
  Reviewed by: nhosoi (Thanks!)
  Files: see diff
  Fix Description: Rename "Util" to "DSUtil"
  Platforms tested: Fedora 11 x86_64
  Flag Day: no
  Doc impact: no
* Add update code - make setup-ds.pl -u do updates
  Author: Rich Megginson  Date: 2009-09-21  Files: 39  Lines: -94/+1447

  Updates are implemented in:
    perl - code that plugs in to setup - scriptlets that are imported into the setup perl interpreter and executed in process, giving access to all of the packages and context provided by setup
    ldif - applied to instances, in the same manner as ConfigFile directives to setup
    other - any executable file, shell script, etc. can be invoked, with a limited amount of context from the setup process

  An update directory is added to the package - /usr/share/dirsrv/update - this directory contains the update files - the update filenames begin with two digits and are executed in numeric order (00 first, then 01, etc. up to 99) which should provide enough flexibility.

  In addition, there are 5 stages of update:
    pre - invoked before any instance specific code
    preinst, runinst, postinst - invoked for each instance
    post - invoked after any instance specific code

  Example files are provided which demonstrate how to get the context.

  There are two different modes of operation for update:
    online - must supply a bind dn and password for each instance - servers must be up and running
    offline - operates directly on the dse.ldif - servers must be shut down first

  A new section is added to the .inf file that can be passed in:
    [slapd-instancename]
    RootDN = binddn
    RootDNPwd = bindpw
  The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.

  I also fixed some problems with error messages. The pam pta plugin entry was giving object class violations, so I added the missing attributes - note that these are replaced by the plugin code when the plugin is loaded - they are only needed during setup.

  Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which means if you use it in an outer context, you cannot use it in an inner context, even if it is used in a different function. Rather than attempting to figure out how to use $_ safely in lower level functions, I just removed the use of it altogether, which also makes the code easier to read.

  Reviewed by: nhosoi (Thanks!) - fixed minor issues found
  Platforms tested: Fedora 11
* Add SELinux policy for ldap-agent.
  Author: Nathan Kinder  Date: 2009-09-17  Files: 3  Lines: -20/+49

  This adds SELinux policy to confine the SNMP subagent (ldap-agent). There were some changes required around the subagent to make it work in a more standard fashion.

  I moved the ldap-agent binary and wrapper to sbindir. It was previously in bindir, yet it is not a user command. The location really should be sbindir per FHS.

  I added init scripts for the subagent, so it can now be managed using "service dirsrv-snmp [start|stop|restart|condrestart|status]". While doing this, I found that the parent process was exiting with 1 on success instead of 0, so I fixed that.

  I added a default config file for the subagent as well. When using the init script, the config file is hardcoded into this standard location. Having this config template should also hopefully cut down on configuration errors since it's self documenting.

  The pid file location was also changed to go into /var/run per FHS. Previously, it was written to the same directory as the log file.

  There are a few notes in the policy .te file about some bugs that we are working around for now. These bugs are mainly minor issues in the snmp policy that is a part of the selinux-policy package. Once those bugs are fixed, we can clean our policy .te file up.
* Add selinux policy for ns-slapd
  Author: Nathan Kinder  Date: 2009-09-09  Files: 4  Lines: -4/+111

  This adds a "dirsrv" selinux policy module to confine the ns-slapd daemon. The setup and migration perl modules were changed to take care of any relabeling of installed files if selinux support was compiled in.

  The build system now takes a "--with-selinux" option that will compile the dirsrv policy module and enable any selinux specific setup code.

  To use the dirsrv policy module, the module will need to be loaded using the semodule utility. It is also necessary to relabel the installed files using restorecon after performing a make install. All of this will be taken care of in the spec file in the case of using an RPM package.
* Add EntryUSN to the nsslapd-exclude-from-export list
  Author: Noriko Hosoi  Date: 2009-09-03  Files: 1  Lines: -1/+1

  See also http://directory.fedoraproject.org/wiki/Entry_USN#Standalone.
* 516089 RFE: ldclt utility should support new dereferencing control searches
  Author: Noriko Hosoi  Date: 2009-09-01  Files: 4  Lines: -46/+158

  Adding "-e deref" option to ldclt.
  Add mode (-e add): "-e deref" adds "secretary: <DN>" to the entry. This is true when the entry's objectclass is inetOrgPerson (-e inetOrgPerson).
  Search mode (-e esearch): "-e deref" sets dereference control to the search, where the dereference attribute and dereferenced attribute are hardcoded to "secretary" and "cn", respectively.
  Usage:
    ldclt [...] -e add -e random -e inetOrgPerson -e deref -f test_XX
    ldclt [...] -e esearch -e random -e inetOrgPerson -e deref -f test_XX
* Clean up build warnings
  Author: Rich Megginson  Date: 2009-08-31  Files: 6  Lines: -7/+7

  This cleans up the following warnings:
    ds.git/ldap/servers/slapd/back-ldbm/ldbm_usn.c:102: warning: unused variable 'li'
    ds.git/ldap/servers/plugins/replication/repl5_agmt.c:1184: warning: too many arguments for format
    ds.git/ldap/servers/plugins/syntaxes/dn.c:143: warning: unused variable 'val_copy'
    ds.git/ldap/servers/plugins/syntaxes/deliverymethod.c:264: warning: unused variable 'p'
    ds.git/ldap/servers/plugins/syntaxes/facsimile.c:269: warning: unused variable 'p'
    ds.git/ldap/servers/plugins/usn/usn.c:107: warning: value computed is not used
    ds.git/ldap/servers/plugins/usn/usn.c:263: warning: control reaches end of non-void function
    ds.git/ldap/servers/plugins/usn/usn.c:525: warning: control reaches end of non-void function
  The only one I'm not sure about is changing usn_get_attr to always return a 0 - please review that usage. With these fixes, I only see the llu and lld format warnings on RHEL5 with the default rpmbuild compiler flags.
  Reviewed by: nhosoi (Thanks!)
* Plugin Default Config Entry
  Author: Noriko Hosoi  Date: 2009-08-31  Files: 8  Lines: -40/+330

  Design doc: http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_Entr

  New slapi APIs in libslapd:

  int slapi_set_plugin_default_config(const char *type, Slapi_Value *value);
    Description: Add given "type: value" to the plugin default config entry (cn=plugin default config,cn=config) unless the same "type: value" pair already exists in the entry.
    Parameters:
      type - Attribute type to add to the default config entry
      value - Attribute value to add to the default config entry
    Return Value:
      0 if the operation was successful
      non-0 if the operation was not successful

  int slapi_get_plugin_default_config(char *type, Slapi_ValueSet **valueset);
    Description: Get attribute values of given type from the plugin default config entry (cn=plugin default config,cn=config).
    Parameters:
      type - Attribute type to get from the default config entry
      valueset - Valueset holding the attribute values
    Return Value:
      0 if the operation was successful
      non-0 if the operation was not successful
    warning: Caller is responsible to free attrs by slapi_ch_array_free

  Changes in the Replication plugin:
  1) Functions to set replicated attributes agmt_set_replicated_attributes_from_attr and agmt_set_replicated_attributes_from_entry call _agmt_set_default_fractional_attrs to set the default excluded attribute list from the plugin default config entry before setting them from each replication agreement. To support it, agmt_parse_excluded_attrs_config_attr is changed to be re-entrant.
  2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
  3) Added a check for the duplicated fractional attributes.

  Changes in the USN plugin:
  1) usn_start calls slapi_set_plugin_default_config to add "entryusn" to the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the plugin default config entry.
  2) fix for the bug 518673 - entryusn: wrong lastusn value; When the entryusn is not assigned yet, the next value to be set is 0. Lastusn is calculated as (the next entryusn - 1). Although the entryusn is 64-bit unsigned long, it should be printed as a 64-bit signed integer for lastusn.

  Other: Fixed a compiler error in ldap/servers/slapd/dse.c.
* Need to store additional attributes in Retro Changelog
  Author: Rich Megginson  Date: 2009-08-25  Files: 5  Lines: -16/+104

  https://bugzilla.redhat.com/show_bug.cgi?id=504651
  Resolves: 504651
  Bug Description: Need to store additional attributes in Retro Changelog
  Submitted by: Endi Sukma Dewata <edewata@redhat.com>
  Reviewed by: rmeggins (thanks!)
  Platforms tested: FC10 x86_64
  Fix Description: The fix allows recording some user-defined attributes from the target entry of the operation (e.g. objectGUID) and built-in attributes generated by the plugin (e.g. isReplicated) into the change log entry. The attributes should be specified in the configuration entry:
    dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
    ...
    nsslapd-attribute: objectGUID
    nsslapd-attribute: isReplicated
  The change log entry will contain the additional attributes:
    dn: changeNumber=...,cn=changelog
    ...
    objectGUID: ...
    isReplicated: ...
* Fails to start if attrcrypt can't unwrap keys
  Author: Rich Megginson  Date: 2009-08-25  Files: 1  Lines: -0/+4

  https://bugzilla.redhat.com/show_bug.cgi?id=519065
  Resolves: 519065
  Bug Description: Fails to start if attrcrypt can't unwrap keys
  Reviewed by: nhosoi (Thanks!)
  Fix Description: If not using the attrcrypt feature, just return success if the keys could not be unwrapped.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* https://bugzilla.redhat.com/show_bug.cgi?id=487425
  Author: Rich Megginson  Date: 2009-08-25  Files: 2  Lines: -2/+1

  Resolves: bug 487425
  Bug Description: slapd crashes after changelog is moved
  Reviewed by: rmeggins
  Fix Description: Call clcache_set_config after the global changelog cache pool has been allocated.
  Platforms tested: HPUX 11 (PA-RISC 2.0 64-bit)
  Flag Day: no
  Doc impact: no
* Retry SASL writes if buffer not fully sent
  Author: Rich Megginson  Date: 2009-08-21  Files: 2  Lines: -25/+71

  https://bugzilla.redhat.com/show_bug.cgi?id=518544
  Resolves: bug 518544
  Bug Description: large entries cause server SASL responses to fail
  Reviewed by: nhosoi (Thanks!)
  Branch: HEAD and 1.2
  Fix Description: The SASL server code was broken when we switched over to use NSPR I/O for the SASL IO layer. If the entire encrypted buffer could not be sent to the client, the server was just failing. Instead, the server must keep track of how many encrypted bytes were sent. If all of the encrypted bytes could not be sent, we must return the appropriate error to the caller to let them know the operation would block. The caller in this case is the write_function() which does a poll() to see if the socket is available for writing again, then will attempt the send again. I also cleaned up usage of the various Debug macros. Finally, I discovered that the sasl init code was calling config_get_localhost() before that value could be set. In most cases, it is ok, because it will fall back to the default hostname from the system. However, if for some reason you want to use a different localhost, it will fail. Now it will be set in the bootstrap config code.
  Platforms tested: RHEL5 x86_64
  Flag Day: no
  Doc impact: no
* Fix usage of pre-hashed salted passwords
  Author: Rich Megginson  Date: 2009-08-20  Files: 1  Lines: -13/+26

  Pre-hashed passwords may not use the standard internal salt length. The old ldif base64 decode function would return the number of bytes in the decoded string - the new NSPR function does not. We can't use strlen on the decoded value since it is binary and may contain nulls. The solution is to use a function to calculate exactly how many bytes the encoded string will have when decoded, taking into account padding. Since we know exactly how many bytes are decoded, and we know exactly how many bytes of that decoded value are the hash, the remainder must be the salt, however many bytes that is. I tested this code with salt lengths from 1 to 99.
  Reviewed by: nkinder (Thanks!)
* 509472 db2index all does not reindex all the db backends correctly
  Author: Noriko Hosoi  Date: 2009-08-20  Files: 1  Lines: -4/+6

  The commit a26ba73fb5040383c27872997bc07ab0c2006459 made to fix the bug 509472 put the assertion at the wrong place. It should be applied just for the worker thread.
* Add centralized start/stop/restart scripts.
  Author: Nathan Kinder  Date: 2009-08-14  Files: 9  Lines: -128/+292

  This adds centralized start, stop, and restart scripts for ns-slapd. These scripts live in the sbin directory and will act upon all instances if an instance identifier is not specified (similar to the init script). The instance specific scripts have been modified to call the new centralized scripts.

  The instance specific parameters needed by the new scripts are located in the instance specific initconfig scripts, which are now created by setup-ds.pl with values mapped from the inf file.
* 506786 Index maintenance mechanism causes wrong search results when modifying attributes with subtypes
  Author: Noriko Hosoi  Date: 2009-08-12  Files: 1  Lines: -0/+3

  Andrey Ivanov (andrey.ivanov@polytechnique.fr) pointed out my previous check-in for bug 506786 had inefficient code. To determine whether to delete an equality index key or not, the code checks the key still exists in the value array having the same attribute type. The check should be done as soon as one value is found in the value array instead of checking through all of them.
* fix pcre build issues
  Author: Rich Megginson  Date: 2009-08-12  Files: 2  Lines: -3/+3

  Reviewed by: nkinder (Thanks!)
* Change default branding to 389 - remove lite code
  Author: Rich Megginson  Date: 2009-08-11  Files: 123  Lines: -957/+220

  The vendor, brand, and capbrand are set in configure - we should use those everywhere rather than have to run some sort of script over the code to change vendor, brand, version, etc. I've added VENDOR, BRAND, CAPBRAND to the default defines passed to the compiler, and changed the code to use these defines. And instead of the unintuitively named PRODUCTTEXT macro, we should use the already defined PRODUCT_VERSION. This allowed me to get rid of some code. The version was from a generated file called dirver.h which we don't need anymore, and we don't need the perl script dirver.pl which generated it. The vendor string was coming from the dirlite header file. So I also used this as an excuse to get rid of all references to dirlite once and for all (yay!). For the places in plain text files which are not substituted, I just used the generic name Dirsrv or Directory Server instead of having an explicit brand and/or version in there.
  Reviewed by: nkinder (Thanks!)
* 506786 Index maintenance mechanism causes wrong search results when modifying attributes with subtypes
  Author: Noriko Hosoi  Date: 2009-08-10  Files: 1  Lines: -19/+23

  When there are identical attribute value pairs except subtypes exist in an entry, if one of the pairs are deleted, it should not affect the index the attribute value is the key. e.g.,
    mail: abc
    mail;en: abc
    mail;fr: xyz
  removing mail=abc or mail;en=abc, should not remove =abc from the mail.db#.

  This fix uses the value array evals to determine if the equality key in the index should be deleted or not. The value array evals stores the values of the attribute in the entry after the deletion is done. If evals is empty, it means the to-be-deleted attribute value pair is the only pair in the entry. Thus, the equality key can be removed from the index. If evals has values, then the to-be-deleted attribute (curr_attr, which was retrieved from the old entry) value needs to be checked if it's in evals or not. If it is in evals, the equality key is still used by other pair(s). So, leave it. Otherwise, the key can be removed.

  In the above example, let's assume removing mail=abc. evals holds {"abc", "xyz"}. curr_attr abc is in evals, thus =abc will not be removed.
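The rule spelled out above (keep the equality key while any subtype of the attribute still holds the value, drop it only when none does) can be modelled with a small in-memory index. The following is an added example, not the 389-ds back-ldbm code: the normalisation function, the index structure and the entry are constructed stand-ins for the matching rule and the `mail.db#` file, and the pre-fix behaviour is kept alongside for comparison.

```python
# Added example (not the 389-ds back-ldbm index code): equality-index key
# maintenance when attribute subtypes share a value. The normalisation and
# the in-memory index are constructed stand-ins for the matching rule and
# the mail.db# index file.
from collections import defaultdict


def base_type(attr):
    """'mail;en' -> 'mail': subtype options do not get their own index."""
    return attr.split(";", 1)[0].lower()


def norm(value):
    """Constructed caseIgnore-style normalisation of an equality key."""
    return " ".join(value.split()).lower()


class EqualityIndex:
    """(base type, normalised value) -> set of entry IDs that carry it."""

    def __init__(self):
        self.keys = defaultdict(set)

    def add_entry(self, eid, entry):
        for attr, values in entry.items():
            for v in values:
                self.keys[(base_type(attr), norm(v))].add(eid)

    def _drop(self, key, eid):
        self.keys[key].discard(eid)
        if not self.keys[key]:
            del self.keys[key]

    def delete_value(self, eid, entry, attr, value):
        """Remove one value from the entry and fix the index (corrected logic)."""
        entry[attr].remove(value)
        if not entry[attr]:
            del entry[attr]
        bt = base_type(attr)
        # evals: every value of the same base type still present after the
        # delete, across all subtypes of that attribute.
        evals = {norm(v) for a, vs in entry.items() if base_type(a) == bt for v in vs}
        if norm(value) in evals:
            return  # another subtype still holds this value: keep the key
        self._drop((bt, norm(value)), eid)

    def delete_value_buggy(self, eid, entry, attr, value):
        """Pre-fix behaviour, for comparison: the key goes as soon as any one
        attribute/value pair carrying it is removed."""
        entry[attr].remove(value)
        if not entry[attr]:
            del entry[attr]
        self._drop((base_type(attr), norm(value)), eid)

    def lookup(self, attr, value):
        """Entry IDs an equality search (attr=value) would return."""
        return set(self.keys.get((base_type(attr), norm(value)), ()))


def make_entry():
    """Constructed entry matching the example in the commit message."""
    return {"mail": ["abc"], "mail;en": ["abc"], "mail;fr": ["xyz"]}


if __name__ == "__main__":
    idx, entry = EqualityIndex(), make_entry()
    idx.add_entry(1, entry)
    idx.delete_value(1, entry, "mail", "abc")
    print(idx.lookup("mail", "abc"))  # {1}: mail;en still has abc
```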
* 509472 db2index all does not reindex all the db backends correctly
  Author: Noriko Hosoi  Date: 2009-08-06  Files: 4  Lines: -26/+31

  db2index all (internally, called upgradedb) reads through the main db id2entry.db# and reindexes all the associated indexed attributes. The reindex borrows the import code where the entry id is newly assigned. The new entry id's are connective. On the other hand, entry id's of the entries in the db to be reindexed are not. The borrowed import code assumes the entry id and the index of the fifo are tightly coupled and the timing when the writing to and reading from the fifo are calculated based upon the assumption. The assumption should have been revised so that the entry id which is available up to is kept in ready_EID in the job structure and entry id from each entry (entry->ep_id) is compared with ready_EID instead of ready_ID that holds the sequential number.

  Additionally, I eliminated unused variable "shift" from import_fifo_fetch.

  Also, _dblayer_delete_instance_dir cleans up files and directories, recursively.
* 513916 Server doesn't ignore paged control, if page size and server's estimate of total no of entries are same
  Author: Noriko Hosoi  Date: 2009-08-04  Files: 17  Lines: -38/+163

  The code processing search results was returning the PAGE END without knowing whether there are more entries to return or not. To learn it, introduced "read ahead" one entry when it comes to the PAGE END. If there are more entries, the code undoes the read ahead, which prompts for the next page on the client side. If there are no more entries, it returns the status SEARCH END instead of PAGE END.

  In addition to the read ahead implementation to fix the bug 513916,
  * supporting Simple Paged Results for chaining backend is added.
  * fixed a bug in idl_new_fetch (idl_new.c) -- idlistscanlimit was not checked when the cursor comes to the end of an index file.
* Bug 514955 - Make DNA handle multiple mods
  Author: Nathan Kinder  Date: 2009-07-31  Files: 1  Lines: -5/+12

  DNA doesn't handle multiple mods to a managed attribute in the same modify operation properly. If an operation such as deleting a managed value triggers generation, we aren't checking if another mod in the same operation is actually adding a new value. This triggers us to generate a value when we really shouldn't.

  The fix is to unset the generate flag if we find a subsequent mod to the same managed type. It will be reset if we truly need to generate a new value.
* GroupOfUniqueNames in template.ldif must have uniqueMember
  Author: Noriko Hosoi  Date: 2009-07-31  Files: 2  Lines: -0/+13

  %rootdn% (Directory Manager) has all rights on every entry by nature. Thus, it is not needed to give any acis. This template has several groupOfUniqueNames objects which MUST have uniqueMember. At this moment, there is no entry which could be a uniqueMember. Just to satisfy the objectclass, set %rootdn% to uniqueMember of the objectclass.
* Bug 514848: Make selfwrite ACI keyword work with Name And Optional UID syntax attributes.
  Author: Nathan Kinder  Date: 2009-07-30  Files: 1  Lines: -2/+3

  The selfwrite ACI keyword currently only applies when writing to attributes using the Distinguished Name syntax. It needs to also work with the Name And Optional UID syntax since that is the syntax used for the uniqueMember attribute.
* Bug 514824: Fix double free in macro ACI code.
  Author: Nathan Kinder  Date: 2009-07-30  Files: 1  Lines: -5/+15

  If you have an ACI with multiple macros in it and the second attribute does not exist in the entry you are bound as, the in-memory list used for macro substitution is free'd twice. The code hands the charray it plans to return after substitution over to a working list, but it doesn't set the return list to NULL. When the second macro attribute is not found, the working list is free'd, yet the address is returned to the caller, who then tries to free the list a second time.

  The fix is to set the list to be returned to NULL when the memory is handed over to the working list.
* 514770 remove per-entry response control for GER and Paged Results
  Author: Noriko Hosoi  Date: 2009-07-30  Files: 1  Lines: -30/+0

  Since per-entry response controls are ignored by the ldapsearch client, we are getting rid of the unnecessary write_controls calls for Simple Paged Results and GER.
* Dereference support
  Author: Rich Megginson  Date: 2009-07-29  Files: 7  Lines: -29/+949

  This adds support for the newly proposed LDAP Dereference feature (not to be confused with alias dereferencing). The details of the proposed feature can be found here:
    http://www.openldap.org/devel/cvsweb.cgi/~checkout~/doc/drafts/draft-masarati-ldap-deref-xx.txt

  This adds a new deref plugin to the directory server. This is a pre op search plugin. In order to allow the plugin to rewrite the controls sent back with each entry, I changed the way pre-search and pre-entry plugins work. They now have the ability to alter the entry and controls just before being sent back to the client. This plugin does not currently support internal operations. It should be easy to add a call to register the plugin for internal ops if we need to do that.

  The code supports real, computed (e.g. memberOf), and virtual attributes both as the attribute to dereference and in the list of attributes to return from each dereferenced entry. This will allow us to use attributes such as nsRole as the derefattr.

  Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients. valgrind output is clean.
* Apply SYNTAX_DN to Name And Optional UID
  Author: Noriko Hosoi  Date: 2009-07-29  Files: 1  Lines: -6/+7

  Based on RFC2252, NameAndOptionalUID = DistinguishedName [ "#" bitstring ]
* Change aci syntax to Directory String.
  Author: Nathan Kinder  Date: 2009-07-27  Files: 1  Lines: -1/+1

  The aci attribute is currently defined with a syntax of IA5 String. This syntax only allows 7-bit characters. Now that the server has support for syntax validation, this would prevent one from using international characters in aci rules.

  This patch defines the aci attribute with the Directory String syntax, which allows any valid UTF8 character.
* Revert "513019 nsslapd-lookthroughlimit is not respected"
  Author: Noriko Hosoi  Date: 2009-07-23  Files: 1  Lines: -3/+0

  This reverts commit 1e3138f1d41562d6f42a8fdf0934af23219bb8e1.

  Misunderstood nsslapd-lookthroughlimit. Regardless of the filter test result, once it hits the lookthroughlimit, the search should be aborted there. That's what the original code does and that is correct.
* 513172 Simple Paged Results does not respect nsslapd-sizelimit
  Author: Noriko Hosoi  Date: 2009-07-22  Files: 2  Lines: -7/+18

  SPR returns one page in one operation. Let the search_result_set keep the current sizelimit and make the sizelimit work beyond operations.
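Two of the Simple Paged Results commits above (513916, the one-entry read-ahead at page end, and 513172, carrying the size limit across operations) describe server-side state that is easier to see in code than in prose. The following is an added example, not the 389-ds search_result_set code: a minimal RFC 2696 pager that reads one entry ahead so it can return an empty cookie instead of an extra empty page, and keeps the sent-entry count in the per-search result set so `nsslapd-sizelimit` bounds the whole search rather than each page. The cookie scheme, result codes and entry source are constructed.

```python
# Added example (not 389-ds code): server-side Simple Paged Results
# (RFC 2696) with a one-entry read-ahead at the page boundary and a size
# limit kept in the result-set state so it applies across pages. The entry
# source, cookie scheme and in-memory state are constructed.
from dataclasses import dataclass
from typing import Iterator, Optional

SUCCESS = 0
SIZELIMIT_EXCEEDED = 4  # LDAP resultCode sizeLimitExceeded


@dataclass
class ResultSet:
    candidates: Iterator[dict]
    sizelimit: int                    # nsslapd-sizelimit, total for the search
    sent: int = 0                     # survives from one page request to the next
    lookahead: Optional[dict] = None  # the one entry read ahead, if any


class PagedSearch:
    """Open result sets keyed by cookie (a real server keys them per connection)."""

    def __init__(self):
        self._sets = {}
        self._next_cookie = 1

    def _fetch(self, rs):
        if rs.lookahead is not None:
            entry, rs.lookahead = rs.lookahead, None  # undo the read-ahead
            return entry
        return next(rs.candidates, None)

    def search(self, entries, page_size, sizelimit, cookie=""):
        """Return (page, cookie, result_code); an empty cookie ends the search."""
        if cookie == "":
            cookie = str(self._next_cookie)
            self._next_cookie += 1
            self._sets[cookie] = ResultSet(iter(entries), sizelimit)
        rs = self._sets[cookie]

        page = []
        while len(page) < page_size:
            entry = self._fetch(rs)
            if entry is None:
                break
            if rs.sent >= rs.sizelimit:  # limit counts entries from ALL pages
                del self._sets[cookie]
                return page, "", SIZELIMIT_EXCEEDED
            page.append(entry)
            rs.sent += 1

        # Read ahead one entry. Nothing left: report SEARCH END (empty cookie)
        # now, instead of making the client ask for a further, empty page.
        rs.lookahead = self._fetch(rs)
        if rs.lookahead is None:
            del self._sets[cookie]
            return page, "", SUCCESS
        if rs.sent >= rs.sizelimit:
            del self._sets[cookie]
            return page, "", SIZELIMIT_EXCEEDED
        return page, cookie, SUCCESS


def run_paged(entries, page_size, sizelimit):
    """Drive a whole paged search; returns (list of pages of DNs, final result code)."""
    server = PagedSearch()
    pages, cookie = [], ""
    while True:
        page, cookie, rc = server.search(entries, page_size, sizelimit, cookie)
        pages.append([e["dn"] for e in page])
        if cookie == "":
            return pages, rc


# Constructed candidate list: seven entries.
SAMPLE = [{"dn": "uid=%d,ou=people,dc=example,dc=com" % i} for i in range(7)]

if __name__ == "__main__":
    print(run_paged(SAMPLE, 3, 100))  # three pages (3, 3, 1), no empty fourth page
    print(run_paged(SAMPLE, 3, 5))    # pages (3, 2) then sizeLimitExceeded
```

With a page size of 3 and no effective limit, the read-ahead lets the third page carry the empty cookie, so the client never has to request a fourth, empty page. With `sizelimit` 5 the second page is cut at two entries, because the count persists in the result set between operations instead of restarting at zero for every page.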
* 513170 NULL search result does not return sort control
  Author: Noriko Hosoi  Date: 2009-07-22  Files: 1  Lines: -1/+17

  When sort request control is given, even if the search result is NULL, sort response control should be created and passed to the client.
* Entry USN
  Author: Noriko Hosoi  Date: 2009-07-21  Files: 23  Lines: -62/+1644

  First cut for implementing Entry USN. See http://directory.fedoraproject.org/wiki/Entry_USN for the design details.

  This change includes a bug fix for "db2ldif -r"; event queue system was not shutdown before the plugins are closed, which could have crashed the command line utility.
* 513019 nsslapd-lookthroughlimit is not respected
  Author: Noriko Hosoi  Date: 2009-07-21  Files: 1  Lines: -0/+3

  When filter test is necessary against the search results and the test fails, lookthroughcount attached to the search result structure should have been decremented since the entry will not be sent to the client, but it was not. This change fixes it.
* Use LDAPv3 DN values in ns-newpwpolicy script.
  Author: Nathan Kinder  Date: 2009-07-21  Files: 1  Lines: -9/+13

  The DNs used by the ns-newpwpolicy script to refer to the pwpolicy subentries are not legal. We need to escape ',' chars in the value instead of just trying to use double-quotes around the value.
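The escaping rule this commit applies is the RFC 4514 one: a ',' (and the other special characters) inside an RDN value is preceded by a backslash, rather than the whole value being wrapped in double quotes as LDAPv2 allowed. The following is an added example, not the ns-newpwpolicy script itself: an escaper and matching unescaper, plus a constructed helper that builds a subentry DN whose `cn` value is another DN, which is the case where unescaped commas break the DN. The helper name and the sample DNs are assumptions for the example.

```python
# Added example (not the ns-newpwpolicy script): LDAPv3 DN value escaping per
# RFC 4514 section 2.4. A ',' inside a value is escaped with a backslash
# rather than the value being wrapped in double quotes (the LDAPv2 form).
# Sample values are constructed.

_ALWAYS_ESCAPE = set(',+"\\<>;')  # special anywhere in a value


def escape_dn_value(value):
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                     # NUL must use the hex form
        elif (ch in _ALWAYS_ESCAPE
              or (ch == "#" and i == 0)            # '#' only when leading
              or (ch == " " and i in (0, last))):  # space only at either end
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def unescape_dn_value(escaped):
    """Inverse of escape_dn_value; also accepts the \\XX hex-pair form."""
    out, i = [], 0
    hexdigits = "0123456789abcdefABCDEF"
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(escaped):
            raise ValueError("dangling backslash in DN value")
        pair = escaped[i + 1:i + 3]
        if len(pair) == 2 and all(c in hexdigits for c in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        else:
            out.append(escaped[i + 1])
            i += 2
    return "".join(out)


def build_dn(*rdns):
    """rdns are (attr, raw value) pairs, most specific first."""
    return ",".join("%s=%s" % (attr, escape_dn_value(val)) for attr, val in rdns)


def pwpolicy_subentry_dn(target_dn, container_dn):
    """Constructed shape of the DN the script builds: the target's own DN is
    the value of the cn RDN, so every ',' inside it must be escaped."""
    return build_dn(("cn", target_dn)) + "," + container_dn


if __name__ == "__main__":
    print(pwpolicy_subentry_dn("ou=people,dc=example,dc=com",
                               "cn=nsPwPolicyContainer,ou=people,dc=example,dc=com"))
```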
* 510147 clean up the replication log msg
  Author: Noriko Hosoi  Date: 2009-07-20  Files: 1  Lines: -8/+9

  _cl5DBOpen removes a changelog db if there is no matching replica for the file. The manner to remove the changelog db file was not good -- not using the API that Berkeley DB provided, but removing it with NSPR delete function PR_Delete. This fix replaces PR_Delete with the Berkeley DB API dbremove.
* Skip syntax check of encrypted attributes during import.
  Author: Nathan Kinder  Date: 2009-07-20  Files: 1  Lines: -1/+44

  When importing an ldif with pre-encrypted attributes, we need to skip the syntax check to avoid the import of those entries being skipped. The fix makes a copy of an entry with encrypted attributes, removes the encrypted attributes, and uses this trimmed copy for the syntax check.
* Bug: 479753 - Update core schema
  Author: Nathan Kinder  Date: 2009-07-15  Files: 10  Lines: -395/+1492

  This patch updates and reorganizes our core schema to follow the most recently defined standards. The layout of the core schema files is as follows:
    00core.ldif - RFC 4512, RFC 4519, LDAP Subentry Internet Draft
    01core389.ldif - 389 specific schema (required to start server)
    02common.ldif - 389 specific schema (highly recommended, Changelog Internet Draft, plug-in schema)
    05rfc2927.ldif - MIME Directory Profile for LDAP Schema
    05rfc4523.ldif - Schema Definitions for X.509 Certificates
    05rfc4524.ldif - Cosine LDAP/X.500 Schema
    06inetorgperson.ldif - RFC 2798 (pulls in RFC 2079 and part of the obsolete RFC 1274 due to required attributes)

  There are still a handful of syntaxes that we don't support, so I've substituted syntaxes for about 15 attributes. The schema and DIT related description syntaxes are not supported, so I've used the "Directory String" syntax instead in 00core.ldif. The certificate syntaxes defined in 4523 are not supported, so I've used the "Octet String" syntax instead. All of these deviations are commented with a "TODO" listing the syntax that we need to implement.

  I have also updated the Mozilla address book schema to the latest from upstream for a minor bug fix.

  I changed the nsSymmetricKey attribute to use the "Octet String" syntax since the "Binary" syntax is deprecated.
* Fix unsalted password comparisons
  Author: Rich Megginson  Date: 2009-07-15  Files: 1  Lines: -1/+10

  Unsalted password comparison was broken by the switch from using the ldif base64 function to using the NSPR base64 function. The old function used to return the number of bytes. The new one does not. The code was assuming there was always a salt, but this is not the case. Now, the code determines if there is a salt by comparing the calculated length (hash_len) with the actual number of bytes in the hash (shaLen).
  Reviewed by: nhosoi (Thanks!)
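This commit and "Fix usage of pre-hashed salted passwords" above describe the same two pitfalls: the decoded hash+salt is binary (so `strlen()` cannot measure it), and the salt length is whatever is left after the digest, including zero. The following is an added example, not 389-ds code: it computes the decoded length from the base64 text and its padding, splits digest from salt by digest length, and verifies {SHA}/{SSHA} values with salts of any size, including salts containing NUL bytes. The encode helper, passwords and salts are constructed for the example.

```python
# Added example (not 389-ds code): verifying {SHA}/{SSHA} userPassword
# values whose salt may be any length, or absent. The decoded length is
# computed from the base64 text (with its '=' padding) rather than with
# strlen(), because the decoded bytes are binary and may contain NULs; an
# unsalted value is recognised by comparing that length with the digest
# length, and whatever remains is the salt. Passwords and salts are constructed.
import base64
import hashlib
import hmac

DIGEST_LEN = hashlib.sha1().digest_size  # 20


def b64_decoded_len(text):
    """Exact byte count that base64 text decodes to, accounting for padding."""
    text = text.strip()
    if len(text) % 4 != 0:
        raise ValueError("base64 text length is not a multiple of 4")
    return len(text) * 3 // 4 - text.count("=")


def ssha_encode(password, salt=b""):
    """Produce a {SSHA} value (or {SHA} when salt is empty) for storage."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    scheme = "{SSHA}" if salt else "{SHA}"
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check password against a stored {SHA}/{SSHA} value of any salt length."""
    upper = stored.upper()
    if upper.startswith("{SSHA}"):
        b64 = stored[len("{SSHA}"):]
    elif upper.startswith("{SHA}"):
        b64 = stored[len("{SHA}"):]
    else:
        raise ValueError("unsupported password scheme")
    total = b64_decoded_len(b64)
    if total < DIGEST_LEN:
        return False  # too short to even hold the digest
    raw = base64.b64decode(b64)
    if len(raw) != total:
        raise ValueError("decoded length mismatch")
    # salt is b"" for an unsalted {SHA} value; otherwise whatever follows the digest
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    computed = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    for n in (0, 1, 8, 99):
        stored = ssha_encode("s3cret", bytes(range(n)))
        print(n, stored[:12], ssha_verify("s3cret", stored))
```

`bytes(range(n))` starts with a NUL byte, so every salted case here is one where a `strlen()` on the decoded value would have stopped early.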
* Add additional standard syntaxes.
  Author: Nathan Kinder  Date: 2009-07-14  Files: 14  Lines: -226/+2857

  This adds support for the following standard syntaxes, complete with validation functions:
    Bit String
    Delivery Method
    Enhanced Guide
    Facsimile Telephone Number
    Fax
    Guide
    Name And Optional UID
    Printable String
    Teletex Terminal Identifier
    Telex Number

  This patch does not change the schema to use any of these syntaxes yet. That will come when we update to the current versions of the standard schema from the LDAP RFCs.

  I also fixed an error in makefile.am where Setup.pm was listed twice in perl_DATA.
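Three of the syntaxes listed here are small enough to validate in a few lines, and one of them (Name And Optional UID, whose grammar the "Apply SYNTAX_DN to Name And Optional UID" commit above quotes as DistinguishedName [ "#" bitstring ]) depends on another (Bit String). The following is an added example, not the 389-ds syntax plug-ins: validators for Bit String, Printable String and Name And Optional UID written from the RFC 4517 ABNF. The DN check is a deliberately minimal "attr=value" shape test, an assumption for the example rather than a full RFC 4514 parser.

```python
# Added example (not the 389-ds syntax plug-ins): validators for three of
# the syntaxes listed above, written from the RFC 4517 ABNF:
#   BitString            = SQUOTE *BIT SQUOTE "B"
#   PrintableString      = 1*PrintableCharacter
#   NameAndOptionalUID   = distinguishedName [ SHARP BitString ]
# The DN check is a minimal "attr=value[,attr=value]" shape test, an
# assumption for the example, not a full RFC 4514 parser.
import re
import string

_BIT_STRING = re.compile(r"^'[01]*'B$")
_PRINTABLE = set(string.ascii_letters + string.digits + "'()+,-./:? =")
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=.*$", re.S)


def is_bit_string(value):
    return _BIT_STRING.match(value) is not None


def is_printable_string(value):
    return len(value) > 0 and all(c in _PRINTABLE for c in value)


def looks_like_dn(value):
    if value == "":
        return True  # the empty DN is valid
    rdns = re.split(r"(?<!\\),", value)  # split on unescaped commas only
    return all(_RDN.match(r) for r in rdns)


def split_name_and_optional_uid(value):
    """Return (dn, bitstring or None); raise ValueError if neither form fits."""
    # The optional UID is a bit string after the last unescaped '#'.
    m = re.match(r"^(.*)(?<!\\)#('[01]*'B)$", value, re.S)
    if m and looks_like_dn(m.group(1)):
        return m.group(1), m.group(2)
    if looks_like_dn(value):
        return value, None  # a '#' not followed by a bit string is just value text
    raise ValueError("not a Name And Optional UID: %r" % value)


def is_name_and_optional_uid(value):
    try:
        split_name_and_optional_uid(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(split_name_and_optional_uid("cn=foo,dc=example,dc=com#'0101'B"))
    print(is_printable_string("Hello, World 42"), is_printable_string("h\u00e9llo"))
```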
* Fix attrcrypt usage of nsSymmetricKey
  Author: Rich Megginson  Date: 2009-07-14  Files: 3  Lines: -6/+37

  The current attrcrypt is failing because it attempts to store the encryption symkey in the nsSymmetricKey attribute. This attribute is not defined in the schema, so it defaults to DirectoryString syntax. Storing the value then fails syntax validation because the binary values in the key do not conform to DirectoryString. The code was poorly designed to handle and report errors of this nature. The real fix is to add nsSymmetricKey as a BINARY syntax attribute. I also cleaned up the error detection and reporting for this case.
  Reviewed by: nkinder (Thanks!)
* Reduce noise reported by valgrind
  Author: Rich Megginson  Date: 2009-07-14  Files: 15  Lines: -154/+217

  valgrind is a very useful tool - however, the directory server produces a lot of false positives that have to be suppressed in order to get to the useful information. These patches attempt to reduce some of that noise.
  1) aclparse - should calculate the length of the string _after_ trimming the spaces
  2) something about random number generation causes some of the bits to be uninitialized, and valgrind doesn't like it - this patch doesn't eliminate the error, just reduces it
  3) use initialized memory when generating hashes - also remove "magic numbers"
  4) bin.c - slapi_value_get_string must not be used with unterminated (binary) values
  5) we get these odd valgrind reports from deep within bdb about invalid reads and uninitialized memory - I thought perhaps because we were initializing DBT structures with = {0} which the bdb docs says is not sufficient - they recommend memset or bzero
  6) There are some small memory leaks during attrcrypt initialization and in error cases
  7) error message in ldif2ldbm.c was attempting to print the Slapi_DN structure rather than getting the char *dn
  8) After we call NSS_Initialize, we must call the NSS shutdown functions to clean up the caches and other data structures, otherwise NSS will leak memory. This is harmless since it happens at exit, but valgrind reports hundreds of memory leaks. The solution is to make sure we go through a single exit point after NSS_Initialize. This means many places that just called exit() must instead return with a real return value. This mostly affected main.c, detach.c, and a couple of other places called during startup.
  9) minor memory leaks in mapping tree initialization
  10) sasl_map.c - should not call this in referral mode
  11) minor memory leaks during ssl init
  Reviewed by: nkinder, nhosoi (Thanks!)
* Clean up compiler warnings (refs: smallcleanup, basecleanup)
  Author: Rich Megginson  Date: 2009-07-07  Files: 10  Lines: -16/+26

  This cleans up all of the compiler warnings produced with -Wall on RHEL/Fedora platforms. The warnings about the %lld and %llu formats are still produced and cannot be helped.
  Reviewed by: nkinder (Thanks!)
* OpenLDAP support (ref: cleanup)
  Author: Rich Megginson  Date: 2009-07-07  Files: 83  Lines: -1792/+3165

  These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
  * #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
  * where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
  * I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
  * I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
  * I removed some unused code

  NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.