| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Password Modify LDAPv3 extended operation erroneously
forces the client to supply old password
Reviewed by: Pete & Nathan (Thanks!)
Fix Description: If the BIND operation was successful, the CONN_DN field
is always set to the proper DN. This is even the case during a SASL or
client cert DN if the authentication was successful AND the given
identity could be mapped to a real user in the directory. Also, the
authmethod will be something other than NULL or none. So, if the old
password was not given, that is ok if there is a non-anonymous bind DN
and a real authmethod. The rest of the operation passes through the usual access control.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Most of our integer based config parameters do not do a good job
validating input. For example, alphabetic characters will be accepted as a value
if "0" is a valid setting for a given parameter since atoi returns "0" on error. We
also don't properly check for range errors for many parameters.
Reviewed by: Rich, Pete, and Noriko (Thanks!)
Files: ldapserver/ldap/servers/slapd/libglobs.c
Branch: HEAD
Fix Description: This adds better input validation for a number of integer based config
settings. I replaced our usage of atoi() with strtol() so we can recognize
conversion errors. I also added more descriptive error strings where they were
missing. I revised the fix due to feedback from Noriko. She recommended that
we check for ERANGE areas for all calls to strtol insead of only checking when
LONG_MAX is a valid setting for a config parameter.
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
| |
and more on Solaris and HP-UX.
Use setup.inf from admin server, and make sure the admin component is in there.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: DSMLGW code uses non-standard sun.misc.Base64Encoder
Reviewed by: The team (Thanks!)
Fix Description: Added jakarta-commons-codec.jar to the DS build and
packaging. We will need to add this file to the bundle of dsmlgw jar
files on /share/builds/components.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: If you try to add one of the new password policy attributes to a fine-grained
policy, you get an objectclass violation error.
Reviewed by: Rich, Noriko (thanks!)
Files: ldapserver/ldap/schema/00core.ldif
Branch: HEAD
Fix Description: This adds new password policy config attributes need to the schema and updates
the "passwordPolicy" objectclass needs to allow them. I've also updated our master schema document
to keep track of the OIDs.
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Chain BIND requests with chain on update + global pw policy
Reviewed by: Nathan, Pete (Thanks!)
Fix Description: When using global password policy, we need to chain the
BIND request back to a master so that it can update the pw policy op
attrs in the user's entry and replicate them to all other servers. The
call to config_get_pw_is_global_policy() is expensive (acquires a lock)
so we delay it as long as possible.
The reason we have to use config_get_pw_is_global_policy() is because the entry distribution plugin interface is poor - we have no way to register an init or start function to get the config, and no way to register a statechange callback to be notified of changes to the global password policy.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: crash in PTA plugin when bind returned controls
Reviewed by: Pete (Thanks!)
Fix Description: Fix by Ulf. We are passing the ***LDAPControl when it
needs the **LDAPControl.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
| |
Fixed the broken build (64-bit).
LDFLAG (set in the tools/Makefile) was not passed to rsearch and ldclt.
|
| |
|
|
|
|
| |
Fixed broken build on Solaris.
1) removed redeclared getsubopt in port.h
2) defined _XOPEN_SOURCE 500 for Linux
|
| | |
|
| | |
|
| |
|
|
| |
Checking in Ulf's proposal; should not get connid from pid if the op is internal. (plus the value is just for debug print which is disabled now)
|
| | |
|
| |
|
|
|
|
|
| |
backup; Restore tries to restore all the fles from the backupdir
1) if the specified backup directory exists, rename it to <dir>.bak
2) support relative dir for the backup/restore dir, e.g., "bak2db bak/mybak"
|
| | |
|
| |
|
|
| |
integrated ldclt from DSRK into the DS source tree.
|
| |
|
|
|
|
|
| |
If the specified backup dir does not exist, does not contain necessary files
(including the directory is not accessible), is not a directory, or is
identical to the path to the db dir, issues an error and stops restoring before
wiping out the database.
|
| | |
|
| | |
|
| |
|
|
| |
Integrating rsearch and infadd source codes from DSRK into the Directory Server build tree.
|
| | |
|
| | |
|
| |
|
|
| |
It used to be taken to the "convert to quoted value" section even though the rdn did not have a quote.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Bug Description: The dsgw cookie directory needs to be writable by the admin server uid
Reviewed by: Nathan (Thanks!)
Fix Description: DS Gateway authentication breaks because the admin server uid cannot write to the bin/slapd/authck directory. This fix makes sure that directory is owned by the correct uid. I've also put a similar fix into the ds spec file %post section to fix this when upgrading from fds10 to fds101.
Platforms tested: Fedora Core 4
Flag Day: no
Doc impact: no
|
| |
|
|
|
| |
If missing entry_id is found, skip it and continue reading the primary db to be
reindexed.
|
| | |
|
| |
|
|
| |
When reading a rotation info file, compare the contents with the files in the logs dir, if mismatch is found, update the rotation info file. Once the files arestored in the rotation info file, they will be the target of cleanup at the nextlog ration.
|
| | |
|
| |
|
|
| |
need to set localuser before creating/opening error log.
|
| |
|
|
|
| |
Modified to change the owner to the "localuser" if the error log file is not
owned by the user.
|
| |
|
|
|
|
|
|
|
|
| |
the contents. I'm not sure why we haven't caught this earlier, but
I believe it has something to do with the patch to make ds build on
Fedora Core 4 with gcc4. To do that, we turn off the -fwriteable-strings
argument to gcc. I suppose with it on, it moves those strings to
some sort of writeable memory location. With it off, constant strings
are definitely in the data section. There was one place in views that
used a constant string, and a couple of places in the windows sync code.
|
| |
|
|
|
|
| |
NSS/SSL init. For example, import needs to hash passwords, export of encrypted attrs needs encryption.
2) Only create, configure (for SSL) and bind TCP ports if running in regular or referral mode. Before, the code short circuited if doing import, export, etc. before getting to the port stuff. But since 1) above, the code needs to take care only to do network related stuff if in network mode.
|
| | |
|
| |
|
|
|
| |
related files are owned by the correct user, but make that happen before
the detach so we can ask for the pin on the terminal.
|
| | |
|
| |
|
|
| |
Fixed to get the adminid from the right place: adminpw
|
| |
|
|
|
|
| |
was due to the security CGI not being able to read the ds key/cert db files. They were owned by root instead of the server uid because they were being created by NSS_Initialize which was being called before the server did the setuid.
The fix is to move the NSS/SSL initialization code to just after the setuid call.
|
| |
|
|
|
| |
1) setup was not using the correct value for the config admin ID during reconfig. The fix is to get the correct uid from the admpw file.
2) It is often difficult to figure out the correct id/url for the admin server when running it for the first time. The fix is for setup to print out the correct command to use so the user can copy/paste it into the terminal. The commands are also saved to setup.log in case they close the terminal window.
|
| |
|
|
| |
tab. The solution is to chown the alias directory to the admin server uid so that the security CGI can create the key/cert dbs in that directory.
|
| |
|
|
| |
generally compatible, they are compatible for this specific case
|
| |
|
|
|
|
| |
Fix: Put the dsml gateway and command line jar files in a package called
extjava.tar.gz so that users can choose to deploy these separately if they
want dsml functionality.
|
| |
|
|
|
|
|
| |
i1) For non-RHEL platforms, package cyrus sasl library and the supported plugins.
2) by default, cyrus sasl expects to see the plugins in /usr/lib/sasl2.
Instead, tell sasl to search "../../../lib/sasl2" (relative path from ns-slapd)
for the plugins.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Allow ldapserver rpm to be made externally
Reviewed by: Noriko (Thanks!)
Fix Description: Just use a simple sed command to replace the tokens in
the spec.tmpl file. Just assume Fedora branding for this. For some
reason, on FC4, the setup -b step does not work unless I added a second
echo yes to the command. The tar command used by the rpmbuild step must
have all of the command line arguments before the directory to tar. I
moved some things around to make the rpm build process more dsbuild
friendly.
Platforms tested: FC4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
| |
Bug Description: sasl code needs to accomodate older versions of sasl
Reviewed by: Noriko (Thanks!)
Fix Description: 1) Change build to use -L/usr/kerberos/lib on RHEL3
since that's where gssapi_krb5 is on that platform 2) ifdef out the use
of SASL_AUX_PASSWORD_PROP - if it's not defined, we don't need to use it.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: slapd crashes during SASL authentication
Reviewed by: Noriko (Thanks!)
Branch: HEAD and Directory71RtmBranch
Fix Description: When we build cyrus-sasl on RHEL, we tell it to use
berkeley db for its sasldb database. It uses whatever version of
berkeley db is installed in the system. On RHEL3, this is usually
libdb-4.1. However, at runtime, slapd uses 4.2, leading to conflicts.
This doesn't happen on RHEL4 because it already has 4.2 on it. The db
is used to lookup auxiliary properties (auxprop) related to the user,
such as password or whatever. This happens in sasl after the user is
looked up. In our server, the way we use it, we don't care about these
auxprops, or we get them in another way. If you don't tell sasl which
auxprop plugin you want to use, it tries to use all of them, which means
it will attempt to use the sasldb plugin, which will lead to the crash.
The solution is to add our own auxprop plugin which is just a dummy that
does nothing, and tell sasl to use our plugin.
Platforms tested: RHEL3, RHEL4
Flag Day: no
Doc impact: no
QA impact: retest
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Fix internal component versions and formats for initial
FDS 1.0 build
Reviewed by: Noriko (Thanks!)
Fix Description: Some of the naming conventions needed to change e.g.
/s/b/c/ldapconsole10ext became /fedora/components/directoryconsole/1.0.
Made the ds onlinehelp docs available to build externally. Perldap has
no zip file anymore, just the dirs we copy over. Adminserver includes
the unzipped directories - we need to fix that eventually, but in the
meantime, I made tar skip those unzipped directories. I also merged
Noriko's fix for the assecure.txt problem in setup into Fedora DS. Noriko also pointed out an unused Makefile variable.
Platforms tested: RHEL3
Flag Day: no
Doc impact: no
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: Change ldapserver version to 1.0
Reviewed by: Noriko (Thanks!)
Fix Description: This also fixes some lingering build issues involving
perldap, which is no longer a separate setup package, but just gets
included into DS in a similar manner to nspr, nss, etc.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bug Description: parameterize ldapjdk and crimson jar locations
Reviewed by: Noriko, Nathan (Thanks!)
Fix Description: This is also needed for GAR. The xmltools also
ldapjdk.jar, and needs crimson.jar. DSMLGW does not need crimson.jar.
It makes sense to separate these out of the dsmlgw jars. I changed the
dsmlgw build.xml to be able to pickup ldapjdk.jar from a different
location - defaults to the usual dist/classes.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
Bug(s) fixed: 172005
Bug Description: Change ldapserver version to 1.0
Reviewed by: Noriko (Thanks!)
Fix Description: This also fixes some lingering build issues involving
perldap, which is no longer a separate setup package, but just gets
included into DS in a similar manner to nspr, nss, etc.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
|
