[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_search.c, 1.11, 1.12
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27588/slapd/back-ldbm
Modified Files:
ldbm_search.c
Log Message:
Resolves: #193724
Summary: "nested" filtered roles result in deadlock (Comment #12)
Description:
1. Changed cache_lock to the read-write lock.
2. Instead of using the local vattr_context in vattr_test_filter, use the one
set in pblock as much as possible. To achieve the goal, introduced
pb_vattr_context to pblock.
3. Increased VATTR_LOOP_COUNT_MAX from 50 to 256.
4. When the loop count hit VATTR_LOOP_COUNT_MAX, it sets
LDAP_UNWILLING_TO_PERFORM and returns it to the client.
Index: ldbm_search.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_search.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- ldbm_search.c 27 Sep 2007 21:33:37 -0000 1.11
+++ ldbm_search.c 12 Oct 2007 18:03:42 -0000 1.12
@@ -48,14 +48,14 @@
/* prototypes */
static int build_candidate_list( Slapi_PBlock *pb, backend *be,
- struct backentry *e, const char * base, int scope,
- int *lookup_returned_allidsp, IDList** candidates);
+ struct backentry *e, const char * base, int scope,
+ int *lookup_returned_allidsp, IDList** candidates);
static IDList *base_candidates( Slapi_PBlock *pb, struct backentry *e );
static IDList *onelevel_candidates( Slapi_PBlock *pb, backend *be, const char *base, struct backentry *e, Slapi_Filter *filter, int managedsait, int *lookup_returned_allidsp, int *err );
static back_search_result_set* new_search_result_set(IDList* idl,int vlv, int lookthroughlimit);
static void delete_search_result_set( back_search_result_set **sr );
static int can_skip_filter_test( Slapi_PBlock *pb, struct slapi_filter *f,
- int scope, IDList *idl );
+ int scope, IDList *idl );
/* This is for performance testing, allows us to disable ACL checking altogether */
#if defined(DISABLE_ACL_CHECK)
@@ -69,38 +69,38 @@
static int
compute_lookthrough_limit( Slapi_PBlock *pb, struct ldbminfo *li )
{
- Slapi_Connection *conn = NULL;
- int limit;
+ Slapi_Connection *conn = NULL;
+ int limit;
- slapi_pblock_get( pb, SLAPI_CONNECTION, &conn);
+ slapi_pblock_get( pb, SLAPI_CONNECTION, &conn);
- if ( slapi_reslimit_get_integer_limit( conn,
- li->li_reslimit_lookthrough_handle, &limit )
- != SLAPI_RESLIMIT_STATUS_SUCCESS ) {
- /*
- * no limit associated with binder/connection or some other error
- * occurred. use the default.
- */
- int isroot = 0;
-
- slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
- if (isroot) {
- limit = -1;
- } else {
- PR_Lock(li->li_config_mutex);
- limit = li->li_lookthroughlimit;
- PR_Unlock(li->li_config_mutex);
- }
- }
+ if ( slapi_reslimit_get_integer_limit( conn,
+ li->li_reslimit_lookthrough_handle, &limit )
+ != SLAPI_RESLIMIT_STATUS_SUCCESS ) {
+ /*
+ * no limit associated with binder/connection or some other error
+ * occurred. use the default.
+ */
+ int isroot = 0;
+
+ slapi_pblock_get( pb, SLAPI_REQUESTOR_ISROOT, &isroot );
+ if (isroot) {
+ limit = -1;
+ } else {
+ PR_Lock(li->li_config_mutex);
+ limit = li->li_lookthroughlimit;
+ PR_Unlock(li->li_config_mutex);
+ }
+ }
- return( limit );
+ return( limit );
}
/* don't free the berval, just clean it */
static void
berval_done(struct berval *val)
{
- slapi_ch_free_string(&val->bv_val);
+ slapi_ch_free_string(&val->bv_val);
}
/*
@@ -116,20 +116,20 @@
{
slapi_send_ldap_result( pb, ldap_result, NULL, ldap_result_description, 0, NULL );
}
- {
- /* hack hack --- code to free the result set if we don't need it */
- /* We get it and check to see if the structure was ever used */
- back_search_result_set *sr = NULL;
- slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &sr );
- if ( (NULL != sr) && (function_result != 0) ) {
- delete_search_result_set(&sr);
- }
- }
- slapi_sdn_done(sdn);
- if (vlv_request_control)
- {
- berval_done(&vlv_request_control->value);
- }
+ {
+ /* hack hack --- code to free the result set if we don't need it */
+ /* We get it and check to see if the structure was ever used */
+ back_search_result_set *sr = NULL;
+ slapi_pblock_get( pb, SLAPI_SEARCH_RESULT_SET, &sr );
+ if ( (NULL != sr) && (function_result != 0) ) {
+ delete_search_result_set(&sr);
+ }
+ }
+ slapi_sdn_done(sdn);
+ if (vlv_request_control)
+ {
+ berval_done(&vlv_request_control->value);
+ }
return function_result;
}
@@ -630,8 +630,8 @@
*/
static int
build_candidate_list( Slapi_PBlock *pb, backend *be, struct backentry *e,
- const char * base, int scope, int *lookup_returned_allidsp,
- IDList** candidates)
+ const char * base, int scope, int *lookup_returned_allidsp,
+ IDList** candidates)
{
struct ldbminfo *li = (struct ldbminfo *) be->be_database->plg_private;
int managedsait= 0;
@@ -875,123 +875,123 @@
return( candidates );
}
-static int grok_filter(struct slapi_filter *f);
+static int grok_filter(struct slapi_filter *f);
#if 0
/* Helper for grok_filter() */
static int
-grok_filter_list(struct slapi_filter *flist)
+grok_filter_list(struct slapi_filter *flist)
{
- struct slapi_filter *f;
+ struct slapi_filter *f;
- /* Scan the clauses of the AND filter, if any of them fails the grok, then we fail */
- for ( f = flist; f != NULL; f = f->f_next ) {
- if ( !grok_filter(f) ) {
- return( 0 );
- }
- }
- return( 1 );
+ /* Scan the clauses of the AND filter, if any of them fails the grok, then we fail */
+ for ( f = flist; f != NULL; f = f->f_next ) {
+ if ( !grok_filter(f) ) {
+ return( 0 );
+ }
+ }
+ return( 1 );
}
#endif
/* Helper function for can_skip_filter_test() */
-static int grok_filter(struct slapi_filter *f)
+static int grok_filter(struct slapi_filter *f)
{
- switch ( f->f_choice ) {
- case LDAP_FILTER_EQUALITY:
- return 1; /* If there's an ID list and an equality filter, we can skip the filter test */
- case LDAP_FILTER_SUBSTRINGS:
- return 0;
-
- case LDAP_FILTER_GE:
- return 1;
-
- case LDAP_FILTER_LE:
- return 1;
-
- case LDAP_FILTER_PRESENT:
- return 1; /* If there's an ID list, and a presence filter, we can skip the filter test */
-
- case LDAP_FILTER_APPROX:
- return 0;
-
- case LDAP_FILTER_EXTENDED:
- return 0;
-
- case LDAP_FILTER_AND:
- return 0; /* Unless we check to see whether the presence and equality branches
- of the search filter were all indexed, we get things wrong here,
- so let's punt for now */
- /* return grok_filter_list(f->f_and); AND clauses are potentially OK */
-
- case LDAP_FILTER_OR:
- return 0;
-
- case LDAP_FILTER_NOT:
- return 0;
-
- default:
- return 0;
- }
+ switch ( f->f_choice ) {
+ case LDAP_FILTER_EQUALITY:
+ return 1; /* If there's an ID list and an equality filter, we can skip the filter test */
+ case LDAP_FILTER_SUBSTRINGS:
+ return 0;
+
+ case LDAP_FILTER_GE:
+ return 1;
+
+ case LDAP_FILTER_LE:
+ return 1;
+
+ case LDAP_FILTER_PRESENT:
+ return 1; /* If there's an ID list, and a presence filter, we can skip the filter test */
+
+ case LDAP_FILTER_APPROX:
+ return 0;
+
+ case LDAP_FILTER_EXTENDED:
+ return 0;
+
+ case LDAP_FILTER_AND:
+ return 0; /* Unless we check to see whether the presence and equality branches
+ of the search filter were all indexed, we get things wrong here,
+ so let's punt for now */
+ /* return grok_filter_list(f->f_and); AND clauses are potentially OK */
+
+ case LDAP_FILTER_OR:
+ return 0;
+
+ case LDAP_FILTER_NOT:
+ return 0;
+
+ default:
+ return 0;
+ }
}
/* Routine which says whether or not the indices produced a "correct" answer */
static int
can_skip_filter_test(
- Slapi_PBlock *pb,
- struct slapi_filter *f,
- int scope,
- IDList *idl
+ Slapi_PBlock *pb,
+ struct slapi_filter *f,
+ int scope,
+ IDList *idl
)
{
- int rc = 0;
+ int rc = 0;
+
+ /* Is the ID list ALLIDS ? */
+ if ( ALLIDS(idl)) {
+ /* If so, then can't optimize */
+ return rc;
+ }
+
+ /* Is this a base scope search? */
+ if ( scope == LDAP_SCOPE_BASE ) {
+ /*
+ * If so, then we can't optimize. Why not? Because we only consult
+ * the entrydn index in producing our 1 candidate, and that means
+ * we have not used the filter to produce the candidate list.
+ */
+ return rc;
+ }
- /* Is the ID list ALLIDS ? */
- if ( ALLIDS(idl)) {
- /* If so, then can't optimize */
- return rc;
- }
-
- /* Is this a base scope search? */
- if ( scope == LDAP_SCOPE_BASE ) {
- /*
- * If so, then we can't optimize. Why not? Because we only consult
- * the entrydn index in producing our 1 candidate, and that means
- * we have not used the filter to produce the candidate list.
- */
- return rc;
- }
-
- /* Grok the filter and tell me if it has only equality components in it */
- rc = grok_filter(f);
-
- /* If we haven't determined that we can't skip the filter test already,
- * do one last check for attribute subtypes. We don't need to worry
- * about any complex filters here since grok_filter() will have already
- * assumed that we can't skip the filter test in those cases. */
- if (rc != 0) {
- char *type = NULL;
- char *basetype = NULL;
-
- /* We don't need to free type since that's taken
- * care of when the filter is free'd later. We
- * do need to free basetype when we are done. */
- slapi_filter_get_attribute_type(f, &type);
- basetype = slapi_attr_basetype(type, NULL, 0);
-
- /* Is the filter using an attribute subtype? */
- if (strcasecmp(type, basetype) != 0) {
- /* If so, we can't optimize since attribute subtypes
- * are simply indexed under their basetype attribute.
- * The basetype index has no knowledge of the subtype
- * itself. In the future, we should add support for
- * indexing the subtypes so we can optimize this type
- * of search. */
- rc = 0;
- }
- slapi_ch_free_string(&basetype);
- }
+ /* Grok the filter and tell me if it has only equality components in it */
+ rc = grok_filter(f);
- return rc;
+ /* If we haven't determined that we can't skip the filter test already,
+ * do one last check for attribute subtypes. We don't need to worry
+ * about any complex filters here since grok_filter() will have already
+ * assumed that we can't skip the filter test in those cases. */
+ if (rc != 0) {
+ char *type = NULL;
+ char *basetype = NULL;
+
+ /* We don't need to free type since that's taken
+ * care of when the filter is free'd later. We
+ * do need to free basetype when we are done. */
+ slapi_filter_get_attribute_type(f, &type);
+ basetype = slapi_attr_basetype(type, NULL, 0);
+
+ /* Is the filter using an attribute subtype? */
+ if (strcasecmp(type, basetype) != 0) {
+ /* If so, we can't optimize since attribute subtypes
+ * are simply indexed under their basetype attribute.
+ * The basetype index has no knowledge of the subtype
+ * itself. In the future, we should add support for
+ * indexing the subtypes so we can optimize this type
+ * of search. */
+ rc = 0;
+ }
+ slapi_ch_free_string(&basetype);
+ }
+
+ return rc;
}
@@ -1014,24 +1014,25 @@
int
ldbm_back_next_search_entry_ext( Slapi_PBlock *pb, int use_extension )
{
- backend *be;
- ldbm_instance *inst;
+ backend *be;
+ ldbm_instance *inst;
struct ldbminfo *li;
- int scope;
- int managedsait;
- Slapi_Attr *attr;
- Slapi_Filter *filter;
- char *base;
- back_search_result_set *sr;
- ID id;
- struct backentry *e;
- int nentries;
- time_t curtime, stoptime, optime;
- int tlimit, llimit, slimit, isroot;
- struct berval **urls = NULL;
- int err;
- Slapi_DN basesdn;
- char *target_uniqueid;
+ int scope;
+ int managedsait;
+ Slapi_Attr *attr;
+ Slapi_Filter *filter;
+ char *base;
+ back_search_result_set *sr;
+ ID id;
+ struct backentry *e;
+ int nentries;
+ time_t curtime, stoptime, optime;
+ int tlimit, llimit, slimit, isroot;
+ struct berval **urls = NULL;
+ int err;
+ Slapi_DN basesdn;
+ char *target_uniqueid;
+ int rc = 0;
slapi_pblock_get( pb, SLAPI_BACKEND, &be );
slapi_pblock_get( pb, SLAPI_PLUGIN_PRIVATE, &li );
@@ -1083,8 +1084,8 @@
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, NULL );
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );
- slapi_sdn_done(&basesdn);
- return -1;
+ rc = SLAPI_FAIL_GENERAL;
+ goto bail;
}
/* check time limit */
@@ -1097,8 +1098,8 @@
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, NULL );
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );
- slapi_sdn_done(&basesdn);
- return -1;
+ rc = SLAPI_FAIL_GENERAL;
+ goto bail;
}
/* check lookthrough limit */
@@ -1110,8 +1111,8 @@
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, NULL );
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );
- slapi_sdn_done(&basesdn);
- return -1;
+ rc = SLAPI_FAIL_GENERAL;
+ goto bail;
}
/* get the entry */
@@ -1124,8 +1125,8 @@
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, NULL );
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );
- slapi_sdn_done(&basesdn);
- return 0;
+ rc = 0;
+ goto bail;
}
++sr->sr_lookthroughcount; /* checked above */
@@ -1142,8 +1143,8 @@
* is gonna be traumatic. unavoidable.
*/
slapi_send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL);
- slapi_sdn_done(&basesdn);
- return return_on_disk_full(li);
+ rc = return_on_disk_full(li);
+ goto bail;
}
}
LDAPDebug( LDAP_DEBUG_ARGS, "candidate %lu not found\n", (u_long)id, 0, 0 );
@@ -1182,8 +1183,8 @@
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY_EXT, e );
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, e->ep_entry );
- slapi_sdn_done(&basesdn);
- return 0;
+ rc = 0;
+ goto bail;
}
}
else
@@ -1253,8 +1254,8 @@
cache_return( &inst->inst_cache, &e );
delete_search_result_set( &sr );
slapi_send_ldap_result( pb, LDAP_SIZELIMIT_EXCEEDED, NULL, NULL, nentries, urls );
- slapi_sdn_done(&basesdn);
- return -1;
+ rc = SLAPI_FAIL_GENERAL;
+ goto bail;
}
slapi_pblock_set( pb, SLAPI_SEARCH_SIZELIMIT, &slimit );
}
@@ -1277,8 +1278,8 @@
}
slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, e->ep_entry );
}
- slapi_sdn_done(&basesdn);
- return 0;
+ rc = 0;
+ goto bail;
}
else
{
@@ -1289,11 +1290,19 @@
{
/* Failed the filter test, and this isn't a VLV Search */
cache_return( &inst->inst_cache, &(sr->sr_entry) );
+ if (LDAP_UNWILLING_TO_PERFORM == filter_test) {
+ /* Need to catch this error to detect the vattr loop */
+ slapi_send_ldap_result( pb, filter_test, NULL,
+ "Failed the filter test", 0, NULL );
+ rc = SLAPI_FAIL_GENERAL;
+ goto bail;
+ }
}
}
}
- /*NOTREACHED*/
+bail:
slapi_sdn_done(&basesdn);
+ return rc;
}
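Review bot: The new `LDAP_UNWILLING_TO_PERFORM` branch leaves through `bail` without the cleanup that the other failing exits of this function show. The size-limit exit in the `@@ -1253,8 +1254,8 @@` hunk calls `delete_search_result_set( &sr );` before sending its result, and the limit exits earlier in the function reset `SLAPI_SEARCH_RESULT_ENTRY` to NULL; here only `cache_return` on `sr->sr_entry` runs, so the pblock may still reference the result set and an entry that was just handed back to the cache. Unless the caller is known to free the set on a non-zero return, add `delete_search_result_set( &sr );` and `slapi_pblock_set( pb, SLAPI_SEARCH_RESULT_ENTRY, NULL );` before the `goto bail`. A short comment on `bail:` saying that it only releases `basesdn` would help as well, since the function begins outside this hunk.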
@@ -1333,19 +1342,19 @@
ldbm_instance *inst;
if ( backend_info_ptr == NULL )
- return 1;
+ return 1;
slapi_pblock_get( pb, SLAPI_BACKEND, &be );
- inst = (ldbm_instance *) be->be_instance_info;
+ inst = (ldbm_instance *) be->be_instance_info;
cache_return( &inst->inst_cache, (struct backentry **)&backend_info_ptr );
if( ((struct backentry *) backend_info_ptr)->ep_vlventry != NULL )
{
- /* This entry was created during a vlv search whose acl check failed. It needs to be
- * freed here */
+ /* This entry was created during a vlv search whose acl check failed. It needs to be
+ * freed here */
slapi_entry_free( ((struct backentry *) backend_info_ptr)->ep_vlventry );
- ((struct backentry *) backend_info_ptr)->ep_vlventry = NULL;
+ ((struct backentry *) backend_info_ptr)->ep_vlventry = NULL;
}
return 0;
}
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/roles roles_cache.c, 1.6, 1.7 roles_cache.h, 1.5, 1.6 roles_plugin.c, 1.7, 1.8
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/roles
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27588/plugins/roles
Modified Files:
roles_cache.c roles_cache.h roles_plugin.c
Log Message:
Resolves: #193724
Summary: "nested" filtered roles result in deadlock (Comment #12)
Description:
1. Changed cache_lock to the read-write lock.
2. Instead of using the local vattr_context in vattr_test_filter, use the one
set in pblock as much as possible. To achieve the goal, introduced
pb_vattr_context to pblock.
3. Increased VATTR_LOOP_COUNT_MAX from 50 to 256.
4. When the loop count hit VATTR_LOOP_COUNT_MAX, it sets
LDAP_UNWILLING_TO_PERFORM and returns it to the client.
Index: roles_cache.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/roles/roles_cache.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- roles_cache.c 10 Nov 2006 23:45:24 -0000 1.6
+++ roles_cache.c 12 Oct 2007 18:03:43 -0000 1.7
@@ -105,7 +105,7 @@
PRThread *roles_tid;
int keeprunning;
- Slapi_Mutex *cache_lock;
+ PRRWLock *cache_lock;
Slapi_Mutex *stop_lock;
Slapi_Mutex *change_lock;
@@ -143,6 +143,7 @@
Slapi_Entry *requested_entry; /* entry to get nsrole from */
int has_value; /* flag to determine if a new value has been added to the result */
int need_value; /* flag to determine if we need the result */
+ vattr_context *context; /* vattr context */
} roles_cache_build_result;
/* Structure used to check if is_entry_member_of is part of a role defined in its suffix */
@@ -178,8 +179,9 @@
static int roles_cache_find_node( caddr_t d1, caddr_t d2 );
static int roles_cache_find_roles_in_suffix(Slapi_DN *target_entry_dn, roles_cache_def **list_of_roles);
static int roles_is_entry_member_of_object(caddr_t data, caddr_t arg );
+static int roles_is_entry_member_of_object_ext(vattr_context *c, caddr_t data, caddr_t arg );
static int roles_check_managed(Slapi_Entry *entry_to_check, role_object *role, int *present);
-static int roles_check_filtered(Slapi_Entry *entry_to_check, role_object *role, int *present);
+static int roles_check_filtered(vattr_context *c, Slapi_Entry *entry_to_check, role_object *role, int *present);
static int roles_check_nested(caddr_t data, caddr_t arg);
static int roles_is_inscope(Slapi_Entry *entry_to_check, Slapi_DN *role_dn);
static void berval_set_string(struct berval *bv, const char* string);
@@ -303,7 +305,7 @@
return(NULL);
}
- new_suffix->cache_lock = slapi_new_mutex();
+ new_suffix->cache_lock = PR_NewRWLock(PR_RWLOCK_RANK_NONE, "roles_def_lock");
new_suffix->change_lock = slapi_new_mutex();
new_suffix->stop_lock = slapi_new_mutex();
new_suffix->create_lock = slapi_new_mutex();
@@ -610,7 +612,7 @@
slapi_log_error( SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM, "--> roles_cache_update \n");
- slapi_lock_mutex(suffix_to_update->cache_lock);
+ PR_RWLock_Wlock(suffix_to_update->cache_lock);
operation = suffix_to_update->notified_operation;
entry = suffix_to_update->notified_entry;
@@ -646,7 +648,7 @@
suffix_to_update->notified_entry = NULL;
}
- slapi_unlock_mutex(suffix_to_update->cache_lock);
+ PR_RWLock_Unlock(suffix_to_update->cache_lock);
if ( dn != NULL )
{
@@ -1426,6 +1428,11 @@
*/
int roles_cache_listroles(Slapi_Entry *entry, int return_values, Slapi_ValueSet **valueset_out)
{
+ return roles_cache_listroles_ext(NULL, entry, return_values, valueset_out);
+}
+
+int roles_cache_listroles_ext(vattr_context *c, Slapi_Entry *entry, int return_values, Slapi_ValueSet **valueset_out)
+{
roles_cache_def *roles_cache = NULL;
int rc = 0;
roles_cache_build_result arg;
@@ -1464,13 +1471,14 @@
arg.need_value = return_values;
arg.requested_entry = entry;
arg.has_value = 0;
+ arg.context = c;
/* XXX really need a mutex for this read operation ? */
- slapi_lock_mutex(roles_cache->cache_lock);
+ PR_RWLock_Rlock(roles_cache->cache_lock);
avl_apply(roles_cache->avl_tree, (IFP)roles_cache_build_nsrole, &arg, -1, AVL_INORDER);
- slapi_unlock_mutex(roles_cache->cache_lock);
+ PR_RWLock_Unlock(roles_cache->cache_lock);
if( !arg.has_value )
{
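Review bot: Taking `cache_lock` in read mode around `avl_apply` removes the self-deadlock only if a thread that already holds the read lock can always acquire it again. Going by the log message, the nested filtered-role case re-enters this path on the same thread, and `roles_cache_update` takes the same lock with `PR_RWLock_Wlock`; if the lock holds back new readers once a writer is waiting, the inner `PR_RWLock_Rlock` can still block behind that writer. Please confirm the reader/writer policy of a `PRRWLock` created with `PR_RWLOCK_RANK_NONE` and record it in place of the stale `XXX` comment, e.g. `/* read lock: may be re-acquired by the same thread during nested role evaluation */`. The function starts in the previous hunk and continues past this one.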
@@ -1507,53 +1515,59 @@
------------------------
Traverse the tree containing roles definitions for a suffix and for each
one of them, check wether the entry is a member of it or not
- For ones which check out positive, we add their DN to the value
- always return 0 to allow to trverse all the tree
+ For ones which check out positive, we add their DN to the value
+ always return 0 to allow to trverse all the tree
*/
static int roles_cache_build_nsrole( caddr_t data, caddr_t arg )
{
Slapi_Value *value = NULL;
roles_cache_build_result *result = (roles_cache_build_result*)arg;
role_object *this_role = (role_object*)data;
- roles_cache_search_in_nested get_nsrole;
+ roles_cache_search_in_nested get_nsrole;
/* Return a value different from the stop flag to be able
to go through all the tree */
- int rc = 0;
+ int rc = 0;
+ int tmprc = 0;
- slapi_log_error(SLAPI_LOG_PLUGIN,
- ROLES_PLUGIN_SUBSYSTEM, "--> roles_cache_build_nsrole: role %s\n",
- (char*) slapi_sdn_get_ndn(this_role->dn));
+ slapi_log_error(SLAPI_LOG_PLUGIN,
+ ROLES_PLUGIN_SUBSYSTEM, "--> roles_cache_build_nsrole: role %s\n",
+ (char*) slapi_sdn_get_ndn(this_role->dn));
value = slapi_value_new_string("");
- get_nsrole.is_entry_member_of = result->requested_entry;
- get_nsrole.present = 0;
- get_nsrole.hint = 0;
+ get_nsrole.is_entry_member_of = result->requested_entry;
+ get_nsrole.present = 0;
+ get_nsrole.hint = 0;
- roles_is_entry_member_of_object((caddr_t)this_role, (caddr_t)&get_nsrole);
+ tmprc = roles_is_entry_member_of_object_ext(result->context, (caddr_t)this_role, (caddr_t)&get_nsrole);
+ if (SLAPI_VIRTUALATTRS_LOOP_DETECTED == tmprc)
+ {
+ /* all we want to detect and return is loop/stack overflow */
+ rc = tmprc;
+ }
/* If so, add its DN to the attribute */
if (get_nsrole.present)
{
result->has_value = 1;
- if ( result->need_value )
- {
- slapi_value_set_string(value,(char*) slapi_sdn_get_ndn(this_role->dn));
- slapi_valueset_add_value(*(result->nsrole_values),value);
- }
- else
- {
- /* we don't need the value but we already know there is one nsrole.
- stop the traversal
- */
- rc = -1;
- }
+ if ( result->need_value )
+ {
+ slapi_value_set_string(value,(char*) slapi_sdn_get_ndn(this_role->dn));
+ slapi_valueset_add_value(*(result->nsrole_values),value);
+ }
+ else
+ {
+ /* we don't need the value but we already know there is one nsrole.
+ stop the traversal
+ */
+ rc = -1;
+ }
}
slapi_value_free(&value);
- slapi_log_error(SLAPI_LOG_PLUGIN,
- ROLES_PLUGIN_SUBSYSTEM, "<-- roles_cache_build_nsrole\n");
+ slapi_log_error(SLAPI_LOG_PLUGIN,
+ ROLES_PLUGIN_SUBSYSTEM, "<-- roles_cache_build_nsrole\n");
return rc;
}
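Review bot: The `SLAPI_VIRTUALATTRS_LOOP_DETECTED` code stored in `rc` does not appear to reach anyone. The only caller visible on this page, `avl_apply(roles_cache->avl_tree, (IFP)roles_cache_build_nsrole, &arg, -1, AVL_INORDER);`, passes -1 as the stop value and discards the return, and the `rc = -1;` assignment further down can overwrite the loop code in any case. If the intent is to abort the traversal and report the loop, carry it in the shared argument instead, for example an `int loop_detected;` field in `roles_cache_build_result` that is set here and checked after `avl_apply` returns. The header comment's "always return 0" should be updated either way, since the function now has three outcomes.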
@@ -1564,54 +1578,54 @@
Checks if an entry has a presented role, assuming that we've already verified
that
the role both exists and is in scope
- return 0: no processing error
- return -1: error
+ return 0: no processing error
+ return -1: error
*/
int roles_check(Slapi_Entry *entry_to_check, Slapi_DN *role_dn, int *present)
{
roles_cache_def *roles_cache = NULL;
role_object *this_role = NULL;
- roles_cache_search_in_nested get_nsrole;
+ roles_cache_search_in_nested get_nsrole;
int rc = 0;
- slapi_log_error(SLAPI_LOG_PLUGIN,
- ROLES_PLUGIN_SUBSYSTEM, "--> roles_check\n");
+ slapi_log_error(SLAPI_LOG_PLUGIN,
+ ROLES_PLUGIN_SUBSYSTEM, "--> roles_check\n");
- *present = 0;
+ *present = 0;
- PR_RWLock_Rlock(global_lock);
+ PR_RWLock_Rlock(global_lock);
if ( roles_cache_find_roles_in_suffix(slapi_entry_get_sdn(entry_to_check),
&roles_cache) != 0 )
{
- PR_RWLock_Unlock(global_lock);
+ PR_RWLock_Unlock(global_lock);
return -1;
}
- PR_RWLock_Unlock(global_lock);
+ PR_RWLock_Unlock(global_lock);
this_role = (role_object *)avl_find(roles_cache->avl_tree, role_dn, (IFP)roles_cache_find_node);
- /* MAB: For some reason the assumption made by this function (the role exists and is in scope)
- * does not seem to be true... this_role might be NULL after the avl_find call (is the avl_tree
- * broken? Anyway, this is crashing the 5.1 server on 29-Aug-01, so I am applying the following patch
- * to avoid the crash inside roles_is_entry_member_of_object */
- /* Begin patch */
- if (!this_role) {
- /* Assume that the entry is not member of the role (*present=0) and leave... */
- return rc;
- }
- /* End patch */
+ /* MAB: For some reason the assumption made by this function (the role exists and is in scope)
+ * does not seem to be true... this_role might be NULL after the avl_find call (is the avl_tree
+ * broken? Anyway, this is crashing the 5.1 server on 29-Aug-01, so I am applying the following patch
+ * to avoid the crash inside roles_is_entry_member_of_object */
+ /* Begin patch */
+ if (!this_role) {
+ /* Assume that the entry is not member of the role (*present=0) and leave... */
+ return rc;
+ }
+ /* End patch */
- get_nsrole.is_entry_member_of = entry_to_check;
- get_nsrole.present = 0;
- get_nsrole.hint = 0;
+ get_nsrole.is_entry_member_of = entry_to_check;
+ get_nsrole.present = 0;
+ get_nsrole.hint = 0;
roles_is_entry_member_of_object((caddr_t)this_role, (caddr_t)&get_nsrole);
- *present = get_nsrole.present;
+ *present = get_nsrole.present;
- slapi_log_error(SLAPI_LOG_PLUGIN,
- ROLES_PLUGIN_SUBSYSTEM, "<-- roles_check\n");
+ slapi_log_error(SLAPI_LOG_PLUGIN,
+ ROLES_PLUGIN_SUBSYSTEM, "<-- roles_check\n");
return rc;
}
@@ -1691,6 +1705,11 @@
*/
static int roles_is_entry_member_of_object(caddr_t data, caddr_t argument )
{
+ return roles_is_entry_member_of_object_ext(NULL, data, argument );
+}
+
+static int roles_is_entry_member_of_object_ext(vattr_context *c, caddr_t data, caddr_t argument )
+{
int rc = -1;
roles_cache_search_in_nested *get_nsrole = (roles_cache_search_in_nested*)argument;
@@ -1717,7 +1736,7 @@
rc = roles_check_managed(entry_to_check,this_role,&get_nsrole->present);
break;
case ROLE_TYPE_FILTERED:
- rc = roles_check_filtered(entry_to_check,this_role,&get_nsrole->present);
+ rc = roles_check_filtered(c, entry_to_check,this_role,&get_nsrole->present);
break;
case ROLE_TYPE_NESTED:
{
@@ -1789,13 +1808,14 @@
return 1: fail
-> to check the presence, see present
*/
-static int roles_check_filtered(Slapi_Entry *entry_to_check, role_object *role, int *present)
+static int roles_check_filtered(vattr_context *c, Slapi_Entry *entry_to_check, role_object *role, int *present)
{
int rc = 0;
slapi_log_error(SLAPI_LOG_PLUGIN,
ROLES_PLUGIN_SUBSYSTEM, "--> roles_check_filtered\n");
- rc = slapi_filter_test_simple(entry_to_check,role->filter);
+ rc = slapi_vattr_filter_test_ext(slapi_vattr_get_pblock_from_context(c),
+ entry_to_check, role->filter, 0, 0);
if ( rc == 0 )
{
*present = 1;
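Review bot: `c` can be NULL at the new `slapi_vattr_filter_test_ext` call. The compatibility wrappers `roles_is_entry_member_of_object` and `roles_cache_listroles` both pass NULL, and `roles_check` still goes through the former. `slapi_vattr_get_pblock_from_context` is only declared on this page, so it is not visible whether it tolerates a NULL context or whether the filter test accepts a NULL pblock. Please guard the call, e.g. `Slapi_PBlock *pb = c ? slapi_vattr_get_pblock_from_context(c) : NULL;`, or state the NULL contract next to the prototype in vattr_spi.h. The return-value comment above the function should also say that `rc` may now carry an error from the vattr-aware filter test rather than only 0 or 1; the function body continues past this hunk.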
@@ -1991,7 +2011,7 @@
avl_free(role_def->avl_tree, (IFP)roles_cache_role_object_free);
slapi_sdn_free(&(role_def->suffix_dn));
- slapi_destroy_mutex(role_def->cache_lock);
+ PR_DestroyRWLock(role_def->cache_lock);
role_def->cache_lock = NULL;
slapi_destroy_mutex(role_def->change_lock);
role_def->change_lock = NULL;
Index: roles_cache.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/roles/roles_cache.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- roles_cache.h 10 Nov 2006 23:45:24 -0000 1.5
+++ roles_cache.h 12 Oct 2007 18:03:43 -0000 1.6
@@ -73,6 +73,7 @@
void roles_cache_stop();
void roles_cache_change_notify(Slapi_PBlock *pb);
int roles_cache_listroles(Slapi_Entry *entry, int return_value, Slapi_ValueSet **valueset_out);
+int roles_cache_listroles_ext(vattr_context *c, Slapi_Entry *entry, int return_value, Slapi_ValueSet **valueset_out);
int roles_check(Slapi_Entry *entry_to_check, Slapi_DN *role_dn, int *present);
Index: roles_plugin.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/roles/roles_plugin.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- roles_plugin.c 8 Dec 2006 18:11:09 -0000 1.7
+++ roles_plugin.c 12 Oct 2007 18:03:43 -0000 1.8
@@ -248,7 +248,7 @@
{
int rc = -1;
- rc = roles_cache_listroles(e, 1, results);
+ rc = roles_cache_listroles_ext(c, e, 1, results);
if (rc == 0)
{
*free_flags = SLAPI_VIRTUALATTRS_RETURNED_COPIES;
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd slap.h, 1.27, 1.28 slapi-private.h, 1.17, 1.18 vattr_spi.h, 1.5, 1.6 filterentry.c, 1.5, 1.6 vattr.c, 1.6, 1.7
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv27588/slapd
Modified Files:
slap.h slapi-private.h vattr_spi.h filterentry.c vattr.c
Log Message:
Resolves: #193724
Summary: "nested" filtered roles result in deadlock (Comment #12)
Description:
1. Changed cache_lock to the read-write lock.
2. Instead of using the local vattr_context in vattr_test_filter, use the one
set in pblock as much as possible. To achieve the goal, introduced
pb_vattr_context to pblock.
3. Increased VATTR_LOOP_COUNT_MAX from 50 to 256.
4. When the loop count hit VATTR_LOOP_COUNT_MAX, it sets
LDAP_UNWILLING_TO_PERFORM and returns it to the client.
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- slap.h 2 Oct 2007 18:39:50 -0000 1.27
+++ slap.h 12 Oct 2007 18:03:42 -0000 1.28
@@ -1418,6 +1418,7 @@
/* For password policy control */
int pb_pwpolicy_ctrl;
+ void *pb_vattr_context; /* hold the vattr_context for roles/cos */
} slapi_pblock;
/* The referral element */
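Review bot: `pb_vattr_context` is a raw `void *` with no documented lifetime. vattr.c in this same commit stores a heap-allocated `vattr_context` in it and clears it only from `vattr_context_delete`, so every path that initialises, reuses, copies or tears down a `slapi_pblock` has to leave the field NULL, otherwise a later operation on that pblock could pick up a freed context. None of those paths are part of this diff, so this needs checking outside it. I would extend the field comment to state the rule, e.g. `/* vattr_context shared by nested roles/cos evaluation; set by vattr_context_new(), cleared by vattr_context_delete(); must be NULL in a fresh pblock */`.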
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- slapi-private.h 5 Oct 2007 23:31:07 -0000 1.17
+++ slapi-private.h 12 Oct 2007 18:03:42 -0000 1.18
@@ -475,7 +475,8 @@
void slapi_vattrcache_cache_all();
void slapi_vattrcache_cache_none();
-int vattr_test_filter(/* Entry we're interested in */ Slapi_Entry *e,
+int vattr_test_filter( Slapi_PBlock *pb,
+ /* Entry we're interested in */ Slapi_Entry *e,
Slapi_Filter *f,
filter_type_t filter_type,
char *type);
Index: vattr_spi.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/vattr_spi.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- vattr_spi.h 10 Nov 2006 23:45:40 -0000 1.5
+++ vattr_spi.h 12 Oct 2007 18:03:42 -0000 1.6
@@ -88,4 +88,6 @@
int slapi_vattr_namespace_values_get_sp(vattr_context *c, /* Entry we're interested in */ Slapi_Entry *e, /* backend namespace dn */ Slapi_DN *namespace_dn, /* attr type name */ char *type, /* pointer to result set */ Slapi_ValueSet*** results,int **type_name_disposition, char ***actual_type_name, int flags, int *free_flags, int *subtype_count);
int slapi_vattr_value_compare_sp(vattr_context *c, Slapi_Entry *e,char *type, Slapi_Value *test_this, int *result, int flags);
int slapi_vattr_namespace_value_compare_sp(vattr_context *c,/* Entry we're interested in */ Slapi_Entry *e, /* backend namespace dn*/Slapi_DN *namespace_dn, /* attr type name */ const char *type, Slapi_Value *test_this,/* pointer to result */ int *result, int flags);
+Slapi_PBlock *slapi_vattr_get_pblock_from_context( vattr_context *c );
+
Index: filterentry.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/filterentry.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- filterentry.c 10 Nov 2006 23:45:40 -0000 1.5
+++ filterentry.c 12 Oct 2007 18:03:42 -0000 1.6
@@ -861,7 +861,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_AVA, f->f_ava.ava_type );
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_AVA, f->f_ava.ava_type );
break;
case LDAP_FILTER_SUBSTRINGS:
@@ -873,7 +873,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_SUBSTRING, f->f_sub_type);
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_SUBSTRING, f->f_sub_type);
break;
case LDAP_FILTER_GE:
@@ -886,7 +886,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
break;
case LDAP_FILTER_LE:
@@ -899,7 +899,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
break;
case LDAP_FILTER_PRESENT:
@@ -911,7 +911,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_PRES, f->f_type);
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_PRES, f->f_type);
break;
case LDAP_FILTER_APPROX:
@@ -924,7 +924,7 @@
if ( only_check_access || rc != LDAP_SUCCESS ) {
return( rc );
}
- rc = vattr_test_filter( e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
+ rc = vattr_test_filter( pb, e, f, FILTER_TYPE_AVA, f->f_ava.ava_type);
break;
case LDAP_FILTER_EXTENDED:
Index: vattr.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/vattr.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- vattr.c 10 Nov 2006 23:45:40 -0000 1.6
+++ vattr.c 12 Oct 2007 18:03:42 -0000 1.7
@@ -102,7 +102,7 @@
unsigned int vattr_context_loop_count;
unsigned int error_displayed;
};
-#define VATTR_LOOP_COUNT_MAX 50
+#define VATTR_LOOP_COUNT_MAX 256
typedef vattr_sp_handle vattr_sp_handle_list;
@@ -300,11 +300,19 @@
vattr_context *vattr_context_new( Slapi_PBlock *pb )
{
- vattr_context *c = (vattr_context *)slapi_ch_calloc(1, sizeof(vattr_context));
+ vattr_context *c = NULL;
+ if (pb && pb->pb_vattr_context) {
+ c = (vattr_context *)pb->pb_vattr_context;
+ } else {
+ c = (vattr_context *)slapi_ch_calloc(1, sizeof(vattr_context));
+ }
/* The payload is zero, which is what we want */
if ( c ) {
c->pb = pb;
}
+ if ( pb && c != (vattr_context *)pb->pb_vattr_context ) {
+ pb->pb_vattr_context = (void *)c;
+ }
return c;
}
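Review bot: The retained comment `/* The payload is zero, which is what we want */` in vattr_context_new is no longer true on the new first branch, where `c` is the context already stored in `pb->pb_vattr_context` and keeps whatever loop count and `error_displayed` value it had. The function now also has an undocumented side effect on the pblock: it stores `c` in `pb->pb_vattr_context`. I would replace the comment with `/* A context reused from pb keeps its loop count; only a freshly calloc'd one is zeroed */`. A header comment should add that the returned context may be shared through the pblock and should be released with vattr_context_ungrok(), which clears the pblock pointer before freeing, rather than freed directly.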
@@ -333,15 +341,33 @@
/* Decrement the loop count */
if (0 == vattr_context_unmark(*c)) {
/* If necessary, delete the structure */
+ if ((*c)->pb) {
+ (*c)->pb->pb_vattr_context = NULL;
+ }
slapi_ch_free((void **)c);
}
}
+static int vattr_context_grok_pb( Slapi_PBlock *pb, vattr_context **c )
+{
+ int rc = -1;
+ if (NULL == c) {
+ return rc;
+ }
+ *c = vattr_context_new( pb );
+ if (NULL == *c) {
+ return ENOMEM;
+ }
+ rc = vattr_context_check(*c);
+ vattr_context_mark(*c); /* increment loop count */
+ return rc;
+}
+
/* Check and mess with the context structure on entry to a vattr sp function */
static int vattr_context_grok(vattr_context **c)
{
int rc = 0;
- /* First check that we've not got into an infinite loop.
+ /* First check that we've not got into an infinite loop.
We do so by means of the vattr_context structure.
*/
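Review bot: vattr_context_grok_pb has no header comment and mixes three return conventions: -1 for a NULL `c`, the errno constant `ENOMEM` when no context could be obtained, and otherwise the value of vattr_context_check(). The header comment of vattr_test_filter documents positive values as LDAP error codes, so a positive `ENOMEM` could be misread as one by a caller that uses the result. The helper also calls vattr_context_mark() even when the check fails, so every return with a non-NULL context has to be paired with vattr_context_ungrok(). A comment such as `/* Get or create the context for pb, check the loop limit and increment the loop count; always pair with vattr_context_ungrok() */` would make that explicit. The vattr_context_grok function at the end of the hunk continues outside it.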
@@ -388,10 +414,12 @@
* >0 an ldap error code
*
*/
-int vattr_test_filter( /* Entry we're interested in */ Slapi_Entry *e,
+int vattr_test_filter( Slapi_PBlock *pb,
+ /* Entry we're interested in */ Slapi_Entry *e,
Slapi_Filter *f,
filter_type_t filter_type,
- char * type) {
+ char * type)
+{
int rc = -1;
int sp_bit = 0; /* Set if an SP supplied an answer */
vattr_sp_handle_list *list = NULL;
@@ -445,26 +473,23 @@
char **actual_type_name;
int buffer_flags;
vattr_get_thang my_get = {0};
- vattr_context ctx;
/* bit cacky, but need to make a null terminated lists for now
* for the (unimplemented and so fake) batch attribute request
*/
char *types[2];
void *hint_list[2];
+ vattr_context *ctx;
+ vattr_context_grok_pb( pb, &ctx ); /* get or new context */
types[0] = type;
types[1] = 0;
hint_list[1] = 0;
- /* set up some local context */
- ctx.vattr_context_loop_count=1;
- ctx.error_displayed = 0;
-
for (current_handle = vattr_map_sp_first(list,&hint); current_handle; current_handle = vattr_map_sp_next(current_handle,&hint))
{
hint_list[0] = hint;
- rc = vattr_call_sp_get_batch_values(current_handle,&ctx,e,
+ rc = vattr_call_sp_get_batch_values(current_handle,ctx,e,
&my_get,types,&results,&type_name_disposition,
&actual_type_name,flags,&buffer_flags, hint_list);
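Review bot: The result of `vattr_context_grok_pb( pb, &ctx )` is thrown away, so the provider loop below runs with `ctx` even when the loop-count check failed or no context could be obtained. That check is what bounds nested virtual-attribute evaluation, so its result should gate the loop: `rc = vattr_context_grok_pb( pb, &ctx );` and then enter the `for` loop only `if (0 == rc)`, assuming vattr_context_check returns 0 while the limit has not been reached. The `vattr_context_ungrok(&ctx)` added in the next hunk must still be reached, because the helper has already incremented the count. If `ctx` can come back NULL (the helper has an `ENOMEM` path), it also needs a guard before it is passed to vattr_call_sp_get_batch_values and to ungrok. vattr_test_filter starts and ends outside this hunk.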
@@ -474,6 +499,7 @@
break;
}
}
+ vattr_context_ungrok(&ctx);
if(!sp_bit)
{
@@ -483,7 +509,6 @@
* but first lets cache the no result
*/
slapi_entry_vattrcache_merge_sv(e, type, NULL );
-
}
else
{
@@ -491,7 +516,7 @@
* A vattr sp supplied an answer.
* so turn the value into a Slapi_Attr, pass
* to the syntax plugin for comparison.
- */
+ */
if ( filter_type == FILTER_TYPE_AVA ||
filter_type == FILTER_TYPE_SUBSTRING ) {
@@ -566,14 +591,13 @@
slapi_ch_free((void**)&type_name_disposition);
}
}
-
break;
- }
+ }
}/* switch */
}
/* If no SP supplied the answer, take it from the entry */
- if (!sp_bit)
- {
+ if (rc <= 1 && !sp_bit) /* if LDAP ERROR is set, skip further testing */
+ {
int acl_test_done;
if ( filter_type == FILTER_TYPE_AVA ) {
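Review bot: The new guard `if (rc <= 1 && !sp_bit)` lets `rc == 1` fall through to the entry-based test, although the comment on the same line says an LDAP error should skip it and the function's header comment documents `>0` as an LDAP error code. If 1 is deliberately treated as a non-error here, that needs a comment or a named constant; otherwise the condition should read `if (rc <= 0 && !sp_bit)`. The body of this block and the rest of vattr_test_filter lie outside the hunk, so it cannot be seen here whether any path sets `rc` to 1 on purpose.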
@@ -597,7 +621,7 @@
0 /* do test filter */,
&acl_test_done);
}
- }
+ }
return rc;
}
/*
@@ -1690,7 +1714,7 @@
*actual_type_name = (char**)slapi_ch_calloc(2, sizeof(*actual_type_name));
ret =((handle->sp->sp_get_fn)(handle,c,e,*type,*results,*type_name_disposition,*actual_type_name,flags,buffer_flags, hint));
- if(ret)
+ if (ret)
{
slapi_ch_free((void**)results );
slapi_ch_free((void**)type_name_disposition );
@@ -2332,6 +2356,16 @@
PR_RWLock_Unlock(e->e_virtual_lock);
}
+Slapi_PBlock *
+slapi_vattr_get_pblock_from_context(vattr_context *c)
+{
+ if (c) {
+ return c->pb;
+ } else {
+ return NULL;
+ }
+}
+
#ifdef VATTR_TEST_CODE
/* Prototype SP begins here */
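Review bot: slapi_vattr_get_pblock_from_context is added as an exported `slapi_` function with no comment on the lifetime of what it returns. The pointer is the `pb` that vattr_context_new stored in the context, so the caller only borrows it. It can be NULL either because `c` is NULL or because the context was created without a pblock. Proposed comment above the definition: `/* Returns the pblock associated with c, or NULL; the caller does not own it and must not destroy it */`.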
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication cl5_api.c, 1.16, 1.17 repl5_replica_config.c, 1.7, 1.8
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv18707
Modified Files:
cl5_api.c repl5_replica_config.c
Log Message:
Resolves: 238630
Summary: Remove changelog db file when replica config is removed.
Index: cl5_api.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/cl5_api.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- cl5_api.c 24 Sep 2007 23:39:22 -0000 1.16
+++ cl5_api.c 12 Oct 2007 17:22:54 -0000 1.17
@@ -6391,20 +6391,24 @@
_cl5WriteRUV (file, PR_FALSE);
}
- /* close file */
+ /* close the db */
if (file->db)
file->db->close(file->db, 0);
if (file->flags & DB_FILE_DELETED)
- {
- PR_snprintf(fullpathname, MAXPATHLEN, "%s/%s", s_cl5Desc.dbDir, file->name);
- if (PR_Delete(fullpathname) != PR_SUCCESS)
+ {
+ int rc = 0;
+ /* We need to use the libdb API to delete the files, otherwise we'll
+ * run into problems when we try to checkpoint transactions later. */
+ PR_snprintf(fullpathname, MAXPATHLEN, "%s/%s", s_cl5Desc.dbDir, file->name);
+ rc = s_cl5Desc.dbEnv->dbremove(s_cl5Desc.dbEnv, 0, fullpathname, 0, 0);
+ if (rc != 0)
{
- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "_cl5DBCloseFile: "
- "failed to remove (%s) file; NSPR error - %d\n", file->name, PR_GetError ());
-
- }
- }
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "_cl5DBCloseFile: "
+ "failed to remove (%s) file; libdb error - %d (%s)\n", file->name,
+ rc, dblayer_strerror(rc));
+ }
+ }
/* slapi_ch_free accepts NULL pointer */
slapi_ch_free ((void**)&file->name);
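Review bot: A failed `dbremove` is reported only at `SLAPI_LOG_REPL`, so on a server where replication logging is not enabled, a changelog file that could not be deleted would presumably stay on disk with no visible trace. The changelog holds replicated changes, so a leftover file after the replica is gone deserves an always-on message. I would log it at `SLAPI_LOG_FATAL`, the level the companion change in repl5_replica_config.c uses. The new call also dereferences `s_cl5Desc.dbEnv` without a check and the result of `file->db->close(file->db, 0)` is ignored before the removal. Whether the environment can be NULL at this point is not visible, since the function starts and ends outside the hunk.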
Index: repl5_replica_config.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_replica_config.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- repl5_replica_config.c 10 Nov 2006 23:45:17 -0000 1.7
+++ repl5_replica_config.c 12 Oct 2007 17:22:54 -0000 1.8
@@ -460,9 +460,17 @@
if (mtnode_ext->replica)
{
+ char ebuf[BUFSIZ];
+
/* remove object from the hash */
r = (Replica*)object_get_data (mtnode_ext->replica);
PR_ASSERT (r);
+ /* The changelog for this replica is no longer valid, so we should remove it. */
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "replica_config_delete: "
+ "Warning: The changelog for replica %s is no longer valid since "
+ "the replica config is being deleted. Removing the changelog.\n",
+ escape_string(slapi_sdn_get_dn(replica_get_root(r)),ebuf));
+ cl5DeleteDBSync(mtnode_ext->replica);
replica_delete_by_name (replica_get_name (r));
object_release (mtnode_ext->replica);
mtnode_ext->replica = NULL;
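Review bot: The result of `cl5DeleteDBSync(mtnode_ext->replica)` is not used, while the message logged just before it states that the changelog is being removed. If the call reports failure through a return value (its prototype is not visible here), the changelog would remain on disk after the replica configuration is gone and nothing would say so. Capturing the result, e.g. `rc = cl5DeleteDBSync(mtnode_ext->replica);`, and logging a non-zero value with slapi_log_error would close that gap. The enclosing function lies outside the hunk.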
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd plugin_internal_op.c, 1.7, 1.8
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11904/ldapserver/ldap/servers/slapd
Modified Files:
plugin_internal_op.c
Log Message:
Resolves: bug 288291
Bug Description: add an view object inside a view object that has an improper nsviewfilter crashes the server
Reviewed by: nhosoi (Thanks!)
Fix Description: I could not reproduce the problem by simply adding the bogus nsviewfilter. The server seemed to run fine, but I didn't stress it. However, if I restarted the server, the server would core during startup. The last message in the error log would say something about recovering the database, which is probably why the bug reporter said that it will not recover the database. The problem doesn't appear to be with views specifically, but with any internal search which uses the search_internal_callback_pb() (as opposed to the non callback internal search) and there are search base rewriters (such as the views code). The aci code uses this type of search at startup to find the acis, and that's where I saw the crash. I could crash the server at startup regardless of whether the view filter was bogus or not. The problem is that we are not passing in the address of new_base to slapi_ch_free. The fix is to use slapi_ch_free_string and pass in the address of the string. That fixes the crash.
I also cleaned up a few places in the views code which was not checking to see if slapi_str2filter returned NULL, which would happen in the case of the bogus search filter. I also added an error message which will tell the user that filter X in entry Y is bogus.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
Index: plugin_internal_op.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/plugin_internal_op.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- plugin_internal_op.c 10 Nov 2006 23:45:40 -0000 1.7
+++ plugin_internal_op.c 12 Oct 2007 16:53:03 -0000 1.8
@@ -768,7 +768,7 @@
}
if(original_base != new_base)
- slapi_ch_free((void**)new_base);
+ slapi_ch_free_string(&new_base);
/* we strdup'd this above - need to free */
slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, &original_base);
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/views views.c, 1.9, 1.10
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/views
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11904/ldapserver/ldap/servers/plugins/views
Modified Files:
views.c
Log Message:
Resolves: bug 288291
Bug Description: add an view object inside a view object that has an improper nsviewfilter crashes the server
Reviewed by: nhosoi (Thanks!)
Fix Description: I could not reproduce the problem by simply adding the bogus nsviewfilter. The server seemed to run fine, but I didn't stress it. However, if I restarted the server, the server would core during startup. The last message in the error log would say something about recovering the database, which is probably why the bug reporter said that it will not recover the database. The problem doesn't appear to be with views specifically, but with any internal search which uses the search_internal_callback_pb() (as opposed to the non callback internal search) and there are search base rewriters (such as the views code). The aci code uses this type of search at startup to find the acis, and that's where I saw the crash. I could crash the server at startup regardless of whether the view filter was bogus or not. The problem is that we are not passing in the address of new_base to slapi_ch_free. The fix is to use slapi_ch_free_string and pass in the address of the string. That fixes the crash.
I also cleaned up a few places in the views code which was not checking to see if slapi_str2filter returned NULL, which would happen in the case of the bogus search filter. I also added an error message which will tell the user that filter X in entry Y is bogus.
Platforms tested: RHEL5 x86_64
Flag Day: no
Doc impact: no
Index: views.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/views/views.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- views.c 10 Nov 2006 23:45:33 -0000 1.9
+++ views.c 12 Oct 2007 16:53:02 -0000 1.10
@@ -764,6 +764,12 @@
buf = slapi_ch_strdup(current->viewfilter);
pCurrentFilter = slapi_str2filter( buf );
+ if (!pCurrentFilter) {
+ char ebuf[BUFSIZ];
+ slapi_log_error(SLAPI_LOG_FATAL, VIEWS_PLUGIN_SUBSYSTEM,
+ "Error: the view filter [%s] in entry [%s] is not valid\n",
+ buf, escape_string(current->pDn, ebuf));
+ }
if(pBuiltFilter && pCurrentFilter)
pBuiltFilter = slapi_filter_join_ex( LDAP_FILTER_AND, pBuiltFilter, pCurrentFilter, 0 );
else
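Review bot: The new error message prints `buf` with a plain `%s`, while the entry DN next to it goes through `escape_string`. `buf` is a copy of the stored view filter, which according to the commit description can be arbitrary invalid text, so it should be escaped the same way before it reaches the error log. That needs a second buffer: `char fbuf[BUFSIZ];` and `escape_string(buf, fbuf)` as the first argument. The same message is added in the two later hunks of this file. The surrounding function is outside the hunk.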
@@ -935,7 +941,13 @@
if(buf)
{
pCurrentFilter = slapi_str2filter( buf );
- if(pOrSubFilter)
+ if (!pCurrentFilter) {
+ char ebuf[BUFSIZ];
+ slapi_log_error(SLAPI_LOG_FATAL, VIEWS_PLUGIN_SUBSYSTEM,
+ "Error: the view filter [%s] in entry [%s] is not valid\n",
+ buf, escape_string(currentChild->pDn, ebuf));
+ }
+ if(pOrSubFilter && pCurrentFilter)
pOrSubFilter = slapi_filter_join_ex( LDAP_FILTER_OR, pOrSubFilter, pCurrentFilter, 0 );
else
pOrSubFilter = pCurrentFilter;
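Review bot: When `slapi_str2filter` fails and `pOrSubFilter` already holds earlier child filters, the changed condition `if(pOrSubFilter && pCurrentFilter)` is false and the `else` branch assigns `pOrSubFilter = pCurrentFilter`, which is NULL. The filter built so far is then dropped, and presumably leaked, because of one invalid entry. These filters decide which entries a view covers, so an invalid one should be skipped rather than reset the accumulated filter: use `else if (pCurrentFilter)` in place of the bare `else`. The third hunk has the same shape with `pView->includeChildViewsFilter` and `viewSubFilter`. The first hunk probably does too, though its `else` body is outside the hunk.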
@@ -994,8 +1006,14 @@
buf = slapi_ch_calloc(1, strlen(viewRDNstr) + 11 ); /* 3 for filter */
sprintf(buf, "(%s)", viewRDNstr );
viewSubFilter = slapi_str2filter( buf );
-
- if(pView->includeChildViewsFilter)
+ if (!viewSubFilter) {
+ char ebuf[BUFSIZ];
+ slapi_log_error(SLAPI_LOG_FATAL, VIEWS_PLUGIN_SUBSYSTEM,
+ "Error: the view filter [%s] in entry [%s] is not valid\n",
+ buf, escape_string(current->pDn, ebuf));
+ }
+
+ if(pView->includeChildViewsFilter && viewSubFilter)
pView->includeChildViewsFilter = slapi_filter_join_ex( LDAP_FILTER_OR, pView->includeChildViewsFilter, viewSubFilter, 0 );
else
pView->includeChildViewsFilter = viewSubFilter;
16 years, 6 months
[Fedora-directory-commits] esc/win32 build.sh,1.2,1.3
by Doctor Conrad
Author: jmagne
Update of /cvs/dirsec/esc/win32
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28915
Modified Files:
build.sh
Log Message:
Bump up version strings.
Index: build.sh
===================================================================
RCS file: /cvs/dirsec/esc/win32/build.sh,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- build.sh 25 Jul 2007 23:12:15 -0000 1.2
+++ build.sh 12 Oct 2007 00:10:32 -0000 1.3
@@ -57,7 +57,7 @@
#CoolKey values
COOLKEY_NAME=coolkey
-COOLKEY_TAG=COOLKEY_1_1_0
+COOLKEY_TAG=HEAD
#Fedora repo for CoolKey and ESC
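Review bot: `COOLKEY_TAG=HEAD` replaces a fixed tag with a moving one, so the CoolKey source that goes into this build depends on when the script is run. A given ESC version then no longer maps to one CoolKey revision, assuming the variable selects the revision that is checked out (its use is outside the hunk). For a release build I would keep a fixed tag here, e.g. `COOLKEY_TAG=<coolkey release tag>` (placeholder; the page does not name a newer tag), and use HEAD only for development builds. mac-build.sh in the following message already carries `COOLKEY_TAG=HEAD`, so the same applies there.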
@@ -76,7 +76,7 @@
#ESC values
ESC_NAME=esc
-ESC_VERSION_NO=1.0.1-5
+ESC_VERSION_NO=1.1.0-0
#Cygwin values
16 years, 6 months
[Fedora-directory-commits] esc/mac mac-build.sh,1.1,1.2
by Doctor Conrad
Author: jmagne
Update of /cvs/dirsec/esc/mac
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25787
Modified Files:
mac-build.sh
Log Message:
Bump up the version numbers.
Index: mac-build.sh
===================================================================
RCS file: /cvs/dirsec/esc/mac/mac-build.sh,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mac-build.sh 2 Aug 2007 18:22:20 -0000 1.1
+++ mac-build.sh 11 Oct 2007 20:34:26 -0000 1.2
@@ -42,12 +42,12 @@
IFD_EGATE_NAME=ifd-egate-0.05
IFD_EGATE_REL=15
-COOLKEY_PKG_NAME=SmartCardManager1.14.pkg
+COOLKEY_PKG_NAME=SmartCardManager1.15.pkg
COOLKEY_VOL_NAME=SMARTCARDMANAGER
COOLKEY_TAG=HEAD
-ESC_VERSION=1.0.1-4
+ESC_VERSION=1.1.0-0
COOLKEY_DMG_NAME=SmartCardManager-$ESC_VERSION.OSX4.darwin.dmg
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/schema 50ns-calendar.ldif, 1.4, NONE 50ns-compass.ldif, 1.4, NONE 50ns-delegated-admin.ldif, 1.4, NONE 50ns-legacy.ldif, 1.4, NONE 50ns-mail.ldif, 1.4, NONE 50ns-mcd-browser.ldif, 1.4, NONE 50ns-mcd-config.ldif, 1.4, NONE 50ns-mcd-li.ldif, 1.4, NONE 50ns-mcd-mail.ldif, 1.4, NONE 50ns-media.ldif, 1.4, NONE 50ns-mlm.ldif, 1.4, NONE 50ns-msg.ldif, 1.4, NONE 50ns-netshare.ldif, 1.4, NONE 50ns-news.ldif, 1.4, NONE 50ns-proxy.ldif, 1.4, NONE 50ns-wcal.ldif, 1.4, NONE 51n
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv30180
Removed Files:
50ns-calendar.ldif 50ns-compass.ldif 50ns-delegated-admin.ldif
50ns-legacy.ldif 50ns-mail.ldif 50ns-mcd-browser.ldif
50ns-mcd-config.ldif 50ns-mcd-li.ldif 50ns-mcd-mail.ldif
50ns-media.ldif 50ns-mlm.ldif 50ns-msg.ldif 50ns-netshare.ldif
50ns-news.ldif 50ns-proxy.ldif 50ns-wcal.ldif
51ns-calendar.ldif
Log Message:
remove obsolete schema
--- 50ns-calendar.ldif DELETED ---
--- 50ns-compass.ldif DELETED ---
--- 50ns-delegated-admin.ldif DELETED ---
--- 50ns-legacy.ldif DELETED ---
--- 50ns-mail.ldif DELETED ---
--- 50ns-mcd-browser.ldif DELETED ---
--- 50ns-mcd-config.ldif DELETED ---
--- 50ns-mcd-li.ldif DELETED ---
--- 50ns-mcd-mail.ldif DELETED ---
--- 50ns-media.ldif DELETED ---
--- 50ns-mlm.ldif DELETED ---
--- 50ns-msg.ldif DELETED ---
--- 50ns-netshare.ldif DELETED ---
--- 50ns-news.ldif DELETED ---
--- 50ns-proxy.ldif DELETED ---
--- 50ns-wcal.ldif DELETED ---
--- 51ns-calendar.ldif DELETED ---
16 years, 6 months
[Fedora-directory-commits] ldapserver/ldap/schema 10rfc2307bis.ldif, NONE, 1.1
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21756/ldapserver/ldap/schema
Added Files:
10rfc2307bis.ldif
Log Message:
Resolves: bug 165761
Added rfc2307bis schema, but in the data directory. It is not compatible with the older rfc2307 schema included with the directory server.
Users will need to upgrade their database to fix posixGroup entries in order
to use this schema
--- NEW FILE 10rfc2307bis.ldif ---
# New and improved RFC 2307 schema (aka RFC 2307 bis)
# "An Approach for Using LDAP as a Network Information Service"
# This schema has not yet been approved.
#
dn: cn=schema
attributeTypes: (
1.3.6.1.1.1.1.0 NAME 'uidNumber'
DESC 'An integer uniquely identifying a user in an administrative domain'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.1 NAME 'gidNumber'
DESC 'An integer uniquely identifying a group in an
administrative domain'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.2 NAME 'gecos'
DESC 'The GECOS field; the common name'
EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.4 NAME 'loginShell'
DESC 'The path to the login shell'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.5 NAME 'shadowLastChange'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.6 NAME 'shadowMin'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.7 NAME 'shadowMax'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.8 NAME 'shadowWarning'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.9 NAME 'shadowInactive'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.10 NAME 'shadowExpire'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.11 NAME 'shadowFlag'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.13 NAME 'memberNisNetgroup'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
DESC 'Netgroup triple'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.15 NAME 'ipServicePort'
DESC 'Service port number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.16 NAME 'ipServiceProtocol'
DESC 'Service protocol name'
SUP name
)
attributeTypes: (
1.3.6.1.1.1.1.17 NAME 'ipProtocolNumber'
DESC 'IP protocol number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.18 NAME 'oncRpcNumber'
DESC 'ONC RPC number'
EQUALITY integerMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
DESC 'IPv4 addresses as a dotted decimal omitting leading
zeros or IPv6 addresses as defined in RFC2373'
SUP name
)
attributeTypes: (
1.3.6.1.1.1.1.20 NAME 'ipNetworkNumber'
DESC 'IP network as a dotted decimal, eg. 192.168,
omitting leading zeros'
SUP name
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.21 NAME 'ipNetmaskNumber'
DESC 'IP netmask as a dotted decimal, eg. 255.255.255.0,
omitting leading zeros'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.22 NAME 'macAddress'
DESC 'MAC address in maximal, colon separated hex
notation, eg. 00:00:92:90:ee:e2'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.23 NAME 'bootParameter'
DESC 'rpc.bootparamd parameter'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.24 NAME 'bootFile'
DESC 'Boot image name'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.26 NAME 'nisMapName'
DESC 'Name of a A generic NIS map'
SUP name
)
attributeTypes: (
1.3.6.1.1.1.1.27 NAME 'nisMapEntry'
DESC 'A generic NIS entry'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.28 NAME 'nisPublicKey'
DESC 'NIS public key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.29 NAME 'nisSecretKey'
DESC 'NIS secret key'
EQUALITY octetStringMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.30 NAME 'nisDomain'
DESC 'NIS domain'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
)
attributeTypes: (
1.3.6.1.1.1.1.31 NAME 'automountMapName'
DESC 'automount Map Name'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.32 NAME 'automountKey'
DESC 'Automount Key value'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
attributeTypes: (
1.3.6.1.1.1.1.33 NAME 'automountInformation'
DESC 'Automount information'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
SINGLE-VALUE
)
# end of attribute types - beginning of objectclasses
objectClasses: (
1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
DESC 'Abstraction of an account with POSIX attributes'
MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
MAY ( userPassword $ loginShell $ gecos $
description )
)
objectClasses: (
1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY
DESC 'Additional attributes for shadow passwords'
MUST uid
MAY ( userPassword $ description $
shadowLastChange $ shadowMin $ shadowMax $
shadowWarning $ shadowInactive $
shadowExpire $ shadowFlag )
)
objectClasses: (
1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top AUXILIARY
DESC 'Abstraction of a group of accounts'
MUST gidNumber
MAY ( userPassword $ memberUid $
description )
)
objectClasses: (
1.3.6.1.1.1.2.3 NAME 'ipService' SUP top STRUCTURAL
DESC 'Abstraction an Internet Protocol service.
Maps an IP port and protocol (such as tcp or udp)
to one or more names; the distinguished value of
the cn attribute denotes the services canonical
name'
MUST ( cn $ ipServicePort $ ipServiceProtocol )
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.4 NAME 'ipProtocol' SUP top STRUCTURAL
DESC 'Abstraction of an IP protocol. Maps a protocol number
to one or more names. The distinguished value of the cn
attribute denotes the protocols canonical name'
MUST ( cn $ ipProtocolNumber )
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.5 NAME 'oncRpc' SUP top STRUCTURAL
DESC 'Abstraction of an Open Network Computing (ONC)
[RFC1057] Remote Procedure Call (RPC) binding.
This class maps an ONC RPC number to a name.
The distinguished value of the cn attribute denotes
the RPC services canonical name'
MUST ( cn $ oncRpcNumber )
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.6 NAME 'ipHost' SUP top AUXILIARY
DESC 'Abstraction of a host, an IP device. The distinguished
value of the cn attribute denotes the hosts canonical
name. Device SHOULD be used as a structural class'
MUST ( cn $ ipHostNumber )
MAY ( userPassword $ l $ description $ manager )
)
objectClasses: (
1.3.6.1.1.1.2.7 NAME 'ipNetwork' SUP top STRUCTURAL
DESC 'Abstraction of a network. The distinguished value of
the cn attribute denotes the networks canonical name'
MUST ipNetworkNumber
MAY ( cn $ ipNetmaskNumber $ l $ description $ manager )
)
objectClasses: (
1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other netgroups'
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description )
)
objectClasses: (
1.3.6.1.1.1.2.9 NAME 'nisMap' SUP top STRUCTURAL
DESC 'A generic abstraction of a NIS map'
MUST nisMapName
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.10 NAME 'nisObject' SUP top STRUCTURAL
DESC 'An entry in a NIS map'
MUST ( cn $ nisMapEntry $ nisMapName )
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.11 NAME 'ieee802Device' SUP top AUXILIARY
DESC 'A device with a MAC address; device SHOULD be
used as a structural class'
MAY macAddress
)
objectClasses: (
1.3.6.1.1.1.2.12 NAME 'bootableDevice' SUP top AUXILIARY
DESC 'A device with boot parameters; device SHOULD be
used as a structural class'
MAY ( bootFile $ bootParameter )
)
objectClasses: (
1.3.6.1.1.1.2.14 NAME 'nisKeyObject' SUP top AUXILIARY
DESC 'An object with a public and secret key'
MUST ( cn $ nisPublicKey $ nisSecretKey )
MAY ( uidNumber $ description )
)
objectClasses: (
1.3.6.1.1.1.2.15 NAME 'nisDomainObject' SUP top AUXILIARY
DESC 'Associates a NIS domain with a naming context'
MUST nisDomain
)
objectClasses: (
1.3.6.1.1.1.2.16 NAME 'automountMap' SUP top STRUCTURAL
MUST ( automountMapName )
MAY description
)
objectClasses: (
1.3.6.1.1.1.2.17 NAME 'automount' SUP top STRUCTURAL
DESC 'Automount information'
MUST ( automountKey $ automountInformation )
MAY description
)
## namedObject is needed for groups without members
objectClasses: (
1.3.6.1.4.1.5322.13.1.1 NAME 'namedObject' SUP top STRUCTURAL
MAY cn
)
16 years, 6 months