January 2010 - 389-commits - Fedora Mailing-Lists

esc/src/app/xul/esc/chrome/content/esc ESC.js, 1.26, 1.27

by Jack Magne

Author: jmagne Update of /cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv17514 Modified Files: ESC.js Log Message: Resolves: #469867 Cannot use arrow keys with esc. Resolves: 469233 If format fails because of a misconfiguration, it should no longer show the progress bar. Index: ESC.js =================================================================== RCS file: /cvs/dirsec/esc/src/app/xul/esc/chrome/content/esc/ESC.js,v retrieving revision 1.26 retrieving revision 1.27 diff -u -r1.26 -r1.27 --- ESC.js 21 Jan 2010 00:56:11 -0000 1.26 +++ ESC.js 28 Jan 2010 19:22:29 -0000 1.27 @@ -29,6 +29,8 @@ var gFactoryMode = 0; var gHiddenPage = 0; var gExternalUI = 0; +var gErrorAlready = 0; + loadStringBundle(); //ESC constants @@ -1792,9 +1794,63 @@ UpdateCoolKeyAvailabilityForEnrollment(); } +function AdminKeyPressHandler(evt) +{ + var newitem = null; + var olditem = null; + var offset = 0; + var selectedIndex = 0; + + var list = document.getElementById("AdminBindingList"); + if(!list) + return; + + var numRows = list.getRowCount(); + if(numRows == 0) + { + return; + } + selectedIndex = list.selectedIndex; + + if(selectedIndex == -1) + { + olditem = list.getItemAtIndex(0); + if(olditem) { + list.selectItem(olditem); + olditem.click(); + } + } + selectedIndex = list.selectedIndex; + olditem = list.getItemAtIndex(selectedIndex); + + if(evt.keyCode == KeyEvent.DOM_VK_UP) { + offset = -1; + } + if(evt.keyCode == KeyEvent.DOM_VK_DOWN) { + offset = 1; + } + + if(offset == 0) + return; + + if(olditem) { + list.moveByOffset( offset , 1, 0); + newitem = list.getItemAtIndex(list.selectedIndex); + olditem.blur(); + if(newitem) + newitem.click(); + } +} + function InitializeAdminBindingList() { + var list = document.getElementById("AdminBindingList"); + + if(list) { + list.addEventListener("keypress", AdminKeyPressHandler, false); + } + gAdminPage = 1; UpdateAdminBindingListAvailability(); @@ -1802,6 +1858,7 @@ DoSetEnrolledBrowserLaunchState(); DoHandleEnrolledBrowserLaunch(); + window.setTimeout('ShowWindow()',250); } @@ -2540,6 +2597,8 @@ listrow.setAttribute("flex","1"); listrow.setAttribute("id",KeyToRowID(keyType,keyID)); + var listBoxSize = adminListBox.getRowCount(); + var imageCell = InsertListCell(listrow); if(!imageCell) @@ -2763,6 +2822,7 @@ var tokencode = null; var failed = 0; + gErrorAlready = 0; if (type == "userKey") { @@ -2793,12 +2853,13 @@ { UpdateAdminListRow(keyType,keyID); UpdateAdminKeyDetailsArea(keyType,keyID); - if(!failed) + if(!failed && !gErrorAlready) { AdminToggleStatusProgress(1,keyType,keyID); UpdateAdminKeyAreaDetailsLabel(getBundleString("enrollingToken")); } } + gErrorAlready = 0; } function DoCollectPassword(operation) @@ -2823,6 +2884,7 @@ var screennamepwd = null; var failed = 0; + gErrorAlready = 0; if (GetCoolKeyIsEnrolled(keyType, keyID)) { @@ -2844,12 +2906,13 @@ UpdateAdminListRow(keyType,keyID); UpdateAdminKeyDetailsArea(keyType,keyID); - if(!failed) + if(!failed && !gErrorAlready) { AdminToggleStatusProgress(1,keyType,keyID); UpdateAdminKeyAreaDetailsLabel(getBundleString("resettingTokenPIN")); } } + gErrorAlready = 0; } function DoFormatCoolKey(type) @@ -2866,6 +2929,7 @@ var failed = 0; var globalType = GetCachedTokenType(keyID); + gErrorAlready = 0; if(!type) lType = gKeyEnrollmentType; else @@ -2891,12 +2955,13 @@ { UpdateAdminListRow(keyType,keyID); UpdateAdminKeyDetailsArea(keyType,keyID); - if(!failed) + if(!failed && !gErrorAlready) { AdminToggleStatusProgress(1,keyType,keyID); UpdateAdminKeyAreaDetailsLabel(getBundleString("formatingToken")); } } + gErrorAlready = 0; } function DoCancelOperation() { @@ -3157,6 +3222,7 @@ AdminToggleStatusProgress(0,keyType,keyID); } + gErrorAlready = 1; if(!CheckForSecurityMode()) MyAlert(typeStr); ClearProgressBar(KeyToProgressBarID(keyType, keyID)); @@ -3327,7 +3393,6 @@ function loadExternalESCUI() { - esc_enroll_uri = null; var keyType= null; @@ -3390,6 +3455,7 @@ UpdateEnrollmentArea(keyType,keyID,inserted,showFullUI,showExternalUI); ui_id.addProgressListener(uiListener,Components.interfaces.nsIWebProgress.NOTIFY_STATE_DOCUMENT); ui_id.setAttribute("src",esc_enroll_uri); + } }

13 years, 10 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/slapd/valueset.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) New commits: commit 246527f4c01d32289e0082083d364563af59635a Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Thu Jan 28 10:36:40 2010 -0800 247413 - Incorrect error on multiple identical value add https://bugzilla.redhat.com/show_bug.cgi?id=247413 [Problem Description] Adding multiple identical values returns "Operations error (LDAP_OPERATIONS_ERROR == 0x1)" instead of "Type or value exists (LDAP_TYPE_OR_VALUE_EXISTS == 0x14)" E.g., dn: ou=test,dc=example,dc=com changetype: modify replace: description description: test description: test modifying entry "ou=test,dc=example,dc=com" ldap_modify: Operations error (1) [Fix Description] API valueset_replace used to override any error from the lower layer with LDAP_OPERATIONS_ERROR. If the error is LDAP_TYPE_OR_VALUE_EXISTS, the error is now returned as is. diff --git a/ldap/servers/slapd/valueset.c b/ldap/servers/slapd/valueset.c index 3df302f..7334a7a 100644 --- a/ldap/servers/slapd/valueset.c +++ b/ldap/servers/slapd/valueset.c @@ -1358,7 +1358,9 @@ valueset_replace(Slapi_Attr *a, Slapi_ValueSet *vs, Slapi_Value **valstoreplace) Avlnode *vtree = NULL; rc = valuetree_add_valuearray( a->a_type, a->a_plugin, valstoreplace, &vtree, NULL ); valuetree_free(&vtree); - if ( LDAP_SUCCESS != rc ) + if ( LDAP_SUCCESS != rc && + /* bz 247413: don't override LDAP_TYPE_OR_VALUE_EXISTS */ + LDAP_TYPE_OR_VALUE_EXISTS != rc ) { /* There were already duplicate values in the value set */ rc = LDAP_OPERATIONS_ERROR;

13 years, 10 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/plugins/referint/referint.c | 702 +++++++++++++++++++++---------- 1 file changed, 493 insertions(+), 209 deletions(-) New commits: commit 3fdcbddd6c4939954e3393f78ded57cd253fa764 Author: Noriko Hosoi <nhosoi(a)jiji.localdomain> Date: Thu Jan 28 08:51:32 2010 -0800 557224 - subtree rename breaks the referential integrity plug-in https://bugzilla.redhat.com/show_bug.cgi?id=557224 Fix Description: The referential integrity plugin has not supported the subtree rename (modrdn with newsuperior). This patch is adding the support. There are 2 typical cases. (case 1) DN that modrdn modifies matches the value of attributes which is the target of the referential integrity. E.g., modrdn: uid=A,ou=B,o=C --> uid=AA,ou=BB,o=C then, member: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C seeAlso: uid=A,ou=B,ou=C --> uid=AA,ou=BB,ou=C (case 2) DN that modrdn modifies is the ancestor of the value of attributes which is the target of the referential integrity. E.g., modrdn: ou=B,o=C --> ou=BB,o=C then, member: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C seeAlso: uid=A,ou=B,ou=C --> uid=A,ou=BB,ou=C diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c index 1c36982..a38ad0a 100644 --- a/ldap/servers/plugins/referint/referint.c +++ b/ldap/servers/plugins/referint/referint.c @@ -77,10 +77,10 @@ int referint_postop_del( Slapi_PBlock *pb ); int referint_postop_modrdn( Slapi_PBlock *pb ); int referint_postop_start( Slapi_PBlock *pb); int referint_postop_close( Slapi_PBlock *pb); -int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges); +int update_integrity(char **argv, char *origDN, char *newrDN, char *newsuperior, int logChanges); void referint_thread_func(void *arg); int GetNextLine(char *dest, int size_dest, PRFileDesc *stream); -void writeintegritylog(char *logfilename, char *dn, char *newrdn); +void writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior); int my_fgetc(PRFileDesc *stream); /* global thread control stuff */ @@ -199,10 +199,10 @@ referint_postop_del( Slapi_PBlock *pb ) }else if(delay == 0){ /* no delay */ /* call function to update references to entry */ - rc = update_integrity(argv, dn, NULL, logChanges); + rc = update_integrity(argv, dn, NULL, NULL, logChanges); }else{ /* write the entry to integrity log */ - writeintegritylog(argv[1],dn, NULL); + writeintegritylog(argv[1],dn, NULL, NULL); rc = 0; } } else { @@ -220,6 +220,7 @@ referint_postop_modrdn( Slapi_PBlock *pb ) { char *dn; char *newrdn; + char *newsuperior; int oprc; int rc; char **argv; @@ -230,9 +231,10 @@ referint_postop_modrdn( Slapi_PBlock *pb ) if ( slapi_pblock_get( pb, SLAPI_IS_REPLICATED_OPERATION, &isrepop ) != 0 || slapi_pblock_get( pb, SLAPI_MODRDN_TARGET, &dn ) != 0 || - slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ) != 0 || - slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 ){ - + slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn ) != 0 || + slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &newsuperior ) != 0 || + slapi_pblock_get(pb, SLAPI_PLUGIN_OPRETURN, &oprc) != 0 ){ + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, "referint_postop_modrdn: could not get parameters\n" ); return( -1 ); @@ -280,10 +282,10 @@ referint_postop_modrdn( Slapi_PBlock *pb ) }else if(delay == 0){ /* no delay */ /* call function to update references to entry */ - rc = update_integrity(argv, dn, newrdn, logChanges); + rc = update_integrity(argv, dn, newrdn, newsuperior, logChanges); }else{ /* write the entry to integrity log */ - writeintegritylog(argv[1],dn, newrdn); + writeintegritylog(argv[1],dn, newrdn, newsuperior); rc = 0; } @@ -310,202 +312,466 @@ int isFatalSearchError(int search_result) } -int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ - - Slapi_PBlock *search_result_pb = NULL; - Slapi_PBlock *mod_result_pb = NULL; - Slapi_Entry **search_entries = NULL; - int search_result; - Slapi_DN *sdn = NULL; - Slapi_Value *oldDNslv = NULL; - void *node = NULL; - LDAPMod attribute1, attribute2; - const LDAPMod *list_of_mods[3]; - char *values_del[2]; - char *values_add[2]; - char *filter = NULL; - int i, j; - const char *search_base = NULL; - char *newDN=NULL; - char **dnParts=NULL; - int dnsize; - int x; - int rc; - - if ( argv == NULL ) { - slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, - "referint_postop required config file arguments missing\n" ); - rc = -1; - goto free_and_return; - } - - oldDNslv = slapi_value_new_string(origDN); - /* for now, just putting attributes to keep integrity on in conf file, - until resolve the other timing mode issue */ +static int +_do_modify(Slapi_PBlock *mod_pb, const char *entryDN, LDAPMod **mods) +{ + int rc = 0; + + slapi_pblock_init(mod_pb); + + /* Use internal operation API */ + slapi_modify_internal_set_pb(mod_pb, entryDN, mods, NULL, NULL, + referint_plugin_identity, 0); + slapi_modify_internal_pb(mod_pb); + slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &rc); + + return rc; +} + +/* + * update one attribute value per _do_modify + */ +static int +_update_one_per_mod(const char *entryDN, /* DN of the searched entry */ + Slapi_Attr *attr, /* referred attribute */ + char *attrName, + char *origDN, /* original DN that was modified */ + char *norm_origDN, /* normalized original DN */ + char *newRDN, /* new RDN from modrdn */ + char *newsuperior, /* new superior from modrdn */ + Slapi_PBlock *mod_pb) +{ + LDAPMod *list_of_mods[3]; + char *values_del[2]; + char *values_add[2]; + char *newDN = NULL; + char **dnParts = NULL; + char *sval = NULL; + char *newvalue = NULL; + LDAPMod attribute1, attribute2; + int rc = 0; + + if (NULL == newRDN && NULL == newsuperior) { + /* in delete mode */ + /* delete old dn so set that up */ + values_del[0] = origDN; + values_del[1] = NULL; + attribute1.mod_type = attrName; + attribute1.mod_op = LDAP_MOD_DELETE; + attribute1.mod_values = values_del; + list_of_mods[0] = &attribute1; + /* terminate list of mods. */ + list_of_mods[1] = NULL; + rc = _do_modify(mod_pb, entryDN, list_of_mods); + if (rc) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "_update_one_value: entry %s: deleting \"%s: %s\" failed (%d)" + "\n", entryDN, attrName, origDN, rc); + } + } else { + /* in modrdn mode */ + const char *superior = NULL; + int nval = 0; + Slapi_Value *v = NULL; + + /* need to put together rdn into a dn */ + dnParts = ldap_explode_dn( origDN, 0 ); + if (NULL == newRDN) { + newRDN = dnParts[0]; + } + if (newsuperior) { + superior = (const char *)newsuperior; + } else { + /* no need to free superior */ + superior = slapi_dn_find_parent(origDN); + } + newDN = slapi_ch_smprintf("%s,%s", newRDN, superior); + /* + * Compare the modified dn with the value of + * the target attribute of referint to find out + * the modified dn is the ancestor (case 2) or + * the value itself (case 1). + * + * E.g., + * (case 1) + * modrdn: uid=A,ou=B,o=C --> uid=A',ou=B',o=C + * (origDN) (newDN) + * member: uid=A,ou=B,ou=C --> uid=A',ou=B',ou=C + * (sval) (newDN) + * + * (case 2) + * modrdn: ou=B,o=C --> ou=B',o=C + * (origDN) (newDN) + * member: uid=A,ou=B,ou=C --> uid=A,ou=B',ou=C + * (sval) (sval' + newDN) + */ + for (nval = slapi_attr_first_value(attr, &v); + nval != -1; + nval = slapi_attr_next_value(attr, nval, &v)) { + char *p = NULL; + /* DN syntax, which should be a string */ + sval = slapi_ch_strdup(slapi_value_get_string(v)); + slapi_dn_normalize_case(sval); + p = PL_strstr(sval, norm_origDN); + if (p == sval) { + /* (case 1) */ + values_del[0] = sval; + values_del[1] = NULL; + attribute1.mod_type = attrName; + attribute1.mod_op = LDAP_MOD_DELETE; + attribute1.mod_values = values_del; + list_of_mods[0] = &attribute1; + + values_add[0] = newDN; + values_add[1] = NULL; + attribute2.mod_type = attrName; + attribute2.mod_op = LDAP_MOD_ADD; + attribute2.mod_values = values_add; + list_of_mods[1] = &attribute2; + list_of_mods[2] = NULL; + rc = _do_modify(mod_pb, entryDN, list_of_mods); + if (rc) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "_update_one_value: entry %s: replacing \"%s: %s\" " + "with \"%s: %s\" failed (%d)\n", + entryDN, attrName, origDN, attrName, newDN, rc); + } + } else if (p) { + char bak; + /* (case 2) */ + values_del[0] = sval; + values_del[1] = NULL; + attribute1.mod_type = attrName; + attribute1.mod_op = LDAP_MOD_DELETE; + attribute1.mod_values = values_del; + list_of_mods[0] = &attribute1; + + bak = *p; + *p = '\0'; + newvalue = slapi_ch_smprintf("%s%s", sval, newDN); + *p = bak; + values_add[0]=newvalue; + values_add[1]=NULL; + attribute2.mod_type = attrName; + attribute2.mod_op = LDAP_MOD_ADD; + attribute2.mod_values = values_add; + list_of_mods[1] = &attribute2; + list_of_mods[2] = NULL; + rc = _do_modify(mod_pb, entryDN, list_of_mods); + if (rc) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "_update_one_value: entry %s: replacing \"%s: %s\" " + "with \"%s: %s\" failed (%d)\n", + entryDN, attrName, sval, attrName, newvalue, rc); + } + slapi_ch_free_string(&newvalue); + } + /* else: value does not include the modified DN. Ignore it. */ + slapi_ch_free_string(&sval); + } + + /* cleanup memory allocated for dnParts and newDN */ + if (dnParts){ + slapi_ldap_value_free(dnParts); + dnParts = NULL; + } + slapi_ch_free_string(&newDN); + } +bail: + /* in case these memories have not freed */ + slapi_ch_free_string(&newvalue); + slapi_ch_free_string(&sval); + if (dnParts){ + slapi_ldap_value_free(dnParts); + dnParts = NULL; + } + slapi_ch_free_string(&newDN); + + return rc; +} + +/* + * update multiple attribute values per _do_modify + */ +static int +_update_all_per_mod(const char *entryDN, /* DN of the searched entry */ + Slapi_Attr *attr, /* referred attribute */ + char *attrName, + char *origDN, /* original DN that was modified */ + char *norm_origDN, /* normalized original DN */ + char *newRDN, /* new RDN from modrdn */ + char *newsuperior, /* new superior from modrdn */ + Slapi_PBlock *mod_pb) +{ + Slapi_Mods *smods = NULL; + char *newDN = NULL; + char **dnParts = NULL; + char *sval = NULL; + char *newvalue = NULL; + int rc = 0; + int nval = 0; + + slapi_attr_get_numvalues(attr, &nval); + + if (NULL == newRDN && NULL == newsuperior) { + /* in delete mode */ + LDAPMod *mods[2]; + char *values_del[2]; + LDAPMod attribute1; + + /* delete old dn so set that up */ + values_del[0] = origDN; + values_del[1] = NULL; + attribute1.mod_type = attrName; + attribute1.mod_op = LDAP_MOD_DELETE; + attribute1.mod_values = values_del; + mods[0] = &attribute1; + /* terminate list of mods. */ + mods[1] = NULL; + rc = _do_modify(mod_pb, entryDN, mods); + if (rc) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "_update_one_value: entry %s: deleting \"%s: %s\" failed (%d)" + "\n", entryDN, attrName, origDN, rc); + } + } else { + /* in modrdn mode */ + const char *superior = NULL; + int nval = 0; + Slapi_Value *v = NULL; + + /* need to put together rdn into a dn */ + dnParts = ldap_explode_dn( origDN, 0 ); + if (NULL == newRDN) { + newRDN = dnParts[0]; + } + if (newsuperior) { + superior = (const char *)newsuperior; + } else { + /* no need to free superior */ + superior = slapi_dn_find_parent(origDN); + } + newDN = slapi_ch_smprintf("%s,%s", newRDN, superior); + /* + * Compare the modified dn with the value of + * the target attribute of referint to find out + * the modified dn is the ancestor (case 2) or + * the value itself (case 1). + * + * E.g., + * (case 1) + * modrdn: uid=A,ou=B,o=C --> uid=A',ou=B',o=C + * (origDN) (newDN) + * member: uid=A,ou=B,ou=C --> uid=A',ou=B',ou=C + * (sval) (newDN) + * + * (case 2) + * modrdn: ou=B,o=C --> ou=B',o=C + * (origDN) (newDN) + * member: uid=A,ou=B,ou=C --> uid=A,ou=B',ou=C + * (sval) (sval' + newDN) + */ + slapi_attr_get_numvalues(attr, &nval); + smods = slapi_mods_new(); + slapi_mods_init(smods, 2 * nval + 1); + + for (nval = slapi_attr_first_value(attr, &v); + nval != -1; + nval = slapi_attr_next_value(attr, nval, &v)) { + char *p = NULL; + /* DN syntax, which should be a string */ + sval = slapi_ch_strdup(slapi_value_get_string(v)); + slapi_dn_normalize_case(sval); + p = PL_strstr(sval, norm_origDN); + if (p == sval) { + /* (case 1) */ + slapi_mods_add_string(smods, LDAP_MOD_DELETE, attrName, sval); + slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newDN); + + } else if (p) { + /* (case 2) */ + slapi_mods_add_string(smods, LDAP_MOD_DELETE, attrName, sval); + *p = '\0'; + newvalue = slapi_ch_smprintf("%s%s", sval, newDN); + slapi_mods_add_string(smods, LDAP_MOD_ADD, attrName, newvalue); + slapi_ch_free_string(&newvalue); + } + /* else: value does not include the modified DN. Ignore it. */ + slapi_ch_free_string(&sval); + } + rc = _do_modify(mod_pb, entryDN, slapi_mods_get_ldapmods_byref(smods)); + if (rc) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "_update_all_value: entry %s failed (%d)\n", + entryDN, rc); + } + + /* cleanup memory allocated for dnParts and newDN */ + if (dnParts){ + slapi_ldap_value_free(dnParts); + dnParts = NULL; + } + slapi_ch_free_string(&newDN); + slapi_mods_free(&smods); + } + + return rc; +} + +int +update_integrity(char **argv, char *origDN, + char *newrDN, char *newsuperior, int logChanges) +{ + Slapi_PBlock *search_result_pb = NULL; + Slapi_PBlock *mod_pb = slapi_pblock_new(); + Slapi_Entry **search_entries = NULL; + int search_result; + Slapi_DN *sdn = NULL; + void *node = NULL; + char *filter = NULL; + int i, j; + const char *search_base = NULL; + char *norm_origDN = NULL; + int rc; + + if ( argv == NULL ) { + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "referint_postop required config file arguments missing\n" ); + rc = -1; + goto free_and_return; + } - /* Search each namingContext in turn */ - for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL; - sdn = slapi_get_next_suffix( &node, 0 )) - { - search_base = slapi_sdn_get_dn( sdn ); + /* for now, just putting attributes to keep integrity on in conf file, + until resolve the other timing mode issue */ - - for(i=3; argv[i] != NULL; i++) - { - unsigned long filtlen = strlen(argv[i]) + (strlen(origDN) * 3 ) + 4; - filter = (char *)slapi_ch_calloc( filtlen, sizeof(char )); - if (( search_result = ldap_create_filter( filter, filtlen, "(%a=%e)", - NULL, NULL, argv[i], origDN, NULL )) == LDAP_SUCCESS ) { - - /* Need only the current attribute and its subtypes */ - char * attrs[2]; - attrs[0]=argv[i]; - attrs[1]=NULL; - - /* Use new search API */ - search_result_pb = slapi_pblock_new(); - slapi_search_internal_set_pb(search_result_pb, search_base, LDAP_SCOPE_SUBTREE, - filter, attrs, 0 /* attrs only */, NULL,NULL,referint_plugin_identity,0); - slapi_search_internal_pb(search_result_pb); - - slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, &search_result); - } - - - /* if search successfull then do integrity update */ - if(search_result == 0) - { - slapi_pblock_get( search_result_pb,SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, - &search_entries); - - for(j=0; search_entries[j] != NULL; j++) - { - Slapi_Attr *attr = NULL; - char *attrName = NULL; - - /* Loop over all the attributes of the entry and search for the integrity attribute and its subtypes */ - for (slapi_entry_first_attr(search_entries[j], &attr); attr; slapi_entry_next_attr(search_entries[j], attr, &attr)) - { - /* Take into account only the subtypes of the attribute in argv[i] having the necessary value - origDN */ - slapi_attr_get_type(attr, &attrName); - if ((slapi_attr_type_cmp(argv[i], attrName, SLAPI_TYPE_CMP_SUBTYPE) == 0) && - (slapi_attr_value_find(attr, slapi_value_get_berval(oldDNslv)) == 0)) - { - /* no matter what mode in always going to delete old dn so set that up */ - values_del[0]= origDN; - values_del[1]= NULL; - attribute1.mod_type = attrName; - attribute1.mod_op = LDAP_MOD_DELETE; - attribute1.mod_values = values_del; - list_of_mods[0] = &attribute1; - - if(newrDN == NULL){ - /* in delete mode so terminate list of mods cause this is the only one */ - list_of_mods[1] = NULL; - }else if(newrDN != NULL){ - /* in modrdn mode */ - - /* need to put together rdn into a dn */ - dnParts = ldap_explode_dn( origDN, 0 ); - - /* skip original rdn so start at 1*/ - dnsize = 0; - for(x=1; dnParts[x] != NULL; x++) - { - /* +1 for comma adding later */ - dnsize += strlen(dnParts[x]) + 1; - } - /* add the newrDN length */ - dnsize += strlen(newrDN) + 1; - - newDN = slapi_ch_calloc(dnsize, sizeof(char)); - strcat(newDN, newrDN); - for(x=1; dnParts[x] != NULL; x++) - { - strcat(newDN, ","); - strcat(newDN, dnParts[x]); - } - - values_add[0]=newDN; - values_add[1]=NULL; - attribute2.mod_type = attrName; - attribute2.mod_op = LDAP_MOD_ADD; - attribute2.mod_values = values_add; - - /* add the new dn to list of mods and terminate list of mods */ - list_of_mods[1] = &attribute2; - list_of_mods[2] = NULL; - - } - - /* try to cleanup entry */ - - /* Use new internal operation API */ - mod_result_pb=slapi_pblock_new(); - slapi_modify_internal_set_pb(mod_result_pb,slapi_entry_get_dn(search_entries[j]), - (LDAPMod **)list_of_mods,NULL,NULL,referint_plugin_identity,0); - slapi_modify_internal_pb(mod_result_pb); - - /* could check the result code here if want to log it or something later - for now, continue no matter what result is */ - - slapi_pblock_destroy(mod_result_pb); - - /* cleanup memory allocated for dnParts and newDN */ - if(dnParts != NULL){ - for(x=0; dnParts[x] != NULL; x++) - { - slapi_ch_free_string(&dnParts[x]); - } - slapi_ch_free((void **)&dnParts); - } - slapi_ch_free_string(&newDN); - } - } - } - - - - }else{ - if(isFatalSearchError(search_result)) - { - /* NPCTE fix for bugid 531225, esc 0. <P.R> <30-May-2001> */ - slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, - "referint_postop search (base=%s filter=%s) returned error %d\n", search_base,filter,search_result ); - /* end of NPCTE fix for bugid 531225 */ - rc = -1; - goto free_and_return; - } - - } - - slapi_ch_free((void**)&filter); + norm_origDN = slapi_ch_strdup(origDN); + slapi_dn_normalize_case(norm_origDN); - if(search_result_pb != NULL){ - slapi_free_search_results_internal(search_result_pb); - slapi_pblock_destroy(search_result_pb); - search_result_pb= NULL; - } + search_result_pb = slapi_pblock_new(); - } - } - /* if got here, then everything good rc = 0 */ - rc = 0; + /* Search each namingContext in turn */ + for ( sdn = slapi_get_first_suffix( &node, 0 ); sdn != NULL; + sdn = slapi_get_next_suffix( &node, 0 )) + { + search_base = slapi_sdn_get_dn( sdn ); -free_and_return: + for(i = 3; argv[i] != NULL; i++) + { + unsigned long filtlen = strlen(argv[i]) + (strlen(origDN) * 3 ) + 5; + filter = (char *)slapi_ch_calloc( filtlen, sizeof(char )); + if (( search_result = ldap_create_filter( filter, filtlen, + "(%a=*%e)", NULL, NULL, argv[i], origDN, NULL )) + == LDAP_SUCCESS ) { + + /* Need only the current attribute and its subtypes */ + char *attrs[2]; + attrs[0] = argv[i]; + attrs[1] = NULL; + + /* Use new search API */ + slapi_pblock_init(search_result_pb); + slapi_search_internal_set_pb(search_result_pb, search_base, + LDAP_SCOPE_SUBTREE, filter, attrs, 0 /* attrs only */, + NULL, NULL, referint_plugin_identity, 0); + slapi_search_internal_pb(search_result_pb); + + slapi_pblock_get( search_result_pb, SLAPI_PLUGIN_INTOP_RESULT, + &search_result); + } - slapi_value_free(&oldDNslv); + /* if search successfull then do integrity update */ + if(search_result == LDAP_SUCCESS) + { + slapi_pblock_get(search_result_pb, + SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, + &search_entries); - /* free filter and search_results_pb */ - slapi_ch_free_string(&filter); + for(j=0; search_entries[j] != NULL; j++) + { + Slapi_Attr *attr = NULL; + char *attrName = NULL; + + /* Loop over all the attributes of the entry and search + * for the integrity attribute and its subtypes */ + for (slapi_entry_first_attr(search_entries[j], &attr); attr; + slapi_entry_next_attr(search_entries[j], attr, &attr)) + { + /* Take into account only the subtypes of the attribute + * in argv[i] having the necessary value - origDN */ + slapi_attr_get_type(attr, &attrName); + if (slapi_attr_type_cmp(argv[i], attrName, + SLAPI_TYPE_CMP_SUBTYPE) == 0) + { + int nval = 0; + slapi_attr_get_numvalues(attr, &nval); + + /* + * We want to reduce the "modify" call as much as + * possible. But if an entry contains 1000s of + * attributes which need to be updated by the + * referint plugin (e.g., a group containing 1000s + * of members), we want to avoid to allocate too + * many mods * in one "modify" call. + * This is a compromise: If an attribute type has + * more than 128 values, we update the attribute + * value one by one. Otherwise, update all values + * in one "modify" call. + */ + if (nval > 128) { + rc = _update_one_per_mod( + slapi_entry_get_dn(search_entries[j]), + attr, attrName, + origDN, norm_origDN, + newrDN, newsuperior, + mod_pb); + } else { + rc = _update_all_per_mod( + slapi_entry_get_dn(search_entries[j]), + attr, attrName, + origDN, norm_origDN, + newrDN, newsuperior, + mod_pb); + } + /* Should we stop if one modify returns an error? */ + } + } + } + } else { + if (isFatalSearchError(search_result)) + { + /* NPCTE fix for bugid 531225, esc 0. <P.R> <30-May-2001> */ + slapi_log_error( SLAPI_LOG_FATAL, REFERINT_PLUGIN_SUBSYSTEM, + "update_integrity search (base=%s filter=%s) returned " + "error %d\n", search_base, filter, search_result); + /* end of NPCTE fix for bugid 531225 */ + rc = -1; + goto free_and_return; + } + } - if(search_result_pb != NULL) - { - slapi_free_search_results_internal(search_result_pb); - slapi_pblock_destroy(search_result_pb); - } + slapi_ch_free((void**)&filter); + + if (search_result_pb) { + slapi_free_search_results_internal(search_result_pb); + } + } + } + /* if got here, then everything good rc = 0 */ + rc = 0; + +free_and_return: + slapi_ch_free_string(&norm_origDN); + + /* free filter and search_results_pb */ + slapi_ch_free_string(&filter); - return(rc); + slapi_pblock_destroy(mod_pb); + if (search_result_pb) { + slapi_free_search_results_internal(search_result_pb); + slapi_pblock_destroy(search_result_pb); + } + + return(rc); } int referint_postop_start( Slapi_PBlock *pb) @@ -585,8 +851,9 @@ int referint_postop_close( Slapi_PBlock *pb) return(0); } -void referint_thread_func(void *arg){ - +void +referint_thread_func(void *arg) +{ char **plugin_argv = (char **)arg; PRFileDesc *prfd; char *logfilename; @@ -595,7 +862,7 @@ void referint_thread_func(void *arg){ int no_changes; char delimiter[]="\t\n"; char *ptoken; - char *tmpdn, *tmprdn; + char *tmpdn, *tmprdn, *tmpsuperior; int logChanges=0; char * iter = NULL; @@ -659,18 +926,24 @@ void referint_thread_func(void *arg){ strcpy(tmpdn, ptoken); ptoken = ldap_utf8strtok_r (NULL, delimiter, &iter); - if(!strcasecmp(ptoken, "NULL")){ + if(!strcasecmp(ptoken, "NULL")) { tmprdn = NULL; - }else{ - tmprdn = slapi_ch_calloc(strlen(ptoken) + 1, sizeof(char)); - strcpy(tmprdn, ptoken); + } else { + tmprdn = slapi_ch_smprintf("%s", ptoken); } + ptoken = ldap_utf8strtok_r (NULL, delimiter, &iter); + if (!strcasecmp(ptoken, "NULL")) { + tmpsuperior = NULL; + } else { + tmpsuperior = slapi_ch_smprintf("%s", ptoken); + } - update_integrity(plugin_argv, tmpdn, tmprdn, logChanges); + update_integrity(plugin_argv, tmpdn, tmprdn, tmpsuperior, logChanges); - slapi_ch_free((void **) &tmpdn); - slapi_ch_free((void **) &tmprdn); + slapi_ch_free_string(&tmpdn); + slapi_ch_free_string(&tmprdn); + slapi_ch_free_string(&tmpsuperior); } PR_Close(prfd); @@ -782,7 +1055,9 @@ GetNextLine(char *dest, int size_dest, PRFileDesc *stream) { return i; } -void writeintegritylog(char *logfilename, char *dn, char *newrdn){ +void +writeintegritylog(char *logfilename, char *dn, char *newrdn, char *newsuperior) +{ PRFileDesc *prfd; char buffer[MAX_LINE]; int len_to_write = 0; @@ -820,6 +1095,14 @@ void writeintegritylog(char *logfilename, char *dn, char *newrdn){ /* add the length of the newrdn */ len_to_write += strlen(newrdn); } + if(NULL == newsuperior) + { + /* add the length of "NULL" */ + len_to_write += 4; + }else{ + /* add the length of the newsuperior */ + len_to_write += strlen(newsuperior); + } if(len_to_write > MAX_LINE ) { @@ -828,9 +1111,10 @@ void writeintegritylog(char *logfilename, char *dn, char *newrdn){ " line length exceeded. It will not be able" " to update references to this entry.\n"); }else{ - PR_snprintf(buffer, MAX_LINE, "%s\t%s\t\n", + PR_snprintf(buffer, MAX_LINE, "%s\t%s\t%s\t\n", dn, - (newrdn != NULL) ? newrdn : "NULL"); + (newrdn != NULL) ? newrdn : "NULL", + (newsuperior != NULL) ? newsuperior : "NULL"); if (PR_Write(prfd,buffer,strlen(buffer)) < 0){ slapi_log_error(SLAPI_LOG_FATAL,REFERINT_PLUGIN_SUBSYSTEM, " writeintegritylog: PR_Write failed : The disk"

13 years, 10 months

1
0
0 / 0

ldap/servers

by Nathan Kinder

ldap/servers/plugins/replication/windows_protocol_util.c | 203 +++++++++++---- 1 file changed, 159 insertions(+), 44 deletions(-) New commits: commit d9fdaf2c29bb2ead7f7a93f0b6b34c26a024a184 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Wed Jan 27 15:11:23 2010 -0800 Bug 549554 - Trim single-valued attributes before sending to AD There are a number of attributes that AD defines as single-valued that are multi-valued in the LDAP RFCs. We already had a few special cases in the winsync code where we only send one attribute to AD to allow the change to be accepted. We then simply check if the value in AD is present in DS when comparing entries for further changes. This fix cleans up that old implementation a bit by adding a static list of these single-valued attributes and a helper function to check if a particular type is in that list. I also had to extend the attr_compare_present() function to allow a length to be passed in for limiting the comparison to a portion of the values. This is needed for the initials attribute, which is single-valued and length constrained in AD. diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index fdcdc45..65de19d 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -180,6 +180,30 @@ static char* windows_group_matching_attributes[] = NULL }; +/* List of attributes that are single-valued in AD, but multi-valued in DS */ +static char * windows_single_valued_attributes[] = +{ + "facsimileTelephoneNumber", + "givenName", + "homePhone", + "homePostalAddress", + "initials", + "l", + "mail", + "mobile", + "pager", + "physicalDeliveryOfficeName", + "postalCode", + "sn", + "st", + "street", + FAKE_STREET_ATTR_NAME, + "streetAddress", + "telephoneNumber", + "title", + NULL +}; + /* List of attributes that are common to AD and LDAP, so we simply copy them over in both directions */ static char* nt4_user_matching_attributes[] = { @@ -1612,6 +1636,26 @@ is_straight_mapped_attr(const char *type, int is_user /* or group */, int is_nt4 } return found; } + +static int +is_single_valued_attr(const char *type) +{ + int found; + size_t offset = 0; + char *this_attr = NULL; + + /* Look for the type in the list of single-valued AD attributes */ + while ((this_attr = windows_single_valued_attributes[offset])) + { + if (0 == slapi_attr_type_cmp(this_attr, type, SLAPI_TYPE_CMP_SUBTYPE)) + { + found = 1; + break; + } + offset++; + } + return found; +} static void windows_map_attr_name(const char *original_type , int to_windows, int is_user, int is_create, char **mapped_type, int *map_dn) @@ -1740,18 +1784,38 @@ windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_ent if ( is_straight_mapped_attr(type,is_user,is_nt4) ) { + /* If this attribute is single-valued in AD, + * we only want to send the first value. */ + if (is_single_valued_attr(type)) + { + if (slapi_valueset_count(vs) > 1) { + int i = 0; + Slapi_Value *value = NULL; + Slapi_Value *new_value = NULL; + + i = slapi_valueset_first_value(vs,&value); + if (i >= 0) { + /* Dup the first value, trash the valueset, then copy in the dup'd value. */ + new_value = slapi_value_dup(value); + slapi_valueset_done(vs); + /* The below hands off the memory to the valueset */ + slapi_valueset_add_value_ext(vs, new_value, SLAPI_VALUE_FLAG_PASSIN); + } + } + } + /* The initials attribute is a special case. AD has a constraint - * that limits the value length. If we're sending a change to - * the initials attribute to AD, we trim if neccessary. - */ - if (0 == slapi_attr_type_cmp(type, "initials", SLAPI_TYPE_CMP_SUBTYPE)) { + * that limits the value length. If we're sending a change to + * the initials attribute to AD, we trim if neccessary. + */ + if (0 == slapi_attr_type_cmp(type, "initials", SLAPI_TYPE_CMP_SUBTYPE)) { int i = 0; const char *initials_value = NULL; - Slapi_Value *value = NULL; + Slapi_Value *value = NULL; - i = slapi_valueset_first_value(vs,&value); + i = slapi_valueset_first_value(vs,&value); while (i >= 0) { - initials_value = slapi_value_get_string(value); + initials_value = slapi_value_get_string(value); /* If > AD_INITIALS_LENGTH, trim the value */ if (strlen(initials_value) > AD_INITIALS_LENGTH) { @@ -1767,6 +1831,7 @@ windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_ent i = slapi_valueset_next_value(vs, i, &value); } } + /* copy over the attr values */ slapi_entry_add_valueset(new_entry,type,vs); } else @@ -2360,6 +2425,26 @@ windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, /* Check to see if this attribute is passed through */ if (is_straight_mapped_attr(attr_type,is_user,is_nt4)) { + /* If this attribute is single-valued in AD, + * we only want to send the first value. */ + if (is_single_valued_attr(attr_type)) { + Slapi_Mod smod; + + slapi_mod_init_byref(&smod,mod); + + /* Check if there is more than one value */ + if (slapi_mod_get_num_values(&smod) > 1) { + slapi_mod_get_first_value(&smod); + /* Remove all values except for the first */ + while (slapi_mod_get_next_value(&smod)) { + /* This modifies the bvalues in the mod itself */ + slapi_mod_remove_value(&smod); + } + } + + slapi_mod_done(&smod); + } + /* The initials attribute is a special case. AD has a constraint * that limits the value length. If we're sending a change to * the initials attribute to AD, we trim if neccessary. @@ -2421,11 +2506,9 @@ windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, slapi_valueset_free(vs); } else { - /* AD treats streetAddress as a single-valued attribute, while we define it - * as a multi-valued attribute as it's defined in rfc 4519. We only - * sync the first value to AD to avoid a constraint violation. - */ - if (0 == slapi_attr_type_cmp(mapped_type, "streetAddress", SLAPI_TYPE_CMP_SUBTYPE)) { + /* If this attribute is single-valued in AD, + * we only want to send the first value. */ + if (is_single_valued_attr(mapped_type)) { Slapi_Mod smod; slapi_mod_init_byref(&smod,mod); @@ -2533,7 +2616,7 @@ attr_compare_equal(Slapi_Attr *a, Slapi_Attr *b, int n) * If n is 0, then just compare the entire attribute. */ if ((va->bv.bv_len < n) || (vb->bv.bv_len < n) || (n == 0)) { if (va->bv.bv_len == vb->bv.bv_len) { - if (0 != memcmp(va->bv.bv_val, vb->bv.bv_val, va->bv.bv_len)) { + if (slapi_attr_value_find(b, slapi_value_get_berval(va)) != 0) { match = 0; } } else { @@ -2548,24 +2631,55 @@ attr_compare_equal(Slapi_Attr *a, Slapi_Attr *b, int n) return match; } -/* Returns non-zero if all of the values of attribute a are contained in attribute b. */ +/* Returns non-zero if all of the values of attribute a are contained in attribute b. + * You can compare only the first n characters of the values by passing in the length + * as n. If you want to compare the entire attribute value, set n to 0. */ static int -attr_compare_present(Slapi_Attr *a, Slapi_Attr *b) +attr_compare_present(Slapi_Attr *a, Slapi_Attr *b, int n) { int match = 1; int i = 0; + int j = 0; Slapi_Value *va = NULL; + Slapi_Value *vb = NULL; /* Iterate through values in attr a and search for each in attr b */ for (i = slapi_attr_first_value(a, &va); va && (i != -1); i = slapi_attr_next_value(a, i, &va)) { - if (slapi_attr_value_find(b, slapi_value_get_berval(va)) != 0) { - /* This value wasn't found, so stop checking for values */ - match = 0; - break; + if (n == 0) { + /* Compare the entire attribute value */ + if (slapi_attr_value_find(b, slapi_value_get_berval(va)) != 0) { + match = 0; + goto bail; + } + } else { + /* Only compare up the values up to the specified length. */ + int found = 0; + + for (j = slapi_attr_first_value(b, &vb); vb && (j != -1); + j = slapi_attr_next_value(b, j, &vb)) { + /* If either val is less than n, then check if the length, then values are + * equal. If both are n or greater, then only compare the first n chars. */ + if ((va->bv.bv_len < n) || (vb->bv.bv_len < n)) { + if (va->bv.bv_len == vb->bv.bv_len) { + if (0 == memcmp(va->bv.bv_val, vb->bv.bv_val, va->bv.bv_len)) { + found = 1; + } + } + } else if (0 == memcmp(va->bv.bv_val, vb->bv.bv_val, n)) { + found = 1; + } + } + + /* If we didn't find this value from attr a in attr b, we're done. */ + if (!found) { + match = 0; + goto bail; + } } } +bail: return match; } @@ -3901,23 +4015,22 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr * to_windows case has the create only flag set. We * just need to check if the value from the AD entry * is already present in the DS entry. */ - if (0 == slapi_attr_type_cmp(type, "name", SLAPI_TYPE_CMP_SUBTYPE) && !to_windows) { - values_equal = attr_compare_present(attr, local_attr); - /* AD has a legth contraint on the initials attribute, - * so treat is as a special case. */ + if (!to_windows && (0 == slapi_attr_type_cmp(type, "name", SLAPI_TYPE_CMP_SUBTYPE))) { + values_equal = attr_compare_present(attr, local_attr, 0); + /* AD has a length contraint on the initials attribute (in addition + * to defining it as single-valued), so treat is as a special case. */ } else if (0 == slapi_attr_type_cmp(type, "initials", SLAPI_TYPE_CMP_SUBTYPE)) { - values_equal = attr_compare_equal(attr, local_attr, AD_INITIALS_LENGTH); - /* If we're getting a streetAddress (a fake attr name is used) from AD, then - * we just check if the value in AD is present in our entry in DS. In this - * case, attr is from the AD entry, and local_attr is from the DS entry. */ - } else if (0 == slapi_attr_type_cmp(type, FAKE_STREET_ATTR_NAME, SLAPI_TYPE_CMP_SUBTYPE) && !to_windows) { - values_equal = attr_compare_present(attr, local_attr); - /* If we are checking if we should send a street attribute to AD, then - * we want to first see if the AD entry already contains any street value - * that is present in the DS entry. In this case, attr is from the DS - * entry, and local_attr is from the AD entry. */ - } else if ((0 == slapi_attr_type_cmp(type, "street", SLAPI_TYPE_CMP_SUBTYPE) && to_windows)) { - values_equal = attr_compare_present(local_attr, attr); + values_equal = attr_compare_present(attr, local_attr, AD_INITIALS_LENGTH); + /* If this is a single valued type in AD, then we just check if the value + * in AD is present in our entry in DS. In this case, attr is from the AD + * entry, and local_attr is from the DS entry. */ + } else if (!to_windows && is_single_valued_attr(type)) { + values_equal = attr_compare_present(attr, local_attr, 0); + /* If this is a single valued type in AD, then we just check if the AD + * entry already contains any value that is present in the DS entry. In + * this case, attr is from the DS entry, and local_attr is from the AD entry. */ + } else if (to_windows && is_single_valued_attr(type)) { + values_equal = attr_compare_present(local_attr, attr, 0); } else { /* Compare the entire attribute values */ values_equal = attr_compare_equal(attr, local_attr, 0); @@ -3930,9 +4043,10 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr "windows_generate_update_mods: %s, %s : values are different\n", slapi_sdn_get_dn(slapi_entry_get_sdn_const(local_entry)), local_type); - if ((0 == slapi_attr_type_cmp(local_type, "streetAddress", - SLAPI_TYPE_CMP_SUBTYPE) && to_windows)) { - /* streetAddress is single-valued in AD, so make + if (to_windows && ((0 == slapi_attr_type_cmp(local_type, "streetAddress", SLAPI_TYPE_CMP_SUBTYPE)) || + (0 == slapi_attr_type_cmp(local_type, "telephoneNumber", SLAPI_TYPE_CMP_SUBTYPE)) || + (0 == slapi_attr_type_cmp(local_type, "physicalDeliveryOfficeName", SLAPI_TYPE_CMP_SUBTYPE)))) { + /* These attributes are single-valued in AD, so make * sure we don't try to send more than one value. */ if (slapi_valueset_count(vs) > 1) { int i = 0; @@ -4044,10 +4158,9 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr } } else { - if ((0 == slapi_attr_type_cmp(local_type, "streetAddress", - SLAPI_TYPE_CMP_SUBTYPE) && to_windows)) { - /* streetAddress is single-valued in AD, so make - * sure we don't try to send more than one value. */ + /* If this attribute is single-valued in AD, + * we only want to send the first value. */ + if (to_windows && is_single_valued_attr(local_type)) { if (slapi_valueset_count(vs) > 1) { int i = 0; Slapi_Value *value = NULL; @@ -4063,8 +4176,10 @@ windows_generate_update_mods(Private_Repl_Protocol *prp,Slapi_Entry *remote_entr slapi_valueset_add_value_ext(vs, new_value, SLAPI_VALUE_FLAG_PASSIN); } } - } else if ((0 == slapi_attr_type_cmp(local_type, "initials", - SLAPI_TYPE_CMP_SUBTYPE) && to_windows)) { + } + + if (to_windows && (0 == slapi_attr_type_cmp(local_type, "initials", + SLAPI_TYPE_CMP_SUBTYPE))) { /* initials is constratined to a max length of * 6 characters in AD, so trim the value if * needed before sending. */

13 years, 10 months

1
0
0 / 0

ldap/servers

by Richard Allen Megginson

ldap/servers/slapd/dynalib.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) New commits: commit 62d967419616d77891c78e4ee3553482cbea1c17 Author: Rich Megginson <rmeggins(a)redhat.com> Date: Tue Jan 26 11:15:18 2010 -0700 Bug 537466 - nsslapd-distribution-plugin should not require plugin name to begin with "lib" https://bugzilla.redhat.com/show_bug.cgi?id=537466 Resolves: bug 537466 Bug Description: nsslapd-distribution-plugin should not require plugin name to begin with "lib" Reviewed by: nhosoi (Thanks!) Branch: HEAD Fix Description: We use the function PL_GetLibraryName from NSPR to get the platform specific DLL/shared lib filename suffix. Unfortunately, this function also prepends the string "lib" to the given name if the given file has no suffix. If the given name already has the correct suffix, it does not prepend the "lib" to the name. get_plugin_name() should look for the original library name in the string returned by PL_GetLibraryName. If it is there, and has something before it in the string, see if it is "/lib" - if so, remove the extraneous "lib" string. If "/lib" is not there, then just pass the string through as is. To summarize: /full/path/to/name.so -> /full/path/to/name.so - error if /full/path/to/name.so does not exist name -> /default/plugin/path/libname.so -> /default/plugin/path/name.so name.so -> /default/plugin/path/name.so Platforms tested: RHEL5 x86_64 Flag Day: no Doc impact: no diff --git a/ldap/servers/slapd/dynalib.c b/ldap/servers/slapd/dynalib.c index 4acae45..a659a5e 100644 --- a/ldap/servers/slapd/dynalib.c +++ b/ldap/servers/slapd/dynalib.c @@ -174,18 +174,31 @@ symload_report_error( const char *libpath, char *symbol, char *plugin, int libop /* PR_GetLibraryName does almost everything we need, and unfortunately a little bit more - it adds "lib" to be beginning of the library - name. So we have to strip that part off. + name if the library name does not end with the current platform + DLL suffix - so + foo.so -> /path/foo.so + libfoo.so -> /path/libfoo.so + BUT + foo -> /path/libfoo.so + libfoo -> /path/liblibfoo.so */ static char * get_plugin_name(const char *path, const char *lib) { + const char *libstr = "/lib"; + size_t libstrlen = 4; char *fullname = PR_GetLibraryName(path, lib); - char *ptr = PL_strrstr(fullname, "/lib"); - - if (ptr) { - ++ptr; /* now points at the "l" */ - /* just copy the remainder of the string on top of here */ - memmove(ptr, ptr+3, strlen(ptr+3)+1); + char *ptr = PL_strrstr(fullname, lib); + + /* see if /lib was added */ + if (ptr && ((ptr - fullname) >= libstrlen)) { + /* ptr is at the libname in fullname, and there is something before it */ + ptr -= libstrlen; /* ptr now points at the "/" in "/lib" if it is there */ + if (0 == PL_strncmp(ptr, libstr, libstrlen)) { + /* just copy the remainder of the string on top of here */ + ptr++; /* ptr now points at the "l" in "/lib" - keep the "/" */ + memmove(ptr, ptr+3, strlen(ptr+3)+1); + } } return fullname;

13 years, 10 months

1
0
0 / 0

ldap/servers

by Richard Allen Megginson

ldap/servers/plugins/bitwise/bitwise.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) New commits: commit 73fdd3b8945a34cc3d386c697e4e99560ba7997a Author: Rich Megginson <rmeggins(a)redhat.com> Date: Tue Jan 26 09:51:05 2010 -0700 Bug 543080 - Bitwise plugin fails to return the exact matched entries for Bitwise search filter https://bugzilla.redhat.com/show_bug.cgi?id=543080 Resolves: bug 543080 Bug Description: Bitwise plugin fails to return the exact matched entries for Bitwise search filter Reviewed by: nhosoi (Thanks!) Branch: HEAD Fix Description: The Microsoft Windows AD bitwise filters do not work exactly like the usual bitwise AND (&) and OR (|) operators. For the AND case the matching rule is true only if all bits from the value given in the filter value match the value from the entry. For the OR case, the matching rule is true if any bits from the value given in the filter match the value from the entry. For the AND case, this means that even though (a & b) is True, if (a & b) != b, the matching rule will return False. For the OR case, this means that even though (a | b) is True, this may be because there are bits in a. But we only care about bits in a that are also in b. So we do (a & b) - this will return what we want, which is to return True if any of the bits in b are also in a. Platforms tested: RHEL5 x86_64 Flag Day: no Doc impact: no diff --git a/ldap/servers/plugins/bitwise/bitwise.c b/ldap/servers/plugins/bitwise/bitwise.c index 7c88c93..01c05fd 100644 --- a/ldap/servers/plugins/bitwise/bitwise.c +++ b/ldap/servers/plugins/bitwise/bitwise.c @@ -124,10 +124,24 @@ internal_bitwise_filter_match(void* obj, Slapi_Entry* entry, Slapi_Attr* attr, i rc = LDAP_CONSTRAINT_VIOLATION; } else { int result; + /* The Microsoft Windows AD bitwise operators do not work exactly + as the plain old C bitwise operators work. For the AND case + the matching rule is true only if all bits from the given value + match the value from the entry. For the OR case, the matching + rule is true if any bits from the given value match the value + from the entry. + For the AND case, this means that even though (a & b) is True, + if (a & b) != b, the matching rule will return False. + For the OR case, this means that even though (a | b) is True, + this may be because there are bits in a. But we only care + about bits in a that are also in b. So we do (a & b) - this + will return what we want, which is to return True if any of + the bits in b are also in a. + */ if (op == BITWISE_OP_AND) { - result = (a & b); + result = ((a & b) == b); /* all the bits in the given value are found in the value from the entry */ } else if (op == BITWISE_OP_OR) { - result = (a | b); + result = (a & b); /* any of the bits in b are also in a */ } if (result) { rc = 0;

13 years, 10 months

1
0
0 / 0

2 commits - ldap/servers

by Richard Allen Megginson

ldap/servers/slapd/back-ldbm/misc.c | 2 +- ldap/servers/slapd/result.c | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) New commits: commit 9b38ac3b5d27014c072cffb5a83e5888689c411b Author: Rich Megginson <rmeggins(a)redhat.com> Date: Mon Jan 25 18:05:38 2010 -0700 Clean up assert for entrydn Use entryrdn instead diff --git a/ldap/servers/slapd/back-ldbm/misc.c b/ldap/servers/slapd/back-ldbm/misc.c index 137c934..802370b 100644 --- a/ldap/servers/slapd/back-ldbm/misc.c +++ b/ldap/servers/slapd/back-ldbm/misc.c @@ -155,7 +155,7 @@ compute_entry_tombstone_rdn(const char *entryrdn, const char *uniqueid) { char *tombstone_rdn; - PR_ASSERT(NULL != entrydn); + PR_ASSERT(NULL != entryrdn); PR_ASSERT(NULL != uniqueid); tombstone_rdn = slapi_ch_smprintf("%s=%s, %s", commit 485cecd849dcaaee4677d832dbd171b091fe1dee Author: Rich Megginson <rmeggins(a)redhat.com> Date: Mon Jan 25 17:30:23 2010 -0700 Net::LDAP password modify extop breaks; msgid in response is 0xFF https://bugzilla.redhat.com/show_bug.cgi?id=554887 Resolves: bug 554887 Bug Description: Net::LDAP password modify extop breaks; msgid in response is 0xFF Reviewed by: ??? Branch: HEAD Fix Description: We use a fake conn for the internal password modify operation so that we can use the real credentials. Unfortunately, this messes up the result code - because there is a real, non-NULL conn, it thinks it needs to send the result back to a real client rather than handle it as an internal operation. It looks as though o_result_handler is only used for internal operations. The fix is to change the result handling code to check for an internal op OR conn == NULL to see if we should use the result handler instead. Platforms tested: RHEL5 x86_64 Flag Day: no Doc impact: no diff --git a/ldap/servers/slapd/result.c b/ldap/servers/slapd/result.c index b085965..7c872aa 100644 --- a/ldap/servers/slapd/result.c +++ b/ldap/servers/slapd/result.c @@ -291,6 +291,7 @@ send_ldap_result_ext( int flush_ber_element = 1; Slapi_Operation *operation; char *dn; + int internal_op; passwdPolicy *pwpolicy = NULL; slapi_pblock_get (pb, SLAPI_OPERATION, &operation); @@ -354,7 +355,8 @@ send_ldap_result_ext( break; } - if ( conn == NULL ) { + internal_op = operation_is_flag_set( operation, OP_FLAG_INTERNAL ); + if ( ( conn == NULL ) || ( internal_op ) ) { if ( operation->o_result_handler != NULL ) { operation->o_result_handler( conn, operation, err, matched, text, nentries, urls );

13 years, 10 months

1
0
0 / 0

Changes to 'refs/tags/389-admin-1.1.11.a1'

by Richard Allen Megginson

Tag '389-admin-1.1.11.a1' created by Rich Megginson <rmeggins(a)redhat.com> at 2010-01-26 01:38 +0000 This is the 1.1.11.a1 release This is the first release with full support for SELinux enforcement -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQBLXke3DbZhGaewJlIRAipgAJ46P23iln0R8NdUsTZKxzL0LBafLwCgzTtN WvOfr0pFSh9ZCoFd3RcbgAY= =u1YN -----END PGP SIGNATURE----- Changes since 389-admin-1.1.10: Rich Megginson (1): bump version to 1.1.11.a1 --- VERSION.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) ---

13 years, 10 months

1
0
0 / 0

VERSION.sh

by Richard Allen Megginson

VERSION.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) New commits: commit 46f127aab4b99616c363946274c5675f56ecd9cd Author: Rich Megginson <rmeggins(a)redhat.com> Date: Mon Jan 25 18:25:16 2010 -0700 bump version to 1.1.11.a1 diff --git a/VERSION.sh b/VERSION.sh index ed0472d..352a1ef 100644 --- a/VERSION.sh +++ b/VERSION.sh @@ -11,11 +11,11 @@ vendorurl=http://port389.org # PACKAGE_VERSION is constructed from these VERSION_MAJOR=1 VERSION_MINOR=1 -VERSION_MAINT=10 +VERSION_MAINT=11 # if this is a PRERELEASE, set VERSION_PREREL # otherwise, comment it out # be sure to include the dot prefix in the prerel -#VERSION_PREREL=.rc1 +VERSION_PREREL=.a1 # NOTES on VERSION_PREREL # use aN for an alpha release e.g. a1, a2, etc. # use rcN for a release candidate e.g. rc1, rc2, etc.

13 years, 10 months

1
0
0 / 0

ldap/servers

by Noriko Hosoi

ldap/servers/plugins/referint/referint.c | 152 +++++++++++++++++-------------- 1 file changed, 84 insertions(+), 68 deletions(-) New commits: commit 1a769808a6e169913be66ffbabc7f278594798a7 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Mon Jan 25 15:05:59 2010 -0800 544089 - Referential Integrity Plugin does not take into account the attribute subtypes Bug Description: Referential Integrity Plugin does not change the references in subtyped attributes like "manager;en" or "ou;19" Fix Description: The problem is in the way the function int update_integrity (char **argv, char *origDN, char *newrDN, int logChanges) in referint.c makes the changes. The initial search with the filter ldap_create_filter( filter, filtlen, "(%a=%e)", NULL, NULL, argv[i], origDN, NULL) finds the entries with attributes and with attribute subtypes. But after that when generating the necessary changes (attribute1.mod_type = argv[i] and attribute2.mod_type = argv[i]) the function takes care only of the "base" attributes listed in the plugin arguments. We should parse each found entry to find all the attribute subtypes with the value concerned and then make changes to them all. Note: This bug was reported by andrey.ivanov(a)polytechnique.fr, and the bug fix was also provided by him. The patch was reviewed by rmeggins(a)redhat.com as well as nhosoi(a)redhat.com. diff --git a/ldap/servers/plugins/referint/referint.c b/ldap/servers/plugins/referint/referint.c index 70fccd2..1c36982 100644 --- a/ldap/servers/plugins/referint/referint.c +++ b/ldap/servers/plugins/referint/referint.c @@ -317,6 +317,7 @@ int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ Slapi_Entry **search_entries = NULL; int search_result; Slapi_DN *sdn = NULL; + Slapi_Value *oldDNslv = NULL; void *node = NULL; LDAPMod attribute1, attribute2; const LDAPMod *list_of_mods[3]; @@ -338,6 +339,7 @@ int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ goto free_and_return; } + oldDNslv = slapi_value_new_string(origDN); /* for now, just putting attributes to keep integrity on in conf file, until resolve the other timing mode issue */ @@ -355,9 +357,9 @@ int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ if (( search_result = ldap_create_filter( filter, filtlen, "(%a=%e)", NULL, NULL, argv[i], origDN, NULL )) == LDAP_SUCCESS ) { - /* Don't need any attribute */ + /* Need only the current attribute and its subtypes */ char * attrs[2]; - attrs[0]="1.1"; + attrs[0]=argv[i]; attrs[1]=NULL; /* Use new search API */ @@ -378,76 +380,88 @@ int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ for(j=0; search_entries[j] != NULL; j++) { - /* no matter what mode in always going to delete old dn so set that up */ - values_del[0]= origDN; - values_del[1]= NULL; - attribute1.mod_type = argv[i]; - attribute1.mod_op = LDAP_MOD_DELETE; - attribute1.mod_values = values_del; - list_of_mods[0] = &attribute1; - - if(newrDN == NULL){ - /* in delete mode so terminate list of mods cause this is the only one */ - list_of_mods[1] = NULL; - }else if(newrDN != NULL){ - /* in modrdn mode */ - - /* need to put together rdn into a dn */ - dnParts = ldap_explode_dn( origDN, 0 ); + Slapi_Attr *attr = NULL; + char *attrName = NULL; + + /* Loop over all the attributes of the entry and search for the integrity attribute and its subtypes */ + for (slapi_entry_first_attr(search_entries[j], &attr); attr; slapi_entry_next_attr(search_entries[j], attr, &attr)) + { + /* Take into account only the subtypes of the attribute in argv[i] having the necessary value - origDN */ + slapi_attr_get_type(attr, &attrName); + if ((slapi_attr_type_cmp(argv[i], attrName, SLAPI_TYPE_CMP_SUBTYPE) == 0) && + (slapi_attr_value_find(attr, slapi_value_get_berval(oldDNslv)) == 0)) + { + /* no matter what mode in always going to delete old dn so set that up */ + values_del[0]= origDN; + values_del[1]= NULL; + attribute1.mod_type = attrName; + attribute1.mod_op = LDAP_MOD_DELETE; + attribute1.mod_values = values_del; + list_of_mods[0] = &attribute1; + + if(newrDN == NULL){ + /* in delete mode so terminate list of mods cause this is the only one */ + list_of_mods[1] = NULL; + }else if(newrDN != NULL){ + /* in modrdn mode */ + + /* need to put together rdn into a dn */ + dnParts = ldap_explode_dn( origDN, 0 ); - /* skip original rdn so start at 1*/ - dnsize = 0; - for(x=1; dnParts[x] != NULL; x++) - { - /* +1 for comma adding later */ - dnsize += strlen(dnParts[x]) + 1; - } - /* add the newrDN length */ - dnsize += strlen(newrDN) + 1; - - newDN = slapi_ch_calloc(dnsize, sizeof(char)); - strcat(newDN, newrDN); - for(x=1; dnParts[x] != NULL; x++) - { - strcat(newDN, ","); - strcat(newDN, dnParts[x]); - } + /* skip original rdn so start at 1*/ + dnsize = 0; + for(x=1; dnParts[x] != NULL; x++) + { + /* +1 for comma adding later */ + dnsize += strlen(dnParts[x]) + 1; + } + /* add the newrDN length */ + dnsize += strlen(newrDN) + 1; + + newDN = slapi_ch_calloc(dnsize, sizeof(char)); + strcat(newDN, newrDN); + for(x=1; dnParts[x] != NULL; x++) + { + strcat(newDN, ","); + strcat(newDN, dnParts[x]); + } - values_add[0]=newDN; - values_add[1]=NULL; - attribute2.mod_type = argv[i]; - attribute2.mod_op = LDAP_MOD_ADD; - attribute2.mod_values = values_add; - - /* add the new dn to list of mods and terminate list of mods */ - list_of_mods[1] = &attribute2; - list_of_mods[2] = NULL; - - } - - /* try to cleanup entry */ - - /* Use new internal operation API */ - mod_result_pb=slapi_pblock_new(); - slapi_modify_internal_set_pb(mod_result_pb,slapi_entry_get_dn(search_entries[j]), - (LDAPMod **)list_of_mods,NULL,NULL,referint_plugin_identity,0); - slapi_modify_internal_pb(mod_result_pb); - - /* could check the result code here if want to log it or something later - for now, continue no matter what result is */ - - slapi_pblock_destroy(mod_result_pb); - - /* cleanup memory allocated for dnParts and newDN */ - if(dnParts != NULL){ - for(x=0; dnParts[x] != NULL; x++) - { - slapi_ch_free_string(&dnParts[x]); + values_add[0]=newDN; + values_add[1]=NULL; + attribute2.mod_type = attrName; + attribute2.mod_op = LDAP_MOD_ADD; + attribute2.mod_values = values_add; + + /* add the new dn to list of mods and terminate list of mods */ + list_of_mods[1] = &attribute2; + list_of_mods[2] = NULL; + + } + + /* try to cleanup entry */ + + /* Use new internal operation API */ + mod_result_pb=slapi_pblock_new(); + slapi_modify_internal_set_pb(mod_result_pb,slapi_entry_get_dn(search_entries[j]), + (LDAPMod **)list_of_mods,NULL,NULL,referint_plugin_identity,0); + slapi_modify_internal_pb(mod_result_pb); + + /* could check the result code here if want to log it or something later + for now, continue no matter what result is */ + + slapi_pblock_destroy(mod_result_pb); + + /* cleanup memory allocated for dnParts and newDN */ + if(dnParts != NULL){ + for(x=0; dnParts[x] != NULL; x++) + { + slapi_ch_free_string(&dnParts[x]); + } + slapi_ch_free((void **)&dnParts); + } + slapi_ch_free_string(&newDN); } - slapi_ch_free((void **)&dnParts); } - slapi_ch_free_string(&newDN); - } @@ -480,6 +494,8 @@ int update_integrity(char **argv, char *origDN, char *newrDN, int logChanges){ free_and_return: + slapi_value_free(&oldDNslv); + /* free filter and search_results_pb */ slapi_ch_free_string(&filter);

13 years, 10 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits January 2010