admserv/newinst
by Noriko Hosoi
admserv/newinst/src/AdminServer.pm.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit e5b5830d74879aa1cc2cea0fe6d1bb1531f1185c
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Apr 27 14:26:32 2016 -0700
Ticket #48429 - running remove-ds-admin.pl multiple times will make it so you cannot install DS
Bug Description: remove-ds-admin.pl resets the files in /etc/dirsrv/admin-
serv and put it to the original state just after "rpm -i 389-admin" is
executed.
To recover the original state, remove-ds-admin.pl restores the config
files backed up by setup-ds-admin.pl. That is, if remove-ds-admin.pl is
executed without setup-ds-admin.pl, or remove-ds-admin.pl is run
repeatedly, the config files cannot be restored. This makes the
subsequent setup-ds-admin.pl fail.
Fix Description: This patch changes the remove-ds-admin.pl behaviour so
that the config files are not touched regardless of the existence of the
back up. If the back up exists, the files are overridden by the back up.
But even if it does not exist, the current config files remain in the
directory, which leads the next setup-ds-admin.pl successfully finish.
https://fedorahosted.org/389/ticket/48429
Reviewed by lkrispen(a)redhat.com (Thank you, Ludwig!!)
diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index 3e31e70..480fb3a 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -826,9 +826,9 @@ sub removeAdminServer {
}
# remove config files
- my @savefiles = @savesecfiles; # save security files by default
+ my @savefiles = (@savesecfiles, @saveconffiles); # save security and conf files by default
if ($all) {
- @savefiles = (); # $all means remove everything, save nothing
+ @savefiles = @saveconffiles; # $all means remove everything, except the files in rpm.
}
if (opendir(CONFDIR, $configdir)) {
while ($file = readdir(CONFDIR)) {
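Review bot: With `$all` set, `@savefiles = @saveconffiles;` now leaves every file named in `@saveconffiles` in `$configdir` after a full removal, and that list is defined outside this hunk, so it is not visible here whether it includes files that carry credentials or instance-specific secrets. If it does, a "remove everything" run leaves that material on disk; consider restricting the list to the defaults the rpm ships and saying so in the comment, e.g. `# $all: remove everything except the rpm-owned default config files`. removeAdminServer's body starts and ends outside the hunk.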
Branch '389-ds-base-1.2.11' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_plugins.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
New commits:
commit 423c15c6ab074ee5497c58d8429c2f59395e2bc3
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Mar 4 15:05:09 2015 -0800
Ticket #47801 - RHDS keeps on logging write_changelog_and_ruv: failed to update RUV for unknown
Description: When no operation is given to write_changelog_and_ruv
(consumer has the chance just to update ruv) and opcsn is NULL,
update_ruv_component immediately returns the default return value
RUV_NOTFOUND, which should not be logged as SLAPI_LOG_FATAL but
just ignored.
https://fedorahosted.org/389/ticket/47801
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit c170d9541cca17031e2663c24a1a1e97d8b3172a)
(cherry picked from commit 1e38fbea783704d021950e03b57df0c54a1f7545)
diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index 7127395..e6b0629 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -1134,17 +1134,17 @@ write_changelog_and_ruv (Slapi_PBlock *pb)
opcsn = operation_get_csn(op);
rc = update_ruv_component(r, opcsn, pb);
if (RUV_COVERS_CSN == rc) {
- slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"write_changelog_and_ruv: RUV already covers csn for "
"%s (uniqid: %s, optype: %lu) csn %s\n",
dn, uniqueid, optype,
csn_as_string(oppcsn, PR_FALSE, csn_str));
- } else if (rc != RUV_SUCCESS) {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ } else if ((rc != RUV_SUCCESS) && (rc != RUV_NOTFOUND)) {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"write_changelog_and_ruv: failed to update RUV for "
- "%s (uniqid: %s, optype: %lu) to changelog csn %s\n",
+ "%s (uniqid: %s, optype: %lu) to changelog csn %s - rc %d\n",
dn, uniqueid, optype,
- csn_as_string(oppcsn, PR_FALSE, csn_str));
+ csn_as_string(oppcsn, PR_FALSE, csn_str), rc);
}
}
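Review bot: The new condition `(rc != RUV_SUCCESS) && (rc != RUV_NOTFOUND)` suppresses RUV_NOTFOUND on every path, not only in the NULL-opcsn case the commit message describes, so a non-NULL CSN whose replica id is missing from the RUV would presumably no longer be reported at any log level. Narrowing the exemption keeps that replication failure visible: `} else if ((rc != RUV_SUCCESS) && !(rc == RUV_NOTFOUND && opcsn == NULL)) {`. update_ruv_component is outside the hunk, so confirm which paths return RUV_NOTFOUND; write_changelog_and_ruv itself also starts and ends outside the hunk.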
ldap/admin
by Noriko Hosoi
ldap/admin/src/scripts/db2index.in | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit b2ef43edddb4316a479ab57d47a82e607404330a
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 26 14:05:46 2016 -0700
Ticket #48662 - db2index with no attribute args fail.
Description: commit 5a33dc002205d2167c786dd2c05f23218f28341d for #48662
failed to support the case:
db2index -Z SERVERID -n BACKEND
When the command line satisfies the condition, it executes indexing all.
https://fedorahosted.org/389/ticket/48662
Reviewed by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/admin/src/scripts/db2index.in b/ldap/admin/src/scripts/db2index.in
index ad28757..748c58b 100755
--- a/ldap/admin/src/scripts/db2index.in
+++ b/ldap/admin/src/scripts/db2index.in
@@ -72,8 +72,10 @@ elif [ -z $benameopt ] && [ -z $includeSuffix ]; then
fi
if [ -z $servid ] && [ $# -lt 2 ]; then
print_usage=1
-elif [ "$servid" ] && [ $# -lt 4 ]; then
+elif [ -n "$servid" ] && [ $# -lt 4 ]; then
print_usage=1
+elif [ -n "$servid" ] && [ $# -eq 4 ]; then
+ idxall=1
fi
servid=`normalize_server_id $initfile`
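Review bot: The new branch `elif [ -n "$servid" ] && [ $# -eq 4 ]` sets `idxall=1` for any four-argument invocation that carries a server id, so "no attribute arguments" is inferred from the argument count rather than from what the option parser actually saw. Testing the variables that hold the parsed attribute options (set outside this hunk) would be more robust than counting `$#`. The context line `if [ -z $servid ] && [ $# -lt 2 ]` still expands `$servid` unquoted; `[ -z "$servid" ]` would match the quoting the new lines use.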
ldap/servers
by William Brown
ldap/servers/slapd/plugin.c | 1 -
1 file changed, 1 deletion(-)
New commits:
commit d5589b59e6cccb375b2ba1094ce81886693b4f89
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Apr 28 10:05:20 2016 +1000
Ticket 48770 - Improve extended op plugin handling
Bug Description: warning: unused variable 'l' [-Wunused-variable]
Fix Description: remove the variable definition.
https://fedorahosted.org/389/ticket/48770
Author: wibrown
Review: One line fix
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 43ea1e3..5b81779 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -562,7 +562,6 @@ plugin_extended_op_oid2string( const char *oid )
{
struct slapdplugin *p;
int j = 0;
- int l = 0;
int rc = 0;
const char *rval = NULL;
ldap/servers
by William Brown
ldap/servers/slapd/extendop.c | 27 ++----
ldap/servers/slapd/plugin.c | 175 ++++++++++++++++++----------------------
ldap/servers/slapd/proto-slap.h | 5 -
3 files changed, 96 insertions(+), 111 deletions(-)
New commits:
commit b57fe6473d5b1c44910a4f87d49efbaa0d27e5e4
Author: William Brown <firstyear(a)redhat.com>
Date: Tue Apr 26 18:07:57 2016 +1000
Ticket 48770 - Improve extended op plugin handling
Bug Description: In plugin.c we had a number of inefficient control paths, and
loops that were repeated.
Fix Description: This reduces code duplication, and looping in unnecessary
places.
https://fedorahosted.org/389/ticket/48770
Author: wibrown
Review: nhosoi (Thanks!)
diff --git a/ldap/servers/slapd/extendop.c b/ldap/servers/slapd/extendop.c
index 50506a5..5154602 100644
--- a/ldap/servers/slapd/extendop.c
+++ b/ldap/servers/slapd/extendop.c
@@ -206,6 +206,7 @@ do_extended( Slapi_PBlock *pb )
{
char *extoid = NULL, *errmsg;
struct berval extval = {0};
+ struct slapdplugin *p = NULL;
int lderr, rc;
ber_len_t len;
ber_tag_t tag;
@@ -334,23 +335,19 @@ do_extended( Slapi_PBlock *pb )
slapi_pblock_set( pb, SLAPI_EXT_OP_REQ_VALUE, &extval );
slapi_pblock_set( pb, SLAPI_REQUESTOR_ISROOT, &pb->pb_op->o_isroot);
- /* wibrown 201603 I want to rewrite this to get plugin p, and use that
- * rather than all these plugin_call_, that loop over the plugin lists
- * We do "get plugin (oid).
- * then we just hand *p into the call functions.
- * much more efficient! :)
- */
-
- slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c calling plugins ... \n");
+ rc = plugin_determine_exop_plugins( extoid, &p );
+ slapi_log_error(SLAPI_LOG_TRACE, NULL, "exendop.c plugin_determine_exop_plugins rc %d\n", rc);
+ if (rc == SLAPI_PLUGIN_EXTENDEDOP && p != NULL) {
+ slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c calling plugin ... \n");
+ rc = plugin_call_exop_plugins( pb, p);
- rc = plugin_call_exop_plugins( pb, extoid, SLAPI_PLUGIN_EXTENDEDOP);
+ slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c called exop, got %d \n", rc);
- slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c called exop, got %d \n", rc);
+ } else if (rc == SLAPI_PLUGIN_BETXNEXTENDEDOP && p != NULL) {
- if (rc == SLAPI_PLUGIN_EXTENDED_NOT_HANDLED) {
- slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c calling betxn plugins ... \n");
+ slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c calling betxn plugin ... \n");
/* Look up the correct backend to use. */
- Slapi_Backend *be = plugin_extended_op_getbackend( pb, extoid );
+ Slapi_Backend *be = plugin_extended_op_getbackend( pb, p );
if ( be == NULL ) {
slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c plugin_extended_op_getbackend was unable to retrieve a backend!!!\n");
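Review bot: When the betxn branch is entered, `rc` still holds the plugin type returned by plugin_determine_exop_plugins (`SLAPI_PLUGIN_BETXNEXTENDEDOP`), and on the `be == NULL` path at the end of this hunk nothing visible resets it. Unless code outside the hunk does, that plugin-type constant reaches the later `lderr = rc;` and is sent to the client as an LDAP result code, where the old code left `rc` at SLAPI_PLUGIN_EXTENDED_NOT_HANDLED. Setting `rc = LDAP_OPERATIONS_ERROR;` next to the FATAL log, and likewise on the failed transaction start in the next hunk, would keep the result meaningful. do_extended starts and ends outside the hunk.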
@@ -368,7 +365,7 @@ do_extended( Slapi_PBlock *pb )
if (txn_rc) {
slapi_log_error(SLAPI_LOG_FATAL, NULL, "exendop.c Failed to start be_txn for plugin_call_exop_plugins %d\n", txn_rc);
} else {
- rc = plugin_call_exop_plugins( pb, extoid, SLAPI_PLUGIN_BETXNEXTENDEDOP);
+ rc = plugin_call_exop_plugins( pb, p );
slapi_log_error(SLAPI_LOG_TRACE, NULL, "extendop.c called betxn exop, got %d \n", rc);
if (rc == LDAP_SUCCESS || rc == SLAPI_PLUGIN_EXTENDED_SENT_RESULT) {
/* commit */
@@ -387,7 +384,6 @@ do_extended( Slapi_PBlock *pb )
if (be_pb != NULL) {
slapi_pblock_destroy(be_pb); /* Clean up after ourselves */
}
- slapi_log_error(SLAPI_LOG_TRACE, NULL, "exendop.c plugin_call_exop_plugins rc final %d\n", rc);
} /* if be */
}
@@ -396,6 +392,7 @@ do_extended( Slapi_PBlock *pb )
lderr = LDAP_PROTOCOL_ERROR; /* no plugin handled the op */
errmsg = "unsupported extended operation";
} else {
+ slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c failed with result %d \n", rc);
errmsg = NULL;
lderr = rc;
}
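Review bot: The added `slapi_log_error(SLAPI_LOG_FATAL, NULL, "extendop.c failed with result %d \n", rc);` runs for every rc other than SLAPI_PLUGIN_EXTENDED_NOT_HANDLED, which appears to include ordinary plugin error results for client requests. Since this branch is reached from client-supplied extended operations, logging each one at FATAL lets routine failures crowd the error log and bury real faults; a lower level such as `SLAPI_LOG_PLUGIN` would fit better. The enclosing if/else starts outside the hunk, so whether LDAP_SUCCESS can also reach this branch should be confirmed.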
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 96169e6..43ea1e3 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -475,6 +475,46 @@ plugin_call_entryfetch_plugins(char **entrystr, uint *size)
}
/*
+ * plugin_determine_exop_plugins
+ *
+ * A call to this function will determine the correct plugin that is required
+ * based on the extended operation ID.
+ *
+ * extoid : The extended operation oid as a *char
+ * plugin: A pointer to a struct slapdplugin *. IE &*p This will be set by the function.
+ * return: SLAPI_PLUGIN_EXTENDED_NOT_HANDLED if no plugin. Otherwise, the SLAPI_PLUGIN_* type that the plugin is.
+ */
+int
+plugin_determine_exop_plugins( const char *oid, struct slapdplugin **plugin)
+{
+ struct slapdplugin *p = NULL;
+ int list_type = 0;
+ int i = 0;
+ int l = 0;
+ int rc = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
+
+ int list_types[] = {PLUGIN_LIST_EXTENDED_OPERATION, PLUGIN_LIST_BE_TXN_EXTENDED_OPERATION};
+
+ for ( l = 0; l < 2; ++l ) {
+ list_type = list_types[l];
+
+ for ( p = global_plugin_list[list_type]; p != NULL; p = p->plg_next ) {
+ if ( p->plg_exhandler != NULL && p->plg_exoids != NULL ) {
+ for ( i = 0; p->plg_exoids[i] != NULL; i++ ) {
+ if ( strcasecmp( oid, p->plg_exoids[i] ) == 0 ) {
+ *plugin = p;
+ rc = p->plg_type;
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ return rc;
+}
+
+/*
* call extended operation plugins
*
* return SLAPI_PLUGIN_EXTENDED_SENT_RESULT if one of the extended operation
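Review bot: In plugin_determine_exop_plugins the `break` on a matching OID leaves only the innermost `for` over `plg_exoids`; the loops over `p` and over `list_types` keep running, so a later plugin that registers the same OID overwrites `*plugin` and `rc`, and which plugin handles the request depends on list order in a non-obvious way. Stopping the outer loops once a match is found makes the choice explicit, e.g. `for ( l = 0; l < 2 && rc == SLAPI_PLUGIN_EXTENDED_NOT_HANDLED; ++l )` with the same extra condition on the `p` loop. `*plugin` is also never written when nothing matches, so the function relies on callers to initialise it; `*plugin = NULL;` at the top would remove that dependency. The header comment names the parameter `extoid` while the signature uses `oid`.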
@@ -485,50 +525,21 @@ plugin_call_entryfetch_plugins(char **entrystr, uint *size)
* returned by the plugins we called).
*/
int
-plugin_call_exop_plugins( Slapi_PBlock *pb, char *oid, int whichtype )
+plugin_call_exop_plugins( Slapi_PBlock *pb, struct slapdplugin *p )
{
- struct slapdplugin *p;
- int i, rc;
- int list_type;
+ int rc = LDAP_SUCCESS;
int lderr = SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;
- if (whichtype == SLAPI_PLUGIN_EXTENDEDOP) {
- list_type = PLUGIN_LIST_EXTENDED_OPERATION;
- } else if (whichtype == SLAPI_PLUGIN_BETXNEXTENDEDOP) {
- list_type = PLUGIN_LIST_BE_TXN_EXTENDED_OPERATION;
- } else {
- slapi_log_error(SLAPI_LOG_FATAL, NULL, "plugin_call_exop_plugins unknown plugin list type %d\n", whichtype);
- return( lderr );
- }
-
- for ( p = global_plugin_list[list_type]; p != NULL; p = p->plg_next ) {
- if ( p->plg_exhandler != NULL && p->plg_type == whichtype ) {
- if ( p->plg_exoids != NULL ) {
- for ( i = 0; p->plg_exoids[i] != NULL; i++ ) {
- if ( strcasecmp( oid, p->plg_exoids[i] )
- == 0 ) {
- break;
- }
- }
- if ( p->plg_exoids[i] == NULL ) {
- continue;
- }
- }
-
- slapi_pblock_set( pb, SLAPI_PLUGIN, p );
- set_db_default_result_handlers( pb );
- if ( (rc = (*p->plg_exhandler)( pb ))
- == SLAPI_PLUGIN_EXTENDED_SENT_RESULT ) {
- return( rc ); /* result sent */
- } else if ( rc != SLAPI_PLUGIN_EXTENDED_NOT_HANDLED ) {
- /*
- * simple merge: report last real error
- */
- if ( lderr == SLAPI_PLUGIN_EXTENDED_NOT_HANDLED
- || rc != LDAP_SUCCESS ) {
- lderr = rc;
- }
- }
+ slapi_pblock_set( pb, SLAPI_PLUGIN, p );
+ set_db_default_result_handlers( pb );
+ if ( (rc = (*p->plg_exhandler)( pb )) == SLAPI_PLUGIN_EXTENDED_SENT_RESULT ) {
+ return( rc ); /* result sent */
+ } else if ( rc != SLAPI_PLUGIN_EXTENDED_NOT_HANDLED ) {
+ /*
+ * simple merge: report last real error
+ */
+ if ( lderr == SLAPI_PLUGIN_EXTENDED_NOT_HANDLED || rc != LDAP_SUCCESS ) {
+ lderr = rc;
}
}
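Review bot: plugin_call_exop_plugins now invokes exactly one handler, so an OID registered by more than one plugin is no longer offered to the next plugin when the first returns SLAPI_PLUGIN_EXTENDED_NOT_HANDLED, which the removed loop did. If dropping that fallback is intended, the retained "simple merge: report last real error" comment and the `lderr` test are misleading, because `lderr == SLAPI_PLUGIN_EXTENDED_NOT_HANDLED` is always true at that point and the block reduces to `lderr = rc;`. The function is still non-static and dereferences `p->plg_exhandler` unconditionally, so a guard such as `if (p == NULL || p->plg_exhandler == NULL) return SLAPI_PLUGIN_EXTENDED_NOT_HANDLED;` would keep a bad caller from crashing the server. The function's tail is outside the hunk.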
@@ -550,75 +561,51 @@ const char *
plugin_extended_op_oid2string( const char *oid )
{
struct slapdplugin *p;
- int i, j, l, list_type;
- const char *rval = NULL;
- int list_types[] = {PLUGIN_LIST_EXTENDED_OPERATION, PLUGIN_LIST_BE_TXN_EXTENDED_OPERATION};
+ int j = 0;
+ int l = 0;
+ int rc = 0;
+ const char *rval = NULL;
+
+ rc = plugin_determine_exop_plugins( oid, &p);
+ if ((rc == SLAPI_PLUGIN_EXTENDEDOP || rc == SLAPI_PLUGIN_BETXNEXTENDEDOP) && p != NULL ) {
+ /* We have the plugin, p set, so lets fill it in */
+ if ( NULL != p->plg_exnames ) {
+ for ( j = 0; p->plg_exnames[j] != NULL; ++j ) {
+ /* I'm not sure what this does ....*/
+ ;
+ }
+ rval = p->plg_exnames[j]; /* OID-related name */
+ }
- /* I feel there may be a better way to achieve this, but it works. */
- for ( l = 0; l < 2; ++l ) {
- list_type = list_types[l];
- for ( p = global_plugin_list[list_type]; p != NULL; p = p->plg_next ) {
- if ( p->plg_exhandler != NULL && p->plg_exoids != NULL ) {
- for ( i = 0; p->plg_exoids[i] != NULL; i++ ) {
- if ( strcasecmp( oid, p->plg_exoids[i] ) == 0 ) {
- if ( NULL != p->plg_exnames ) {
- for ( j = 0; j < i && p->plg_exnames[j] != NULL; ++j ) {
- ;
- }
- rval = p->plg_exnames[j]; /* OID-related name */
- }
-
- if ( NULL == rval ) {
- if ( NULL != p->plg_desc.spd_id ) {
- rval = p->plg_desc.spd_id; /* short name */
- } else {
- rval = p->plg_name; /* RDN */
- }
- }
- break;
- }
- } /* for */
- } /* If */
- } /* for p in global_plugin list */
- } /* list type */
+ if ( NULL == rval ) {
+ if ( NULL != p->plg_desc.spd_id ) {
+ rval = p->plg_desc.spd_id; /* short name */
+ } else {
+ rval = p->plg_name; /* RDN */
+ }
+ }
+ }
return( rval );
}
Slapi_Backend *
-plugin_extended_op_getbackend( Slapi_PBlock *pb, char *oid )
+plugin_extended_op_getbackend( Slapi_PBlock *pb, struct slapdplugin *p )
{
- struct slapdplugin *p;
- int i;
+ // struct slapdplugin *p;
int rc;
/* This could be an error type, but for now we expect the caller to check
* that it's not null
*/
Slapi_Backend *result = NULL;
- for ( p = global_plugin_list[PLUGIN_LIST_BE_TXN_EXTENDED_OPERATION]; p != NULL; p = p->plg_next ) {
- if ( p->plg_be_exhandler != NULL && p->plg_type == SLAPI_PLUGIN_BETXNEXTENDEDOP ) {
- if ( p->plg_exoids != NULL ) {
- for ( i = 0; p->plg_exoids[i] != NULL; i++ ) {
- if ( strcasecmp( oid, p->plg_exoids[i] ) == 0 ) {
- break;
- }
- }
- if ( p->plg_exoids[i] == NULL ) {
- continue;
- }
- }
- rc = (*p->plg_be_exhandler)( pb, &result );
- if (rc != LDAP_SUCCESS) {
- /* Do we need to do anything? Or it is the parents job? */
- result = NULL;
- }
- break;
- }
+ rc = (*p->plg_be_exhandler)( pb, &result );
+ if (rc != LDAP_SUCCESS) {
+ /* Do we need to do anything? Or it is the parents job? */
+ result = NULL;
}
-
return( result );
}
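Review bot: plugin_extended_op_getbackend now calls `(*p->plg_be_exhandler)( pb, &result )` without the `p->plg_be_exhandler != NULL` test the removed loop had, and plugin_determine_exop_plugins only checks `plg_exhandler`, so a betxn plugin registered without a backend handler would be called through a NULL function pointer while serving a client request; `if (p == NULL || p->plg_be_exhandler == NULL) return NULL;` before the call restores the guard. In plugin_extended_op_oid2string the rewritten loop `for ( j = 0; p->plg_exnames[j] != NULL; ++j )` lost the `j < i` bound, so it always stops on the terminator and `rval = p->plg_exnames[j]` is always NULL; the OID-related name is never returned and the function always falls back to `spd_id` or `plg_name`. Restoring it needs the index of the matched OID, which plugin_determine_exop_plugins does not currently hand back. `p` is also passed uninitialised there, and the commented-out `// struct slapdplugin *p;` can be deleted.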
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 255e4bd..f4a5eab 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -879,8 +879,9 @@ void global_plugin_init();
int plugin_call_plugins( Slapi_PBlock *, int );
int plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
slapi_plugin_init_fnptr initfunc, int add_to_dit, char *returntext);
-int plugin_call_exop_plugins( Slapi_PBlock *pb, char *oid, int whichtype );
-Slapi_Backend * plugin_extended_op_getbackend( Slapi_PBlock *pb, char *oid);
+int plugin_determine_exop_plugins( const char *oid, struct slapdplugin **plugin );
+int plugin_call_exop_plugins( Slapi_PBlock *pb, struct slapdplugin *p );
+Slapi_Backend * plugin_extended_op_getbackend( Slapi_PBlock *pb, struct slapdplugin *p);
const char *plugin_extended_op_oid2string( const char *oid );
void plugin_closeall(int close_backends, int close_globals);
void plugin_startall(int argc, char **argv, char **plugin_list);
Changes to 'refs/tags/389-ds-console-1.2.12-2'
by Noriko Hosoi
Changes since the dawn of time:
Endi S. Dewata (3):
Bug 496863 - 'Construct' button creates incorrect referral urls
Resolves: bug 574098
Bug 563513 - New replication -> No changelong configured-msg
Mark Reynolds (10):
Ticket 370 - Opening merge qualifier CoS entry using RHDS console changes the entry
Bumped version to 1.2.7
Ticket 96 - Window too large for Manage password policy
Ticket 47883 - DS Console - java exception when refreshing
Ticket 176 - DS Console should timeout when mismatched port
Ticket 47886 - DS Console - mouse wheel speed very slow
Ticket 47485 - DS instance cannot be restored from remote console
Ticket 47887 - DS Console does not correctly disable SSL
Ticket 135 - DS console - right clicking an object does not select that object
Ticket 47994 - DS Console always sets nsSSL3 to "on" when a securty setting is adjusted
Nathan Kinder (28):
171941 - Adjusted the version number and branding. I had to modify the checkVersion method to deal with running in Console 1.0. I also cleaned up references to consolesdk in the Ant build files. They should be console instead since we dropped the consolesdk naming. The external and internal imports files were adjusted to pick up the new 1.0 Console component.
171941 - checkVersion was comparing versions with greater than when it should have been using greater than or equal to
177696 - Changed usage of enum keyword as a variable name for Java 1.5 compatibility
Bug(s) fixed: 181570
Resolves: 246513
Summary: Initial fedora-ds-console specfile.
Resolves: ?
Resolves: 250137
Resolves: 250145
Resolves: 204510
Resolves: 250636
Resolves: 252036
Add default ldapjdk path as well as a settable parameter
Fixed typo from last checkin
Use less restrictive version of Open Publication License for online help docs.
Resolves: 308221
Resolves: 333171
Resolves: 178247
Resolves: 379191
Bug 599732 - Root node in directory browser shows DN syntax error
Bug 229693 - Update naming attribute when objectclass is removed
Bug 474113 - Allow access log level to be configured from Console
Bug 504803 - Allow nsslapd-*-logmaxdiskspace to be set to -1 in UI
Bug 158262 - Windows Sync UI is inconistent
Bug 533505 - Warn about CA cert trust when enabling SSL in Console
Bug 616707 - Add attribute matching rule UI to Console
Bug 705753 - Refresh problem in Console directory browser
Bug 700908 - Validate matching rules when creating a new attribute
Noriko Hosoi (30):
Changed the ldapconsole package name to <brand>-ds-<version>.jar
Modified ant move syntax to support ant 1.6.2
[186105] Admin Server Makefile updates for Internal build
Resolves: #247215
Resolves: #248073
Resolves: #379191
Resolves: #386041
Resolves: #379191
Resolves: #379191
Resolves: #379191
Resolves: #379191
Resolves: #379191
Resolves: 178947
Bug 553066 - Directory Console: do not display "subtree" index type
Bug 151705 - Need to update Console Cipher Preferences with new ciphers
Bug 661116 - 389-console Configuration tab admin permissions
Bug 387981 - plain files can be chosen on the Restore Directory dialog
Bug 450016 - RFE- Console display values in KB/MB/GB
Bug 211296 - Clean up all HTML pages (Admin Express, Repl Monitor, etc)
Bug 757773 - SSL Port issue in Console
Ticket #47380 - RFE: Winsync loses connection with AD objects when they move from the console.
Bumped version to 1.2.8
Bumped version to 1.2.9
Bug 1022104 - Remove versioned jarfiles from _javadir
Bumped version to 1.2.10
Ticket #48130 - Add "+all" and "-TLS_RSA_WITH_AES_128_GCM_SHA256" to Console Cipher Preference for TLS
Bumped version to 1.2.11
Ticket #48139 - drop support for legacy replication
Bumped version to 1.2.12
Bug 1234441 - Security info from Help should be removed
Rich Megginson (39):
Bug(s) fixed: 167761
allow the definition of the console location on the command line with different directory layouts than the default
Bug(s) fixed: 178478
The console now builds jar files in the format
bump version to 1.0.3
updated spec for Fedora DS 1.1 release
Resolves: bug 428357
Bump version to 1.1.2
this is for the 1.1.2 release
Resolves: bug 469261
Resolves: bug 469261
Resolves: bug 234948
Resolves: bug 452596
Resolves: bug 178947
Resolves: bug 177334
Resolves: bug 249120
Resolves: bug 238762
Resolves: bug 179193
Resolves: bug 179184
change version to 1.1.3
Resolves: bug 487831
Resolves: bug 481213
Resolves: bug 483660
Resolves: bug 483660
updated for 1.1.3
version must correspond to ds base version - 1.2.0
rename to 389
change mode of spec file to 644
added separate doc subpackage
update to version 1.2.1
Bug 586571 - DS Console shows escaped DNs
bump version to 1.2.2
Bug 586571 - DS Console shows escaped DNs
Bug 591989 - [console] mis-matched trademark and text
bump version to 1.2.4
bump version to 1.2.5
add skin support
move dsbanner.gif to the localized jar for l10n/skinning
dsbannerlite.gif is obsolete
foxworth (2):
Import initial source drop of Fedora DirectoryConsole
Import initial source drop of Fedora DirectoryConsole
Changes to 'ds-console-1.2.12'
by Noriko Hosoi
New branch 'ds-console-1.2.12' available with the following commits:
commit baba5abe115a8f78224d820b4d6abda1c3aca397
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Apr 27 15:28:56 2016 -0700
Bug 1234441 - Security info from Help should be removed
File: help/en/help/statustab_general.html
Removed: Security level. Indicates whether the server uses domestic
(US based, 128-bit ciphers) or export (non-US based, 40-bit ciphers)
encryption levels.
admserv/cgi-src40
by Noriko Hosoi
admserv/cgi-src40/ds_remove.in | 6 ++++++
1 file changed, 6 insertions(+)
New commits:
commit edc5dbc514da3aeb6dca5f0a218f3330cea0fce3
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Apr 27 11:28:14 2016 -0700
Ticket #48410 - 389-admin - Unable to remove / unregister a DS instance from admin server
Description: The cgi ds_remove did not map ServerAdminID.
NMC_ErrInfo: The map value 'ServerAdminID' for key 'as_uid' did
not map to a value in any of the given information files.
This patch adds the mapping using admpw.conf.
https://fedorahosted.org/389/ticket/48410
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/admserv/cgi-src40/ds_remove.in b/admserv/cgi-src40/ds_remove.in
index cb7abe3..851afde 100755
--- a/admserv/cgi-src40/ds_remove.in
+++ b/admserv/cgi-src40/ds_remove.in
@@ -113,6 +113,12 @@ $inf->{General}->{ConfigDirectoryLdapURL} = $query->param('ldap_url') ||
$admConf->{ldapurl};
$inf->{General}->{AdminDomain} = $query->param('admin_domain') ||
$admConf->{AdminDomain};
+my $admpw = AdminUtil::getAdmpw($admConf);
+if ($admpw && %{$admpw}) {
+ unless (defined($inf->{admin}->{ServerAdminID})) {
+ $inf->{admin}->{ServerAdminID} = $admpw->{ServerAdminID};
+ }
+}
# Unregister the server from the configuration ds
# get config ds url from input or admconf
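Review bot: When `AdminUtil::getAdmpw($admConf)` returns nothing, or a hash without `ServerAdminID`, this block falls through silently and the script continues with `$inf->{admin}->{ServerAdminID}` unset, which is presumably the state that produced the NMC_ErrInfo mapping error in the first place. An explicit failure path would make that diagnosable, for example an `else` branch that reports that the admin id could not be read and stops before the unregister step. Copying only the id out of `$admpw`, as done here, is the right scope; if that hash also carries the password hash, it should stay out of `$inf` and out of any log output. The script continues outside the hunk.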
ldap/admin
by Noriko Hosoi
ldap/admin/src/scripts/DSUtil.pm.in | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 0d1c21b0b96f3c42b334a74db0c5aa090a0339b9
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Apr 27 11:31:49 2016 -0700
Ticket #48410 - 389-ds-base - Unable to remove / unregister a DS instance from admin server
Description: In check_and_add_entry (DSUtil.pm), if the operation is delete,
$subentry is exhausted. Thus, the do loop should be finished there without
calling $conn->nextEntry(), which causes the assertion failure in perl-Mozilla-
LDAP.
https://fedorahosted.org/389/ticket/48410
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 3476d67..f53f0c0 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -463,6 +463,7 @@ sub check_and_add_entry
return 0;
}
debug(1, "Entry $aentry->{dn} is deleted\n");
+ $sentry = undef;
}
elsif ( 0 < $op ) # modify op
{
Branch '389-ds-base-1.2.11' - dirsrvtests/tests ldap/schema ldap/servers lib/ldaputil
by William Brown
dirsrvtests/tests/tickets/ticket48798_test.py | 146 ++++++++++++++++++++++++++
ldap/schema/01core389.ldif | 3
ldap/servers/slapd/ssl.c | 73 +++++++++++++
lib/ldaputil/cert.c | 8 +
4 files changed, 228 insertions(+), 2 deletions(-)
New commits:
commit 50910ac7101e2ede6bf8211383dea8d5f00539bd
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Apr 21 13:36:28 2016 +1000
Ticket 48798 - Enable DS to offer weaker DH params in NSS
Bug Description: Java is unable to handle DH params greater than 1024 bit.
As of NSS 2.20 and higher, NSS defaults to params of 2048 bit. This breaks
all Java clients.
Fix Description: This adds a new option, allowWeakDHParams that allows
nss to generate and use insecure DH params that Java would be capable of
using.
This test case shows the ability to allow weak params, and
that they are indeed 1024 bits
https://fedorahosted.org/389/ticket/48798
Author: wibrown
Review by: nhosoi
diff --git a/dirsrvtests/tests/tickets/ticket48798_test.py b/dirsrvtests/tests/tickets/ticket48798_test.py
new file mode 100644
index 0000000..6872552
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48798_test.py
@@ -0,0 +1,146 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+
+import nss
+
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+# Only works in py2.7
+# from subprocess import check_output
+from subprocess import Popen
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ # Creating standalone instance ...
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ # Delete each instance in the end
+ def fin():
+ pass
+ #standalone.delete()
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ #standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def check_socket_dh_param_size(hostname, port):
+ ### You know why we have to do this?
+ # Because TLS and SSL suck. Hard. They are impossible. It's all terrible, burn it all down.
+ cmd = "echo quit | openssl s_client -connect {HOSTNAME}:{PORT} -msg -cipher DH | grep -A 1 ServerKeyExchange".format(
+ HOSTNAME=hostname,
+ PORT=port)
+ #output = check_output(cmd, shell=True)
+ p = Popen(cmd, shell=True, stdout=PIPE)
+ (output, _) = p.communicate()
+
+ dhheader = output.split('\n')[1]
+ # Get rid of all the other whitespace.
+ dhheader = dhheader.replace(' ', '')
+ # Example is 0c00040b0100ffffffffffffffffadf8
+ # We need the bits 0100 here. Which means 256 bytes aka 256 * 8, for 2048 bit.
+ dhheader = dhheader[8:12]
+ # make it an int, and times 8
+ i = int(dhheader, 16) * 8
+ return i
+
+
+def test_ticket48798(topology):
+ """
+ Test DH param sizes offered by DS.
+
+ """
+
+ # Create a CA
+ # This is a trick. The nss db that ships with DS is broken fundamentally.
+ ## THIS ASSUMES old nss format. SQLite will bite us!
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topology.standalone.confdir, f ))
+ except:
+ pass
+
+ # Check if the db exists. Should be false.
+ assert(topology.standalone.nss_ssl._db_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.reinit() is True)
+ # Check if the db exists. Should be true
+ assert(topology.standalone.nss_ssl._db_exists() is True)
+
+ # Check if ca exists. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_ca() is True)
+ # Check if ca exists. Should be true
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is True)
+
+ # Check if we have a server cert / key. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Check if server cert and key exist. Should be true.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is True)
+
+ topology.standalone.config.enable_ssl(secport=DEFAULT_SECURE_PORT, secargs={'nsSSL3Ciphers': '+all'} )
+
+ topology.standalone.restart(30)
+
+ # Confirm that we have a connection, and that it has DH
+
+ # Open a socket to the port.
+ # Check the security settings.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 2048)
+
+ # Now toggle the settings.
+ mod = [(ldap.MOD_REPLACE, 'allowWeakDHParam', 'on')]
+ dn_enc = 'cn=encryption,cn=config'
+ topology.standalone.modify_s(dn_enc, mod)
+
+ topology.standalone.restart(30)
+
+ # Check the DH params are less than 1024.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 1024)
+
+ log.info('Test complete')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
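Review bot: check_socket_dh_param_size builds a shell pipeline with `.format()` and runs it with `shell=True`, so the hostname and port are parsed as shell syntax, and `PIPE` is used although only `Popen` is imported from subprocess (it resolves only if one of the star imports happens to export it). Passing an argv list, feeding `quit` on stdin and locating the ServerKeyExchange line in Python removes the shell, the `grep` and the unchecked `output.split('\n')[1]`; the import becomes `from subprocess import Popen, PIPE`. Separately, the bare `except: pass` around `os.remove` hides permission errors, the empty finalizer leaves the instance running with the 1024-bit setting enabled, and the comment "less than 1024" disagrees with `assert(size == 1024)`.

```python
def check_socket_dh_param_size(hostname, port):
    # argv list, no shell: hostname and port travel as a single argument
    cmd = ['openssl', 's_client', '-connect', '%s:%s' % (hostname, port),
           '-msg', '-cipher', 'DH']
    p = Popen(cmd, stdin=PIPE, stdout=PIPE)
    (output, _) = p.communicate(b'quit\n')
    lines = output.decode('ascii', 'replace').splitlines()
    hits = [n for n, line in enumerate(lines) if 'ServerKeyExchange' in line]
    assert hits and hits[0] + 1 < len(lines), 'no ServerKeyExchange in s_client output'
    dhheader = lines[hits[0] + 1]
    # ... unchanged: strip spaces, take dhheader[8:12], convert to bits ...
```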
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index ba5b0aa..8f366a8 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -155,6 +155,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC
attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2310 NAME 'nsds5ReplicaFlowControlWindow' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
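Review bot: `allowWeakDHParam` is declared without `SINGLE-VALUE`, unlike the neighbouring configuration attributes in this hunk, so cn=encryption,cn=config could hold both `on` and `off` and the schema does not define which value the server honours. Adding `SINGLE-VALUE` before `X-ORIGIN` removes that ambiguity for a switch that lowers TLS key-exchange strength. The generic `DESC 'Netscape defined attribute type'` also gives an administrator auditing the schema no hint that enabling it weakens the DH parameters; a descriptive DESC would help.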
@@ -170,5 +171,5 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 529dbc6..fcf7ba9 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -89,6 +89,10 @@
#define NSS_TLS10 1
#endif
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 320
+#define HAVE_NSS_DHE 1
+#endif
+
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
static SSLVersionRange enabledNSSVersions;
static SSLVersionRange slapdNSSVersions;
@@ -117,6 +121,7 @@ static int stimeout;
static char *ciphers = NULL;
static char * configDN = "cn=encryption,cn=config";
+
/* Copied from libadmin/libadmin.h public/nsapi.h */
#define SERVER_KEY_NAME "Server-Key"
#define MAGNUS_ERROR_LEN 1024
@@ -125,6 +130,15 @@ static char * configDN = "cn=encryption,cn=config";
#define FILE_PATHSEP '/'
/* ----------------------- Multiple cipher support ------------------------ */
+#ifdef HAVE_NSS_DHE
+#define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100 /* allowWeakDhParam is not set in cn=encryption */
+#define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */
+#define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */
+#endif
+
+#ifdef HAVE_NSS_DHE
+static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM;
+#endif
static char **cipher_names = NULL;
@@ -244,6 +258,33 @@ getSupportedCiphers()
return cipher_names;
}
+#ifdef HAVE_NSS_DHE
+int
+get_allow_weak_dh_param(Slapi_Entry *e)
+{
+ /* Check if the user wants weak params */
+ int allow = CIPHER_SET_DEFAULTWEAKDHPARAM;
+ char *val;
+ val = slapi_entry_attr_get_charptr(e, "allowWeakDHParam");
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allow = CIPHER_SET_DISALLOWWEAKDHPARAM;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allow = CIPHER_SET_ALLOWWEAKDHPARAM;
+ slapd_SSL_warn("The value of allowWeakDHParam is set to %s. THIS EXPOSES YOU TO CVE-2015-4000.", val);
+ } else {
+ slapd_SSL_warn("The value of allowWeakDHParam \"%s\" is invalid.",
+ "Ignoring it and set it to default.", val);
+ }
+ }
+ slapi_ch_free((void **) &val);
+ return allow;
+}
+#endif
+
+
char **
getEnabledCiphers()
{
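Review bot: The invalid-value branch of `get_allow_weak_dh_param` passes two string literals separated by a comma to `slapd_SSL_warn`, so (assuming it is printf-style, as the other call in this function suggests) `%s` is filled with the "Ignoring it..." text and `val` is never printed. Dropping the comma lets the literals concatenate: `slapd_SSL_warn("The value of allowWeakDHParam \"%s\" is invalid. " "Ignoring it and set it to default.", val);`. The function is also defined without `static`, and nothing in this diff adds a prototype for it; if it is only used from ssl.c, `static int` would be the better linkage.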
@@ -841,6 +882,9 @@ slapd_ssl_init() {
int rv = 0;
PK11SlotInfo *slot;
Slapi_Entry *entry = NULL;
+#ifdef HAVE_NSS_DHE
+ SECStatus nss_rv = SECFailure;
+#endif
/* Get general information */
@@ -849,6 +893,17 @@ slapd_ssl_init() {
val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
+#ifdef HAVE_NSS_DHE
+ allowweakdhparam = get_allow_weak_dh_param(entry);
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, generating new WEAK DH param");
+ nss_rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
+ if (nss_rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to generate weak dh parameters");
+ }
+ }
+#endif
+
/* We are currently using the value of sslSessionTimeout
for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
/* Note from Tom Weinstein on the meaning of the timeout:
@@ -1192,6 +1247,24 @@ int slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
if (SECSuccess == rv) {
+
+#ifdef HAVE_NSS_DHE
+ /* Step If we want weak dh params, flag it on the socket now! */
+
+ rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to start DHE");
+ }
+
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, allowing weak parameters on socket.");
+ rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to allow weak DH params on socket.");
+ }
+ }
+#endif
+
if( slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE ) {
rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
}
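Review bot: Both new calls in `slapd_ssl_init2` store their status in the function's `rv`, whereas `slapd_ssl_init` uses a dedicated `nss_rv` for the same purpose. A failure of `SSL_OptionSet` or `SSL_EnableWeakDHEPrimeGroup` is only logged, and whether the stale `SECFailure` is then overwritten depends on the `SSL_ConfigSecureServer` branches, of which only the fortezza one is visible here; the function starts and ends outside the hunk. A separate local such as `SECStatus dhe_rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);` would keep the best-effort DHE setup from influencing the later error path. The comment beginning `/* Step If we want weak dh params` also reads as truncated and does not mention that DHE is enabled unconditionally first.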
diff --git a/lib/ldaputil/cert.c b/lib/ldaputil/cert.c
index c26ff41..d617741 100644
--- a/lib/ldaputil/cert.c
+++ b/lib/ldaputil/cert.c
@@ -50,6 +50,7 @@
#include "prmem.h"
#include "key.h"
#include "cert.h"
+#include <nss.h>
#include <ldaputil/certmap.h>
#include <ldaputil/errors.h>
#include <ldaputil/cert.h>
@@ -285,7 +286,12 @@ _replaceAVA (char* attr, char** avas)
}
struct _attr_getter_pair {
- char* (*getter) (CERTName* dn);
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 15)
+ char* (*getter) ( CERTName* dn);
+#else
+ /* in 3.15.x "const" was added to the declarations */
+ char* (*getter) (const CERTName* dn);
+#endif
const char* name1;
const char* name2;
} _attr_getter_table[] =