[389-ds-base] branch 389-ds-base-1.4.3 updated: Issue 51076 - prevent unnecessarily duplication of the target entry
by pagure@pagure.io
This is an automated email from the git hooks/post-receive script.
mreynolds pushed a commit to branch 389-ds-base-1.4.3
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.3 by this push:
new b91683b Issue 51076 - prevent unnecessarily duplication of the target entry
b91683b is described below
commit b91683bcf21a6e488cbecbccc1f2b01c6b2fc758
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 10:52:43 2020 -0400
Issue 51076 - prevent unnecessarily duplication of the target entry
Bug Description: For any update operation the MEP plugin was calling
slapi_search_internal_get_entry() which duplicates
the entry it returns. In this case the entry is just
read from and discarded, but this entry is already
in the pblock (the PRE OP ENTRY).
Fix Description: Just grab the PRE OP ENTRY from the pblock and use
that to read the attribute values from. This saves
two entry duplications for every update operation
from MEP.
fixes: https://pagure.io/389-ds-base/issue/51076
Reviewed by: tbordaz & firstyear (Thanks!!)
---
ldap/servers/plugins/mep/mep.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/plugins/mep/mep.c b/ldap/servers/plugins/mep/mep.c
index ca9a64b..401d95e 100644
--- a/ldap/servers/plugins/mep/mep.c
+++ b/ldap/servers/plugins/mep/mep.c
@@ -2165,9 +2165,8 @@ mep_pre_op(Slapi_PBlock *pb, int modop)
if (e && free_entry) {
slapi_entry_free(e);
}
-
- slapi_search_internal_get_entry(sdn, 0, &e, mep_get_plugin_id());
- free_entry = 1;
+ slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &e);
+ free_entry = 0;
}
if (e && mep_is_managed_entry(e)) {
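Review bot: the result of slapi_pblock_get(pb, SLAPI_ENTRY_PRE_OP, &e) is not checked, and e is not reset after the slapi_entry_free(e) just above it, so when that free ran and the get stores nothing, e still points at the freed entry by the time `if (e && mep_is_managed_entry(e))` is evaluated. Set e = NULL before the call, or check the return value, so that path cannot read freed memory. With free_entry = 0 the entry stays owned by the pblock, which matches the fix description; a short comment that e is now borrowed would keep a later change from freeing it.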
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
[389-ds-base] branch 389-ds-base-1.4.1 updated: Issue 50940 - Permissions of some shipped directories may change over time
by pagure@pagure.io
mhonek pushed a commit to branch 389-ds-base-1.4.1
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.1 by this push:
new 10c85d6 Issue 50940 - Permissions of some shipped directories may change over time
10c85d6 is described below
commit 10c85d687af0fd7760fbe9ac6d74829e8c358693
Author: Matus Honek <mhonek(a)redhat.com>
AuthorDate: Wed Mar 4 13:17:13 2020 +0000
Issue 50940 - Permissions of some shipped directories may change over time
Bug Description:
Some utilities (e.g. installer, esp. setup-ds.pl) alter permissions of
some folders shipped by default. This is discoverable by running
`rpm -V 389-ds-base` after using these.
Fix Description:
Since Perl tools are deprecated and Python tools do not seem to change
most of those permissions, only fix /var/lock/dirsrv in SPEC file.
Relates: https://pagure.io/389-ds-base/issue/50940
Author: Matus Honek <mhonek(a)redhat.com>
Review By: Simon (Thanks!)
(cherry picked from commit 26c77a4bb02672a63bb2cdeb68f951f3796af29c)
---
rpm/389-ds-base.spec.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index ede7b79..a927ac9 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -437,7 +437,8 @@ popd
mkdir -p $RPM_BUILD_ROOT/var/log/%{pkgname}
mkdir -p $RPM_BUILD_ROOT/var/lib/%{pkgname}
-mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname} \
+ && chmod 770 $RPM_BUILD_ROOT/var/lock/%{pkgname}
# for systemd
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants
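Review bot: the `chmod 770 $RPM_BUILD_ROOT/var/lock/%{pkgname}` added here only sets the mode in the build root, and the %files entry for this directory is not visible in the hunk. If that entry carries an %attr or %defattr mode, that is what the package records, so confirm it agrees with 770 and names the intended owner and group; otherwise `rpm -V 389-ds-base` can keep reporting a difference. 770 makes the lock directory group-writable, so the spec should make clear which group that is. The `\` plus `&&` continuation could also be written as a single `install -d -m 770` line.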
--
[389-ds-base] branch 389-ds-base-1.4.2 updated: Issue 50940 - Permissions of some shipped directories may change over time
by pagure@pagure.io
mhonek pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new e1e4ef5 Issue 50940 - Permissions of some shipped directories may change over time
e1e4ef5 is described below
commit e1e4ef52413e7d1c466f3fd8152602f01592e08e
Author: Matus Honek <mhonek(a)redhat.com>
AuthorDate: Wed Mar 4 13:17:13 2020 +0000
Issue 50940 - Permissions of some shipped directories may change over time
Bug Description:
Some utilities (e.g. installer, esp. setup-ds.pl) alter permissions of
some folders shipped by default. This is discoverable by running
`rpm -V 389-ds-base` after using these.
Fix Description:
Since Perl tools are deprecated and Python tools do not seem to change
most of those permissions, only fix /var/lock/dirsrv in SPEC file.
Relates: https://pagure.io/389-ds-base/issue/50940
Author: Matus Honek <mhonek(a)redhat.com>
Review By: Simon (Thanks!)
(cherry picked from commit 26c77a4bb02672a63bb2cdeb68f951f3796af29c)
---
rpm/389-ds-base.spec.in | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 34a1fa9..7ee29a3 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -431,7 +431,8 @@ popd
mkdir -p $RPM_BUILD_ROOT/var/log/%{pkgname}
mkdir -p $RPM_BUILD_ROOT/var/lib/%{pkgname}
-mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname}
+mkdir -p $RPM_BUILD_ROOT/var/lock/%{pkgname} \
+ && chmod 770 $RPM_BUILD_ROOT/var/lock/%{pkgname}
# for systemd
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/%{groupname}.wants
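Review bot: only /var/lock/%{pkgname} gets an explicit mode in this hunk; the /var/log/%{pkgname} and /var/lib/%{pkgname} directories created on the two context lines above it still take whatever mode the build umask produces. The commit message limits the fix to the lock directory on purpose, so a one-line spec comment saying the other two are intentionally left alone would keep the next reader from treating it as an oversight.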
--
[389-ds-base] branch 389-ds-base-1.4.2 updated: Bump version to 1.4.2.13
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new b97a2c1 Bump version to 1.4.2.13
b97a2c1 is described below
commit b97a2c1c5c11aa1443fd1f3573b2157a47b08edf
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 16:34:08 2020 -0400
Bump version to 1.4.2.13
---
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.sh b/VERSION.sh
index da42a3e..80ded3d 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=4
-VERSION_MAINT=2.12
+VERSION_MAINT=2.13
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
--
[389-ds-base] branch 389-ds-base-1.4.1 updated: Ticket 50787 - fix implementation of attr unique
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.1
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.1 by this push:
new 4cc6a99 Ticket 50787 - fix implementation of attr unique
4cc6a99 is described below
commit 4cc6a99cf04444e6129ace1723a87769cc23a99a
Author: William Brown <william(a)blackhats.net.au>
AuthorDate: Thu Jan 23 12:40:03 2020 +1000
Ticket 50787 - fix implementation of attr unique
Bug Description: The implementation of attribute unique relies
on a "plugin per config" which is different to most other
handlings. This creates an exception case to the standard
plugin framework in lib389 that was not correctly handled
in the CLI.
Fix Description: Fix the cli to have the correct customised
variants of the commands to support this plugin's behaviour.
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is disabled
> dsconf localhost plugin attr-uniq enable uid-test
Successfully enabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq enable uid-test
Plugin 'uid-test' already enabled
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is enabled
> dsconf localhost plugin attr-uniq disable uid-test
Successfully disabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq disable uid-test
Plugin 'uid-test' already disabled
https://pagure.io/389-ds-base/issue/50787
Author: William Brown <william(a)blackhats.net.au>
Review by: ???
---
src/lib389/lib389/cli_conf/plugins/attruniq.py | 40 +++++++++++++++++++++++---
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/lib389/lib389/cli_conf/plugins/attruniq.py b/src/lib389/lib389/cli_conf/plugins/attruniq.py
index bfea80e..7f5bfb0 100644
--- a/src/lib389/lib389/cli_conf/plugins/attruniq.py
+++ b/src/lib389/lib389/cli_conf/plugins/attruniq.py
@@ -80,6 +80,38 @@ def attruniq_del(inst, basedn, log, args):
log.info("Successfully deleted the %s", plugin.dn)
+def attruniq_enable(inst, basedn, log, args):
+ log = log.getChild('attruniq_enable')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if plugin.status():
+ log.info("Plugin '%s' already enabled" % plugin.rdn)
+ else:
+ plugin.enable()
+ log.info("Successfully enabled the %s", plugin.dn)
+
+
+def attruniq_disable(inst, basedn, log, args):
+ log = log.getChild('attruniq_disable')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if not plugin.status():
+ log.info("Plugin '%s' already disabled" % plugin.rdn)
+ else:
+ plugin.disable()
+ log.info("Successfully disabled the %s", plugin.dn)
+
+
+def attruniq_status(inst, basedn, log, args):
+ log = log.getChild('attruniq_status')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if plugin.status() is True:
+ log.info("Plugin '%s' is enabled" % plugin.rdn)
+ else:
+ log.info("Plugin '%s' is disabled" % plugin.rdn)
+
+
def _add_parser_args(parser):
parser.add_argument('NAME', help='Sets the name of the plug-in configuration record. (cn) You can use any string, '
'but "attribute_name Attribute Uniqueness" is recommended.')
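Review bot: attruniq_status tests `plugin.status() is True` while attruniq_enable and attruniq_disable test plain truthiness (`if plugin.status():` and `if not plugin.status():`), so a truthy non-bool return would make enable log "already enabled" while status logs "is disabled". Use the same test in all three, preferably plain truthiness. The three functions also repeat the same AttributeUniquenessPlugins(inst) and plugins.get(args.NAME) lookup, which could live in one small helper.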
@@ -106,7 +138,7 @@ def _add_parser_args(parser):
def create_parser(subparsers):
attruniq = subparsers.add_parser('attr-uniq', help='Manage and configure Attribute Uniqueness plugin')
subcommands = attruniq.add_subparsers(help='action')
- add_generic_plugin_parsers(subcommands, AttributeUniquenessPlugin)
+ # We can't use the add_generic_plugin_parsers as we need named sub instances.
list = subcommands.add_parser('list', help='List available plugin configs')
list.set_defaults(func=attruniq_list)
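Review bot: removing `add_generic_plugin_parsers(subcommands, AttributeUniquenessPlugin)` drops every subcommand that call registered, and only enable, disable and status are visibly re-pointed in this patch. Confirm nothing else it provided is lost for attr-uniq, and extend the replacement comment to say which subcommands are now defined by hand. If AttributeUniquenessPlugin is no longer referenced in this file after the change, its import can be removed as well.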
@@ -129,12 +161,12 @@ def create_parser(subparsers):
enable = subcommands.add_parser('enable', help='enable plugin')
enable.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- enable.set_defaults(func=generic_enable)
+ enable.set_defaults(func=attruniq_enable)
disable = subcommands.add_parser('disable', help='disable plugin')
disable.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- disable.set_defaults(func=generic_disable)
+ disable.set_defaults(func=attruniq_disable)
status = subcommands.add_parser('status', help='display plugin status')
status.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- status.set_defaults(func=generic_status)
+ status.set_defaults(func=attruniq_status)
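Review bot: after these three set_defaults swaps, generic_enable, generic_disable and generic_status are no longer referenced in the visible lines, so drop their imports if nothing else in the file uses them. The diffstat lists only attruniq.py, so no test covers the new enable, disable and status paths; the dsconf transcript in the commit message would translate directly into one.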
--
[389-ds-base] branch 389-ds-base-1.4.2 updated: Ticket 50787 - fix implementation of attr unique
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new 3aae8c4 Ticket 50787 - fix implementation of attr unique
3aae8c4 is described below
commit 3aae8c429c3fb6edce6cab64e675d8fc561dbcd0
Author: William Brown <william(a)blackhats.net.au>
AuthorDate: Thu Jan 23 12:40:03 2020 +1000
Ticket 50787 - fix implementation of attr unique
Bug Description: The implementation of attribute unique relies
on a "plugin per config" which is different to most other
handlings. This creates an exception case to the standard
plugin framework in lib389 that was not correctly handled
in the CLI.
Fix Description: Fix the cli to have the correct customised
variants of the commands to support this plugin's behaviour.
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is disabled
> dsconf localhost plugin attr-uniq enable uid-test
Successfully enabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq enable uid-test
Plugin 'uid-test' already enabled
> dsconf localhost plugin attr-uniq status uid-test
Plugin 'uid-test' is enabled
> dsconf localhost plugin attr-uniq disable uid-test
Successfully disabled the cn=uid-test,cn=plugins,cn=config
> dsconf localhost plugin attr-uniq disable uid-test
Plugin 'uid-test' already disabled
https://pagure.io/389-ds-base/issue/50787
Author: William Brown <william(a)blackhats.net.au>
Review by: ???
---
src/lib389/lib389/cli_conf/plugins/attruniq.py | 40 +++++++++++++++++++++++---
1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/src/lib389/lib389/cli_conf/plugins/attruniq.py b/src/lib389/lib389/cli_conf/plugins/attruniq.py
index bfea80e..7f5bfb0 100644
--- a/src/lib389/lib389/cli_conf/plugins/attruniq.py
+++ b/src/lib389/lib389/cli_conf/plugins/attruniq.py
@@ -80,6 +80,38 @@ def attruniq_del(inst, basedn, log, args):
log.info("Successfully deleted the %s", plugin.dn)
+def attruniq_enable(inst, basedn, log, args):
+ log = log.getChild('attruniq_enable')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if plugin.status():
+ log.info("Plugin '%s' already enabled" % plugin.rdn)
+ else:
+ plugin.enable()
+ log.info("Successfully enabled the %s", plugin.dn)
+
+
+def attruniq_disable(inst, basedn, log, args):
+ log = log.getChild('attruniq_disable')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if not plugin.status():
+ log.info("Plugin '%s' already disabled" % plugin.rdn)
+ else:
+ plugin.disable()
+ log.info("Successfully disabled the %s", plugin.dn)
+
+
+def attruniq_status(inst, basedn, log, args):
+ log = log.getChild('attruniq_status')
+ plugins = AttributeUniquenessPlugins(inst)
+ plugin = plugins.get(args.NAME)
+ if plugin.status() is True:
+ log.info("Plugin '%s' is enabled" % plugin.rdn)
+ else:
+ log.info("Plugin '%s' is disabled" % plugin.rdn)
+
+
def _add_parser_args(parser):
parser.add_argument('NAME', help='Sets the name of the plug-in configuration record. (cn) You can use any string, '
'but "attribute_name Attribute Uniqueness" is recommended.')
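Review bot: none of the three new functions handles a NAME that matches no configuration record; `plugin = plugins.get(args.NAME)` is used immediately, so whatever get() raises or returns for an unknown name reaches the user unfiltered. Handle that case and log a clear message naming the missing record. The logging style is also mixed: the "already enabled" and "already disabled" messages format eagerly with `%`, while the success messages pass plugin.dn as a logger argument; pass arguments to the logger in both.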
@@ -106,7 +138,7 @@ def _add_parser_args(parser):
def create_parser(subparsers):
attruniq = subparsers.add_parser('attr-uniq', help='Manage and configure Attribute Uniqueness plugin')
subcommands = attruniq.add_subparsers(help='action')
- add_generic_plugin_parsers(subcommands, AttributeUniquenessPlugin)
+ # We can't use the add_generic_plugin_parsers as we need named sub instances.
list = subcommands.add_parser('list', help='List available plugin configs')
list.set_defaults(func=attruniq_list)
@@ -129,12 +161,12 @@ def create_parser(subparsers):
enable = subcommands.add_parser('enable', help='enable plugin')
enable.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- enable.set_defaults(func=generic_enable)
+ enable.set_defaults(func=attruniq_enable)
disable = subcommands.add_parser('disable', help='disable plugin')
disable.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- disable.set_defaults(func=generic_disable)
+ disable.set_defaults(func=attruniq_disable)
status = subcommands.add_parser('status', help='display plugin status')
status.add_argument('NAME', help='Sets the name of the plug-in configuration record')
- status.set_defaults(func=generic_status)
+ status.set_defaults(func=attruniq_status)
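Review bot: the NAME help text on enable, disable and status still reads 'Sets the name of the plug-in configuration record', but with attruniq_enable, attruniq_disable and attruniq_status the argument selects an existing record rather than setting anything. Reword the three help strings, for example 'Name of the plug-in configuration record to enable', so the `--help` output matches what the commands now do.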
--
[389-ds-base] branch 389-ds-base-1.4.3 updated: Bump version to 1.4.3.8
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.3
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.3 by this push:
new 91c5bab Bump version to 1.4.3.8
91c5bab is described below
commit 91c5bab09a65c24bd4ae3358b5eee3dc0423f6dc
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 15:46:02 2020 -0400
Bump version to 1.4.3.8
---
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.sh b/VERSION.sh
index 5998ad3..5b5e12a 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=4
-VERSION_MAINT=3.7
+VERSION_MAINT=3.8
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
--
[389-ds-base] branch master updated: Bump version to 1.4.4.2
by pagure@pagure.io
mreynolds pushed a commit to branch master
in repository 389-ds-base.
The following commit(s) were added to refs/heads/master by this push:
new debc684 Bump version to 1.4.4.2
debc684 is described below
commit debc684adc387edc98eb07698f20f11a63964e0a
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 15:25:46 2020 -0400
Bump version to 1.4.4.2
---
VERSION.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION.sh b/VERSION.sh
index bb7dceb..561818d 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=4
-VERSION_MAINT=4.1
+VERSION_MAINT=4.2
# NOTE: VERSION_PREREL is automatically set for builds made out of a git tree
VERSION_PREREL=
VERSION_DATE=$(date -u +%Y%m%d)
--
[389-ds-base] branch 389-ds-base-1.4.1 updated: Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.1
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.1 by this push:
new b6cb5b2 Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
b6cb5b2 is described below
commit b6cb5b2e84b4b812d696db02b7004f4781236e4b
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 15:05:25 2020 -0400
Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
Description:
FreeIPA LDAP update code relies on the schema retrieval when
deciding what to do with values of single-valued LDAP attributes.
In the case attribute is single-valued and some value was present
in the original entry for this attribute, it would use MOD_REPLACE.
Otherwise, it uses MOD_DELETE + MOD_ADD.
Many attributes used in cn=config entries have no formal schema
defined. Since by default an attribute is multi-valued, this fails
the logic above for actual single-valued attributes, like
nsslapd-enable-upgrade-hash. It means FreeIPA has to write special
logic to handle just this attribute.
It would be good to expose schema for nsslapd-enable-upgrade-hash.
We need to change its value to off in all FreeIPA installations
because ipa-pwd-extop plugin prevents hashed passwords in updates
due to a need to regenerate Kerberos hashes on a password change.
It means upgrade of a password hash on LDAP bind will never work
in FreeIPA.
Note - this does move us closer to our goal of adding all the
configuration attributes to the schema.
fixes: https://pagure.io/389-ds-base/issue/51078
Reviewed by: mreynolds (one line commit rule)
---
ldap/schema/01core389.ldif | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index f4123f2..24e81f9 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -314,6 +314,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2353 NAME 'nsslapd-encryptionalgorithm'
attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A symmetric key - currently used by attribute encryption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'attribute encryption' )
attributeTypes: ( 2.16.840.1.113730.3.1.2364 NAME 'nsds5replicaLastInitStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME 'nsds5replicaLastUpdateStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash' DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
#
# objectclasses
#
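Review bot: the added attributeTypes line takes OID 2.16.840.1.113730.3.1.2370 while the last definition in the context is 2.16.840.1.113730.3.1.2365, and nothing in this hunk shows where 2366 to 2369 are used. Confirm that 2370 is allocated to nsslapd-enable-upgrade-hash in the project's OID registry and does not already appear in another schema file, since a clash would only surface when the schema is loaded.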
--
[389-ds-base] branch 389-ds-base-1.4.2 updated: Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
by pagure@pagure.io
mreynolds pushed a commit to branch 389-ds-base-1.4.2
in repository 389-ds-base.
The following commit(s) were added to refs/heads/389-ds-base-1.4.2 by this push:
new e71dc27 Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
e71dc27 is described below
commit e71dc2707950d2a98fa052849793908bf2d7f85f
Author: Mark Reynolds <mreynolds(a)redhat.com>
AuthorDate: Fri May 8 15:05:25 2020 -0400
Issue 51078 - Add nsslapd-enable-upgrade-hash to the schema
Description:
FreeIPA LDAP update code relies on the schema retrieval when
deciding what to do with values of single-valued LDAP attributes.
In the case attribute is single-valued and some value was present
in the original entry for this attribute, it would use MOD_REPLACE.
Otherwise, it uses MOD_DELETE + MOD_ADD.
Many attributes used in cn=config entries have no formal schema
defined. Since by default an attribute is multi-valued, this fails
the logic above for actual single-valued attributes, like
nsslapd-enable-upgrade-hash. It means FreeIPA has to write special
logic to handle just this attribute.
It would be good to expose schema for nsslapd-enable-upgrade-hash.
We need to change its value to off in all FreeIPA installations
because ipa-pwd-extop plugin prevents hashed passwords in updates
due to a need to regenerate Kerberos hashes on a password change.
It means upgrade of a password hash on LDAP bind will never work
in FreeIPA.
Note - this does move us closer to our goal of adding all the
configuration attributes to the schema.
fixes: https://pagure.io/389-ds-base/issue/51078
Reviewed by: mreynolds (one line commit rule)
---
ldap/schema/01core389.ldif | 1 +
1 file changed, 1 insertion(+)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index f4123f2..24e81f9 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -314,6 +314,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2353 NAME 'nsslapd-encryptionalgorithm'
attributeTypes: ( 2.16.840.1.113730.3.1.2084 NAME 'nsSymmetricKey' DESC 'A symmetric key - currently used by attribute encryption' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'attribute encryption' )
attributeTypes: ( 2.16.840.1.113730.3.1.2364 NAME 'nsds5replicaLastInitStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2365 NAME 'nsds5replicaLastUpdateStatusJSON' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2370 NAME 'nsslapd-enable-upgrade-hash' DESC 'Upgrade password hash on bind' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
#
# objectclasses
#
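Review bot: nsslapd-enable-upgrade-hash is declared with SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) and no EQUALITY rule, so the schema accepts any string even though the commit message treats the value as on or off. SINGLE-VALUE is the part the FreeIPA logic described in the message depends on, so the definition does its job; state the accepted values in DESC and make sure the configuration code rejects anything other than on and off.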
--