Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: ???
Files: see diff
Fix Description: This part focuses on chaining backend - allowing the
mux server to use SASL to connect to the farm server, and allowing SASL
authentication to chain. I had to add two new config parameters:
nsUseStartTLS - on or off - tells the connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present,
this must be one of the supported mechanisms (EXTERNAL, GSSAPI,
DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to
slapi_ldap_bind, and correct the replication code to pass in a NULL for
the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to
the sasl user id. This search could not be chained due to the way it
was coded. So I added a new chainable component called cn=sasl and
changed the sasl internal search code to use this component ID. This
allows the sasl code to work with a chained backend. In order to use
chaining with sasl, this component must be set in the chaining
configuration nsActiveChainingComponents. I also discovered that
password policy must be configured too, in order for the sasl code to
determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code -
kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
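The two parameters and the cn=sasl chaining component described in the commit message above are easy to get subtly wrong (a mechanism name the server does not support, or SASL enabled on the mux with cn=sasl missing from nsActiveChainingComponents, which silently leaves SASL binds unchained). The following is an added example, not code from the 389 DS project, that checks a chaining-backend entry against exactly the rules the message states. The entry is modelled as a plain dict of attribute name to list of values (a constructed stand-in for an ldapsearch result); treating a bare "cn=sasl" and "cn=sasl,<parent>" as the same component is this example's assumption.

```python
"""Check a 389 DS chaining-backend entry against the rules in the commit
message above.

Added example, not code from the 389 DS project. Rules encoded:
  - nsUseStartTLS is "on" or "off"; absent means off.
  - nsBindMechanism is absent (simple bind) or one of EXTERNAL, GSSAPI,
    DIGEST-MD5.
  - SASL authentication can only chain when the cn=sasl component is listed
    in nsActiveChainingComponents.
Entries are plain dicts of attribute -> list of values, a constructed
stand-in for what an ldapsearch of the chaining backend entry would return;
attribute names are matched case-insensitively as LDAP does.
"""

SUPPORTED_BIND_MECHANISMS = ("EXTERNAL", "GSSAPI", "DIGEST-MD5")


def _get(entry, attr):
    """Case-insensitive lookup of one attribute; returns a list of values."""
    wanted = attr.lower()
    for name, values in entry.items():
        if name.lower() == wanted:
            return list(values)
    return []


def _is_sasl_component(value):
    # The page names the component "cn=sasl"; accept that RDN with or without
    # a parent DN appended (assumption of this example).
    v = value.strip().lower()
    return v == "cn=sasl" or v.startswith("cn=sasl,")


def effective_bind(entry):
    """How the mux will bind to the farm server: (uses_starttls, mechanism)."""
    starttls = _get(entry, "nsUseStartTLS")
    mech = _get(entry, "nsBindMechanism")
    return (
        bool(starttls) and starttls[0].lower() == "on",   # default is off
        mech[0].upper() if mech else "SIMPLE",            # absent = simple bind
    )


def check_chaining_entry(entry, want_sasl_chaining=False):
    """Return a list of problems; an empty list means the entry is consistent."""
    problems = []

    starttls = _get(entry, "nsUseStartTLS")
    if len(starttls) > 1:
        problems.append("nsUseStartTLS: single-valued, got %d values" % len(starttls))
    elif starttls and starttls[0].lower() not in ("on", "off"):
        problems.append("nsUseStartTLS: must be on or off, got %r" % starttls[0])

    mech = _get(entry, "nsBindMechanism")
    if len(mech) > 1:
        problems.append("nsBindMechanism: single-valued, got %d values" % len(mech))
    elif mech and mech[0].upper() not in SUPPORTED_BIND_MECHANISMS:
        problems.append(
            "nsBindMechanism: %r is not one of %s"
            % (mech[0], ", ".join(SUPPORTED_BIND_MECHANISMS))
        )

    if want_sasl_chaining:
        components = _get(entry, "nsActiveChainingComponents")
        if not any(_is_sasl_component(c) for c in components):
            problems.append(
                "nsActiveChainingComponents: cn=sasl is missing, so SASL "
                "authentication will not chain to the farm server"
            )
    return problems


# Constructed sample entries, not taken from a real server.
SASL_CHAIN_OK = {
    "nsUseStartTLS": ["on"],
    "nsBindMechanism": ["GSSAPI"],
    "nsActiveChainingComponents": ["cn=sasl"],
}
SASL_CHAIN_BAD = {
    "nsUseStartTLS": ["yes"],       # not on/off
    "nsBindMechanism": ["PLAIN"],   # not a supported mechanism
    # nsActiveChainingComponents absent: cn=sasl not enabled
}
SIMPLE_DEFAULTS = {}                # both parameters absent: simple bind, no startTLS

if __name__ == "__main__":
    for label, entry in (("ok", SASL_CHAIN_OK), ("bad", SASL_CHAIN_BAD),
                         ("defaults", SIMPLE_DEFAULTS)):
        print(label, effective_bind(entry), check_chaining_entry(entry, True))
```

The password-policy requirement from the message (needed so the SASL code can tell whether an account is locked out) is not checked here, because the page does not say which attributes express it.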
Summary: vlvindex should not give an error message when the vlvindex is
Description of problem:
vlvindex should not give an error message - either it's a real error (not sure
why) or the error message is spurious and should not be printed by default
[error message sample]
$ vlvindex -n userRoot -T "by roomNumber"
[03/Nov/2008:18:16:05 -0800] - userRoot: Indexing VLV: by roomNumber
[03/Nov/2008:18:16:05 -0800] - warning: entrydn not indexed on
[03/Nov/2008:18:16:05 -0800] - userRoot: WARNING: Failed to fetch subtree
lists: (-30989) DB_NOTFOUND: No matching key/data pair found
[03/Nov/2008:18:16:05 -0800] - userRoot: Possibly the entrydn or ancestorid
index is corrupted or does not exist.
[03/Nov/2008:18:16:05 -0800] - userRoot: Attempting brute-force method instead.
[03/Nov/2008:18:16:05 -0800] - userRoot: Finished indexing.
[03/Nov/2008:18:16:05 -0800] - All database threads now stopped
When ou=payroll, dc=example, dc=com or its descendants do not exist,
this "Possibly broken or does not exist" message is issued. This is not
a false message since it mentions the case the entry does not exist.
Internally, we could distinguish the broken case from not existing
case. Thus, we'd better suppress unnecessary warnings. This proposed
code does so.
Created an attachment (id=322519)
cvs diff ldap/servers/slapd/back-ldbm/ldif2ldbm.c
In ldbm_fetch_subtrees (ldif2ldbm.c), if the parent entry to be vlvindexed
('ou=payroll,dc=example,dc=com' in this example) does not exist, then vlvindex
with the proposed code issues this warning but no further messages.
warning: entrydn not indexed on 'ou=payroll,dc=example,dc=com';
entry ou=payroll,dc=example,dc=com may not be added to the database yet.
If the parent entry exists (entry id 10 in this example), but none of the
descendant entries to be vlvindexed do, then vlvindex with the proposed code
issues this warning but no further messages.
warning: ancestorid not indexed on 10;
possibly, the entry id 10 has no descendants yet.
The bug 469792 has the test cases and vlvindex output samples.
[Bug 462922] Import of data does not record timestamps...
During the setup, I import an LDIF file, which contains just the suffix object
(with the InstallLdifFile option during silent setup).
The createTimestamp and modifyTimestamp operational attributes were not
generated during this import. This eventually leads to a WARNING message
when I create VLV indexes for the timestamp attributes.
See the following thread from the mailing list.
Comment by Rich in the mailing list: createTimestamp should be present, unless
you have nsslapd-lastmod turned off.
cvs diff ldap/servers/slapd/back-ldbm/import-threads.c
Description: add a static function import_add_created_attrs to add
CreatorsName, ModifiersName, CreateTimestamp, ModifyTimestamp to each imported
entry. I also added a check if nsslapd-lastmod is on or off. It adds the created
info only if the lastmod is on.
Please note: creatorsName and modifiersName are empty. I followed the
"add" case, which leaves the names empty when the creator's name is not
available. For the imported entries, we can choose not to put the name
lines at all. I'd like to have your comments on it, which would be more
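To make the behaviour the comment above describes concrete, here is an added example (not the 389 DS import code) that does outside the server what import_add_created_attrs is said to do: walk the entries of an LDIF file and, only when nsslapd-lastmod is on, give each one creatorsName, modifiersName, createTimestamp and modifyTimestamp. It follows the posted patch in leaving the two name attributes empty by default, with an optional DN argument for the alternative the comment asks about. The LDIF parser is deliberately minimal (no base64 "::" values, no continuation lines), the sample LDIF is constructed, and the sample time is taken from the log timestamps on this page.

```python
"""Stamp imported entries with the lastmod operational attributes.

Added example, not the 389 DS import code. It does outside the server what
the comment above describes import_add_created_attrs doing: when
nsslapd-lastmod is on, each entry gets creatorsName, modifiersName,
createTimestamp and modifyTimestamp; when it is off, entries are left
alone. The LDIF parser here is minimal on purpose (no base64 "::" values,
no continuation lines) and the sample LDIF is constructed for this example.
"""
from datetime import datetime, timezone

LASTMOD_ATTRS = ("creatorsName", "modifiersName",
                 "createTimestamp", "modifyTimestamp")

# Sample time, taken from the vlvindex log lines on this page (UTC-8 there).
SAMPLE_WHEN = datetime(2008, 11, 3, 18, 16, 5, tzinfo=timezone.utc)


def generalized_time(when):
    """UTC GeneralizedTime as stored in createTimestamp/modifyTimestamp."""
    return when.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...]), ...] for simple LDIF text."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr.lower() == "dn":
            current = (value, [])
        elif current is not None:
            current[1].append((attr, value))
    if current is not None:
        entries.append(current)
    return entries


def add_created_attrs(entries, lastmod_on, when, creator_dn=""):
    """Mirror the patch: add the four lastmod attributes to every entry
    that lacks them, but only when nsslapd-lastmod is on.

    creator_dn defaults to "" because the patch leaves creatorsName and
    modifiersName empty for imports; pass a DN to fill them in instead.
    Skipping attributes an entry already carries is this example's choice.
    """
    if not lastmod_on:
        return entries
    stamp = generalized_time(when)
    values = (creator_dn, creator_dn, stamp, stamp)
    out = []
    for dn, attrs in entries:
        present = {a.lower() for a, _ in attrs}
        extra = [(a, v) for a, v in zip(LASTMOD_ATTRS, values)
                 if a.lower() not in present]
        out.append((dn, attrs + extra))
    return out


def to_ldif(entries):
    """Serialize entries back to LDIF text (one blank line between entries)."""
    lines = []
    for dn, attrs in entries:
        lines.append("dn: " + dn)
        lines.extend("%s: %s" % (a, v) for a, v in attrs)
        lines.append("")
    return "\n".join(lines)


# Constructed LDIF: the lone suffix entry an InstallLdifFile import would add.
SUFFIX_LDIF = """\
dn: dc=example,dc=com
objectClass: top
objectClass: domain
dc: example
"""

if __name__ == "__main__":
    stamped = add_created_attrs(parse_ldif(SUFFIX_LDIF), True, SAMPLE_WHEN)
    print(to_ldif(stamped))
```

With nsslapd-lastmod off the entries pass through untouched, which is the gate the comment says the patch adds; with it on, the suffix entry comes out carrying createTimestamp and modifyTimestamp, so a later VLV index on those attributes has something to index.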