[389-commits] Changes to 'Directory_Server_8_2_Branch'

Nathan Kinder nkinder at fedoraproject.org
Mon Feb 8 18:16:20 UTC 2010


New branch 'Directory_Server_8_2_Branch' available with the following commits:
commit 84ac47513ba85192c0afbd73601a423a7d632f62
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Feb 3 14:16:29 2010 -0800

    560827 -  Admin Server templates: DistinguishName validation fails
    
    https://bugzilla.redhat.com/show_bug.cgi?id=560827
    
    Description: adding a perl subroutine dnEscape to escape special
    characters and eliminate spaces around ',', which is to make
    the given dn compliant with RFC4514.

commit c5bd809930162816c708832e918e9eb75673bd83
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Jan 28 10:36:40 2010 -0800

    247413 - Incorrect error on multiple identical value add
    
    https://bugzilla.redhat.com/show_bug.cgi?id=247413
    
    [Problem Description] Adding multiple identical values returns
    "Operations error (LDAP_OPERATIONS_ERROR == 0x1)" instead of
    "Type or value exists (LDAP_TYPE_OR_VALUE_EXISTS == 0x14)"
    E.g.,
      dn: ou=test,dc=example,dc=com
      changetype: modify
      replace: description
      description: test
      description: test
    
      modifying entry "ou=test,dc=example,dc=com"
      ldap_modify: Operations error (1)
    
    [Fix Description] API valueset_replace used to override any
    error from the lower layer with LDAP_OPERATIONS_ERROR. If
    the error is LDAP_TYPE_OR_VALUE_EXISTS, the error is now
    returned as is.

commit 396e5f20f27e0abf5960455e3ef79b3bbc3a6423
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Jan 27 15:11:23 2010 -0800

    Bug 549554 - Trim single-valued attributes before sending to AD
    
    There are a number of attributes that AD defines as single-valued
    that are multi-valued in the LDAP RFCs.  We already had a few
    special cases in the winsync code where we only send one attribute
    to AD to allow the change to be accepted.  We then simply check if
    the value in AD is present in DS when comparing entries for further
    changes.
    
    This fix cleans up that old implementation a bit by adding a static
    list of these single-valued attributes and a helper function to
    check if a particular type is in that list.  I also had to extend
    the attr_compare_present() function to allow a length to be passed
    in for limiting the comparison to a portion of the values.  This is
    needed for the initials attribute, which is single-valued and length
    constrained in AD.

commit 0c8be3774487186817607280e31b39ab0c98ae72
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jan 26 11:15:18 2010 -0700

    Bug 537466 -  nsslapd-distribution-plugin should not require plugin name to begin with "lib"
    
    https://bugzilla.redhat.com/show_bug.cgi?id=537466
    Resolves: bug 537466
    Bug Description: nsslapd-distribution-plugin should not require plugin name to begin with "lib"
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: We use the function PL_GetLibraryName from NSPR to get the
    platform specific DLL/shared lib filename suffix.  Unfortunately, this function
    also prepends the string "lib" to the given name if the given file has no
    suffix.  If the given name already has the correct suffix, it does not prepend
    the "lib" to the name.  get_plugin_name() should look for the original
    library name in the string returned by PL_GetLibraryName.  If it is there, and
    has something before it in the string, see if it is "/lib" - if so, remove the
    extraneous "lib" string.  If "/lib" is not there, then just pass the string
    through as is.
    To summarize:
    /full/path/to/name.so -> /full/path/to/name.so - error if /full/path/to/name.so does not exist
    name -> /default/plugin/path/libname.so -> /default/plugin/path/name.so
    name.so -> /default/plugin/path/name.so
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 538e38276d6eb6653b072b92606f26b1c85db60f
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jan 26 09:51:05 2010 -0700

    Bug 543080 - Bitwise plugin fails to return the exact matched entries for Bitwise search filter
    
    https://bugzilla.redhat.com/show_bug.cgi?id=543080
    Resolves: bug 543080
    Bug Description: Bitwise plugin fails to return the exact matched entries for Bitwise search filter
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: The Microsoft Windows AD bitwise filters do not work exactly
    like the usual bitwise AND (&) and OR (|) operators.
    For the AND case the matching rule is true only if all bits from the value
    given in the filter value match the value from the entry.
    For the OR case, the matching rule is true if any bits from the value given
    in the filter match the value from the entry.
    For the AND case, this means that even though (a & b) is True,
    if (a & b) != b, the matching rule will return False.
    For the OR case, this means that even though (a | b) is True,
    this may be because there are bits in a.  But we only care
    about bits in a that are also in b.  So we do (a & b) - this
    will return what we want, which is to return True if any of
    the bits in b are also in a.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no
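
The matching semantics described in the commit above, as an added example (not code from the 389 Directory Server source): `bitwise_match`, `count_matches` and the sample values are hypothetical names and constructed data, and the OIDs are the AD bitwise AND/OR matching rule OIDs.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* OIDs of the AD bitwise matching rules used in extensible-match filters */
#define BIT_AND_OID "1.2.840.113556.1.4.803"
#define BIT_OR_OID  "1.2.840.113556.1.4.804"

/* Parse a non-negative decimal integer; rejects "", "-1", " 2", "2x". */
static int parse_u64(const char *s, unsigned long long *out)
{
    char *end = NULL;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    *out = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    return 0;
}

/*
 * a = value stored in the entry, b = value given in the filter.
 * AND rule: every bit of b must be set in a  -> (a & b) == b
 * OR rule:  any bit of b must be set in a    -> (a & b) != 0
 * Returns 1 (match), 0 (no match), -1 (unknown rule or bad number).
 */
int bitwise_match(const char *rule_oid, const char *entry_val,
                  const char *filter_val)
{
    unsigned long long a, b;
    if (rule_oid == NULL)
        return -1;
    if (parse_u64(entry_val, &a) != 0 || parse_u64(filter_val, &b) != 0)
        return -1;
    if (strcmp(rule_oid, BIT_AND_OID) == 0)
        return (a & b) == b;
    if (strcmp(rule_oid, BIT_OR_OID) == 0)
        return (a & b) != 0;
    return -1;
}

/* Count how many entry values satisfy the rule for one filter value. */
int count_matches(const char *rule_oid, const char *filter_val,
                  const char *const *vals, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (bitwise_match(rule_oid, vals[i], filter_val) == 1)
            hits++;
    return hits;
}

/* Constructed sample data: userAccountControl-style flag words.
 * 512 = 0x200, 514 = 0x202, 66048 = 0x10200, 66050 = 0x10202 */
static const char *const SAMPLE_UAC[] = { "512", "514", "66048", "66050" };

int main(void)
{
    /* Filter value 65538 = 0x10002 asks for two bits at once. */
    printf("AND 65538: %d\n", count_matches(BIT_AND_OID, "65538", SAMPLE_UAC, 4));
    printf("OR  65538: %d\n", count_matches(BIT_OR_OID, "65538", SAMPLE_UAC, 4));
    printf("AND 2:     %d\n", count_matches(BIT_AND_OID, "2", SAMPLE_UAC, 4));
    return 0;
}
```

With filter value 65538 the AND rule matches only the entry that has both bits set, while a plain `(a & b)` truth test would also accept entries with just one of them.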

commit c8514b36d226598b60384caff1331a8fde0b15c6
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jan 25 17:30:23 2010 -0700

    Net::LDAP password modify extop breaks; msgid in response is 0xFF
    
    https://bugzilla.redhat.com/show_bug.cgi?id=554887
    Resolves: bug 554887
    Bug Description: Net::LDAP password modify extop breaks; msgid in response is 0xFF
    Reviewed by: ???
    Branch: HEAD
    Fix Description: We use a fake conn for the internal password modify operation
    so that we can use the real credentials.  Unfortunately, this messes up the
    result code - because there is a real, non-NULL conn, it thinks it needs to
    send the result back to a real client rather than handle it as an internal
    operation.  It looks as though o_result_handler is only used for internal
    operations.  The fix is to change the result handling code to check for
    an internal op OR conn == NULL to see if we should use the result handler
    instead.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit c24536e308d6c601142bbd0cfda7083af074d8d1
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Mon Jan 25 15:05:59 2010 -0800

    544089 - Referential Integrity Plugin does not take into account the attribute
    subtypes
    
    Bug Description: Referential Integrity Plugin does not change the references
    in subtyped attributes like "manager;en" or "ou;19"
    
    Fix Description: The problem is in the way the function int update_integrity
    (char **argv, char *origDN, char *newrDN, int logChanges) in referint.c makes
    the changes. The initial search with the filter ldap_create_filter( filter,
    filtlen, "(%a=%e)", NULL, NULL, argv[i], origDN, NULL) finds the entries with
    attributes and with attribute subtypes. But after that when generating the
    necessary changes (attribute1.mod_type = argv[i] and  attribute2.mod_type =
    argv[i]) the function takes care only of the "base" attributes listed in the
    plugin arguments. We should parse each found entry to find all the attribute
    subtypes with the value concerned and then make changes to them all.
    
    Note: This bug was reported by andrey.ivanov at polytechnique.fr, and the bug
    fix was also provided by him.  The patch was reviewed by rmeggins at redhat.com
    as well as nhosoi at redhat.com.

commit 82d9707e7c158c3734e3ec4b338b549c096a4904
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jan 25 08:25:36 2010 -0700

    several spelling errors
    
    https://bugzilla.redhat.com/show_bug.cgi?id=558518
    Resolves: bug 558518
    Bug Description: several spelling errors
    Reviewed by: ???
    Branch: HEAD
    Fix Description: Fix several spelling errors in error messages and man pages.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 45a42f1ebf418adfd29dbe07f02f9cd1e4184df9
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Jan 22 09:17:33 2010 -0700

    Bug 519459 -  Semi-hardcoded include and lib directories in db.m4
    
    https://bugzilla.redhat.com/show_bug.cgi?id=519459
    Resolves: bug 519459
    Bug Description: Semi-hardcoded include and lib directories in db.m4
    Reviewed by: nkinder (Thanks!)
    Branch: HEAD
    Fix Description: Added --with-db-inc and --with-db-lib to configure.  For the
    default case, check first in /usr/include/db4, then in /usr/include.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 0f013808e5796d798d7eaae864b1585fa2580e50
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Jan 22 09:37:08 2010 -0800

    Bug 536703 - Don't send empty mod to AD for mapped DN values
    
    When using winsync, setting a mapped DN attribute (such as seeAlso) to
    a DN outside the scope of the sync agreement causes an empty modify
    operation to be sent to AD.  This causes AD to respond with LDAP error
    89, which triggers the update to abort.
    
    The problem is that windows_update_remote_entry() uses a flag to
    determine if it has a modify to send to AD.  This flag is set by
    windows_generate_update_mods(), but the mods are empty since it is
    detecting that the DN used in seeAlso is not in the scope of the sync
    agreement.
    
    The fix is to only set the modify flag if we actually have mods to send.

commit ad9f90b14d03f4a1bdb178f1d75c62e3f77041ed
Author: Noriko Hosoi <nhosoi at jiji.localdomain>
Date:   Thu Jan 14 10:58:12 2010 -0800

    ldclt: -e randombinddnfromfile fails with LDAP_UNWILLING_TO_PERFORM (53)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=555189
    Resolves: bug 555189
    Bug Description:
     ldclt code is not passing the password correctly to ldap_sasl_bind_s.
     The server receives NULL credential.  Due to the default configuration:
      nsslapd-allow-unauthenticated-binds: off
     the unauthenticated bind fails with LDAP_UNWILLING_TO_PERFORM.
    Reviewed by: rmeggins at redhat.com
    Files: see diff
    Branch: HEAD
    Fix Description:
     When "-e randombinddnfromfile=file" is given, bind dn and password pair
     is retrieved from the file and is supposed to be passed to ldap_sasl_bind_s.
     Although the password was read from the file, it was not set to the
     berval "cred" which was passed to ldap_sasl_bind_s.  Therefore, the
     bind operation tried to bind with bind dn and NULL password, which now
     fails since it's considered as an unauthenticated bind.  This change
     fixes the problem.  Also, a usage typo is being fixed.
    Platforms tested: Fedora 11
    Flag Day: no
    Doc impact: no

commit 15f2fc38002279317d1c07a71408c6da0a1dfd45
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Jan 14 09:38:28 2010 -0700

    rhds81 hub with 71 master - err=32 on replica base search during replication
    
    https://bugzilla.redhat.com/show_bug.cgi?id=509201
    Resolves: bug 509201
    Bug Description: rhds81 hub with 71 master - err=32 on replica base search during replication
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: This patch doesn't fix the problem, but it makes it less likely to occur in the future.  The problem is that we are not consistent about using normalized DNs everywhere.  Without using a normalized DN, it is impossible to construct a DN containing another DN (e.g. cn="dc=example, dc=com", cn=mapping tree, cn=config) that another client can match on.  This patch at least forces setup to use a normalized DN for the suffix.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: Yes - we will need to document what to do when running into this problem, as in the workaround in the bug report

commit 22d1aaef3bcc415b58bb0e6c979d2f2e3c8a0367
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Jan 12 16:03:52 2010 -0800

    Add Doxygen comments for SLAPI attr, value, and valueset functions.
    
    This adds Doxygen comment blocks to the public header file for the
    attr, value, and valueset related functions and defines.

commit 69a2b842328d9ca7ee59e318397d276322c348e1
Author: Endi S. Dewata <endisd at gmail.com>
Date:   Tue Jan 12 04:00:30 2010 -0600

    Uninitialized mutex in Retro Changelog Plugin.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=554841
    Resolves: bug 554841
    Bug Description: Enabling Retro Changelog Plugin on a DS instance provisioned by Samba will crash slapd during startup.
    Branch: HEAD
    Fix Description: Apparently the retrocl_internal_lock is still NULL when it's used in retrocl_get_first_changenumber(). The solution is to initialize the lock in the retrocl_plugin_init().
    Platforms tested: F12 i386

commit 9c698f2c256ae4057ff96fec4c2b591e08ce49f3
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jan 12 14:57:51 2010 -0700

    bump version to 1.2.6.a1

commit 282ef3a8896a61016c2eb0d73fd9da82e256adf5
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jan 11 11:51:39 2010 -0700

    Workaround bogus base64 encoded passwords that end in newline
    
    https://bugzilla.redhat.com/show_bug.cgi?id=552421
    Resolves: bug 552421
    Bug Description: Cannot log into admin server after upgrade (fedora-ds-admin-1.1.6 -> 389-admin-1.1.9
    Reviewed by: nkinder (Thanks!)
    Branch: HEAD
    Fix Description: Some older versions of setup encoded the admin password in SHA and added a trailing newline to the userPassword attribute when adding the admin entry.  This changes the SHA password compare routine to ignore a trailing
    newline character in the dbpwd.  newline is not a valid base64 character.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 48b0a02528d7de037bf3cf01e10d6612759872b4
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Jan 8 16:09:11 2010 -0800

    Bug 553455 - fix segfault when changing a password
    
    If a local password policy is set that does not have a storage
    scheme specified, the server can crash since it tries to dereference
    a NULL pointer to access the hashing function.  This fix simply
    checks if the storage scheme is set before trying to access the
    hashing function.

commit 56fefdcef31d2cafffac9a1346d5c1fee51fde14
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jan 4 11:14:52 2010 -0700

    version 1.2.5.rc4

commit 7f8317c633e6ee8d96c3167f655bb0dd97ad940d
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jan 4 10:54:47 2010 -0700

    Password replication from 389DS to AD fails
    https://bugzilla.redhat.com/show_bug.cgi?id=537956
    Resolves: bug 537956
    Bug Description: Password replication from 389DS to AD2008(64bit) fails, all other replication continues
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD
    Fix Description: Broken during adding support for openldap API.  I added the
    function slapi_ldap_bind which returns the result code.  The old function
    being used by the winsync code expected the function to return the msgid, which
    is now returned as one of the function arguments instead.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 0211dbb22a6ae5041012d424d53d47769d21a8b7
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Dec 17 17:01:36 2009 -0700

    bump version to 1.2.5.rc3

commit d9e33093b024d260e87ad926d3396fd0b7e21edc
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Dec 17 14:12:16 2009 -0800

    Bug 548537 - Fix memory leaks in DNA plugin
    
    This fixes three small memory leaks in the DNA plugin.  We were
    leaking the extended operation request data and response data for
    range requests as well as an attribute value for ADD operations
    when checking for the magic value.

commit 66f081858aa512f98d485b2d2ac53a6f4656d982
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Dec 16 10:58:07 2009 -0800

    Add missing paren from fix for bug 518084
    
    The fix for bug 518084 was missing a paren on one line of source
    for the pblock functions.  This corrects the syntax error.

commit 945d14483eefb2e9656dbeed8375e1ab0f4a0b24
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Dec 9 08:27:29 2009 -0800

    Document SLAPI DN related functions.
    
    This patch adds Doxygen comment blocks for the DN related functions
    in slapi-plugin.h.

commit d73a44afaf4ff21992c2ec031df3eb7888aa745a
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Dec 15 14:16:04 2009 -0800

    Bug 518084 - Fix out of order retro changelog entries
    
    When using the retro changelog plugin, post-op plugins that perform
    internal operations (such as memberOf) can result in the internal
    operation preceding the original operation in the changelog.
    
    The fix is to give the retro changelog a higher precedence than the
    other post-op plugins.  This required some core server changes to
    be made around the plugin precedence to allow an object plugin to
    pass its precedence into its calls to slapi_register_plugin()
    when it registers other plugin types.
    
    I added an update LDIF to set the plugin precedence when running
    "setup-ds.pl -u".

commit 224a856826906867a7525ece654e98caf600276c
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Dec 11 08:54:16 2009 -0800

    Set unknown attribute syntax to Octet String.
    
    When an unknown attribute type is used (when adding an entry using
    the extensibleObject objectclass for example), the syntax of the
    attribute defaults to "Directory String".  This places syntax
    restrictions on the attribute, limiting the attribute's use to
    specific types of values.  This patch changes the syntax for
    unknown attribute to "Octet String", which allows 0 or more UTF-8
    bytes.  This will allow unknown attributes to store binary or empty
    values.

commit ba4956207cca2fda5c4865f694dab8f4409d4111
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Dec 9 14:25:38 2009 -0800

    Bug 497556 - LDAPI connections cause TCP performance degradation
    
    If a slot from the connection table had previously been used for
    an LDAPI connection, it would cause serious performance degradation
    (20 times worse on my system) to a TCP connection that reused the
    same slot.  The problem was that we were not clearing the flag
    that indicates that a connection is a UNIX local socket in the
    connection cleanup function.  Clearing this flag makes the reused
    slots perform as expected.

commit ca2f12161c44d7764398afbf3875f6c8639b7967
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Dec 7 15:58:16 2009 -0700

    bump version to 1.2.5.rc2

commit 001dbad1bc7e8285ac2a8ec11e869722bfb99487
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Dec 7 09:25:09 2009 -0800

    Bug 195302 - Fix crash regression from previous fix
    
    The previous fix for bug 195302 caused a crash during import.  We
    need to check if sdn is NULL before trying to get the dn member
    from it in pw_encodevals_ext().

commit 0987ef9dee862ba997266b055ce4ad7a664e57a4
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Dec 2 14:03:47 2009 -0800

    Bug 201275 - Make SASL EXTERNAL bind obey account lock
    
    This patch makes SASL EXTERNAL binds obey the account lock.  The
    previous code was allowing the bind through even if the account
    was locked.
    
    This patch was contributed by Ulf Weltman of Hewlett Packard.

commit c3711962240acff64e63bf1c669df466702455d9
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Dec 2 10:47:46 2009 -0800

    Bug 193297 - Call bind pre-op and post-op plug-ins for SASL binds
    
    This patch makes SASL binds call the pre-op and post-op plug-ins.
    The previous code was not calling the plug-ins for SASL binds.
    
    This fix was contributed by Ulf Weltman of Hewlett Packard.

commit d2c3df96d7ebfe51b446c16fc251c8b0d445b8be
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Dec 2 10:42:13 2009 -0700

    bump version to 1.2.5.rc1

commit a52cbe4af2fabcc8b336fedd2d0ed67dc8399419
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Tue Dec 1 16:27:23 2009 -0800

    Bug 195302 - Allow fine-grained password storage scheme to be set
    
    This patch makes the server use the password storage scheme set in
    the appropriate fine-grained password policy (if it is set).  The
    previous code was always using the global storage scheme.
    
    This fix was based off of a fix contributed by Ulf Weltman of
    Hewlett Packard.

commit 9358f2403681c55a93f0d59aa083a48a9792aa78
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Nov 24 12:16:23 2009 -0700

    Add Named Pipe Log Script, plugins, man page
    The Named Pipe Log Script allows you to replace a log file with a named pipe attached to a script. The server can then send the log output to a script instead of to a log file. This allows you to do many different things such as:
    
    * log only certain events e.g. failed binds, connections from certain ip addresses, etc.
    * log only lines that match a certain pattern
    * log only the last N lines - useful for enabling full error log debug levels in production environments
    * send an email or other notification when a certain event is detected
    
    The script is written in python, and allows plugins. By default, the script will log the last N lines (default 1000). There are two plugins provided - one to log only failed bind attempts, and one that will log only lines that match given regular expressions.
    Reviewed by: nkinder (Thanks!) - found a bug in a comment
    Resolves: bug 486171
    Bug Description: [RFE] Access log - Failed binds

commit 61de51b42c634be93363e8dafa6dedd269c6c94e
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Nov 18 22:05:57 2009 -0800

    Add bounds checking in DN unescape function
    
    My previous patch for bug 504817 could cause us to read past the
    end of the RDN string if it ended with a single escape character.
    This fix adds a bounds check to ensure that we don't read past
    the end of the string.

commit ab59afa8b6876caeec7f7133f1b347bec10be80e
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Nov 16 15:49:57 2009 -0800

    Avoid freeing NULL trimmed passwords list
    
    My previous patch for removing the fixed length buffer used in
    the password history checking code introduced a problem where we
    could attempt to free a NULL pointer.

commit ed94076581357589124340ad71347f2e0c04aa8a
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Nov 16 12:03:26 2009 -0800

    Bug 515329 - Correct attribute value inconsistency on replica
    
    When performing operations with multiple mods to the same multi-valued
    attribute on a single modify operation, a replica was not resolving
    the attribute values correctly.  This would lead to an inconsistency
    between the master the change was initially performed against and the
    replicas.  The problem would occur with a modify operation such as
    this:
    
      dn: uid=testuser,dc=example,dc=com
      changetype: modify
      add: cn
      cn: 2
      -
      replace: cn
      cn: 3
    
    The problem is that we use the CSNs from the attribute state data
    to determine which values should remain after the operation (this is
    done to merge with later occurring changes from other masters).  The
    CSN for all mods within the same modify operation is exactly the same.
    The old code was looking for attributes older than the deletion that
    occurs as a part of the replace, then deleting those values.  This
    would cause the value of "2" in the above example to remain.  Simply
    changing this comparison to look for values with the same or older
    CSN to delete would cause the new value of "3" to be removed as well
    when we get around to resolving the attribute after the second half
    of the replace operation.
    
    The fix is to use a different CSN comparison when we are removing all
    values of an attribute during attribute resolution (remove values with
    the same or older CSN).  This is safe because the only present values
    at this time are older values or values added in a previous mod in the
    same modify operation.  When processing other mods that are not
    removing all values of an attribute, we only want to remove values
    with a CSN older than that of the current modify operation.  This
    prevents us from removing a newly added value, such as "3" in the
    example above.  This is safe since we resolve the attribute after
    each mod in the modify operation.

commit a50733f9e6fe2c0d34c6837099e448c167172a44
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Nov 12 11:20:16 2009 -0700

    Implement support for versioning and release engineering procedures - version 1.2.5.a1
    
    Instead of changing configure.ac AC_INIT for each version change, there
    is a new file - VERSION.sh.  This file also contains support for creating
    version numbers for pre-releases, and pre-release strings containing git
    commit hashes.
    One of the complications is that AC_INIT does not allow you to override the version and package tarname fields.  We can override them after the fact everywhere
    except in config.h.  AC_INIT defines the following which we would like to override but cannot: PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_STRING PACKAGE_BUGREPORT
    Instead, we define DS_ versions of these e.g. DS_PACKAGE_VERSION etc. and make
    these available with AC_DEFINE(DS_PACKAGE_VERSION,...) etc.
    As an extra added precaution, we undefine these in Makefile.am like this:
    DS_DEFINES = ... \
    	-UPACKAGE_VERSION -UPACKAGE_TARNAME -UPACKAGE_STRING -UPACKAGE_BUGREPORT
    If someone tries to use PACKAGE_VERSION in C code, they will not be able to,
    and will have to use DS_PACKAGE_VERSION instead.  All of the DS code that used
    PACKAGE_VERSION has been changed to use DS_PACKAGE_VERSION instead.
    There is a new make target - git-archive - as a convenience for creating source
    tarballs from git.  By default, the source archive will be placed in the build
    directory - you can specify SRCDISTDIR=/path/to/SOURCES to use an alternate
    dir (e.g. make SRCDISTDIR=/path/to/rpmbuild/SOURCES git-archive to make a
    source tarball for rpmbuild)
    configure will print the branded package name and version
    Reviewed by: nkinder (Thanks!)

commit d4f478cc49d5f83c22fd8b58b7d7a92e86f3b820
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Nov 11 09:43:09 2009 -0800

    Bug 504817 - Handle LDAPv2 quoted RDN values correctly
    
    The bug fix for bug 438139 introduced a regression that causes the
    server to not handle LDAPv2 quoted RDN values correctly.  We were
    including the '"' characters used to contain an unescaped value in
    the actual value itself.
    
    The proper thing to do is to eliminate any '"' characters that are
    not escaped when we unescape the value.  I have tested this new fix
    with the original issue from bug 438139 to ensure that it does not
    introduce a regression for that bug.
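
The two DN unescape commits above (dropping unescaped '"' characters from LDAPv2 quoted RDN values, and the bounds check for an RDN that ends in a single escape character) can be shown together. This is an added example, not the server's own unescape routine: `rdn_value_unescape` is a hypothetical name, the inputs are constructed, and rejecting a lone trailing backslash is this example's choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Unescape an RDN value of exactly `len` bytes (not necessarily
 * NUL-terminated) into `out`.
 *   - "\XX" (two hex digits) becomes the byte 0xXX
 *   - "\c"  becomes the literal character c (so \" keeps the quote)
 *   - an unescaped '"' is LDAPv2 quoting and is dropped
 *   - a backslash as the last byte has nothing to escape: rejected
 *     instead of reading in[len]
 * Returns the number of bytes written (excluding the NUL), or -1.
 */
long rdn_value_unescape(const char *in, size_t len, char *out, size_t outsz)
{
    size_t i = 0, o = 0;

    if (in == NULL || out == NULL || outsz == 0)
        return -1;

    while (i < len) {
        unsigned char c = (unsigned char)in[i];

        if (c == '\\') {
            if (i + 1 >= len)            /* bounds check: lone escape */
                return -1;
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (i + 2 < len) ? hexval((unsigned char)in[i + 2]) : -1;
            if (hi >= 0 && lo >= 0) {
                c = (unsigned char)(hi * 16 + lo);
                i += 3;
            } else {
                c = (unsigned char)in[i + 1];
                i += 2;
            }
        } else if (c == '"') {
            i++;                         /* quoting character, not data */
            continue;
        } else {
            i++;
        }

        if (o + 1 >= outsz)              /* keep room for the NUL */
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    /* Constructed inputs */
    const char *samples[] = {
        "\"Doe, John\"",     /* LDAPv2 quoted value */
        "Doe\\, John",       /* escaped comma */
        "say \\\"hi\\\"",    /* escaped quotes are data */
        "abc\\",             /* ends with a single escape character */
    };
    char out[64];

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        long n = rdn_value_unescape(samples[k], strlen(samples[k]),
                                    out, sizeof out);
        if (n < 0)
            printf("%-14s -> rejected\n", samples[k]);
        else
            printf("%-14s -> %s\n", samples[k], out);
    }
    return 0;
}
```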

commit a5f8bd62875c7d958be03d1f53b21b1dda972bb0
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Nov 9 17:10:52 2009 -0800

    Bug 497199 - Skip dirsync if disconnected during incremental update
    
    If some sort of error occurs during the sending updates to AD phase
    of an incremental winsync update, we still attempt to send the dirsync
    control to AD.  This can cause spurious error messages to be logged to
    the errors log stating that we can't send the control since we are not
    connected to AD anymore.
    
    This patch simply skips sending the dirsync control if we encountered
    an error sending updates to AD.

commit d9132c84a36ff42f38f1d74066bf9ffc02cfce5f
Author: Yi Zhang <yzhang at redhat.com>
Date:   Mon Nov 9 13:59:46 2009 -0800

    516089 - add dereference search option into ldclt
    
    This option will accept format like "-e deref=derefAttr:attr"
            to ldclt when "-e esearch" is requested.
    example: -e esearch -e deref=secretary:mail
            search will dereference the "secretary" attribute and then return the "mail" attribute value

commit 7da999d4a394e9237bfc91d81d3df9b2f7a7aa7d
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Nov 9 11:47:11 2009 -0800

    Bug 511112 - Eliminate fixed length array in password history code.
    
    The password history code was using a fixed length array to store
    the historical password values that are used to compare to the new
    password.  The array was hardcoded to 25 values.  The server will
    allow a maximum 24 password history values to be kept by limiting
    the passwordInHistory configuration value, though it would be
    possible to do something such as import an LDIF with more than 24
    historical password values in an entry, causing the server to crash
    when the next password change occurs.
    
    This patch eliminates the fixed length array and dynamically
    allocates the array based off of the number of values that exist
    in the entry whose password is being modified.

commit d85866e446ea1576c682c0c4a9049016363fed11
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Oct 30 10:28:09 2009 -0700

    387681 - Fix errors in mapping AD tombstones
    
    The AD tombstone mapping code is not behaving correctly if a
    cn contains a comma (such as a "last, first" type value).  The
    code is supposed to locate the first ":" in the tombstone DN,
    then scan for the first "," after that.  Everything between is
    the GUID.  The problem is that the code is starting at the
    beginning of the string when searching for the "," instead of
    starting at the ":" that was previously found.  This causes the
    "," in the cn to be found instead, which makes us fail to find
    the GUID.
    
    The fix is to simply start searching for the "," from the ":"
    in the tombstone DN.
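
The search-start bug described in the commit above, shown as a before/after pair. This is an added example, not the winsync source: the function names and the tombstone DNs are constructed for illustration, and returning -1 stands in for "fail to find the GUID".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the bytes between colon and comma into guid; -1 if that span
 * does not exist, is empty, or does not fit. */
static int copy_span(const char *colon, const char *comma,
                     char *guid, size_t guidsz)
{
    size_t n;
    if (colon == NULL || comma == NULL || comma <= colon)
        return -1;
    n = (size_t)(comma - (colon + 1));
    if (n == 0 || n >= guidsz)
        return -1;
    memcpy(guid, colon + 1, n);
    guid[n] = '\0';
    return 0;
}

/* Before: the ',' search starts at the beginning of the DN, so an
 * escaped comma inside the cn is found first. */
int guid_from_tombstone_before(const char *dn, char *guid, size_t guidsz)
{
    const char *colon = strchr(dn, ':');
    const char *comma = strchr(dn, ',');
    return copy_span(colon, comma, guid, guidsz);
}

/* After: the ',' search starts from the ':' that was just found. */
int guid_from_tombstone_after(const char *dn, char *guid, size_t guidsz)
{
    const char *colon = strchr(dn, ':');
    const char *comma = colon ? strchr(colon, ',') : NULL;
    return copy_span(colon, comma, guid, guidsz);
}

/* Constructed tombstone DNs (GUID values are placeholders) */
static const char DN_PLAIN[] =
    "CN=jsmith\\0ADEL:11111111-2222-3333-4444-555555555555,"
    "CN=Deleted Objects,DC=example,DC=com";
static const char DN_COMMA[] =
    "CN=Doe\\, John\\0ADEL:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,"
    "CN=Deleted Objects,DC=example,DC=com";

int main(void)
{
    char guid[64];
    const char *dns[] = { DN_PLAIN, DN_COMMA };

    for (size_t i = 0; i < 2; i++) {
        int b = guid_from_tombstone_before(dns[i], guid, sizeof guid);
        printf("before: %s\n", b == 0 ? guid : "(GUID not found)");
        int a = guid_from_tombstone_after(dns[i], guid, sizeof guid);
        printf("after:  %s\n", a == 0 ? guid : "(GUID not found)");
    }
    return 0;
}
```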

commit 05fa63ab42dca287ee3be08340cafdd6301fd1bc
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Nov 4 14:39:44 2009 -0800

    Allow plugin execution order to be defined
    
    This patch adds support for assigning a precedence to each plugin.
    This precedence value is used to determine what order the plugins
    should be called in within a given plugin type.
    
    The precedence value is an integer between 1 and 99.  The value is
    set in the nsslapd-pluginPrecedence attribute in a plugin config
    entry in "cn=config".  If a plugin does not have a precedence
    value set, the plugin is treated as if it has a precedence of 50.
    
    For more details, see the feature design document at:
    
        http://directory.fedoraproject.org/wiki/Plugin_Ordering
    
    I also removed an incorrect log message in the linked attrs plugin
    that I noticed while debugging this patch.

commit 8b8a828a546f2b0e1076afde5dc52c5817c7af64
Author: Yi Zhang <yzhang at redhat.com>
Date:   Mon Nov 2 15:09:40 2009 -0800

    459181 - Add attreplacefile option to ldclt
    
    This option will accept format like "-e attreplacefile=jpegPhoto:/some/binary.file"
    to ldclt. The content of the given file will be used to replace the attribute
    "jpegPhoto" (in this case). The given file could be plain text or binary file.

commit 529f3bf54449a0bc8f8b513c0170ca1a377c7ad0
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Oct 29 15:10:01 2009 -0700

    Make removeds.pl remove instance initconfig script
    
    When removing an instance, we need to be sure to remove the
    instance specific initconfig script.

commit 4ac911d7d54a7ee443939d9be8c272f46b601da5
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Oct 29 10:51:39 2009 -0600

    bump version to 1.2.4

commit d587b15f17fd935fdb4564a08b403796a8dcaf21
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Oct 28 18:49:31 2009 -0700

    Bug 529258 - Make upgrade remove obsolete schema from 99user.ldif
    
    Due to a previously fixed bug (bz 474254), standard schema may
    have been duplicated in 99user.ldif.  When running an upgrade, we
    need to check the 99user.ldif file to see if any obsolete standard
    schema is defined there and remove it.
    
    This patch makes upgrade back up the original 99user.ldif, and
    scans it to see if any of the obsolete attributeTypes or
    objectClasses attributes that we are removing from the standard
    schema exist in 99user.ldif.  We trim the obsolete definitions
    and write out a new 99user.ldif with the proper permissions.

commit 8b93bfff18e6fbdf9842592a3cfc69cd5c7085b8
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Oct 26 15:18:09 2009 -0700

    BZ 221905 - Add SMD5 password storage support.
    
    This adds SMD5 password storage support to the existing password
    storage plug-in.  An upgrade LDIF has been added to ensure that
    this new functionality will be available to servers that are
    upgraded from previous versions.

commit 81b11a0edfe799b1283996d4d0a4eaafe3bf7dbd
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Oct 1 15:56:20 2009 -0600

    more updates - add missing rundir - remove ldapiautodnsuffix
    
    Some older releases did not have nsslapd-rundir - upgrading from
    those releases will cause the server not to start - we must add
    nsslapd-rundir if it is missing
    
    We also got rid of nsslapd-ldapiautodnsuffix, so remove that from
    the config - it doesn't hurt anything to leave it, but the error
    message is annoying
    
    Tested on Fedora 11 i386 and x86_64
    Reviewed by: nkinder (Thanks!)

commit f10bd4fe0f39edf4cf4546291954bfe3761de542
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon Oct 5 15:34:12 2009 -0700

    Allow anonymous bind resource limits to be set.
    
    This patch adds a new config setting named nsslapd-anonlimitsdn
    that one can set to the DN of an entry containing the bind-based
    resource limit attributes to use for operations performed by an
    anonymous user.  This allows the defaults to still be used for
    all other actual bound users who do not have any user specific
    resource settings.
    
    This implementation approach allows any resource limits that
    are registered via the reslimit API to work with this anonymous
    limits template entry.

commit 639589c44b0e10b285dc65d3064810d7b243c5c5
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Oct 2 13:47:38 2009 -0700

    Add ssf bind rule to access control plug-in.
    
    This patch adds a new ssf bind rule keyword to the access control
    plug-in.  This allows you to write ACIs that require a specific
    level of encryption for the rule to apply.  The new keyword can
    be used with '=', '!=', '<', '>', '<=' and '>=' comparators.
    
    I added code that stores the SSF in effect for an operation into
    the operation struct.  The value that we store is the higher of
    the two between the SASL SSF and the SSL/TLS SSF.

commit c63bc3e09992894dc2a333609e02a6b9e312eb03
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed Sep 30 09:33:29 2009 -0700

    Add minimum SSF setting
    
    This adds a new configuration setting to the cn=config entry named
    nsslapd-minssf. This can be set to a non-negative integer representing
    the minimum key strength required to process operations. The default
    setting will be 0.
    
    The SSF for a particular connection will be determined by the key
    strength cipher used to protect the connection. If the SSF used for a
    connection does not meet the minimum requirement, the operation will be
    rejected with an error code of LDAP_UNWILLING_TO_PERFORM (53) along
    with a message stating that the minimum SSF was not met. Notable
    exceptions to this are operations that attempt to protect a connection.
    These operations are:
    
        * SASL BIND
        * startTLS
    
    These operations will be allowed to occur on a connection with a SSF
    less than the minimum. If the results of these operations end up with
    a SSF smaller than the minimum, they will be rejected.  Additionally,
    we allow UNBIND and ABANDON operations to go through.
    
    I also corrected a few issues with the anonymous access switch code
    that I noticed while testing.  We need to allow the startTLS extended
    operation to go through when sent by an anonymous user since it is
    common to send startTLS prior to a BIND to protect the credentials.
    I also noticed that we were using the authtype from the operation
    struct to determine if a user was anonymous when we really should
    have been using the DN.  This was causing anonymous operations to
    get through on SSL/TLS connections.
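
The gating rules from the two SSF commit messages above (the effective SSF is the higher of the SASL and SSL/TLS SSF, and operations below nsslapd-minssf are refused with error 53 except SASL BIND, startTLS, UNBIND and ABANDON), modelled as an added example. This is not the 389 Directory Server code: the type and function names are hypothetical, and leaving the connection state unchanged when a negotiation is rejected is an assumption of this model.

```c
#include <stdio.h>

#define LDAP_SUCCESS              0
#define LDAP_UNWILLING_TO_PERFORM 53

/* Hypothetical operation tags for this model. */
enum ldap_op {
    OP_SIMPLE_BIND, OP_SASL_BIND, OP_STARTTLS,
    OP_UNBIND, OP_ABANDON, OP_SEARCH, OP_MODIFY
};

struct conn {
    int tls_ssf;   /* SSF of the SSL/TLS layer, 0 if none */
    int sasl_ssf;  /* SSF of the SASL security layer, 0 if none */
};

/* The SSF in effect is the higher of the SASL SSF and the SSL/TLS SSF. */
int effective_ssf(const struct conn *c)
{
    return c->sasl_ssf > c->tls_ssf ? c->sasl_ssf : c->tls_ssf;
}

/*
 * Decide whether one operation is processed on connection c.
 * negotiated_ssf is the strength a SASL BIND or startTLS would establish;
 * it is ignored for every other operation.
 */
int process_op(struct conn *c, int minssf, enum ldap_op op, int negotiated_ssf)
{
    int other, result_ssf;

    switch (op) {
    case OP_UNBIND:
    case OP_ABANDON:
        /* Always allowed so a client can clean up a weak connection. */
        return LDAP_SUCCESS;
    case OP_STARTTLS:
    case OP_SASL_BIND:
        /* Allowed to start below the minimum, but the SSF that results
         * from the negotiation must meet it. */
        other = (op == OP_STARTTLS) ? c->sasl_ssf : c->tls_ssf;
        result_ssf = negotiated_ssf > other ? negotiated_ssf : other;
        if (result_ssf < minssf)
            return LDAP_UNWILLING_TO_PERFORM; /* state left unchanged (assumption) */
        if (op == OP_STARTTLS)
            c->tls_ssf = negotiated_ssf;
        else
            c->sasl_ssf = negotiated_ssf;
        return LDAP_SUCCESS;
    default:
        /* Everything else, simple BIND included, needs the minimum SSF. */
        return effective_ssf(c) >= minssf ? LDAP_SUCCESS
                                          : LDAP_UNWILLING_TO_PERFORM;
    }
}

int main(void)
{
    /* Constructed trace: plaintext connection, nsslapd-minssf of 128. */
    struct conn c = { 0, 0 };
    int minssf = 128;

    printf("search on plaintext:   %d\n", process_op(&c, minssf, OP_SEARCH, 0));
    printf("startTLS, 56-bit key:  %d\n", process_op(&c, minssf, OP_STARTTLS, 56));
    printf("startTLS, 256-bit key: %d\n", process_op(&c, minssf, OP_STARTTLS, 256));
    printf("search after startTLS: %d\n", process_op(&c, minssf, OP_SEARCH, 0));
    return 0;
}
```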

commit 69e3b0ed1676602a2b8a4dfcd7808d26ddcfbd01
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Sep 30 11:28:39 2009 -0600

    Updated man page with the new update options and documentation.

commit 2c05737996b3d87044d8e829f9c248a9cb158d55
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Sep 29 14:08:35 2009 -0600

    SASL IO sometimes loops with "error: would block"
    https://bugzilla.redhat.com/show_bug.cgi?id=526319
    Resolves: bug 526319
    Bug Description: SASL IO sometimes loops with "error: would block"
    Reviewed by: nkinder (Thanks!)
    Fix Description: The semantics for recv() are that it returns -1 for errors, 0 for connection closed, and non-zero for some bytes received.  The sasl code was not using those semantics - it was returning 0 for successful read and -1 for error.  Although I have not been able to reproduce the exact failure, what I believe is happening is that the initial read of the packet length in sasl_io_start_packet() works, and the sasl IO is received.  At some point, the connection is
    closed by the client, and the PR_Recv return of 0 is not handled correctly, and somehow the errno gets set to EWOULDBLOCK.  From this point on, PR_Recv() will return -1 (since the socket has been closed) and errno is not reset from EWOULDBLOCK.
    The fix is to make sure the sasl IO code handles the PR_Recv() return value
    correctly.
    Note that with CONNS (8) error log level, you may still occasionally see "would block" errors, but as long as they are not endlessly repeating, this should
    be ok.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 257e6c24286914ec5ba40c348090b8753b7289f0
Author: Noriko Hosoi <nhosoi at jiji.localdomain>
Date:   Fri Sep 25 11:08:36 2009 -0700

    525007 ldif2db replaces existing modify/create name and timestamps
    
    Fix contributed by Ulf Weltman (ulf.weltman at hp.com)
    
    Description From  Ulf Weltman (ulf.weltman at hp.com)
    In previous releases, if LDIF being imported contained createTimestamp,
    creatorsName, modifyTimestamp, or modifiersName, those values would be kept in
    the imported entries.  BZ# 462922 added code to insert those attributes during
    import but it clobbers any values existing in the LDIF being imported.  I think
    the imported values should take precedence, this would be useful during
    migration for example.
    
    If anyone wants to take advantage of the new behavior where the server
    provisions new values, they can strip out the values from the LDIF before
    importing or they can set nsslapd-exclude-from-export to not export those
    attributes before importing.
    
    See also https://bugzilla.redhat.com/show_bug.cgi?id=525007
    
    Reviewed by richm, nkinder, and nhosoi

commit 9b067fd28121087b787639d2cae0cb51ef4e7e71
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Sep 25 11:44:22 2009 -0600

    Bitwise Plugin: Bitwise filter doesn't return except the first entry if its multi-valued
    http://bugzilla.redhat.com/show_bug.cgi?id=518514
    Resolves: bug 518514
    Bug Description: Bitwise Plugin: Bitwise filter doesn't return except the first entry if its multi-valued
    Reviewed by: nhosoi (Thanks!)
    Fix Description: Get the values as a char ** - look through each one until
    we find one that matches.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit bcd7df8a6c8a3dc94b39dac7ef3beefb81d922e9
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Sep 24 12:02:29 2009 -0700

    Allow anonymous access to be disabled.
    
    This adds a new config switch (nsslapd-allow-anonymous-access) that
    allows one to restrict all anonymous access.  When this is enabled,
    the connection dispatch code will only allow BIND operations through
    for an unauthenticated user.  The BIND code will only allow the
    operation through if it's not an anonymous or unauthenticated BIND.

commit 55fddb04a20d0375794a3290127032ac00fa558c
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Sep 24 10:38:55 2009 -0600

    MODIFY/replace with empty values does not ignore missing or unknown attributes
    https://bugzilla.redhat.com/show_bug.cgi?id=516305
    Resolves: bug 516305
    Bug Description: MODIFY/replace with empty values does not ignore missing or unknown attributes
    Reviewed by: nhosoi (Thanks!)
    Fix Description: The function mods_have_effect() did not work correctly.  It
    would set the flag have_effect = 0 the first time a type was not found.
    Then if a subsequent mod would apply, it would still return have_effect = 0.
    What it should do is keep looking for all mod types in the list of mods to
    see if any of them would apply, and return have_effect = 1 if at least one
    of them would apply.  This corresponds to RFC 4511 section 4.6:
               replace: replace all existing values of the modification
               attribute with the new values listed, creating the attribute
               if it did not already exist.  A replace with no value will
               delete the entire attribute if it exists, and it is ignored
               if the attribute does not exist.
    So the proper behavior is to ignore attributes that do not exist, and to
    apply the rest.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit b6efe5cefa1fade2797a949b1ebad793d7904a99
Author: Noriko Hosoi <nhosoi at jiji.localdomain>
Date:   Wed Sep 23 15:31:35 2009 -0700

    518112 rhds 81 el53 64b ns-slapd seg fault
    
    Fixing the contention over LAS_cookie.
    
    Considering the case 2 threads try to evaluate the IP/DNS aci almost at the
    same time, one comes in first and creates context in the critical section
    (between ACL_CritEnter and ACL_CritExit); another thread sees *LAS_cookie
    is non NULL and assumes the context is already made.  But it could be half
    baked then since the second thread does not respect the critical section.
    This patch is putting the line assigning *LAS_cookie to context into the
    critical section, which prevents the second thread from picking up the half
    baked *LAS_cookie.
    
    Fix proposed in the comment#19 by Rich Megginson is included, as well:
    Because what if *LAS_cookie is set to a valid value after the first if() test
    and before the call to ACL_CritEnter(); ?  There is similar code in LASIpEval()
    too.

commit 79b0b35a290cb2ba6a2bf1672ede902c22048639
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Sep 23 10:39:00 2009 -0600

    empty principal name used when using server to server sasl for db chaining
    https://bugzilla.redhat.com/show_bug.cgi?id=513308
    Resolves: bug 513308
    Bug Description: empty principal name used when using server to server sasl for db chaining
    Reviewed by: nhosoi (Thanks!)
    Fix Description: Change the logic to check if the username is a valid principal name.  A valid principal name in this context will be a non-empty string that
    does not contain the '=' character (which will be a bind DN in this context).
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 7ab1f8c21f8ca156cfb2a53c2392a1e91d21c581
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Sep 23 09:52:29 2009 -0600

    Should not attempt to pop SASL IO layer if not using SASL IO
    https://bugzilla.redhat.com/show_bug.cgi?id=519455
    Resolves: bug 519455
    Bug Description: Should not attempt to pop SASL IO layer if not using SASL IO
    Reviewed by: nkinder (Thanks!)
    Fix Description: Before attempting to pop the SASL IO layer from the prfd,
    first make sure we are using sasl IO, the prfd is not NULL, and the prfd
    has a SASL IO layer on it.
    This also fixes a bug with setting nsslapd-localhost in the bootstrap code -
    if you are using a system that does not have DNS configured correctly, you
    may want to force the SASL code to use the nsslapd-localhost for the FQDN.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 48f0a6992f9114b707b353e084e9bd5ad6b4e76c
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Sep 22 17:04:19 2009 -0600

    logs created at startup can get wrong file mode
    https://bugzilla.redhat.com/show_bug.cgi?id=518279
    Resolves: bug 518279
    Bug Description: logs created at startup can get wrong file mode
    Reviewed by: nkinder (Thanks!)
    Fix Description: Try to apply the mode using chmod() if a log file has been specified.  If and only if the log file has not been set, or if the chmod() succeeds, apply the changes to the internal config.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 9eac4a92449ca62b34722255340caba272fa0f80
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Sep 22 15:47:17 2009 -0600

    Start script hardcodes file permissions mask to 077 (600), so the nsslapd-*log-mode configuration attributes don't work
    https://bugzilla.redhat.com/show_bug.cgi?id=495522
    Resolves: bug 495522
    Bug Description: Start script hardcodes file permissions mask to 077 (600), so the nsslapd-*log-mode configuration attributes don't work
    Reviewed by: nkinder (Thanks!)
    Fix Description: Use umask 002 for the directory server process
    Platforms tested: Fedora 11 x86_64
    Flag Day: no
    Doc impact: no

commit 5a2826c6479e452f8486177dacb668b20271cef7
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Sep 21 15:30:00 2009 -0600

    389-ds-base/glibmm24: conflicting perl provides
    https://bugzilla.redhat.com/show_bug.cgi?id=523476
    Resolves: bug 523476
    Bug Description: 389-ds-base/glibmm24: conflicting perl provides
    Reviewed by: nhosoi (Thanks!)
    Files: see diff
    Fix Description: Rename "Util" to "DSUtil"
    Platforms tested: Fedora 11 x86_64
    Flag Day: no
    Doc impact: no

commit 0c699fb56a55f097d6d7400c667167d52c3f5d84
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Sep 9 17:01:49 2009 -0600

    Add update code - make setup-ds.pl -u do updates
    
    Updates are implemented in:
    perl - code that plugs in to setup - scriptlets that are imported into
    the setup perl interpreter and executed in process, giving access to all
    of the packages and context provided by setup
    ldif - applied to instances, in the same manner as ConfigFile directives
    to setup
    other - any executable file, shell script, etc. can be invoked, with a limited
    amount of context from the setup process
    An update directory is added to the package - /usr/share/dirsrv/update - this
    directory contains the update files - the update filenames begin with two digits
    and are executed in numeric order (00 first, then 01, etc. up to 99) which
    should provide enough flexibility
    In addition, there are 5 stages of update:
    pre - invoked before any instance specific code
    preinst, runinst, postinst - invoked for each instance
    post - invoked after any instance specific code
    Example files are provided which demonstrate how to get the context.
    There are two different modes of operation for update:
    online - must supply a bind dn and password for each instance - servers must
    be up and running
    offline - operates directly on the dse.ldif - servers must be shutdown first
    A new section is added to the .inf file that can be passed in
    
    [slapd-instancename]
    RootDN = binddn
    RootDNPwd = bindpw
    
    The RootDN is optional - if not supplied, it will get the nsslapd-rootdn attribute from the dse.ldif for the instance.
    I also fixed some problems with error messages.
    The pam pta plugin entry was giving object class violations, so I added the
    missing attributes - note that these are replaced by the plugin code when
    the plugin is loaded - they are only needed during setup.
    
    Fixed usage of $_ - $_ behaves like a dynamically scoped variable - which
    means if you use it in an outer context, you cannot use it in an inner
    context, even if it is used in a different function.  Rather than attempting
    to figure out how to use $_ safely in lower level functions, I just removed
    the use of it altogether, which also makes the code easier to read.
    Reviewed by: nhosoi (Thanks!) - fixed minor issues found
    Platforms tested: Fedora 11

commit f7d456945941feefbbcfebacd28c1e052ac9dc1f
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Sep 3 10:22:08 2009 -0700

    Add EntryUSN to the nsslapd-exclude-from-export list
    
    See also http://directory.fedoraproject.org/wiki/Entry_USN#Standalone.

commit ae149b462a1050f786bdea313058cc9691d9f9d5
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Sep 1 13:44:14 2009 -0700

    516089 RFE: ldclt utility should support new dereferencing control searches
    
    Adding "-e deref" option to ldclt.
    Add mode (-e add):        "-e deref" adds "secretary: <DN>" to the entry.
                              This is true when the entry's objectclass is
                              inetOrgPerson ("-e inetOrgPerson").
    Search mode (-e esearch): "-e deref" sets dereference control to the search,
                              where the dereference attribute and dereferenced
                              attribute are hardcoded to "secretary" and "cn",
                              respectively.
    Usage:
    ldclt [...] -e add -e random -e inetOrgPerson -e deref -f test_XX
    ldclt [...] -e esearch -e random -e inetOrgPerson -e deref -f test_XX

commit b53d1ab26dcf556cba9b7f6807adb041460b27fc
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Aug 31 12:24:54 2009 -0600

    Clean up build warnings
    This cleans up the following warnings:
    ds.git/ldap/servers/slapd/back-ldbm/ldbm_usn.c:102: warning: unused variable 'li'
    ds.git/ldap/servers/plugins/replication/repl5_agmt.c:1184: warning: too many arguments for format
    ds.git/ldap/servers/plugins/syntaxes/dn.c:143: warning: unused variable 'val_copy'
    ds.git/ldap/servers/plugins/syntaxes/deliverymethod.c:264: warning: unused variable 'p'
    ds.git/ldap/servers/plugins/syntaxes/facsimile.c:269: warning: unused variable 'p'
    ds.git/ldap/servers/plugins/usn/usn.c:107: warning: value computed is not used
    ds.git/ldap/servers/plugins/usn/usn.c:263: warning: control reaches end of non-void function
    ds.git/ldap/servers/plugins/usn/usn.c:525: warning: control reaches end of non-void function
    The only one I'm not sure about is changing usn_get_attr to always return a 0 - please review that usage.
    With these fixes, I only see the llu and lld format warnings on RHEL5 with the default rpmbuild compiler flags.
    Reviewed by: nhosoi (Thanks!)

commit 460158ab6c91fcdb3e2ec70f28bc6001c65adadb
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Mon Aug 31 08:51:03 2009 -0700

    Plugin Default Config Entry
    
    Design doc:
    http://directory.fedoraproject.org/wiki/Entry_USN#Plugin_Default_Config_Entr
    
    New slapi APIs in libslapd:
      int slapi_set_plugin_default_config(const char *type, Slapi_Value *value);
      Description: Add given "type: value" to the plugin default config entry
                   (cn=plugin default config,cn=config) unless the same "type:
                   value" pair already exists in the entry.
      Parameters: type - Attribute type to add to the default config entry
                  value - Attribute value to add to the default config entry
      Return Value: 0 if the operation was successful
                    non-0 if the operation was not successful
    
      int slapi_get_plugin_default_config(char *type, Slapi_ValueSet **valueset);
      Description: Get attribute values of given type from the plugin default
                   config entry (cn=plugin default config,cn=config).
      Parameters: type - Attribute type to get from the default config entry
                  valueset - Valueset holding the attribute values
      Return Value: 0 if the operation was successful
                  non-0 if the operation was not successful
      warning: Caller is responsible to free attrs by slapi_ch_array_free
    
    Changes in the Replication plugin:
    1) Functions to set replicated attributes
           agmt_set_replicated_attributes_from_attr and
           agmt_set_replicated_attributes_from_entry
       call _agmt_set_default_fractional_attrs to set the default excluded
       attribute list from the plugin default config entry before setting
       them from each replication agreement.
       To support it, agmt_parse_excluded_attrs_config_attr is changed to be
       re-entrant.
    2) Fixed a minor memory leak in the fractional attributes (ra->frac_attrs).
    3) Added a check for the duplicated fractional attributes.
    
    Changes in the USN plugin:
    1) usn_start calls slapi_set_plugin_default_config to add "entryusn" to
       the EXCLUDE list of the value of nsds5ReplicatedAttributeList in the
       plugin default config entry.
    2) fix for the bug 518673 - entryusn: wrong lastusn value; When the entryusn
       is not assigned yet, the next value to be set is 0.  Lastusn is calculated
       as (the next entryusn - 1).  Although the entryusn is 64-bit unsigned
       long, it should be printed as a 64-bit signed integer for lastusn.
    
    Other:
    Fixed a compiler error in ldap/servers/slapd/dse.c.

commit 60151da7f579956ea6171c4c9bcb0d1477b2006f
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Aug 25 11:44:58 2009 -0600

    Fails to start if attrcrypt can't unwrap keys
    https://bugzilla.redhat.com/show_bug.cgi?id=519065
    Resolves: 519065
    Bug Description: Fails to start if attrcrypt can't unwrap keys
    Reviewed by: nhosoi (Thanks!)
    Fix Description: If not using the attrcrypt feature, just return success
    if the keys could not be unwrapped.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit 1ec7f4538d4dc4f78927632c74cccb5878ac52fd
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Aug 25 11:09:52 2009 -0600

    https://bugzilla.redhat.com/show_bug.cgi?id=487425
    Resolves: bug 487425
    Bug Description: slapd crashes after changelog is moved
    Reviewed by: rmeggins
    Fix Description: Call clcache_set_config after the global changelog cache pool has been allocated.
    Platforms tested: HPUX 11 (PA-RISC 2.0 64-bit)
    Flag Day: no
    Doc impact: no
    <diffs>

commit 65b9840a17a00897c131f7723155588d889d1aef
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 20 12:59:08 2009 -0600

    Retry SASL writes if buffer not fully sent
    https://bugzilla.redhat.com/show_bug.cgi?id=518544
    Resolves: bug 518544
    Bug Description: large entries cause server SASL responses to fail
    Reviewed by: nhosoi (Thanks!)
    Branch: HEAD and 1.2
    Fix Description: The SASL server code was broken when we switched over to
    use NSPR I/O for the SASL IO layer.  If the entire encrypted buffer could
    not be sent to the client, the server was just failing.  Instead, the server
    must keep track of how many encrypted bytes were sent.  If all of the
    encrypted bytes could not be sent, we must return the appropriate error
    to the caller to let them know the operation would block.  The caller in
    this case is the write_function() which does a poll() to see if the socket
    is available for writing again, then will attempt the send again.
    I also cleaned up usage of the various Debug macros.
    Finally, I discovered that the sasl init code was calling config_get_localhost()
    before that value could be set.  In most cases, it is ok, because it will
    fall back to the default hostname from the system.  However, if for some
    reason you want to use a different localhost, it will fail.  Now it will be
    set in the bootstrap config code.
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

commit d4c11622e9914da56461c726dc4020d96202ef84
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 20 12:59:08 2009 -0600

    bump version to 1.2.2
    Reviewed by: nhosoi (Thanks!)

commit 94b02a19ad679152f6e42a9ef1c620b041d65b81
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Aug 20 11:28:14 2009 -0600

    Fix usage of pre-hashed salted passwords
    Pre-hashed passwords may not use the standard internal salt length.  The old
    ldif base64 decode function would return the number of bytes in the decoded
    string - the new NSPR function does not.  We can't use strlen on the decoded
    value since it is binary and may contain nulls.  The solution is to use a
    function to calculate exactly how many bytes the encoded string will have
    when decoded, taking into account padding.  Since we know exactly how many
    bytes are decoded, and we know exactly how many bytes of that decoded value
    are the hash, the remainder must be the salt, however many bytes that is.
    I tested this code with salt lengths from 1 to 99.
    Reviewed by: nkinder (Thanks!)
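
The length calculation this commit message describes, as an added example that is not the project's code: the decoded size is derived from the base64 text and its padding, the known hash length is subtracted, and whatever remains is the salt. The function names, the 20-byte hash length used for the sample, the rejection of an empty salt and the sample string itself are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not from the page: base64 of 20 zero bytes (a
 * placeholder digest) followed by the 5-byte salt 's' 0x00 'a' 'l' 't'. */
static const char SAMPLE[] = "AAAAAAAAAAAA" "AAAAAAAAAAAA" "AABzAGFsdA==";

/* Bytes a padded base64 string decodes to, or 0 if its length is invalid.
 * Derived from the text alone, so NUL bytes in the result do not matter. */
size_t b64_decoded_len(const char *enc)
{
    size_t len = strlen(enc), pad = 0;

    if (len == 0 || len % 4 != 0)
        return 0;
    if (enc[len - 1] == '=')
        pad = (enc[len - 2] == '=') ? 2 : 1;
    return (len / 4) * 3 - pad;
}

static int b64_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode enc into out (capacity cap). Returns the byte count, 0 on error. */
size_t b64_decode(const char *enc, unsigned char *out, size_t cap)
{
    size_t len = strlen(enc), n = b64_decoded_len(enc);
    size_t pad, i, j, o = 0;

    if (n == 0 || n > cap)
        return 0;
    pad = (len / 4) * 3 - n;
    for (i = 0; i < len; i += 4) {
        unsigned long quad = 0;
        for (j = 0; j < 4; j++) {
            char c = enc[i + j];
            int v = b64_val(c);
            if (c == '=' && i + j >= len - pad)
                v = 0;              /* '=' is valid only as trailing padding */
            if (v < 0)
                return 0;
            quad = (quad << 6) | (unsigned long)v;
        }
        if (o < n) out[o++] = (unsigned char)((quad >> 16) & 0xff);
        if (o < n) out[o++] = (unsigned char)((quad >> 8) & 0xff);
        if (o < n) out[o++] = (unsigned char)(quad & 0xff);
    }
    return n;
}

struct salted_hash {
    const unsigned char *hash, *salt;
    size_t hash_len, salt_len;
};

/* Split a decoded value into hash and salt. hash_len is fixed by the
 * scheme; the salt is the remainder, however many bytes that is.
 * Returns 0 on success, -1 if the value cannot hold hash plus salt. */
int split_salted_hash(const char *enc, size_t hash_len,
                      unsigned char *buf, size_t cap, struct salted_hash *sh)
{
    size_t n = b64_decode(enc, buf, cap);

    if (n == 0 || n <= hash_len)    /* this example requires a non-empty salt */
        return -1;
    sh->hash = buf;
    sh->hash_len = hash_len;
    sh->salt = buf + hash_len;
    sh->salt_len = n - hash_len;
    return 0;
}

int main(void)
{
    unsigned char buf[64];
    struct salted_hash sh;

    if (split_salted_hash(SAMPLE, 20, buf, sizeof(buf), &sh) != 0)
        return 1;
    printf("decoded=%lu salt=%lu strlen=%lu\n",
           (unsigned long)(sh.hash_len + sh.salt_len),
           (unsigned long)sh.salt_len,
           (unsigned long)strlen((const char *)buf));
    return 0;
}
```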

commit 7bb211fcf816c6bd65d832dbbe941f4869970885
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Aug 20 10:31:13 2009 -0700

    509472  db2index all does not reindex all the db backends correctly
    
    The commit a26ba73fb5040383c27872997bc07ab0c2006459 made to fix the bug 509472
    put the assertion at the wrong place.  It should be applied just for the worker
    thread.

commit e18e1d32140d8cb41ba3094327177154232fa9a9
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri Aug 14 08:28:01 2009 -0700

    Add centralized start/stop/restart scripts.
    
    This adds centralized start, stop, and restart scripts
    for ns-slapd.  These scripts live in the sbin directory
    and will act upon all instances if an instance identifier
    is not specified (similar to the init script).  The
    instance specific scripts have been modified to call the
    new centralized scripts.
    
    The instance specific parameters needed by the new scripts
    are located in the instance specific initconfig scripts,
    which are now created by setup-ds.pl with values mapped
    from the inf file.

commit 73025a62b72751c407a62f74f8339ac717c0fe3e
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Aug 12 08:36:58 2009 -0700

    506786 Index maintenance mechanism causes wrong search results when
    modifying attributes with subtypes
    
    Andrey Ivanov (andrey.ivanov at polytechnique.fr) pointed out my previous
    check-in for bug 506786 had inefficient code.  To determine whether
    to delete an equality index key or not, the code checks the key still
    exists in the value array having the same attribute type.  The check
    should be done as soon as one value is found in the value array instead
    of checking through all of them.

commit 623fdabae92376b3081f15f8802726241d869d86
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Aug 12 09:03:32 2009 -0600

    fix pcre build issues
    Reviewed by: nkinder (Thanks!)

commit b01ab94e8c57a4b4c5f38025cb56b0d1a22a126a
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Aug 11 14:37:44 2009 -0600

    Change default branding to 389 - remove lite code
    
    The vendor, brand, and capbrand are set in configure - we should use those
    everywhere rather than have to run some sort of script over the code to
    change vendor, brand, version, etc.  I've added VENDOR, BRAND, CAPBRAND
    to the default defines passed to the compiler, and changed the code to use
    these defines.  And instead of the unintuitively named PRODUCTTEXT macro,
    we should use the already defined PRODUCT_VERSION.
    This allowed me to get rid of some code.  The version was from a generated
    file called dirver.h which we don't need anymore, and we don't need the perl
    script dirver.pl which generated it.
    The vendor string was coming from the dirlite header file.  So I also used this
    as an excuse to get rid of all references to dirlite once and for all (yay!).
    For the places in plain text files which are not substituted, I just used the
    generic name Dirsrv or Directory Server instead of having an explicit brand
    and/or version in there.
    
    Reviewed by: nkinder (Thanks!)

commit bd8747deef192c26faa62f92489ff91638bf1ec9
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Mon Aug 10 17:36:36 2009 -0700

    506786  Index maintenance mechanism causes wrong search results when
    modifying attributes with subtypes
    
    When identical attribute value pairs that differ only in subtype exist
    in an entry and one of the pairs is deleted, it should not affect the
    index in which the attribute value is the key.
    
    e.g.,
     mail: abc
     mail;en: abc
     mail;fr: xyz
    
     removing mail=abc or mail;en=abc, should not remove =abc from the
     mail.db#.
    
    This fix uses the value array evals to determine if the equality key
    in the index should be deleted or not.  The value array evals stores
    the values of the attribute in the entry after the deletion is done.
    If evals is empty, it means the to-be-deleted attribute value pair is
    the only pair in the entry.  Thus, the equality key can be removed from
    the index.
    
    If evals has values, then the to-be-deleted attribute (curr_attr,
    which was retrieved from the old entry) value needs to be checked if
    it's in evals or not.  If it is in evals, the equality key is still
    used by other pair(s).  So, leave it.  Otherwise, the key can be
    removed.
    
    In the above example, let's assume removing mail=abc.  evals holds
    {"abc", "xyz"}.  curr_attr abc is in evals, thus =abc will not be
    removed.

commit e1b6c6418552a42a23c04b6c211c99daf9e47913
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Aug 6 13:16:01 2009 -0700

    509472  db2index all does not reindex all the db backends correctly
    
    db2index all (internally, called upgradedb) reads through the main db
    id2entry.db# and reindex all the associated indexed attributes.  The
    reindex borrows the import code where the entry id is newly assigned.
    The new entry id's are connective.  On the other hand, entry id's of the
    entries in the db to be reindexed are not.  The borrowed import code
    assumes the entry id and the index of the fifo are tightly coupled and
    the timing when the writing to and reading from the fifo are calculated
    based upon the assumption.
    
    The assumption should have been revised so that the entry id which is
    available up to is kept in ready_EID in the job structure and entry id from
    each entry (entry->ep_id) is compared with ready_EID instead of ready_ID
    that holds the sequential number.
    
    Additionally, I eliminated unused variable "shift" from import_fifo_fetch.
    Also, _dblayer_delete_instance_dir cleans up files and directories, recursively.

commit 954bb3d9b49a2ac9d66e4d78a9acb44a20f58ba9
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Aug 4 11:54:34 2009 -0700

    513916  Server doesn't ignore paged control, if page size and server's estimate of total no of entries are same
    The code processing search results was returning the PAGE END without
    knowing there are more entries to return or not.  To learn it, introduced
    "read ahead" one entry when it comes to the PAGE END.  If there are more
    entries, the code undoes the read ahead, which prompts for the next page
    on the client side.  If there are no more entries, it returns the status
    SEARCH END instead of PAGE END.
    
    In addition to the read ahead implementation to fix the bug 513916,
    * supporting Simple Paged Results for chaining backend is added.
    * fixed a bug in idl_new_fetch (idl_new.c) -- idlistscanlimit was not
      checked when the cursor comes to the end of an index file.

commit 0e2ad741bdd6390d0eb7edf2ddba978e7cee3f12
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Fri Jul 31 22:53:48 2009 -0700

    Bug 514955 - Make DNA handle multiple mods
    
    DNA doesn't handle multiple mods to a managed attribute
    in the same modify operation properly.  If an operation
    such as deleting a managed value triggers generation, we
    aren't checking if another mod in the same operation is
    actually adding a new value.  This triggers us to generate
    a value when we really shouldn't.  The fix is to unset the
    generate flag if we find a subsequent mod to the same
    managed type.  It will be reset if we truly need to
    generate a new value.

commit 6cb163231d0940b20e25e35b69d3ca8db747e905
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Jul 31 13:39:24 2009 -0700

    GroupOfUniqueNames in template.ldif must have uniqueMember
    %rootdn% (Directory Manager) has all rights on every entry by nature.
    Thus, it is not needed to give any acis.  This template has several
    groupOfUniqueNames objects which MUST have uniqueMember.  At this
    moment, there is no entry which could be a uniqueMember.  Just to
    satisfy the objectclass, set %rootdn% to uniqueMember of the objectclass.

commit 3936a698f07e1d8382be9e92b8b042528dc0406e
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Thu Jul 30 19:18:20 2009 -0700

    Bug 514848: Make selfwrite ACI keyword work with Name And Optional UID syntax attributes.
    
    The selfwrite ACI keyword currently only applies when writing to attributes
    using the Distinguished Name syntax.  It needs to also work with the Name And
    Optional UID syntax since that is the syntax used for the uniqueMember
    attribute.

commit 3148e1140b858d656118a36d1a5009a67aaa1ef2
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Thu Jul 30 16:52:26 2009 -0700

    Bug 514824: Fix double free in macro ACI code.
    
    If you have an ACI with multiple macros in it and the second attribute does not
    exist in the entry you are bound as, the in-memory list used for macro
    substitution is free'd twice.
    
    The code swaps hands the charray it plans to return after substitution over to
    a working list, but it doesn't set the return list to NULL.  When the second
    macro attribute is not found, the working list is free'd, yet the address is
    returned to the caller, who then tries to free the list a second time.  The fix
    is to set the list to be returned to NULL when the memory is handed over to the
    working list.

commit c23c09d85cbb208a5efe962204bd8230306451c1
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Jul 30 10:34:21 2009 -0700

    514770 remove per-entry response control for GER and Paged Results
    Since per-entry response controls are ignored by the ldapsearch client,
    we are getting rid of the unnecessary write_controls calls for Simple Paged
    Results and GER.

commit 52f23f12f49f822bbffcc4f2eabf271e09f2cad9
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Jul 29 11:15:50 2009 -0600

    Dereference support
    
    This adds support for the newly proposed LDAP Dereference feature (not to
    be confused with alias dereferencing).  The details of the proposed feature
    can be found here:
    http://www.openldap.org/devel/cvsweb.cgi/~checkout~/doc/drafts/draft-masarati-ldap-deref-xx.txt
    This adds a new deref plugin to the directory server.  This is a pre op search
    plugin.  In order to allow the plugin to rewrite the controls sent back with
    each entry, I changed the way pre-search and pre-entry plugins work.  They now
    have the ability to alter the entry and controls just before being sent back
    to the client.
    This plugin does not currently support internal operations.  It should be easy
    to add a call to register the plugin for internal ops if we need to do that.
    The code supports real, computed (e.g. memberOf), and virtual attributes
    both as the attribute to dereference and in the list of attributes to return
    from each dereferenced entry.  This will allow us to use attributes such as
    nsRole as the derefattr.
    Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients.
    valgrind output is clean

commit f0b3fa0b5dbda2f1c8bf7b99bc8e030124224e9a
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Jul 29 18:28:01 2009 -0700

    Apply SYNTAX_DN to Name And Optional UID
    Based on RFC2252, NameAndOptionalUID = DistinguishedName [ "#" bitstring ]

commit 4d9c1647479d701f46dfdad7835057c01e3b2857
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Mon Jul 27 15:09:04 2009 -0700

    Change aci syntax to Directory String.
    
    The aci attribute is currently defined with a syntax of IA5 String.
    This syntax only allows 7-bit characters.  Now that the server has
    support for syntax validation, this would prevent one from using
    international characters in aci rules.  This patch defines the aci
    attribute with the Directory String syntax, which allows any valid
    UTF8 character.

commit c3f5ddcb0843ec7fb5c674040ba6d1467528c6c1
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Thu Jul 23 16:00:45 2009 -0700

    Revert "513019 nsslapd-lookthroughlimit is not respected"
    
    This reverts commit 1e3138f1d41562d6f42a8fdf0934af23219bb8e1.
    
    Misunderstood nsslapd-lookthroughlimit.  Regardless of the filter test result,
    once hit the lookthroughlimit, search should be aborted there.  That's what
    the original code does and that is correct.

commit 03315a20ae02e1da631ba5ee2721a40fa218efcc
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Jul 22 16:03:02 2009 -0700

    513172 Simple Paged Results does not respect nsslapd-sizelimit
    SPR returns one page in one operation. Let the search_result_set keep the
    current sizelimit and make the sizelimit work beyond operations.

commit 88f7d3d1d98b2c4c8f40413ebe8c354c9da3d74c
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Wed Jul 22 11:34:23 2009 -0700

    513170 NULL search result does not return sort control
    When sort request control is given, even if the search result is NULL,
    sort response control should be created and passed to the client.

commit 689e3b98b91d375de97a47d7c26b415fd53fae05
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Jul 21 12:59:38 2009 -0700

    Entry USN
    First cut for implementing Entry USN.
    See http://directory.fedoraproject.org/wiki/Entry_USN for the design details.
    This change includes a bug fix for "db2ldif -r"; event queue system was not
    shut down before the plugins are closed, which could have crashed the command
    line utility.

commit 98426142d06ade9ac347b8b2344279dca964681b
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Tue Jul 21 10:23:16 2009 -0700

    513019 nsslapd-lookthroughlimit is not respected
    When filter test is necessary against the search results and the test fails,
    lookthroughcount attached to the search result structure should have been
    decremented since the entry will not be sent to the client, but it was not.
    This change fixes it.

commit 616296f9f43ce3ca5c55cb3df33e1495a3b110e6
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Tue Jul 21 07:09:52 2009 -0700

    Use LDAPv3 DN values in ns-newpwpolicy script.
    
    The DN used by the ns-newpwpolicy script to refer to the pwpolicy
    subentries are not legal.  We need to escape ',' chars in the value
    instead of just trying to use double-quotes around the value.

commit 8de8ad3667c810f476d8cb3eae335aa7170fbe8e
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Mon Jul 20 15:40:10 2009 -0700

    510147 clean up the replication log msg
    _cl5DBOpen removes a changelog db if there is no matching replica for the file.
    The manner to remove the changelog db file was not good -- not using the API
    that Berkeley DB provided, but removing it with NSPR delete function PR_Delete.
    This fix replaces PR_Delete with the Berkeley DB API dbremove.

commit de4697916a8499497da5ebaf1008751d90ce255b
Author: Nathan Kinder <nkinder at boraras.localdomain>
Date:   Mon Jul 20 09:30:15 2009 -0700

    Skip syntax check of encrypted attributes during import.
    
    When importing an ldif with pre-encrypted attributes, we
    need to skip the syntax check to avoid the import of those
    entries being skipped.  The fix makes a copy of an entry
    with encrypted attributes, removes the encrypted attributes,
    and uses this trimmed copy for the syntax check.

commit b1bf201d0bebbeb96e25546c141e73324524ff1e
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Jul 15 10:31:00 2009 -0600

    Fix unsalted password comparisons
    Unsalted password comparison was broken by the switch from using the ldif base64 function to using the NSPR base64 function.  The old function used to return the number of bytes.  The new one does not.  The code was assuming there was
    always a salt, but this is not the case.  Now, the code determines if there
    is a salt by comparing the calculated length (hash_len) with the actual number
    of bytes in the hash (shaLen).
    Reviewed by: nhosoi (Thanks!)

commit f088374561bd3b361b0c89d1c1cf71f8971a1d9a
Author: Nathan Kinder <nkinder at triton.usersys.redhat.com>
Date:   Tue Jul 14 14:25:05 2009 -0700

    Add additional standard syntaxes.
    
    This adds support for the following standard syntaxes, complete
    with validation functions:
    
        Bit String
        Delivery Method
        Enhanced Guide
        Facsimile Telephone Number
        Fax
        Guide
        Name And Optional UID
        Printable String
        Teletex Terminal Identifier
        Telex Number
    
    This patch does not change the schema to use any of these syntaxes
    yet.  That will come when we update to the current versions of the
    standard schema from the LDAP RFCs.
    
    I also fixed an error in makefile.am where Setup.pm was listed
    twice in perl_DATA.

commit 4dac1363821951d289ee76ced6a87400225e8375
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jul 14 12:50:36 2009 -0600

    Fix attrcrypt usage of nsSymmetricKey
    The current attrcrypt is failing because it attempts to store the encryption
    symkey in the nsSymmetricKey attribute.  This attribute is not defined in the
    schema, so it defaults to DirectoryString syntax.  Storing the value then fails
    syntax validation because the binary values in the key do not conform to
    DirectoryString.  The code was poorly designed to handle and report errors of
    this nature.  The real fix is to add nsSymmetricKey as a BINARY syntax
    attribute.  I also cleaned up the error detection and reporting for this case.
    Reviewed by: nkinder (Thanks!)

commit 6071678c5874c016055d87221a24010a2fc9c7b6
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed Jul 8 09:57:04 2009 -0600

    Reduce noise reported by valgrind
    valgrind is a very useful tool - however, the directory server produces a lot
    of false positives that have to be suppressed in order to get to the useful
    information.  These patches attempt to reduce some of that noise.
    1) aclparse - should calculate the length of the string _after_ trimming the
    spaces
    2) something about random number generation causes some of the bits to be uninitialized, and valgrind doesn't like it - this patch doesn't eliminate the error, just reduces it
    3) use initialized memory when generating hashes - also remove "magic numbers"
    4) bin.c - slapi_value_get_string must not be used with unterminated (binary) values
    5) we get these odd valgrind reports from deep within bdb about invalid reads and uninitialized memory - I thought perhaps because we were initializing DBT structures with = {0} which the bdb docs says is not sufficient - they recommend memset or bzero
    6) There are some small memory leaks during attrcrypt initialization and in error cases
    7) error message in ldif2ldbm.c was attempting to print the Slapi_DN structure rather than getting the char *dn
    8) After we call NSS_Initialize, we must call the NSS shutdown functions to clean up the caches and other data structures, otherwise NSS will leak memory.  This is harmless since it happens at exit, but valgrind reports hundreds of memory leaks.  The solution is to make sure we go through a single exit point after NSS_Initialize.  This means many places that just called exit() must instead return with a real return value.  This mostly affected main.c, detach.c, and a couple of other places called during startup.
    9) minor memory leaks in mapping tree initialization
    10) sasl_map.c - should not call this in referral mode
    11) minor memory leaks during ssl init
    Reviewed by: nkinder, nhosoi (Thanks!)

commit 0979cb60c8ceff3bbe463821b6b17751c2174075
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jul 7 13:22:45 2009 -0600

    Clean up compiler warnings
    This cleans up all of the compiler warnings produced with -Wall on RHEL/Fedora platforms.
    The warnings about the %lld and %llu formats are still produced and cannot be helped.
    Reviewed by: nkinder (Thanks!)

commit a5ed16a5dc1883dcacb2918b42558789d45d5746
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Mon Jul 6 12:11:01 2009 -0600

    OpenLDAP support
    These changes allow the server to be built with OpenLDAP (2.4.17+). A brief summary of the changes:
    * #defines not provided by OpenLDAP were copied into slapi-plugin.h and protected with #ifndef blocks
    * where it made sense, I created slapi wrapper functions for things like URL and LDIF processing to abstract away the differences in the APIs
    * I created a new file utf8.c which contains the UTF8 functions from MozLDAP - this is only compiled when using OpenLDAP
    * I tried to clean up the code - use the _ext versions of LDAP functions everywhere since the older versions should be considered deprecated
    * I removed some unused code
    NOTE that this should still be considered a work in progress since it depends on functionality not yet present in a released version of OpenLDAP, for NSS crypto and for the LDIF public API.

commit 5b85ddb9b27e5e901fb8a9c4882ba4ecc8f7ab79
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Sun Jul 5 14:49:41 2009 -0700

    509269 Simple paged result crashes/hangs the server
    
    1) Commit 281f14adb012a54d8b10c9d51dbce6f5c6f3e549 was based on the wrong
       observation and testing.  Backing off the change.
    2) Search result set is retrieved from pblock and used for simple paged results.
       When the search result set is released, the address stashed in pblock should
       have been set NULL not to access the address again.

commit a92874a8c62383266a8dd7a0167a0c61f0fa0efc
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Jul 2 08:49:52 2009 -0700

    Bug: 509401 - dnaNextValue not updated when dnaMaxValue set to -1
    
    When "dnaMaxValue" is set to "-1" or omitted from a range configuration entry
    (which defaults to "-1" internally), the "dnaNextValue" attribute is not
    updated in the range configuration entry when a value is allocated from that
    range.
    
    We were only updating the configuration entry if the new nextvalue was >=
    the maxval plus the interval (1).  We need to check if the maxval is -1
    specifically, and update the config entry if so.

commit f8bb84d95817b4ab66d97bdf85be1ed287d8996d
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Wed Jul 1 15:59:27 2009 -0700

    509269 Simple paged result crashes/hangs the server
    
    There was a contention between the connection table cleanup thread (main)
    and the search thread.  The cleanup code should have been protected by
    the same mutex we do in the paged result code (c_mutex).

commit f78c499d0f0904d0ae22a50b76b386881e2b4cce
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Fri Jun 26 15:18:09 2009 -0700

    506137 ns-slapd hang while group aci performance testing
    
    Bug description: If a group has more than 32767 members (max short),
    a variable 'n' declared as short overflows.  The value is used to calculate an
    array size to store group member info, which memory is not properly allocated
    and it ends up crashing the server.
    
    Fix description: Replaced the problematic short variable type with integer.
    Plus, each member info was storing a pointer pointing to an element inside
    of the array.  When the array is "realloc"ed, it's possible for the addresses
    to be relocated.  To solve the problem, the new code stores the index of array
    instead of the address.

commit f3970f58b05e01f038ff075c79e7b5f6872b2287
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Jun 25 14:28:56 2009 -0700

    Add linked attributes plug-in.
    
    This patch implements a linked attribute plug-in.  Details of the
    plug-in features and design are available on the 389 wiki at:
    
      http://directory.fedoraproject.org/wiki/Linked_Attributes_Design
    
    In addition, I encountered a memory leak when testing the new plug-in
    with valgrind.  There was a fix to the dse add code for a double free
    a few months back, which causes a leak in certain situations.  This
    previous fix was for bz#489763.  The proper thing to do is to make
    the dse backend add function consume the passed in entry upon success
    and leave it for the caller to deal with upon failure.  This is the
    way the back-ldbm add function works.

commit 0581d8addc80a389c8a43244e94aaf20f7ef1e3c
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Tue Jun 23 16:46:29 2009 -0700

    507460 Access log could mistakenly report notes=U for VLV searches
    
    Summary: Access log reports 'notes=U' for VLV indexed searches if there are no records to be found
    Fix Description: VLV creates an empty IDL if no matched entries are found.  To do so, VLV code was calling idl_alloc with argument 0, which generated ALLID.  It's changed to call idl_alloc with 1.  It creates a normal empty IDL.

commit d6378ed604386fe1f6e0ee4c4a28fdda473e1530
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Tue Jun 23 13:51:14 2009 -0700

    504383 PCRE breaks SASL Mapping
    
    Fix Description: unescape parenthesis in the regular expression.
    E.g., ^u:\(.*\) ==> ^u:(.*)
    This unescape is necessary for the new regex code using PCRE
    to keep the backward compatibility.

commit bf933e8f666460c13226d9beaaa83f64783ceb86
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Jun 9 10:41:50 2009 -0600

    initial commit of io function improvements
    This patch consolidates the functionality of read_function and secure_read_function into a single read_function that deals with NSPR PRFileDesc objects.  It does the same for write_function and secure_write_function.  Since there is only one write function, there is no need to push a separate secure read/write function to the lber layer - importing the prfd into ssl (SSL_ImportFd) does that.
    I've also added some more debugging.
    Reviewed by: nkinder (Thanks!)

commit f5dddbb0572dbc52fc087d047767744f13cf5098
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Fri Jun 5 14:16:48 2009 -0600

    Implement SASL I/O as an NSPR I/O layer
    This is part of the port to OpenLDAP, to simplify the code that
    interacts with the BER I/O layer.  Ideally, since we only deal
    with NSPR I/O, not raw I/O, in the directory server, we can push
    any additional layers, such as SASL, as NSPR I/O layers.  This
    is how NSS works, to push the SSL codec layer on top of the regular
    NSPR network I/O layer.
    Only 3 functions are implemented - PR_Send (sasl_io_send), PR_Recv
    (sasl_io_recv), and PR_Write (sasl_io_write).
    This simplified the code in saslbind.c and connection.c, and removed
    special handling for SASL connections - now they are just treated as
    regular NSPR connections - the app has not nor does not need to know
    the connection is a SASL connection.
    In addition, this gives us the ability to use SASL and SSL at the same
    time.  The SASL I/O layer can be pushed on top of the SSL layer, so
    that we can use SSL for connection encryption, and SASL for authentication,
    without having to worry about mixing the two.
    
    Reviewed by: nkinder (Thanks!)
    Platforms tested: RHEL5 x86_64, Fedora 9 x86_64

commit 43abea725fbf25a565e85699b072007b9d8f65e2
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Wed Jun 3 08:48:14 2009 -0700

    Compiler warnings and paged results on DSE
    1) Fixing compiler warnings on regex.c.
    2) Adding dse_search_set_release to dse.c to support simple paged results on DSE.

commit 1fe3b4e59ef9f58ea13291e0cbe85dd1e0b2d35a
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Mon Jun 1 11:09:53 2009 -0700

    Initialize smods in ldmb_back_modify
    
    To avoid unnecessary ldap_mods_free for the early error_returns
    which could be called before mods are set to smods.

commit c089a52f4febd0b08cad5bdd81726efe5afafa0c
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri May 29 14:11:41 2009 -0700

    Bug: 181465 - Handle spacing issues in objectClass SUP list.
    
    Our schema parser requires a space after the opening paren
    when multiple SUP objectclasses are listed in the definition
    of an objectclass.  The RFCs show that a space is not required.
    
    This patch simply removes the requirement that a space be
    present after the opening paren.

commit c26b8a172db8db07a524c719916a3e7a76d9cdb0
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri May 29 08:38:35 2009 -0700

    Add require secure binds switch.
    
    This adds a new configuration attribute named
    nsslapd-require-secure-binds.  When enabled, a simple bind
    will only be allowed over a secure transport (SSL/TLS or a
    SASL privacy layer).  An attempt to do a simple bind over
    an insecure transport will return an LDAP result of
    LDAP_CONFIDENTIALITY_REQUIRED.  This new setting will not
    affect anonymous or unauthenticated binds.
    
    The default setting is to have this option disabled.

commit a7e5f917111426c70b0cf24ec82ea47f669f71c5
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Thu May 28 09:55:06 2009 -0700

    Use thread aware library for complex regex searches
    
    For more details, see the design doc at http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
    
    Additional 2 unrelated changes are being made:
    1) dbgen.pl.in: secretary and manager are having a dn format value "cn=...".
    2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to set an assembler code macro _ASM.

commit 52090b3e4d6b03c46578178d5fb80147a28e23e0
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue May 26 08:57:29 2009 -0600

    Added full text of GPLv2 license
    Added the file LICENSE.GPLv2 which contains the full text
    of the GPLv2 license - the file LICENSE refers to this
    file.

commit 6426db64794d194069778df801a54779879a3e5d
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue May 19 14:45:58 2009 -0600

    Resolves: bug 501490 - Error creating view on FDS 1.2
    Reviewed by: nhosoi (Thanks!)
    The problem is when the views code calls views_cache_discover_children()
    and there are no children.  The code should check to see if the child_count
    is 0, and only attempt to alloc space for the pChildren array if the
    child_count is greater than 0.
    Platforms tested: RHEL5 x86_64

commit 3b3232f3e3282314f5fa19d4dd8c90632c1242b1
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue May 19 13:17:11 2009 -0600

    Fix various compiler warnings
    1) Make sure we use "const" consistently
    2) Make sure we use "unsigned char" consistently
    for some reason (unsigned char)*p did not compare to '\xHH' literals unless the literal was also cast to (unsigned char)
    3) added some missing function prototypes
    4) removed some unused variables/functions, or commented out for use when debugging
    5) various other compiler warnings
    
    With all of these, the code compiles cleanly on RHEL5 x86_64 using
    gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-44)
    and
    CFLAGS="-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic"
    
    The only warning now is the spurious message about %llu or %lld having the wrong format argument.
    
    Reviewed by: nhosoi (Thanks!)

commit 32b570d995453f7fe21ce0a664f6dae159e92613
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Sun May 17 10:02:54 2009 -0600

    fix rpmlint issues - config files and perl modules should not be executable

commit 745768189b54e6752ac8bdac0b96bf3b8bee603a
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Sun May 17 08:56:41 2009 -0600

    bump version to 1.2.1 - added .gitignore

commit b6e1db6567e4244878667898968727b5742f1e13
Author: Noriko Hosoi <nhosoi at kiki.usersys.redhat.com>
Date:   Fri May 15 16:10:32 2009 -0700

    Add Simple Paged Results
    
    For more details, see the design doc at http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design

commit febb239923efa4b0f7ce79e0920e5e4ae03cba1b
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Wed May 13 11:12:11 2009 -0700

    Add strict DN syntax enforcement option.
    
    The DN syntax has become more restrictive over time, and the
    current rules are quite strict. Strict adherence to the rules
    defined in RFC 4514, section 3, would likely cause some pain to
    client applications. Things such as spaces between the RDN
    components are not allowed, yet many people use them still since
    they were allowed in the previous specification outlined in RFC
    1779.
    
    To deal with the special circumstances around validation of the DN
    syntax, a configuration attribute is provided named
    nsslapd-dn-validate-strict. This configuration attribute will
    ensure that the value strictly adheres to the rules defined in RFC
    4514, section 3 if it is set to on. If it is set to off, the server
    will normalize the value before checking it for syntax violations.
    Our current normalization function was designed to handle DN values
    adhering to RFC 1779 or RFC 2253

commit df4dea7f6f7b6ee132a0424ba11d3ea6ab6466fa
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Wed May 13 10:28:55 2009 -0600

    Rename to 389
    changed brand and capbrand to 389
    changed vendor to "389 Project"
    I had to redo my earlier patch - I should have used the newer
    automake and autoconf to reduce the size of the patch
    This commit uses automake 1.10.1 and autoconf 2.63 from F10
    Reviewed by nkinder (Thanks!)

commit 26abe453789d613a4b6737c4d1502ef06d5ceda5
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon May 11 16:07:42 2009 -0700

    Auto-generate SLAPI docs - first pass.
    
    This starts the effort to be able to use Doxygen to
    auto-generate the SLAPI documentation.
    
    I started documenting everything in slapi-plugin.h
    from the top down.  There is a TODO comment indicating
    where the effort needs to be picked up from in the
    header file.
    
    To build the SLAPI docs, run "doxygen slapi.doxy" in
    the top of the source tree.  The resulting doc files
    will be in a subdirectory named "docs".  The build of
    the docs still needs to be integrated with the rest of
    the build.

commit 9082ce15439ca9bd8457385ac8c8896de766b8dc
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Mon May 11 10:23:34 2009 -0700

    Generated autotools files for syntax validation feature.
    
    A change was also made to Makefile.am to avoid library versioning
    for our C++ plug-in libraries.  This change should allow us to use
    autogen.sh on recent platforms without running into issues during
    build-time.

commit c224355f2fd45ce3067fbabefb0b3289e75d9654
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Fri May 8 09:14:42 2009 -0700

    Added capability to validate syntax of values being added to the database.  Also added numericstring syntax support.
    
    For more details, see the design doc at http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
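
The two defects described in commit f78c499d (506137) above, a member count held in a short and pointers kept into an array that is later realloc'ed, shown as an added example that is not part of the original post and is not 389 Directory Server code. The names struct member, struct member_list, list_add, build_chain, chain_depth and count_as_short are hypothetical; links are stored as array indexes so they stay valid when the array grows.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define NO_PARENT ((size_t)-1)

/* Hypothetical member record (assumption, not the server's structure).
 * The link to another member is an index into the array, not a pointer,
 * so it stays valid when realloc() moves the array. */
struct member {
    int    id;
    size_t parent;   /* index of the parent member, or NO_PARENT */
};

struct member_list {
    struct member *items;
    size_t         count;   /* size_t, not short: no wrap at 32767 */
    size_t         cap;
};

/* What the old counter type did to a large group: converting an
 * out-of-range value to short is implementation-defined and wraps on
 * gcc/clang, so any array size derived from it is wrong. */
static short count_as_short(size_t members)
{
    return (short)members;
}

/* Append one member. Returns 0 on success, -1 on a bad link or on
 * allocation failure. The capacity arithmetic is checked so the byte
 * count passed to realloc() cannot wrap. */
static int list_add(struct member_list *l, int id, size_t parent)
{
    if (parent != NO_PARENT && parent >= l->count)
        return -1;                       /* link must point at an existing slot */

    if (l->count == l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 16;
        if (ncap < l->cap || ncap > SIZE_MAX / sizeof *l->items)
            return -1;                   /* size computation would overflow */
        struct member *p = realloc(l->items, ncap * sizeof *p);
        if (p == NULL)
            return -1;                   /* old array is still valid */
        l->items = p;                    /* array may have moved: pointers into
                                            the old block are now dangling,
                                            indexes are not */
        l->cap = ncap;
    }
    l->items[l->count].id = id;
    l->items[l->count].parent = parent;
    l->count++;
    return 0;
}

/* Add n members, each linked to the one added before it. */
static size_t build_chain(struct member_list *l, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t parent = l->count ? l->count - 1 : NO_PARENT;
        if (list_add(l, (int)i, parent) != 0)
            break;
    }
    return l->count;
}

/* Follow the index links from idx back to the root and count the hops.
 * Terminates because list_add only accepts parents with a lower index. */
static size_t chain_depth(const struct member_list *l, size_t idx)
{
    size_t depth = 0;
    while (idx != NO_PARENT && idx < l->count) {
        depth++;
        idx = l->items[idx].parent;
    }
    return depth;
}

static void list_free(struct member_list *l)
{
    free(l->items);
    l->items = NULL;
    l->count = l->cap = 0;
}

int main(void)
{
    struct member_list l = {0};
    size_t n = build_chain(&l, 40000);   /* constructed input: > 32767 members */

    printf("members stored:        %zu\n", n);
    printf("same count in a short: %d\n", count_as_short(n));
    printf("links still walkable:  %zu\n", chain_depth(&l, n - 1));
    list_free(&l);
    return 0;
}
```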


