branch: master
Commits on Jul 10, 2012
  1. Trac Ticket #402 - unhashed#user#password in entry extension

    Noriko Hosoi authored
    https://fedorahosted.org/389/ticket/402
    
    Fix description: This patch adds the method to use entry
    extension to stash the unhashed password in addition to the
    existing one which uses the ordinary attribute.
    
    It introduces the definition "USE_OLD_UNHASHED" in configure.ac
    to keep the old method to use the attribute.
    
    Once all the plugins' migration is done, the old method can be
    disabled by removing the definition.  We could also remove the
    code in "#if defined(USE_OLD_UNHASHED)" then.
    
    The first proposal was reviewed and commented by nkinder.
    (Regarding the comments, see also the trac ticket.  Thanks
    a lot, Nathan!) This second patch includes the fixes pointed
    out by him.
Commits on Jul 9, 2012
  1. Ticket #405 - referint modrdn not working if case is different

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/405
    Resolves: Ticket #405
    Bug Description: referint modrdn not working if case is different
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Pass the Slapi_DN to _update_all_per_mod() and
    _update_one_per_mod().  Use the case normalized dn (ndn) to compare against
    the case normalized member value.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
    (cherry picked from commit 8ef08f85fb29ffe4c17ed900378882e8eb127bc4)
Commits on Jun 29, 2012
  1. Ticket 399 - slapi_ldap_bind() doesn't check bind results

    marcus2376 authored
    Bug Description:  There are two issues here.  One, we were not calling ldap_parse_result()
                      for SIMPLE binds.  Two, we were overwriting the error code, with the
                      function result code.
    
    Fix Description:  Always call ldap_parse_result, and use a separate error code variable to
                      preserve the actual result code from the bind operation.
    
    https://fedorahosted.org/389/ticket/399
    
    Reviewed by: nhosoi(Thanks Noriko!)
Commits on Jun 27, 2012
  1. Ticket 378 - unhashed#user#password visible after changing password

    Rich Megginson authored
    declare is_type_forbidden in deref.c
    (cherry picked from commit 4bf9444a082f25f289a973128c243583831cc848)
  2. Ticket 366 - Change DS to purge ticket from krb cache in case of authentication error

    marcus2376 authored
    
    Bug Description:  Under certain circumstances, a replica can be removed, and readded,
                      but the master replica still holds its old kerberos credentials in
                      a cache(ccache).  Until the master replica is restarted, replication
                      will not resume.
    
    Fix Description:  If a sasl bind fails, and it is GSSAPI, and the error is 49, clear
                      out the ccache.
    
                      I also noticed that when this situation arises we report errors when
                      trying to update the referrals in the repl agreement to this replica.
                      The error is 20(type or value exists), and it will log at least one of
                      these messages per update.  The error should not be written to the
                      error log, as it's not a problem that needs reporting.
    
    https://fedorahosted.org/389/ticket/366
    
    reviewed by: richm(Thanks!)
Commits on Jun 26, 2012
  1. Trac Ticket 396 - Account Usability Control Not Working [Bug 835238]

    nhosoi authored
    https://fedorahosted.org/389/ticket/396
    
    Fix Description: Commit 0038129
    broke the feature.  This patch is backing off the change so that
    get_entry accepts NULL pblock, which is necessary for the
    Account Usability plugin.
Commits on Jun 22, 2012
  1. fix for trac #173; update ds-logpipe.py docs about -t option

    authored Rich Megginson committed
Commits on Jun 20, 2012
  1. Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213

    Noriko Hosoi authored
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: unhashed#user#password is skipped to check acl
    in acl_check_mod.
    
    Fix Description: Set SLAPI_ATTR_FLAG_NOUSERMOD to unhashed#user#
    password schema.  It makes clients' modifying the unhashed password
    fail by UNWILLING TO PERFORM.
    (cherry picked from commit 1629311d7201a6a7842db15865e02042a2894383)
  2. Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213

    Noriko Hosoi authored
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: Deref still retrieved unhashed password.
    
    Fix Description: Added code to Deref plugin to check the deref attribute.
    If it is unhashed password, skip it.
    (cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
  3. Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213

    Noriko Hosoi authored
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: unhashed password is stored in the entry in memory
    when an entry/a password is added or the password is modified.
    The password could be visible by the ordinary search if the type
    "unhashed#user#password" is specified in the attribute list.
    
    Fix Description:
    1. Set "unhashed#user#password" to the forbidden attribute list,
       which is dropped from the search attribute list.
    2. Get effective right does not return "unhashed#user#password"
    3. In the modify operation, adding "unhashed#user#password" to or
       deleting "unhashed#user#password" from the entry never returns
       an error regardless of the attribute value.  Internally, the
       operation is ignored.
    (cherry picked from commit 9df3c438ebd05bbaa5e7b2506fc5d5e9f3ff4a95)
    (cherry picked from commit 8f0811a86a1b233cf9566349653ef7f184278144)
    (Fixed conflicts in ldap/servers/slapd/{entry.c,entrywsi.c,slapi-private.h})
Commits on Jun 18, 2012
  1. Ticket #387 - managed entry sometimes doesn't delete the managed entry

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/387
    Resolves: Ticket #387
    Bug Description: managed entry sometimes doesn't delete the managed entry
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: A modify just replaces the old entry in the cache with
    the new entry, and the modify code only does the cache_replace if the
    database operations succeed, so we don't have to do any cache cleanup
    in the txn retry loop.  Also cleanup some other cache usage.  If there
    is an error and ec is in the cache, we still have to remove it and restore
    the original e entry.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
  2. Ticket #387 - managed entry sometimes doesn't delete the managed entry

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/387
    Resolves: Ticket #387
    Bug Description: managed entry sometimes doesn't delete the managed entry
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: A modify just replaces the old entry in the cache with
    the new entry, and the modify code only does the cache_replace if the
    database operations succeed, so we don't have to do any cache cleanup
    in the txn retry loop.  Also cleanup some other cache usage.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
  3. improve txn test index handling

    Rich Megginson authored
    Sometimes it is difficult to determine which indexes actually have files,
    and the txn thread would keep looping forever looking for missing files.
    This changes the txn thread to retry a few times, then just start skipping
    missing indexes.  The txn thread will log which indexes it uses and which
    it skipped.
  4. Ticket #360 - ldapmodify returns Operations error - fix delete caching

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/360
    Resolves: Ticket #360
    Bug Description: ldapmodify returns Operations error - fix delete caching
    Reviewed by: nkinder
    Branch: master
    Fix Description: Previous commit was wrong.  When retrying the op, have
    to remove the tombstone, if any, from the cache first, then add back
    the original entry.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
  5. fix coverity issues with uninit vals, no return checking

    Rich Megginson authored
    12766 Uninitialized pointer read
    In _entryrdn_replace_suffix_id(): Reads an uninitialized pointer or its target
    12765 Uninitialized pointer read
    In txn_test_threadmain(): Reads an uninitialized pointer or its target
    12764 Unchecked return value
    In txn_test_threadmain(): Value returned from a function is not checked for errors before being used
    12763 Unchecked return value
    In entrycache_replace(): Value returned from a function is not checked for errors before being used
    12762 Unchecked return value
    In entrycache_add_int(): Value returned from a function is not checked for errors before being used
    Reviewed by: mreynolds (Thanks!)
    (cherry picked from commit 98784ec829061e969c84b3cd5882326a0376ebd6)
  6. Coverity Fix

    marcus2376 authored
    issue 12777
    
    Bug Description:  incorrectly used var r instead of rc
Commits on Jun 15, 2012
  1. Trac Ticket #335 - transaction retries need to be cache aware

    Noriko Hosoi authored
    https://fedorahosted.org/389/ticket/335
    
    Fix description:
    Commit bddb5a4 includes this fix:
    > Additionally, error checking for the conflict value in index_add_mods
    > was weak (curr_attr). This patch is adding the check.
    
    The fix was incomplete.  If an add-attempted attribute type itself
    does not exist in the entry (not only the attribute value) after
    mods applied, the attribute type/value should not have been indexed.
    This patch fixes it.
Commits on Jun 14, 2012
  1. Ticket #360 - ldapmodify returns Operations error - fix delete caching

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/360
    Resolves: Ticket #360
    Bug Description: ldapmodify returns Operations error - fix delete caching
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Since creating a tombstone uses the same entryid as the
    original entry to be deleted, we have to use cache_replace to replace the
    existing entry with the tombstone.  This is similar to modify and modrdn.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
  2. Ticket #389 - ADD operations not in audit log

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/389
    Resolves: Ticket #389
    Bug Description: ADD operations not in audit log
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: Re-add code that was previously deleted.  Also, log the
    unnormalized, raw DN for operations.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
    (cherry picked from commit ff11cccbba3f60761ca949a2feacc9d0b35451e7)
Commits on Jun 13, 2012
  1. COVERITY FIXES

    marcus2376 authored
    12762
    12763
    12764
    12765
    12766
    12767
    12768
    12769
    12771
    
    Reviewed by: Noriko & Richm (Thanks!)
Commits on Jun 12, 2012
  1. Ticket #388 - Improve replication agreement status messages

    marcus2376 authored
    Bug Description:  Result codes that were negative values triggered a generic error
                      message (System Error).  This is because of mozLDAP's ldap_err2string()
                      which can only handle positive values, but openldap's ldap_err2string
                      can handle both positive and negative numbers.
    
    Fix Description:  Created a wrapper function (slapi_err2string), that can handle both
                      positive and negative error codes, regardless which ldap library is
                      being used.
    
    Reviewed by:
    
    https://fedorahosted.org/389/ticket/388
Commits on Jun 1, 2012
  1. Update the slapi-plugin documentation on new slapi functions, and added a slapi function for checking on shutdowns

    marcus2376 authored
    
    Fix Description:  removed the g_get_shutdown() functions from the plugins, and replaced them with the slapi version
    
    Reviewed by: Richm (Thanks!)
  2. Ticket #369 - restore of replica ldif file on second master after deleting two records shows only 1 deletion

    marcus2376 authored
    
    Bug Description:  If you take a "db2ldif -r" on a consumer and later restore it "ldif2db"
                      any changes made on that consumer after the backup(db2ldif), will not be
                      replayed back to the consumer after it has been restored(ldif2db).
    
    Fix Description:  When we check if we can skip updates from the change log, check if the
                      consumer csn is "newer" than its current max csn.  If it is, then it
                      needs to be replayed back to itself.
    
    https://fedorahosted.org/389/ticket/369
    
    Reviewed by: Nathan & Rich (Thanks!)
Commits on May 29, 2012
  1. Ticket #28 - MOD operations with chained delete/add get back error 53 on backend config

    marcus2376 authored
    
    Bug Description:  If you try and delete/add a config attribute, an error 53 is returned.
    
    Fix Description:  Allow a delete of a config attribute if we add it back in the same mod set.
    
    https://fedorahosted.org/389/ticket/28
    
    Reviewed by: Noriko (Thanks!)
Commits on May 25, 2012
  1. Ticket 368 - Make the cleanAllRUV task one step

    Mark Reynolds authored marcus2376 committed
    Bug Description:  The first version of this fix required a second releaseRUV step.
    
    Fix Description:  Created a new "monitoring" thread that checks all the replicas RUV's
                      to see if the rid was cleaned.  Once they are cleaned, we automatically
                      release the RID for reuse.
    
                      I also refined the logging so it is easy to track the status of the task.
    
    https://fedorahosted.org/389/ticket/368
    
    reviewed by: richm (Thanks Rich!)
  2. Ticket #110 - RFE limiting root DN by host, IP, time of day, day of week

    marcus2376 authored
    RFE Description:  There is no way to restrict when and where someone can attempt
                      root DN binds.  An intruder can brute force guess the password all
                      day long until they succeed, especially if the DS is publicly
                      available.
    
    Fix Description:  Created a new plugin, type "internalpreoperation" and an internal
                      preop bind function.  You can configure the plugin with some basic
                      access control:
    
                rootdn-open-time: 0800
                rootdn-close-time: 1700
                rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
                rootdn-allow-host: *.redhat.com
                rootdn-allow-host: *.fedora.com
                rootdn-deny-host: dangerous.boracle.com
                rootdn-allow-ip: 127.0.0.1
                rootdn-allow-ip: 2000:db8:de30::11
                rootdn-deny-ip: 192.168.1.*
    
                      As with our other ACL code, deny rules always override the allow rules.
    
    https://fedorahosted.org/389/ticket/110
    
    Reviewed by: richm(Thanks Rich!)
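
The deny-overrides-allow evaluation described in the Ticket #110 commit message above, modelled as an added Python example (not code from the 389 Directory Server plugin). Assumptions: a non-empty allow list is exclusive, the time window includes the open time and excludes the close time, patterns are shell-style `*` wildcards, and the function name `rootdn_bind_allowed` and the dict layout are hypothetical.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Attribute values copied from the commit message; the dict layout is an assumption.
POLICY = {
    "rootdn-open-time": "0800",
    "rootdn-close-time": "1700",
    "rootdn-days-allowed": "Mon, Tue, Wed, Thu, Fri",
    "rootdn-allow-host": ["*.redhat.com", "*.fedora.com"],
    "rootdn-deny-host": ["dangerous.boracle.com"],
    "rootdn-allow-ip": ["127.0.0.1", "2000:db8:de30::11"],
    "rootdn-deny-ip": ["192.168.1.*"],
}

# Same order as datetime.weekday(): Monday is 0.
DAY_NAMES = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def _matches(value, patterns):
    """Case-insensitive shell-style match of value against any pattern."""
    value = (value or "").lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def _list_allows(value, allow, deny):
    """A deny match always wins; assumed: a non-empty allow list is exclusive."""
    if _matches(value, deny):
        return False
    return not allow or _matches(value, allow)


def rootdn_bind_allowed(policy, when, host, ip):
    """Return (allowed, reason) for a root DN bind attempt.

    reason names the first restriction that rejected the bind:
    "day", "time", "host" or "ip"; "ok" when the bind may proceed.
    """
    raw_days = policy.get("rootdn-days-allowed", "")
    days = [d.strip().lower() for d in raw_days.split(",") if d.strip()]
    if days and DAY_NAMES[when.weekday()] not in days:
        return False, "day"

    # Zero-padded HHMM strings compare correctly as text.
    now = when.strftime("%H%M")
    open_t = policy.get("rootdn-open-time")
    close_t = policy.get("rootdn-close-time")
    if open_t and close_t and not (open_t <= now < close_t):
        return False, "time"

    if not _list_allows(host, policy.get("rootdn-allow-host", []),
                        policy.get("rootdn-deny-host", [])):
        return False, "host"

    if not _list_allows(ip, policy.get("rootdn-allow-ip", []),
                        policy.get("rootdn-deny-ip", [])):
        return False, "ip"

    return True, "ok"


if __name__ == "__main__":
    # Constructed bind attempts: (timestamp, client host, client IP).
    attempts = [
        (datetime(2012, 5, 23, 10, 0), "ldap1.redhat.com", "127.0.0.1"),
        (datetime(2012, 5, 23, 10, 0), "ldap1.redhat.com", "192.168.1.20"),
        (datetime(2012, 5, 26, 10, 0), "ldap1.redhat.com", "127.0.0.1"),
    ]
    for when, host, ip in attempts:
        print(when.isoformat(), host, ip, rootdn_bind_allowed(POLICY, when, host, ip))
```
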
Commits on May 24, 2012
  1. Ticket #383 - usn + mmr = deletions are not replicated

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/383
    Resolves: Ticket #383
    Bug Description: usn + mmr = deletions are not replicated
    Reviewed by: mreynolds (Thanks!)
    Branch: master
    Fix Description: The problem was that because usn was creating a tombstone,
    it was also setting the OP_FLAG_TOMBSTONE flag in the operation, which was
    causing the operation to think it was deleting a tombstone.  The fix is to
    not set this flag, and instead have operations that delete tombstones to
    set that flag explicitly when creating the delete op request.
    In addition, the CSN for delete ops was not being logged - the usn bepostop
    was deleting it, even when replication was being used.  Previously the csn
    was needed as a "trigger" to tell the ldbm_back_delete code to create a
    tombstone rather than deleting the entry outright.  Instead, use the
     slapi_operation_get_replica_attr (pb, operation,
                                       "nsds5ReplicaTombstonePurgeInterval",
                                       &create_tombstone_entry)
    to determine whether or not to create a tombstone entry.  Both replication
    and usn configure this, so if using one or both of those, tombstones will
    be created, otherwise, not.
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: no
    Doc impact: no
    (cherry picked from commit 73e077189820130c93e25e359d5935794dbbf3ee)
  2. Ticket #382 - DS Shuts down intermittently

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/382
    Resolves: Ticket #382
    Bug Description: DS Shuts down intermittently
    Reviewed by: nhosoi (Thanks!)
    Branch: master
    Fix Description: ldbm_back_delete should not touch the backentry to
    be deleted while it is in the cache.  Any mods made by any plugins should
    be made to the tombstone or to a copy of the original entry.
    Platforms tested: Fedora 17
    Flag Day: no
    Doc impact: no
    (cherry picked from commit 7146bb325de67b036dfa39b898c030ee414337f9)
  3. Ticket #360 - ldapmodify returns Operations error

    Rich Megginson authored
    https://fedorahosted.org/389/ticket/360
    Resolves: Ticket #360
    Bug Description: ldapmodify returns Operations error
    Reviewed by: mreynolds (Thanks!)
    Branch: master
    Fix Description:
    1) Fix handling of DB_LOCK_DEADLOCK conditions.  When a database operation
    returns DB_LOCK_DEADLOCK, all cursors must be closed, and the transaction
    aborted and retried.  If not in a transaction, the operation may be retried
    immediately.  This fix adds this logic to many places in the db code where
    it was lacking.
    2) Fix resetting of the data when an operation has to be retried.  When
    a transaction has to be retried, we must reset the data to the same state
    it was before any of the operations in the transaction were attempted.  This
    includes the entry cache state, which was lacking in a number of ways.  One
    major problem with resetting the cache is that cache_add_tentative adds an
    entry to the dncache, but not the idcache, in order to reserve a space in
    the cache, and to prevent other entries with the same DN from being added
    while the operation is in progress.  There was no good way to remove this
    entry.  In the case of modrdn, removing the tentative entry would also
    remove the real entry since they share the same entryid.  This fix also
    makes sure that in error conditions, temporary entries are removed from
    the cache and properly freed, and real entries are "rolled back" into the
    cache.
    3) Added a transaction stress thread.  This thread can simulate various types
    of read and write locking that can cause conflicts and trigger regular
    database operations to return DB_LOCK_DEADLOCK.  The usual culprit is read
    locks which are held on pages that are searched outside of a transaction.
    The stress thread can lock, via read cursors, all of the pages in all of
    the indexes in the database, and hold these pages for some set period of
    time, then loop and do it again.
    4) It is quite easy to get the database in a deadlock situation, where an
    update operation is waiting for a read lock to be released in order to
    write to a page, while a search operation is waiting for a write lock to
    be released in order to read lock the page.  If we are going to allow
    concurrent searches during update operations, without making search requests
    transacted, we need to have some way to detect these deadlocks.  The fastest
    way to do it is to use the DB_TXN_NOWAIT flag when starting transactions.
    This tells bdb to return immediately with a DB_LOCK_DEADLOCK if the
    transaction cannot proceed due to a locked page (e.g. a search request
    has read locked a page).  Alternately, we could have transactions wait
    for some specified period of time, but if we think that this type of thread
    contention is going to be rare, it makes sense to return immediately, if
    our deadlock handling is fast and robust.
    5) Fixed some memory leaks
    6) The txn_test thread needs to know when the backend databases are
    available - had to add a backend flag BE_STATE_STOPPING so that
    the txn_thread knows when the databases are available
    7) If the op was retried RETRY_TIMES times, return LDAP_BUSY instead of
    OPERATIONS_ERROR - the problem really is that the server is busy with
    other transactions, and the operation could go through if the client
    were to retry.
    8) Renaming an entry without changing the dn e.g. changing the case does
    not cache the entry, so handle that
    9) Added a delay when a deadlock is encountered in modrdn - same as the
    other add/mod/del cases
    Platforms tested: RHEL6 x86_64, Fedora 17
    Flag Day: yes
    Doc impact: yes
    (cherry picked from commit 48b8ace54583662306c75f22f2f243fc274251af)
Commits on May 21, 2012
  1. Ticket #321 - krbExtraData is being null modified and replicated on each ssh login

    Rich Megginson authored
    
    Bug Description: Crash during IPA install
    Fix Description: Have to free the mod before moving the unremoved mods
    down the list on top of the freed mod.
    Reviewed by: mreynolds (Thanks!)
  2. console .2 is still compatible with 389 .3 for now

    Rich Megginson authored
Commits on May 18, 2012
  1. Trac Ticket #359 - Database RUV could mismatch the one in changelog under the stress

    Rich Megginson authored
    
    
    https://fedorahosted.org/389/ticket/359
    
    Fix Description:
    . Fix for csnplRollUp - was leaking the node data - since
    llistRemoveCurrentAndGetNext will detach the current node,
    we have to free the data associated with the current node
    first, but not the csn, so set that to NULL first
    Reviewed by: nhosoi (Thanks!)
Commits on May 17, 2012
  1. Ticket #321 - krbExtraData is being null modified and replicated on each ssh login

    marcus2376 authored
    
    Bug Description:  When using fractional repl, if you update an attribute that is excluded,
                      a modify op is still sent to the replicas.  The update is basically empty,
                      except we are still updating these attributes for no reason:
    
                         modifiersname
                         modifyTimestamp
                         etc
    
    Fix Description:  Added a new attribute to the replication agmt:  nsds5ReplicaStripAttrs
    
                      Add the attributes that you don't want replicated if the mods are "empty".
                      Separate each attribute by a space:
    
                         nsds5ReplicaStripAttrs: modifiersname modifytimestamp
    
    Side Note:  Did a little optimization in repl5_strip_fractional_mods() as well.
    
    https://fedorahosted.org/389/ticket/321
    
    Reviewed by:
  2. Bug #361: Bad DNs in ACIs can segfault ns-slapd

    Charles Lopes authored Rich Megginson committed
    A bad userdn will make the DN normalization fail.  This sets dn to NULL,
    and the server will attempt to access the NULL dn.
    The fix is to just return with an error if the normalization fails since
    the DN is invalid.
    Reviewed by: rmeggins