https://fedorahosted.org/389/ticket/402 Fix description: This patch adds a method that uses the entry extension to stash the unhashed password, in addition to the existing one which uses the ordinary attribute. It introduces the definition "USE_OLD_UNHASHED" in configure.ac to keep the old method that uses the attribute. Once all the plugins' migration is done, the old method can be disabled by removing the definition. We could also remove the code in "#if defined(USE_OLD_UNHASHED)" then. The first proposal was reviewed and commented on by nkinder. (Regarding the comments, see also the trac ticket. Thanks a lot, Nathan!) This second patch includes the fixes pointed out by him.
RFE Description: There is no way to restrict when and where someone can attempt root DN binds. An intruder can brute force guess the password all day long until they succeed, especially if the DS is publicly available. Fix Description: Created a new plugin, type "internalpreoperation", and an internal preop bind function. You can configure the plugin with some basic access control:

rootdn-open-time: 0800
rootdn-close-time: 1700
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-allow-host: *.redhat.com
rootdn-allow-host: *.fedora.com
rootdn-deny-host: dangerous.boracle.com
rootdn-allow-ip: 127.0.0.1
rootdn-allow-ip: 2000:db8:de30::11
rootdn-deny-ip: 192.168.1.*

As with our other ACL code, denies always override the allow rules. https://fedorahosted.org/389/ticket/110 Reviewed by: richm (Thanks Rich!)
https://fedorahosted.org/389/ticket/351 Resolves: Ticket #351 Bug Description: use betxn plugins by default Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: added 90betxn-plugins.ldif that gets used during instance creation (but not upgrade). This makes every betxn-aware plugin a betxn plugin, except for Class of Service, Roles, and Views - they will need further rewriting in order to make them betxn aware. Platforms tested: RHEL6 x86_64, Fedora 17 Flag Day: no Doc impact: no
https://fedorahosted.org/389/ticket/261 Resolves: Ticket #261 Bug Description: Add Solaris i386 Reviewed by: rmeggins Branch: master Fix Description: Allow building on Solaris i386 Platforms tested: RHEL6 x86_64 (build only) Flag Day: yes - configure changes Doc impact: no Contributed by: cgrzemba (Thanks!)
…ternalCreatorsName Bug Description: use thread local storage for internalModifiersName & internalCreatorsName Fix description: Created new thread local storage slapi functions for initializing, setting/getting thread local storage data in a new file thread_data.c. This was built on top of some of the changes for ticket 111. We create the index in main.c right before we start the plugins and worker threads. Then we set the bind dn in bind_credentials_set_nolock(), and we also set the thread data when we copy the operation in op_copy_identity so we can maintain the bind dn through different threads from the same connection. For plugins that create new threads we need to pass the new thread the bind dn (char *), and then set the thread data (slapi_td_set_dn()). https://fedorahosted.org/389/ticket/302
Bug Description: Add schema for DNA plugin Fix Description: Created a new ldif file: 10dna-plugin.ldif for the new schema. In the code, we just needed to replace extensibleObject with the new objectclass "dnaSharedConfig". Also updated the makefile for the new schema file. Creating new bug for the admin guide doc changes. https://fedorahosted.org/389/ticket/74
https://fedorahosted.org/389/ticket/169 Fix description: 1. DB suffix ".db4" is changed to ".db" if the server is linked with db5 (libdb); it remains ".db4" if linked with db4. 2. Fixed DB_VERSION macro to pick up the correct APIs for db5. 3. DB upgrade flag DBVERSION_UPGRADE_4_5 is introduced and set once it is found that the db4 to db5 upgrade is necessary. Upgrade from db4 to 5 requires cleaning up the region files (__db.##) and then updating the transaction log files. The database files are compatible. 4. Added code to db.m4 to check /usr/include/libdb/db.h. If /usr/include/db4/db.h does not exist AND libdb does, the db5 (libdb) header file is used. Note: packages db4-devel and libdb-devel cannot coexist.
We currently carry around some standard MIB files in our source tree and install them as well. Aside from our DS specific MIB file, these are all included as a part of the Net-SNMP distribution. We should not be carrying these files around as well. This patch removes the standard MIB files from our tree and updates the Makefile to avoid installing them.
https://fedorahosted.org/389/ticket/22 Resolves: Ticket #22 Bug Description: RFE: Support sendmail LDAP routing schema Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: First I had to fix the OID for ntGroupType. I assigned a new OID to it from our OID range. Next, I added a new file 60sendmail.ldif containing the new sendmail schema. This must be in a separate file. The problem is that the new schema is incompatible with the existing schema of the same name - different syntaxes and matching rules. So if you use 60sendmail.ldif, you must not use 50ns-mail.ldif, 60inetmail.ldif, or 60qmail.ldif. Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no
https://fedorahosted.org/389/ticket/263 Resolves: Ticket #263 Bug Description: add systemd include directive Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: Include the file /etc/sysconfig/dirsrv.systemd in the dirsrv@.service file, and add an empty /etc/sysconfig/dirsrv.systemd file. Applications that want to customize the dirsrv@.service file do not need to copy the file into /etc/systemd/system; they can just edit the /etc/sysconfig/dirsrv.systemd file. Platforms tested: Fedora 16 Flag Day: no Doc impact: no
…nstead https://fedorahosted.org/389/ticket/15 Resolves: Ticket #15 Bug Description: Get rid of rwlock.h/rwlock.c and just use slapi_rwlock instead Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: Get rid of slapd rwlock rwl API and use slapi_rwlock instead. The lib/base/rwlock code was not used at all, so get rid of it. Platforms tested: RHEL6 x86_64 Flag Day: Yes - header file and autoconf file changes Doc impact: no
subordinate entries fail to get the full DN. https://fedorahosted.org/389/ticket/2 Related Bugs: Bug 736431 - parent tombstone entry could be reaped even if its child tombstone entries still exist Bug 767024 - MMR: when a subtree is deleted and the backend is exported with -r, importing the ldif fails Fix Descriptions:

- The key format of the entryrdn index has been modified to allow traversing tombstoned node entries.
  old key format: [PC]entryID: <rdn> (nsuniqueid=<UNIQUEID>,<rdn>)
  new key format: [PC]entryID
  To traverse the DIT on entryrdn, rdn's are not needed. Just using entryID should work. Also, the rdn strings are stored in the entryrdn value. Thus, this key format change eliminates the redundancy. The main motivation of the change: a tombstone entry has a DN format "nsuniqueid=<UNIQUEID>,<original_dn>". If any of the ancestor entries of the tombstone entry were trying to get the full DN using entryrdn, there was no way to figure out the node's nsuniqueid from the leaf DN. That is, once an entire subtree was deleted, the leaf entries lost the ability to get the full DN using the entryrdn index. This fix makes entryrdn regain it.

- Once an entry has become a tombstone entry, ordinary operations such as search do not expect the entry to be returned. But it is needed when reaping the tombstone entries. To support the 2 conflicting requirements, a flag TOMBSTONE_INCLUDED is added. Passing the flag to dn2entry_ext, it returns the tombstoned entry. Also, there could be an entry whose rdn attribute is nsuniqueid, but which is not a tombstone entry. To support such a case, a set of new get parent APIs is added, which take a flag ls_tombstone to switch between the 2 behaviors:
  slapi_dn_find_parent_ext
  slapi_dn_parent_ext
  slapi_sdn_get_parent_ext
  slapi_sdn_get_backend_parent_ext

- Introduced a system attribute tombstoneNumSubordinates to hold the subordinate count of the tombstoned node. Once a normal entry is turned into a tombstone entry, it loses the numSubordinates attribute. The attribute value is used to determine whether the normal entry is a leaf or a node. The analogous knowledge is necessary to determine if the tombstone entry can be reaped or not. TombstoneNumSubordinates has been introduced to fulfill the goal. As long as the tombstoneNumSubordinates value is not 0, the tombstone entry won't be reaped. The tombstoneNumSubordinates attribute-value pair is added/modified when the child entries are deleted (note: child entries are never added since we don't allow adding a subordinate entry to a tombstone entry). Also, when an ldif file which contains tombstone entries is imported, the tombstoneNumSubordinates value is added to a tombstone node entry in the same way as the numSubordinates is to a normal node entry. To support the new behavior, the parentid index is now maintained for the tombstone entries, as well.

- Added an upgrade script: 91subtreereindex.pl to reformat the entryrdn index file.

- To check whether the upgrade is needed or not, introduced BDB_RDNFORMAT_VERSION: The current version is 1. bdb/4.8/libback-ldbm/newidl/rdn-format-1/dn-4514

- Modified an upgrade script 81changelog.pl to force removal of the unnecessary changelog related files.
https://bugzilla.redhat.com/show_bug.cgi?id=755725 Resolves: bug 755725 Bug Description: 389 programs linked against openldap crash during shutdown Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: With recent versions of openldap, you cannot link with both ldap_r and ldap - when the shared object _fini is run, the _fini from the one will stomp on the _fini from the other, and the program will crash. The fix is to link with ldap_r only in a threaded program, and ldap otherwise. Platforms tested: Fedora 16, RHEL6 x86_64 Flag Day: no Doc impact: no
…ystemd https://bugzilla.redhat.com/show_bug.cgi?id=695736 Resolves: bug 695736 Bug Description: Providing native systemd file for upcoming F15 Feature Systemd Reviewed by: nhosoi, nkinder (Thanks!) Branch: master Fix Description: Since we support multiple instances of directory server, create a dirsrv.target, and have the instances "want" that target. There is a service template file dirsrv@.service that supports replaceable parameters which are instance specific. When a new instance is created, we create a symlink called dirsrv@$instance.service which links to the template file. systemd fills in the %i with the correct instance name. The service command will not work. You have to use the systemctl command:

systemctl stop dirsrv@$instance.service - single instance
systemctl stop dirsrv.target - all instances

There are still some outstanding issues with systemd:

* systemctl restart dirsrv.target - will hang after shutting down the instances

When using systemd, you have to use the systemctl start command in startServer, or other systemd commands like status, restart and stop will not work. Note: the "group" name dirsrv.target is flexible - just change the --with-systemdgroupname=NAME when running configure. Platforms tested: Fedora 16 x86_64 Flag Day: yes Doc impact: yes
This adds support for the account usability request and response controls that are used by Solaris clients. This control allows one to check if an account is usable without actually performing a bind attempt as that entry. The OpenDS documentation describes the control in greater detail. Various information about the password policy is returned in the response control. To allow the new plug-in to get the password policy info (and to make password policy checks), I added some new SLAPI functions around password policies. I did this in such a way that we can add support for password policy plug-ins in the future if we expand upon this new API. The password policy is represented by an opaque Slapi_PWPolicy struct, which is currently just our internal pwpolicy struct. This will allow password policy plug-ins to have their own struct that meets their needs if we add support for constructor and destructor callbacks. By default, we only allow the root DN to use this control, though one can set an aci in the control entry under cn=features to allow others to use the control.
This adds a new slapi_rwlock API and uses it throughout the server. Internally, this API can allow either NSPR or POSIX rwlocks to be used for different platforms. This patch makes it use the POSIX implementation on Linux platforms since the NSPR implementation does not safely allow re-entrant reader locks to be used.
https://bugzilla.redhat.com/show_bug.cgi?id=703990 Resolves: bug 703990 Bug Description: Support upgrade from Red Hat Directory Server Reviewed by: nkinder (Thanks!) Branch: master Fix Description: added 50fixNsState.pl - if upgrading from a machine of a different arch, we need to fix the nsState attribute value used by the uniqueid generator and the CSN generator. If upgrading from 32-bit to 64-bit, we cannot update the uniqueid generator due to a bug in the generator code, so we just delete the entry and let the server recreate it. Platforms tested: RHEL6 x86_64 (from RHEL 5 32-bit and 64-bit) Flag Day: no Doc impact: yes
https://bugzilla.redhat.com/show_bug.cgi?id=703990 Resolves: bug 703990 Bug Description: Support upgrade from Red Hat Directory Server Reviewed by: nkinder (Thanks!) When doing an upgrade to a machine of a new architecture, allow the database to be upgraded "in place" by setup-ds.pl -u with LDIF files. If there is a file in the database ldif directory called backendname.upgrade.ldif, this file will be imported and renamed if the import was successful. Also fixed a bug in setup-ds.res Flag Day: yes Docs: yes
The memberOf plug-in is not currently triggered by internal modify, add, delete, or rename operations. This patch makes it work with internal operations so it can play nicely with other plug-ins that make membership changes, such as the new Auto Membership plug-in. The precedence for the referential integrity plug-in needed to be lowered to ensure consistency of membership attributes when both memberOf and referential integrity plug-ins are in use.
This adds a new auto-membership plug-in. This plug-in allows one to define rules that can assign newly added entries to groups. For details, see the design document on the 389 wiki, located at http://directory.fedoraproject.org/wiki/Auto_Membership_Design
The managed entry plug-in config entry is not added to "cn=config" when "setup-ds.pl -u" is run during an in-place upgrade. This adds an upgrade LDIF that adds the managed entry config entry.
https://bugzilla.redhat.com/show_bug.cgi?id=677774 Resolves: bug 677774 Bug Description: DS fails to start after reboot Reviewed by: nkinder (Thanks!) Branch: master Fix Description: Added a new configure switch --with-tmpfiles-d - this is the path to the tmpfiles.d directory. If this is set, ds create/update/migration will create the appropriate instance specific tmpfiles.d file. Platforms tested: Fedora 15 x86_64 Flag Day: no Doc impact: no
…ne utilities https://bugzilla.redhat.com/show_bug.cgi?id=576534 Resolves: bug 576534 Bug Description: Password displayed on console when entered in command-line utilities Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: Add a new configurable path - sttyexec - to configure.ac. This is the absolute path and filename of the stty command to use with the -echo and echo options to disable and enable tty echo for password entry with perl scripts. By default it is set to /bin/stty but it can be overridden on a per-platform basis in configure.ac. I had to move DialogManager.pm to DialogManager.pm.in in order to replace the stty command used there (which actually worked with just stty - not sure why that worked but other perl scripts did not). Platforms tested: RHEL6 x86_64 Flag Day: yes - file renamed - autoconf file changes Doc impact: no
This adds a pkg-config file to aid plug-in developers. With this new file, one can determine the cflags and library locations to link with by simply using pkg-config.
https://bugzilla.redhat.com/show_bug.cgi?id=669205 Description: Introduced backup plugin hooks: SLAPI_PLUGIN_BE_PRE_BACKUP_FN and SLAPI_PLUGIN_BE_POST_BACKUP_FN to call back cl5WriteRUV and cl5DeleteRUV, respectively. cl5WriteRUV adds RUVs to the changelog and cl5DeleteRUV reads and deletes RUVs in the changelog. The callback functions are available only when the process is initialized as a server, which must have started with the backend normal mode flag (DBLAYER_NORMAL_MODE), not with other utility modes such as DBLAYER_ARCHIVE_MODE. With this restriction, db2bak is not allowed to be used to back up the database including the changelog db when the server is up. If launched, the utility fails with this error message:

[...] - db2archive: pre-backup-plugin failed (1).
[...] - ERROR: Standalone db2bak is not supported when a multimaster replication enabled server is coexisting. Please use db2bak.pl, instead.

As mentioned in the message, db2bak.pl is supposed to be used. See also: http://directory.fedoraproject.org/wiki/Move_changelog#Backing_up_Changelog
…gelogged https://bugzilla.redhat.com/show_bug.cgi?id=182507 Description: Replication drops unhashed passwords, which are necessary for the AD password sync. This patch allows the passwords to be replicated and introduces a method to encrypt logs in the changelog. See also http://directory.fedoraproject.org/wiki/Changelog_Encryption
Added a new file 50replication-plugins.ldif which contains the replication plugin config entries - this file is used during installation to create the initial dse.ldif, and during upgrade to add the replication plugin config entries if they do not exist. Reviewed by: nhosoi (Thanks!)
https://bugzilla.redhat.com/show_bug.cgi?id=491733 Description: Getting rid of the dbtest.c file and its command line option in main.c. The tool is obsolete (new idl format is not supported).
This patch makes the access log entries for search, add, mod, del, and modrdn operations display the authzid that is used when the proxy authorization control is sent by the client.
…nfig Add the account policy plugin and related server code, schema, and config. A new switch to configure has been added, --enable-acctpolicy - this is enabled by default - so the plugin and the schema will be built and installed by default. The plugin will be in dse.ldif, but will be disabled by default. The original contribution had some minor problems with the schema and config entries - these have been cleaned up. The original contribution had a few memory leaks - these have been cleaned up.
https://bugzilla.redhat.com/show_bug.cgi?id=633168 Description:

* cl5_api.c, cl5_api.h
  - fetches dbEnv from backend using slapi_back_get_info.
  - unused macros and DB helper functions and APIs are removed.
* cl5_config.c
  - local changelog DB related config parameters are removed.
* Added SLAPI_PLUGIN_BE_PRE_CLOSE_FN and SLAPI_PLUGIN_BE_POST_OPEN_FN to close the changelog DB before dbEnv is closed and to open the changelog DB after dbEnv is opened, respectively.
* Added slapi APIs slapi_back_get_info and slapi_back_set_info to get/set the backend info.
* back-ldbm
  - db2bak[.pl] and bak2db[.pl] back up and restore the database files including the changelog db.
  - the changelog dir is backed up in <backupdir>/.repl_changelog_backup.
  - the underlying implementation ldbm_back_get_info for slapi_back_get_info is added.
* Added an upgrade script 81changelog.pl

See also: http://directory.fedoraproject.org/wiki/Move_changelog
forgot to add ldaptool_opts for the non BUNDLE case in Makefile.am