[Fedora-directory-commits] ldapserver/ldap/schema 60nss-ldap.ldif, NONE, 1.1
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28313/ldap/schema
Added Files:
60nss-ldap.ldif
Log Message:
Resolves: bug 202134
Description: add sudo and hostObject schemas by default
Fix Description: added 60nss-ldap.ldif for the hostObject and other nss ldap schema
--- NEW FILE 60nss-ldap.ldif ---
# LDAP Name Service Additional Schema
# http://www.iana.org/assignments/gssapi-service-names
dn: cn=schema
attributetypes: (
  1.3.6.1.4.1.5322.17.2.1
  NAME 'authorizedService'
  DESC 'IANA GSS-API authorized service name'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
  X-ORIGIN 'NSS LDAP schema'
  )
objectclasses: (
  1.3.6.1.4.1.5322.17.1.1
  NAME 'authorizedServiceObject'
  DESC 'Auxiliary object class for adding authorizedService attribute'
  SUP top
  AUXILIARY
  MAY authorizedService
  X-ORIGIN 'NSS LDAP schema'
  )
objectclasses: (
  1.3.6.1.4.1.5322.17.1.2
  NAME 'hostObject'
  DESC 'Auxiliary object class for adding host attribute'
  SUP top
  AUXILIARY
  MAY host
  X-ORIGIN 'NSS LDAP schema'
  )
15 years, 4 months
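The file added in the commit above is an LDAP schema fragment in LDIF form. The following Python script is an added example, not part of the commit or of the directory server code base: it unfolds LDIF continuation lines, parses the attributetypes/objectclasses definitions, and runs the checks a reviewer of a schema change would want automated, namely balanced definitions, OID uniqueness, a syntax OID from a known table, and MAY/MUST attribute names that resolve to a definition. The sample input embeds the file's three definitions as LDIF continuation lines; the `external_attrs` parameter and the small `KNOWN_SYNTAXES` table are this example's own devices, used here to say that `host` is defined by some other schema file, which the commit does not name.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the commit's 60nss-ldap.ldif definitions with LDIF continuation lines.
SAMPLE_LDIF = """\
# LDAP Name Service Additional Schema
dn: cn=schema
attributetypes: ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
  DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} X-ORIGIN 'NSS LDAP schema' )
objectclasses: ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
  DESC 'Auxiliary object class for adding authorizedService attribute'
  SUP top AUXILIARY MAY authorizedService X-ORIGIN 'NSS LDAP schema' )
objectclasses: ( 1.3.6.1.4.1.5322.17.1.2 NAME 'hostObject'
  DESC 'Auxiliary object class for adding host attribute'
  SUP top AUXILIARY MAY host X-ORIGIN 'NSS LDAP schema' )
"""

KNOWN_SYNTAXES = {  # a few RFC 4517 syntax OIDs, not an exhaustive table
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.15": "Directory String",
    "1.3.6.1.4.1.1466.115.121.1.27": "INTEGER",
}

@dataclass
class SchemaElement:
    kind: str                      # "attributetypes" or "objectclasses"
    oid: str
    name: str = ""
    syntax: Optional[str] = None   # syntax OID with any {length} suffix removed
    may: List[str] = field(default_factory=list)
    must: List[str] = field(default_factory=list)

def unfold_ldif(text: str) -> List[Tuple[str, str]]:
    """Join continuation lines, drop comments, return (lower-cased attr, value) pairs."""
    records: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and records:
            records[-1] += raw[1:]     # continuation: exactly one leading space is removed
        elif raw and not raw.startswith("#"):
            records.append(raw)
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition(":") for r in records)]

# a keyword followed by a 'quoted string', a ( $-separated list ) or one bare token
_FIELD = re.compile(r"(?<=\s)(NAME|DESC|EQUALITY|SYNTAX|SUP|MAY|MUST|X-ORIGIN)\s+"
                    r"('[^']*'|\([^)]*\)|\S+)")

def _as_list(token: str) -> List[str]:
    return [t.strip() for t in token.strip("()").split("$") if t.strip()]

def parse_element(kind: str, value: str) -> SchemaElement:
    """Parse one '( oid NAME ... )' definition."""
    head = re.match(r"\(\s*(\S+)", value)
    if not head or not value.endswith(")"):
        raise ValueError(f"unbalanced or malformed definition: {value!r}")
    elem = SchemaElement(kind=kind, oid=head.group(1))
    for key, token in _FIELD.findall(value):
        if key == "NAME":
            elem.name = token.strip("'")
        elif key == "SYNTAX":
            elem.syntax = re.sub(r"\{\d+\}$", "", token)
        elif key == "MAY":
            elem.may = _as_list(token)
        elif key == "MUST":
            elem.must = _as_list(token)
    return elem

def check_schema(ldif_text: str, external_attrs=()) -> Tuple[List[SchemaElement], List[str]]:
    """Return (elements, problems); external_attrs names attributes another schema file defines."""
    elements: List[SchemaElement] = []
    problems: List[str] = []
    seen = {}                          # oid -> first name that used it
    for attr, value in unfold_ldif(ldif_text):
        if attr not in ("attributetypes", "objectclasses"):
            continue
        try:
            elem = parse_element(attr, value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if elem.oid in seen:
            problems.append(f"duplicate OID {elem.oid}: '{seen[elem.oid]}' and '{elem.name}'")
        seen.setdefault(elem.oid, elem.name)
        if attr == "attributetypes" and elem.syntax not in KNOWN_SYNTAXES:
            problems.append(f"{elem.name}: syntax {elem.syntax} not in the known-syntax table")
        elements.append(elem)
    defined = {e.name.lower() for e in elements if e.kind == "attributetypes"}
    defined |= {n.lower() for n in external_attrs}
    for e in elements:
        for a in e.may + e.must:
            if e.kind == "objectclasses" and a.lower() not in defined:
                problems.append(f"{e.name}: attribute '{a}' is not defined in this file")
    return elements, problems

if __name__ == "__main__":
    elems, probs = check_schema(SAMPLE_LDIF, external_attrs=["host"])  # host comes from another schema file
    print(f"{len(elems)} definitions parsed; problems: {probs or 'none'}")
```

Run without `external_attrs` and the only finding is that `hostObject` references `host`, which this file does not define; that is exactly the cross-file dependency a schema reviewer should confirm is satisfied by the rest of the schema directory before the new file ships.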
[Fedora-directory-commits] ldapserver Makefile.am, 1.78, 1.79 aclocal.m4, 1.78, 1.79 configure, 1.98, 1.99 missing, 1.59, 1.60 install-sh, 1.59, 1.60 depcomp, 1.59, 1.60 compile, 1.52, 1.53 Makefile.in, 1.102, 1.103 config.sub, 1.58, 1.59 config.guess, 1.58, 1.59
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28313
Modified Files:
Makefile.am aclocal.m4 configure missing install-sh depcomp
compile Makefile.in config.sub config.guess
Log Message:
Resolves: bug 202134
Description: add sudo and hostObject schemas by default
Fix Description: added 60nss-ldap.ldif for the hostObject and other nss ldap schema
Index: Makefile.am
===================================================================
RCS file: /cvs/dirsec/ldapserver/Makefile.am,v
retrieving revision 1.78
retrieving revision 1.79
diff -u -r1.78 -r1.79
--- Makefile.am 4 Nov 2008 18:23:05 -0000 1.78
+++ Makefile.am 14 Jan 2009 18:48:41 -0000 1.79
@@ -228,6 +228,7 @@
$(srcdir)/ldap/schema/60sabayon.ldif \
$(srcdir)/ldap/schema/60sudo.ldif \
$(srcdir)/ldap/schema/60trust.ldif \
+ $(srcdir)/ldap/schema/60nss-ldap.ldif \
$(srcdir)/ldap/schema/99user.ldif
sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \
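Review bot: the log message says it adds the sudo and hostObject schemas by default, but `$(srcdir)/ldap/schema/60sudo.ldif \` is an unchanged context line in this hunk; the only new entry is `60nss-ldap.ldif`, so the message overstates what this change does and should say that only the nss-ldap file is new.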
Index: Makefile.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/Makefile.in,v
retrieving revision 1.102
retrieving revision 1.103
diff -u -r1.102 -r1.103
--- Makefile.in 4 Nov 2008 18:23:07 -0000 1.102
+++ Makefile.in 14 Jan 2009 18:48:41 -0000 1.103
@@ -1235,6 +1235,7 @@
$(srcdir)/ldap/schema/60sabayon.ldif \
$(srcdir)/ldap/schema/60sudo.ldif \
$(srcdir)/ldap/schema/60trust.ldif \
+ $(srcdir)/ldap/schema/60nss-ldap.ldif \
$(srcdir)/ldap/schema/99user.ldif
sbin_SCRIPTS = ldap/admin/src/scripts/setup-ds.pl \
[Fedora-directory-commits] ldapserver/wrappers initscript.in, 1.8, 1.9
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/wrappers
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19384/wrappers
Modified Files:
initscript.in
Log Message:
Resolves: 253311
Summary: Clean up formatting of init script output.
Index: initscript.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/wrappers/initscript.in,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- initscript.in 8 Dec 2007 17:40:32 -0000 1.8
+++ initscript.in 14 Jan 2009 17:19:32 -0000 1.9
@@ -143,7 +143,8 @@
successes=`expr $successes + 1`
server_running=1
else
- echo_n " not running, but pid file exists - attempt to start anyway..."
+ echo " not running, but pid file exists"
+ echo_n " $instance... attempting to start anyway"
rm -f $pidfile
fi
fi
@@ -218,10 +219,10 @@
touch $lockfile
fi
if [ $errors -ge 1 ]; then
- echo "*** Warning: $errors instance(s) failed to start"
+ echo " *** Warning: $errors instance(s) failed to start"
fi
else
- echo "*** Error: no $prog instances configured"
+ echo " *** Error: no $prog instances configured"
fi
}
@@ -229,10 +230,10 @@
echo "Shutting down $prog: "
errors=0
for instance in $INSTANCES; do
+ echo_n " $instance..."
pidfile=$piddir/slapd-$instance.pid
if [ -f $pidfile ]; then
pid=`cat $pidfile`
- echo_n " $instance..."
server_stopped=0
if kill -0 $pid > /dev/null 2>&1 ; then
kill $pid
@@ -242,6 +243,10 @@
failure; echo
errors=`expr $errors + 1`
fi
+ else
+ echo_n " server not running"
+ failure; echo
+ errors=`expr $errors + 1`
fi
if [ $server_stopped -eq 1 ] ; then
loop_counter=1
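Review bot: the new `else` branch for a pid file whose process no longer answers `kill -0` reports a failure and increments `$errors`, but leaves the stale `$pidfile` in place, whereas the start path in the first hunk handles the same condition by printing the message and running `rm -f $pidfile`. Remove the stale file here too, and consider whether an instance that is already gone should count as a failed stop at all, since the end state the caller asked for has been reached.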
@@ -266,10 +271,14 @@
rm -f $pidfile
fi
fi
+ else
+ echo_n " server already stopped"
+ failure; echo
+ errors=`expr $errors + 1`
fi
done
if [ $errors -ge 1 ]; then
- echo_n "*** Error: $errors instance(s) unsuccessfully stopped"
+ echo_n " *** Error: $errors instance(s) unsuccessfully stopped"
failure; echo
else
rm -f $lockfile
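Review bot: counting `server already stopped` (no pid file) as an error changes the exit status of `stop` on an idle host, and because `rm -f $lockfile` only runs in the `else` branch of `if [ $errors -ge 1 ]`, one already-stopped instance now leaves the lock file behind even when every other instance stopped cleanly. LSB init-script conventions treat stopping an already-stopped service as success; printing the message without touching `$errors` keeps the new output while preserving the exit status and the lock-file cleanup.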
[Fedora-directory-commits] ldapserver/ldap/schema 01common.ldif, 1.3, 1.4
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4430/ldapserver/ldap/schema
Modified Files:
01common.ldif
Log Message:
Resolves: bug 222055
Bug Description: DirSync interval should be configurable
Reviewed by: nhosoi (Thanks!)
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value. Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
Index: 01common.ldif
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/schema/01common.ldif,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- 01common.ldif 3 Dec 2008 00:03:25 -0000 1.3
+++ 01common.ldif 14 Jan 2009 15:07:58 -0000 1.4
@@ -218,6 +218,7 @@
attributeTypes: ( 2.16.840.1.113730.3.1.1003 NAME 'nsds7NewWinGroupSyncEnabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.1004 NAME 'nsds7WindowsDomain' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.1005 NAME 'nsds7DirsyncCookie' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.1099 NAME 'winSyncInterval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 1.3.6.1.1.4 NAME 'vendorName' EQUALITY 1.3.6.1.4.1.1466.109.114.1 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation X-ORIGIN 'RFC 3045' )
attributeTypes: ( 1.3.6.1.1.5 NAME 'vendorVersion' EQUALITY 1.3.6.1.4.1.1466.109.114.1 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation X-ORIGIN 'RFC 3045' )
attributeTypes: ( 2.16.840.1.113730.3.1.3023 NAME 'nsViewFilter' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'Netscape Directory Server' )
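Review bot: the new attribute is named `winSyncInterval` while every sibling in this block carries an `nsds7` or `nsds5` prefix, and `DESC 'Netscape defined attribute type'` says nothing about the unit; a prefixed name avoids collisions with other vendors' schema, and a DESC such as 'dirsync polling interval in seconds' records what the log message says the value means. Consider adding `EQUALITY integerMatch` and `ORDERING integerOrderingMatch` so filters on this INTEGER-syntax value are evaluated numerically rather than as strings.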
@@ -279,7 +280,7 @@
objectClasses: ( 2.16.840.1.113730.3.2.100 NAME 'cosClassicDefinition' DESC 'Netscape defined objectclass' SUP cosSuperDefinition MAY ( cosTemplateDn $ cosspecifier ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.101 NAME 'cosPointerDefinition' DESC 'Netscape defined objectclass' SUP cosSuperDefinition MAY ( cosTemplateDn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.102 NAME 'cosIndirectDefinition' DESC 'Netscape defined objectclass' SUP cosSuperDefinition MAY ( cosIndirectSpecifier ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.503 NAME 'nsDSWindowsReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5replicaSessionPauseTime $ nsds7WindowsReplicaSubtree $ nsds7DirectoryReplicaSubtree $ nsds7NewWinUserSyncEnabled $ nsds7NewWinGroupSyncEnabled $ nsds7WindowsDomain $ nsds7DirsyncCookie) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.503 NAME 'nsDSWindowsReplicationAgreement' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsDS5ReplicaHost $ nsDS5ReplicaPort $ nsDS5ReplicaTransportInfo $ nsDS5ReplicaBindDN $ nsDS5ReplicaCredentials $ nsDS5ReplicaBindMethod $ nsDS5ReplicaRoot $ nsDS5ReplicatedAttributeList $ nsDS5ReplicaUpdateSchedule $ nsds5BeginReplicaRefresh $ description $ nsds50ruv $ nsruvReplicaLastModified $ nsds5ReplicaTimeout $ nsds5replicaChangesSentSinceStartup $ nsds5replicaLastUpdateEnd $ nsds5replicaLastUpdateStart $ nsds5replicaLastUpdateStatus $ nsds5replicaUpdateInProgress $ nsds5replicaLastInitEnd $ nsds5replicaLastInitStart $ nsds5replicaLastInitStatus $ nsds5debugreplicatimeout $ nsds5replicaBusyWaitTime $ nsds5replicaSessionPauseTime $ nsds7WindowsReplicaSubtree $ nsds7DirectoryReplicaSubtree $ nsds7NewWinUserSyncEnabled $ nsds7NewWinGroupSyncEnabled $ nsds7WindowsDomain $ nsds7DirsyncCookie $ winSyncInterval) X-ORIGIN 'Netscape Dir
ectory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.128 NAME 'costemplate' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ cospriority ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.304 NAME 'nsView' DESC 'Netscape defined objectclass' SUP top AUXILIARY MAY ( nsViewFilter $ description ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.316 NAME 'nsAttributeEncryption' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsEncryptionAlgorithm ) X-ORIGIN 'Netscape Directory Server' )
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5.h, 1.13, 1.14 repl_globals.c, 1.7, 1.8 windows_inc_protocol.c, 1.18, 1.19 windows_private.c, 1.22, 1.23 windowsrepl.h, 1.17, 1.18
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4430/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5.h repl_globals.c windows_inc_protocol.c
windows_private.c windowsrepl.h
Log Message:
Resolves: bug 222055
Bug Description: DirSync interval should be configurable
Reviewed by: nhosoi (Thanks!)
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value. Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
Index: repl5.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5.h,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- repl5.h 4 Nov 2008 18:23:08 -0000 1.13
+++ repl5.h 14 Jan 2009 15:07:58 -0000 1.14
@@ -149,6 +149,7 @@
extern const char *type_nsds7CreateNewGroups;
extern const char *type_nsds7DirsyncCookie;
extern const char *type_nsds7WindowsDomain;
+extern const char *type_winSyncInterval;
/* To Allow Consumer Initialisation when adding an agreement - */
extern const char *type_nsds5BeginReplicaRefresh;
Index: repl_globals.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl_globals.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- repl_globals.c 10 Nov 2006 23:45:17 -0000 1.7
+++ repl_globals.c 14 Jan 2009 15:07:58 -0000 1.8
@@ -126,13 +126,14 @@
const char *type_nsds5ReplicaBusyWaitTime = "nsds5ReplicaBusyWaitTime";
const char *type_nsds5ReplicaSessionPauseTime = "nsds5ReplicaSessionPauseTime";
-/* windows sync specifica attributes */
+/* windows sync specific attributes */
const char *type_nsds7WindowsReplicaArea = "nsds7WindowsReplicaSubtree";
const char *type_nsds7DirectoryReplicaArea = "nsds7DirectoryReplicaSubtree";
const char *type_nsds7CreateNewUsers = "nsds7NewWinUserSyncEnabled";
const char *type_nsds7CreateNewGroups = "nsds7NewWinGroupSyncEnabled";
const char *type_nsds7WindowsDomain = "nsds7WindowsDomain";
const char *type_nsds7DirsyncCookie = "nsds7DirsyncCookie";
+const char *type_winSyncInterval = "winSyncInterval";
/* To Allow Consumer Initialisation when adding an agreement - */
const char *type_nsds5BeginReplicaRefresh = "nsds5BeginReplicaRefresh";
Index: windows_inc_protocol.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_inc_protocol.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- windows_inc_protocol.c 5 Dec 2008 22:41:52 -0000 1.18
+++ windows_inc_protocol.c 14 Jan 2009 15:07:58 -0000 1.19
@@ -128,11 +128,6 @@
*/
#define MAX_WAIT_BETWEEN_SESSIONS PR_SecondsToInterval(60 * 5) /* 5 minutes */
/*
- * Periodic synchronization interval. This is used for scheduling the periodic_dirsync event.
- * The time is in milliseconds.
- */
-#define PERIODIC_DIRSYNC_INTERVAL 5 * 60 * 1000 /* DBDB this should probably be configurable. 5 mins fixed for now */
-/*
* tests if the protocol has been shutdown and we need to quit
* event_occurred resets the bits in the bit flag, so whoever tests for shutdown
* resets the flags, so the next one who tests for shutdown won't get it, so we
@@ -345,12 +340,13 @@
if (is_first_start) {
+ unsigned long interval = windows_private_get_sync_interval(prp->agmt) * 1000;
/*
* The function, the arguments, the time (hence) when it is first to be called,
* and the repeat interval.
*/
/* DBDB: we should probably make this polling interval configurable */
- dirsync = slapi_eq_repeat(periodic_dirsync, (void*) prp, (time_t)0 , PERIODIC_DIRSYNC_INTERVAL);
+ dirsync = slapi_eq_repeat(periodic_dirsync, (void*) prp, (time_t)0 , interval);
is_first_start = PR_FALSE;
}
break;
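Review bot: the comment `/* DBDB: we should probably make this polling interval configurable */` is now obsolete, since this hunk is what makes it configurable; delete it. The expression `windows_private_get_sync_interval(prp->agmt) * 1000` stored in an `unsigned long` has no upper bound: a configured value above 4294967 seconds wraps on platforms where `unsigned long` is 32 bits, so either the setter or this call site should clamp the interval to a sane maximum before converting to milliseconds.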
Index: windows_private.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_private.c,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- windows_private.c 5 Dec 2008 22:41:52 -0000 1.22
+++ windows_private.c 14 Jan 2009 15:07:58 -0000 1.23
@@ -73,6 +73,7 @@
Slapi_Filter *deleted_filter; /* Used for checking if an entry is an AD tombstone */
Slapi_Entry *raw_entry; /* "raw" un-schema processed last entry read from AD */
void *api_cookie; /* private data used by api callbacks */
+ time_t sync_interval; /* how often to run the dirsync search, in seconds */
};
static void windows_private_set_windows_domain(const Repl_Agmt *ra, char *domain);
@@ -153,6 +154,16 @@
tmpstr = NULL;
retval = 1;
}
+ if (type == NULL || slapi_attr_types_equivalent(type,type_winSyncInterval))
+ {
+ tmpstr = slapi_entry_attr_get_charptr(e, type_winSyncInterval);
+ if (NULL != tmpstr)
+ {
+ windows_private_set_sync_interval(ra,tmpstr);
+ }
+ slapi_ch_free_string(&tmpstr);
+ retval = 1;
+ }
return retval;
}
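Review bot: when `winSyncInterval` is absent from the agreement entry, `tmpstr` is NULL and nothing is set, so removing the attribute from an existing agreement leaves the previously configured value in `dp->sync_interval` instead of reverting to `PERIODIC_DIRSYNC_INTERVAL`; add an else branch that resets the default so the configuration round-trips. The log message notes the value is only picked up when the agreement is created or restarted, which is worth stating in a comment here as well.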
@@ -203,6 +214,7 @@
dp->dirsync_maxattributecount = -1;
dp->directory_filter = NULL;
dp->deleted_filter = NULL;
+ dp->sync_interval = PERIODIC_DIRSYNC_INTERVAL;
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_new\n" );
return dp;
@@ -866,6 +878,43 @@
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_set_api_cookie\n" );
}
+time_t
+windows_private_get_sync_interval(const Repl_Agmt *ra)
+{
+ Dirsync_Private *dp;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_get_sync_interval\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_get_sync_interval\n" );
+
+ return dp->sync_interval;
+}
+
+void
+windows_private_set_sync_interval(Repl_Agmt *ra, char *str)
+{
+ Dirsync_Private *dp;
+ time_t tmpval = 0;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_set_sync_interval\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+
+ if (str && (tmpval = (time_t)atol(str))) {
+ dp->sync_interval = tmpval;
+ }
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_set_sync_interval\n" );
+}
+
/* an array of function pointers */
static void **_WinSyncAPI = NULL;
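Review bot: `atol(str)` accepts negative numbers and trailing junk (`"-60"`, `"60x"`), and the only validation is the non-zero test, so a negative interval is stored and later multiplied by 1000 into an `unsigned long` by the caller in windows_inc_protocol.c. Parse with `strtol` and an end-pointer check, reject `tmpval <= 0`, and log the rejected value so a bad config entry is visible in the error log; `str` is never modified, so `const char *str` fits the signature better.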
Index: windowsrepl.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- windowsrepl.h 23 Sep 2008 21:13:22 -0000 1.17
+++ windowsrepl.h 14 Jan 2009 15:07:58 -0000 1.18
@@ -80,6 +80,8 @@
void windows_private_set_raw_entry(const Repl_Agmt *ra, Slapi_Entry *e);
void *windows_private_get_api_cookie(const Repl_Agmt *ra);
void windows_private_set_api_cookie(Repl_Agmt *ra, void *cookie);
+time_t windows_private_get_sync_interval(const Repl_Agmt *ra);
+void windows_private_set_sync_interval(Repl_Agmt *ra, char *str);
/* in windows_connection.c */
ConnResult windows_conn_connect(Repl_Connection *conn);
@@ -122,6 +124,12 @@
#define NTUNIQUEID_LENGTH 32
#define AD_GUID_LENGTH 36
+/*
+ * Periodic synchronization interval. This is used for scheduling the periodic_dirsync event.
+ * The time is in seconds.
+ */
+#define PERIODIC_DIRSYNC_INTERVAL 5 * 60 /* default value is 5 minutes */
+
/* called for each replication agreement - so the winsync
plugin can be agreement specific and store agreement
specific data
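Review bot: `#define PERIODIC_DIRSYNC_INTERVAL 5 * 60` should be written `(5 * 60)` so the macro is safe inside a larger expression; it expands to 300 seconds, while the log message says the default is 600. The unit also changed from milliseconds (the define removed from windows_inc_protocol.c) to seconds, so any other remaining user of the macro would now get a value a thousand times smaller than before; worth a grep for the macro name before committing.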
[Fedora-directory-commits] ldapserver/ldap/servers/slapd util.c, 1.26, 1.27
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24442/ldapserver/ldap/servers/slapd
Modified Files:
util.c
Log Message:
Resolves: bug 479313
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server
Reviewed by: nhosoi (Thanks!)
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- util.c 9 Jan 2009 21:30:56 -0000 1.26
+++ util.c 13 Jan 2009 22:24:15 -0000 1.27
@@ -1105,6 +1105,7 @@
return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL);
}
+#include <sasl.h>
/*
* Does the correct bind operation simple/sasl/cert depending
* on the arguments passed in. If the user specified to use
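Review bot: `#include <sasl.h>` is dropped between two function bodies (it is moved up from the block the last hunk removes, so it was already mid-file); it belongs with the other includes at the top of util.c, where a reader expects to find the header dependencies of this file.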
@@ -1258,7 +1259,8 @@
} else {
/* a SASL mech - set the sasl ssf to 0 if using TLS/SSL */
if (secure) {
- ldap_set_option(ld, LDAP_OPT_X_SASL_SECPROPS, "maxssf=0");
+ sasl_ssf_t max_ssf = 0;
+ ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf);
}
rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech,
serverctrls, returnedctrls,
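Review bot: the return value of `ldap_set_option(ld, LDAP_OPT_X_SASL_SSF_MAX, &max_ssf)` is ignored; if the option is rejected the bind silently proceeds and SASL may still negotiate a security layer on top of TLS, so check the result and log it. A one-line comment pointing at the Mozilla bug from the log message (https://bugzilla.mozilla.org/show_bug.cgi?id=473438) would stop a future cleanup from reintroducing `LDAP_OPT_X_SASL_SECPROPS`, which returns without releasing the option lock.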
@@ -1282,7 +1284,6 @@
/* the following implements the client side of sasl bind, for LDAP server
-> LDAP server SASL */
-#include <sasl.h>
typedef struct {
char *mech;
[Fedora-directory-commits] ldapserver/ldap/servers/slapd ssl.c, 1.21, 1.22
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv727/ldapserver/ldap/servers/slapd
Modified Files:
ssl.c
Log Message:
Resolves: bug 479202
Bug Description: Acceptance test: mmrepl {accept,chainonupdate} : slapd dumps core during accept_cleanup()
Reviewed by: nkinder (Thanks!)
Fix Description: Have to call ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE) after setting up the connection for client auth
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- ssl.c 5 Dec 2008 22:41:52 -0000 1.21
+++ ssl.c 13 Jan 2009 19:01:10 -0000 1.22
@@ -1159,15 +1159,6 @@
/* Free config data */
- /* We cannot allow NSS to cache outgoing client auth connections -
- each client auth connection must have it's own non-shared SSL
- connection to the peer so that it will go through the
- entire handshake protocol every time including the use of its
- own unique client cert - see bug 605457
- */
-
- ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
-
#ifndef _WIN32
StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
err = SVRCORE_StdPinGetPin( &pw, StdPinObj, token );
@@ -1188,6 +1179,15 @@
SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
SERVER_KEY_NAME, cert_name, rc,
errorCode, slapd_pr_strerror(errorCode));
+ } else {
+ /* We cannot allow NSS to cache outgoing client auth connections -
+ each client auth connection must have it's own non-shared SSL
+ connection to the peer so that it will go through the
+ entire handshake protocol every time including the use of its
+ own unique client cert - see bug 605457
+ */
+
+ ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE);
}
}
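Review bot: the return value of `ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE)` is still ignored; since the point of the call, per the comment, is that each client-auth connection must run the full handshake with its own certificate, a failure here should be logged rather than silently allowing a cached session to be reused. While the comment is being moved, `it's own non-shared SSL connection` should read `its own`.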
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_protocol_util.c, 1.48, 1.49
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28075/ldapserver/ldap/servers/plugins/replication
Modified Files:
windows_protocol_util.c
Log Message:
Resolves: bug 204966
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: nkinder (Thanks!)
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure. Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation.
I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot login - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- windows_protocol_util.c 9 Jan 2009 21:30:55 -0000 1.48
+++ windows_protocol_util.c 13 Jan 2009 18:28:34 -0000 1.49
@@ -993,8 +993,55 @@
slapi_log_error(SLAPI_LOG_REPL, NULL, "Attempting to add entry %s to AD for local entry %s\n",remote_dn_string,local_dn_string);
}
+/*
+ * The entry may have been modified to make it "sync-able", so the modify operation should
+ * actually trigger the addition of the entry to windows
+ * check the list of mods to see if the sync objectclass/attributes were added to the entry
+ * and if so if the current local entry still has them
+*/
+static int
+sync_attrs_added(LDAPMod **original_mods, Slapi_Entry *local_entry) {
+ int retval = 0;
+ int ii = 0;
+ char *useroc = "ntuser";
+ char *groupoc = "ntgroup";
+ size_t ulen = 6;
+ size_t glen = 7;
+
+ for (ii = 0; (retval == 0) && original_mods && original_mods[ii]; ++ii) {
+ LDAPMod *mod = original_mods[ii];
+ /* look for a mod/add or replace op with valid type and values */
+ if (!(SLAPI_IS_MOD_ADD(mod->mod_op) || SLAPI_IS_MOD_REPLACE(mod->mod_op)) ||
+ !mod->mod_type || !mod->mod_bvalues || !mod->mod_bvalues[0]) {
+ continue; /* skip it */
+ }
+ /* if it has an objectclass mod, see if ntuser or ntgroup is one of them */
+ if (!strcasecmp(mod->mod_type, "objectclass")) {
+ int jj = 0;
+ for (jj = 0; (retval == 0) && mod->mod_bvalues[jj]; ++jj) {
+ struct berval *bv = mod->mod_bvalues[jj];
+ if (((bv->bv_len == ulen) && !PL_strncasecmp(useroc, bv->bv_val, ulen)) ||
+ ((bv->bv_len == glen) && !PL_strncasecmp(groupoc, bv->bv_val, glen))) {
+ retval = 1; /* has magic objclass value */
+ }
+ }
+ }
+ }
+
+ /* if the modify op had the right values, see if they are still present in
+ the local entry */
+ if (retval == 1) {
+ retval = add_remote_entry_allowed(local_entry); /* check local entry */
+ if (retval < 0) {
+ retval = 0;
+ }
+ }
+
+ return retval;
+}
+
static ConnResult
-process_replay_add(Private_Repl_Protocol *prp, slapi_operation_parameters *op, Slapi_Entry *local_entry, Slapi_DN *local_dn, Slapi_DN *remote_dn, int is_user, int missing_entry, char **password)
+process_replay_add(Private_Repl_Protocol *prp, Slapi_Entry *add_entry, Slapi_Entry *local_entry, Slapi_DN *local_dn, Slapi_DN *remote_dn, int is_user, int missing_entry, char **password)
{
int remote_add_allowed = add_remote_entry_allowed(local_entry);
ConnResult return_value = 0;
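Review bot: `sync_attrs_added()` returns 1 only when the objectclass mod itself carries `ntuser` or `ntgroup`; a later modify that adds just the enabling attribute (the comment removed in the windows_replay_update hunk below names `ntUserCreateNewAccount` and `ntGroupCreateNewAccount`) to an entry that already has the objectclass returns 0 even though `add_remote_entry_allowed()` would accept the entry, so that entry is still never added to AD. Treat an add or replace of those attributes as a trigger too, and use `strlen(useroc)` and `strlen(groupoc)` instead of the hard-coded `ulen = 6` and `glen = 7`, which silently break if the literals change.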
@@ -1083,7 +1130,7 @@
LDAPMod **entryattrs = NULL;
Slapi_Entry *mapped_entry = NULL;
/* First map the entry */
- rc = windows_create_remote_entry(prp,op->p.p_add.target_entry, remote_dn, &mapped_entry, password);
+ rc = windows_create_remote_entry(prp,add_entry, remote_dn, &mapped_entry, password);
/* Convert entry to mods */
if (0 == rc && mapped_entry)
{
@@ -1212,27 +1259,37 @@
agmt_get_long_name(prp->agmt),
op2string(op->operation_type), op->target_address.dn, slapi_sdn_get_dn(remote_dn));
switch (op->operation_type) {
- /*
- we should check the modify case first and check the list of mods -
- if the magic objectclass (ntuser) and attributes (ntUserCreateNewAccount
- or ntGroupCreateNewAccount) then we should fall through to the ADD case
- since the user wants to add the user to AD - could maybe just change
- process_replay_add slightly, to add the mods list from the modify
- operation - process_replay_add already turns the entry into a mods list
- to pass to the ldap add operation, so it should not be too much more
- trouble to apply the additional mods from the modify operation - we'll
- have to pass in local entry, or perhaps just change the operation from
- modify to an add, and set the op->p.p_add.target_entry to the local_entry
- which gets retrieved above
- */
case SLAPI_OPERATION_ADD:
- return_value = process_replay_add(prp,op,local_entry,local_dn,remote_dn,is_user,missing_entry,&password);
+ return_value = process_replay_add(prp,op->p.p_add.target_entry,local_entry,local_dn,remote_dn,is_user,missing_entry,&password);
break;
case SLAPI_OPERATION_MODIFY:
{
LDAPMod **mapped_mods = NULL;
char *newrdn = NULL;
+ /*
+ * If the magic objectclass and attributes have been added to the entry
+ * to make the entry sync-able, add the entry first, then apply the other
+ * mods
+ */
+ if (sync_attrs_added(op->p.p_modify.modify_mods, local_entry)) {
+ Slapi_Entry *ad_entry = NULL;
+
+ return_value = process_replay_add(prp,local_entry,local_entry,local_dn,remote_dn,is_user,missing_entry,&password);
+ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
+ "%s: windows_replay_update: "
+ "The modify operation added the sync objectclass and attribute, so "
+ "the entry was added to windows - result [%d]\n",
+ agmt_get_long_name(prp->agmt), return_value);
+ if (return_value) {
+ break; /* error adding entry - cannot continue */
+ }
+ /* the modify op needs the new remote entry, so retrieve it */
+ windows_get_remote_entry(prp, remote_dn, &ad_entry);
+ slapi_entry_free(ad_entry); /* getting sets windows_private_get_raw_entry */
+ }
+
+
windows_map_mods_for_replay(prp,op->p.p_modify.modify_mods, &mapped_mods, is_user, &password,
windows_private_get_raw_entry(prp->agmt));
if (is_user) {
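Review bot: the result of `windows_get_remote_entry(prp, remote_dn, &ad_entry)` is discarded; if the fetch fails, the `windows_private_get_raw_entry(prp->agmt)` handed to `windows_map_mods_for_replay` is whatever was cached before the add, not the entry just created. Check the returned ConnResult and `break` on failure as the add-failure path just above does. The two blank lines after the block are a style nit.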
@@ -1336,18 +1393,19 @@
slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
"%s: windows_replay_update: update password returned %d\n",
agmt_get_long_name(prp->agmt), return_value );
- } else {
- /* If we successfully added an entry, and then subsequently changed
- * its password, THEN we need to change its status in AD in order
- * that it can be used (otherwise the user is marked as disabled).
- * To do this we set this attribute and value:
- * userAccountControl: 512 */
- if (op->operation_type == SLAPI_OPERATION_ADD && missing_entry)
- {
- return_value = send_accountcontrol_modify(remote_dn, prp, missing_entry);
- }
}
}
+ /* If we successfully added an entry, and then subsequently changed
+ * its password, THEN we need to change its status in AD in order
+ * that it can be used (otherwise the user is marked as disabled).
+ * To do this we set this attribute and value:
+ * userAccountControl: 512
+ * Or, if we added a new entry, we need to change the useraccountcontrol
+ * to make the new user enabled by default
+ */
+ if ((return_value == CONN_OPERATION_SUCCESS) && remote_dn && (password || missing_entry)) {
+ return_value = send_accountcontrol_modify(remote_dn, prp, missing_entry);
+ }
} else {
/* We ignore operations that target entries outside of our sync'ed subtree, or which are not Windows users or groups */
}
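Review bot: with the new condition `(password || missing_entry)`, an entry that reaches AD through the modify-triggered add path is enabled (`userAccountControl: 512`) even though, as the log message notes, no clear-text password is sent, leaving an enabled account whose credential nobody has set. From a least-privilege standpoint it would be safer to create that account disabled and enable it only when `password` is non-NULL, that is once a password has actually synced; if the current behaviour is kept, the documentation the log message promises should spell it out so administrators know to reset the password promptly.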
[Fedora-directory-commits] ldapserver/ldap/servers/slapd attr.c, 1.9, 1.10 ava.c, 1.9, 1.10
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28075/ldapserver/ldap/servers/slapd
Modified Files:
attr.c ava.c
Log Message:
Resolves: bug 204966
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: nkinder (Thanks!)
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure. Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation.
I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot log in - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
Index: attr.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/attr.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- attr.c 30 Aug 2007 15:56:36 -0000 1.9
+++ attr.c 13 Jan 2009 18:28:34 -0000 1.10
@@ -707,6 +707,7 @@
if((NULL == a) || (NULL == type)) {
rc = -1;
} else {
+ slapi_ch_free_string(&a->a_type);
a->a_type = slapi_ch_strdup(type);
}
return rc;
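Review bot: `slapi_ch_free_string(&a->a_type);` ahead of the strdup plugs the leak, but it assumes `type` never aliases the attribute's current `a_type`: the old string is released (and the pointer NULLed) before `slapi_ch_strdup(type)` runs, so a caller that passes `a->a_type` itself would duplicate from freed memory. Worth confirming no caller re-sets the type from the attribute's own string, or else taking the copy before the free, and that every Slapi_Attr constructor zeroes the struct so the first free sees NULL rather than an uninitialised pointer.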
Index: ava.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ava.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ava.c 6 Jan 2009 22:50:30 -0000 1.9
+++ ava.c 13 Jan 2009 18:28:34 -0000 1.10
@@ -50,8 +50,6 @@
#endif
#include "slap.h"
-static void strcpy_special_undo();
-
int
get_ava(
BerElement *ber,
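Review bot: dropping the `static void strcpy_special_undo();` forward declaration removes the warning about its empty parameter list, but that is only safe if no call site precedes the function's definition in ava.c; if the function is no longer called at all, its definition should be removed in the same change, otherwise this trades one warning for an unused-static-function one.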
[Fedora-directory-commits] ldapserver/ldap/schema 28pilot.ldif, 1.4, 1.5
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/schema
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3189/ldap/schema
Modified Files:
28pilot.ldif
Log Message:
Resolves: 437900
Summary: Add AUXILIARY keyword to domainRelatedObject and simpleSecurityObject definitions.
Index: 28pilot.ldif
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/schema/28pilot.ldif,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- 28pilot.ldif 19 Apr 2005 22:07:27 -0000 1.4
+++ 28pilot.ldif 12 Jan 2009 23:49:44 -0000 1.5
@@ -88,7 +88,7 @@
objectClasses: ( 0.9.2342.19200300.100.4.6 NAME 'document' DESC 'Standard LDAP objectclass' SUP pilotObject MUST ( documentIdentifier ) MAY ( abstract $ authorCN $ authorSN $ cn $ description $ documentAuthor $ documentLocation $ documentPublisher $ documentStore $ documentTitle $ documentVersion $ keywords $ l $ o $ obsoletedByDocument $ obsoletesDocument $ ou $ seeAlso $ subject $ updatedByDocument $ updatesDocument ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.7 NAME 'room' DESC 'Standard LDAP objectclass' SUP top MUST ( cn ) MAY ( description $ roomNumber $ seeAlso $ telephoneNumber ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.9 NAME 'documentSeries' DESC 'Standard LDAP objectclass' SUP top MUST ( cn ) MAY ( description $ l $ o $ ou $ seeAlso $ telephoneNumber ) X-ORIGIN 'RFC 1274' )
-objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'Standard LDAP objectclass' SUP top MUST ( associatedDomain ) X-ORIGIN 'RFC 1274' )
+objectClasses: ( 0.9.2342.19200300.100.4.17 NAME 'domainRelatedObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( associatedDomain ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.18 NAME 'friendlyCountry' DESC 'Standard LDAP objectclass' SUP country MUST ( co ) X-ORIGIN 'RFC 1274' )
-objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'Standard LDAP objectclass' SUP top MUST ( userPassword ) X-ORIGIN 'RFC 1274' )
+objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( userPassword ) X-ORIGIN 'RFC 1274' )
objectClasses: ( 0.9.2342.19200300.100.4.20 NAME 'pilotOrganization' DESC 'Standard LDAP objectclass' SUP top MUST ( ou $ o ) MAY ( buildingName $ businessCategory $ description $ destinationIndicator $ facsimileTelephoneNumber $ internationaliSDNNumber $ l $ physicalDeliveryOfficeName $ postOfficeBox $ postalAddress $ postalCode $ preferredDeliveryMethod $ registeredAddress $ searchGuide $ seeAlso $ st $ street $ telephoneNumber $ teletexTerminalIdentifier $ telexNumber $ userPassword $ x121Address ) X-ORIGIN 'RFC 1274' )
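Review bot: adding AUXILIARY to domainRelatedObject and simpleSecurityObject matches their RFC 1274 intent (both are SUP top with a single MUST and are meant to be attached to an existing structural entry), but it changes the schema seen by deployed data: any existing entry whose only classes were top plus one of these now has no structural object class and may be rejected by schema checking on its next modify. Suggest a release-note entry for the migration and, since simpleSecurityObject's MUST is userPassword, a check that service-account entries built on it still validate.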