[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'debian-unstable'
Timo Aaltonen
tjaalton-guest at alioth.debian.org
Thu Jun 28 06:14:28 UTC 2012
VERSION.sh | 2 -
debian/changelog | 2 -
debian/watch | 2 -
ldap/servers/plugins/deref/deref.c | 2 +
ldap/servers/plugins/replication/replutil.c | 2 -
ldap/servers/slapd/ldaputil.c | 47 ++++++++++++++++++++++++++++
ldap/servers/slapd/pw.c | 15 +++-----
ldap/servers/slapd/pw_retry.c | 42 ++++++++++++++-----------
8 files changed, 83 insertions(+), 31 deletions(-)
New commits:
commit b437357f1b9c291f7b61d705ebcb75df2b2939d6
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Thu Jun 28 09:14:23 2012 +0300
bump the version
diff --git a/debian/changelog b/debian/changelog
index bcf0fe5..4580ac5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-389-ds-base (1.2.11.6-1) UNRELEASED; urgency=low
+389-ds-base (1.2.11.7-1) UNRELEASED; urgency=low
[ Timo Aaltonen ]
* New upstream release.
commit a2d2d2441aa7bd06748a1ab3106cac7b8c67b9b2
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date: Thu Jun 28 09:13:26 2012 +0300
fix the watch file again
diff --git a/debian/watch b/debian/watch
index 01ece3e..2109aac 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,2 +1,2 @@
version=3
-http://directory.fedoraproject.org/sources/389-ds-base-(.*).tar.bz2
+http://directory.fedoraproject.org/wiki/Source .*/389-ds-base-(.*).tar.bz2
commit 607abfe8df42963361e1cf4f2c85bfd18d1e2845
Author: Rich Megginson <rmeggins at redhat.com>
Date: Wed Jun 27 10:57:12 2012 -0600
bump version to 1.2.11.7
diff --git a/VERSION.sh b/VERSION.sh
index 87f74d8..50bfbe8 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
# PACKAGE_VERSION is constructed from these
VERSION_MAJOR=1
VERSION_MINOR=2
-VERSION_MAINT=11.6
+VERSION_MAINT=11.7
# if this is a PRERELEASE, set VERSION_PREREL
# otherwise, comment it out
# be sure to include the dot prefix in the prerel
commit 4bf9444a082f25f289a973128c243583831cc848
Author: Rich Megginson <rmeggins at redhat.com>
Date: Wed Jun 27 10:32:38 2012 -0600
Ticket 378 - unhashed#user#password visible after changing password
declare is_type_forbidden in deref.c
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index d97dc0a..7c502df 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -46,6 +46,8 @@
#include "deref.h"
#include <nspr.h>
+int is_type_forbidden(const char *type); /* from proto-slap.h */
+
#ifndef DN_SYNTAX_OID
#define DN_SYNTAX_OID "1.3.6.1.4.1.1466.115.121.1.12"
#endif
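Review bot: The prototype added above DN_SYNTAX_OID hand-copies a declaration that its own comment attributes to proto-slap.h, so if the signature of is_type_forbidden in that header ever changes, nothing in deref.c will make the compiler notice. If the plugin can include the slapd header that provides proto-slap.h, the include is the safer form; if it cannot (plugin build boundaries are not visible here), say so in the comment, e.g. `/* from proto-slap.h; declared here because the plugin does not include the slapd-internal headers */`, so the next reader does not remove it. The call sites that use is_type_forbidden to keep unhashed#user#password out of dereferenced results are outside this hunk, so whether every attribute the plugin returns passes through the check cannot be judged from here.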
commit 5b715ab9d55a7c40b3c636b0adad26c9e30c693a
Author: Mark Reynolds <mreynolds at redhat.com>
Date: Wed Jun 27 10:35:08 2012 -0400
Ticket 366 - Change DS to purge ticket from krb cache in case of authentication error
Bug Description: Under certain circumstances, a replica can be removed, and readded,
but the master replica still holds its old kerberos credentials in
a cache(ccache). Until the master replica is restarted, replication
will not resume.
Fix Description: If a SASL bind fails, the mechanism is GSSAPI, and the error is 49 (invalid credentials), clear
out the ccache.
I also noticed that when this situation arises we report errors when
trying to update the referrals in the repl agreement to this replica.
The error is 20(type or value exists), and it will log at least one of
these messages per update. The error should not be written to the
error log, as it's not a problem that needs reporting.
https://fedorahosted.org/389/ticket/366
reviewed by: richm(Thanks!)
(cherry picked from commit 14cb1d07ee1864de8ca54083ef6901d5b4627758)
diff --git a/ldap/servers/plugins/replication/replutil.c b/ldap/servers/plugins/replication/replutil.c
index b09bf53..5e8019c 100644
--- a/ldap/servers/plugins/replication/replutil.c
+++ b/ldap/servers/plugins/replication/replutil.c
@@ -788,7 +788,7 @@ repl_set_mtn_state_and_referrals(
}
}
- if (rc != LDAP_SUCCESS) {
+ if (rc != LDAP_SUCCESS && rc != LDAP_TYPE_OR_VALUE_EXISTS) {
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "repl_set_mtn_referrals: could "
"not set referrals for replica %s: %d\n",
slapi_sdn_get_dn(repl_root_sdn), rc);
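Review bot: The widened condition suppresses the log for LDAP_TYPE_OR_VALUE_EXISTS but nothing in the code says why that result is harmless; the reasoning lives only in the commit message. A comment on the changed line, `/* LDAP_TYPE_OR_VALUE_EXISTS: the referral is already on the replica (e.g. a re-added replica); nothing to report */`, would keep the next maintainer from "fixing" it back. Note that rc is still non-success after the skipped log; if repl_set_mtn_state_and_referrals hands rc back to its caller (the function starts before this hunk and its return is not visible), that caller still sees the benign case as a failure.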
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 80ab8cb..12f01c6 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -126,6 +126,10 @@ static char **mozldap_ldap_explode( const char *dn, const int notypes, const int
static char **mozldap_ldap_explode_dn( const char *dn, const int notypes );
static char **mozldap_ldap_explode_rdn( const char *rdn, const int notypes );
+#ifdef HAVE_KRB5
+static void clear_krb5_ccache();
+#endif
+
#ifdef MEMPOOL_EXPERIMENTAL
void _free_wrapper(void *ptr)
{
@@ -1155,6 +1159,12 @@ slapi_ldap_bind(
bindid ? bindid : "(anon)",
mech, /* mech cannot be SIMPLE here */
rc, ldap_err2string(rc));
+#ifdef HAVE_KRB5
+ if(mech && !strcmp(mech, "GSSAPI") && rc == 49){
+ /* only on err 49 should we clear out the credential cache */
+ clear_krb5_ccache();
+ }
+#endif
}
}
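Review bot: The new condition compares rc against the bare literal 49 while the surrounding code reports rc through ldap_err2string and the LDAP macros; write `if (mech && !strcmp(mech, "GSSAPI") && rc == LDAP_INVALID_CREDENTIALS) {` so the intent is readable without a lookup. Destroying the process-default credential cache on any GSSAPI invalid-credentials result is a blunt response: one failing agreement discards the cache used by every other outbound GSSAPI bind in this server, and the code that is expected to reacquire a TGT on the next attempt is not in this hunk, so the commit message's claim that replication then resumes cannot be checked from here. A one-line comment naming that reacquisition path would make the recovery story verifiable. slapi_ldap_bind begins before this hunk.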
@@ -2058,6 +2068,43 @@ cleanup:
return;
}
+static void
+clear_krb5_ccache()
+{
+ krb5_context ctx = NULL;
+ krb5_ccache cc = NULL;
+ int rc = 0;
+
+ PR_Lock(krb5_lock);
+
+ /* initialize the kerberos context */
+ if ((rc = krb5_init_context(&ctx))) {
+ slapi_log_error(SLAPI_LOG_FATAL, "clear_krb5_ccache", "Could not initialize kerberos context: %d (%s)\n",
+ rc, error_message(rc));
+ goto done;
+ }
+ /* get the default ccache */
+ if ((rc = krb5_cc_default(ctx, &cc))) {
+ slapi_log_error(SLAPI_LOG_FATAL, "clear_krb5_ccache", "Could not get default kerberos ccache: %d (%s)\n",
+ rc, error_message(rc));
+ goto done;
+ }
+ /* destroy the ccache */
+ if((rc = krb5_cc_destroy(ctx, cc))){
+ slapi_log_error(SLAPI_LOG_FATAL, "clear_krb5_ccache", "Could not destroy kerberos ccache: %d (%s)\n",
+ rc, error_message(rc));
+ } else {
+ slapi_log_error(SLAPI_LOG_TRACE,"clear_krb5_ccache", "Successfully cleared kerberos ccache\n");
+ }
+
+done:
+ if(ctx){
+ krb5_free_context(ctx);
+ }
+
+ PR_Unlock(krb5_lock);
+}
+
#endif /* HAVE_KRB5 */
#define LDAP_DN 1
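Review bot: The definition (and the forward declaration earlier in the file) is spelled `clear_krb5_ccache()`, which in C is an old-style declaration that accepts any arguments; it should be `static void clear_krb5_ccache(void)` in both places. Destroying credentials is an event operators will look for when diagnosing replication authentication failures, yet the success message goes out at SLAPI_LOG_TRACE and neither message says which cache was destroyed; since krb5_cc_destroy releases the handle (and the storage behind krb5_cc_get_name), log the cache identity at the error-log level before the call. Whether krb5_lock is the same lock that guards the credential-acquisition code elsewhere in this file cannot be seen here; it should be, otherwise a concurrent acquisition can race the destroy. If krb5_cc_destroy fails the handle is not closed; check the MIT documentation for whether a failed destroy still frees cc before adding a krb5_cc_close there.

```c
static void
clear_krb5_ccache(void)
{
    /* … unchanged: lock, krb5_init_context, krb5_cc_default … */
    /* log before the destroy: krb5_cc_destroy releases cc and the name storage with it */
    slapi_log_error(SLAPI_LOG_FATAL, "clear_krb5_ccache",
                    "Destroying kerberos ccache %s:%s after a GSSAPI bind failure\n",
                    krb5_cc_get_type(ctx, cc), krb5_cc_get_name(ctx, cc));
    if ((rc = krb5_cc_destroy(ctx, cc))) {
    /* … unchanged: error logging, krb5_free_context, unlock … */
```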
commit 1889546920a69c4790d7bea5f87274f3e288f8f3
Author: Noriko Hosoi <nhosoi at redhat.com>
Date: Tue Jun 26 16:56:19 2012 -0700
Trac Ticket 396 - Account Usability Control Not Working [Bug 835238]
https://fedorahosted.org/389/ticket/396
Fix Description: Commit 003812911f56619f0db58ba627037644fb0f68fb
broke the feature. This patch is backing off the change so that
get_entry accepts NULL pblock, which is necessary for the
Account Usability plugin.
(cherry picked from commit b2a926948b974ac8c64faf80dd0d3b99583e3f33)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 8cef61d..93fc899 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1548,23 +1548,20 @@ new_passwdPolicy(Slapi_PBlock *pb, const char *dn)
slapdFrontendConfig_t *slapdFrontendConfig;
int optype = -1;
- /* RFE - is there a way to make this work for non-existent entries
- * when we don't pass in pb? We'll need to do this if we add support
- * for password policy plug-ins. */
- if (NULL == pb) {
- LDAPDebug0Args(LDAP_DEBUG_ANY,
- "new_passwdPolicy: NULL pblock was passed.\n");
- return NULL;
- }
slapdFrontendConfig = getFrontendConfig();
pwdpolicy = (passwdPolicy *)slapi_ch_calloc(1, sizeof(passwdPolicy));
- slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &optype );
+ if (pb) {
+ slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &optype );
+ }
if (dn && (slapdFrontendConfig->pwpolicy_local == 1)) {
/* If we're doing an add, COS does not apply yet so we check
parents for the pwdpolicysubentry. We look only for virtual
attributes, because real ones are for single-target policy. */
+ /* RFE - is there a way to make this work for non-existent entries
+ * when we don't pass in pb? We'll need to do this if we add support
+ * for password policy plug-ins. */
if (optype == SLAPI_OPERATION_ADD) {
char *parentdn = slapi_ch_strdup(dn);
char *nextdn = NULL;
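Review bot: new_passwdPolicy now accepts a NULL pblock, but nothing at the function says so, and the removed NULL check was the only place that spelled out the old contract; a caller on the new path gets a policy built with optype left at -1, which silently skips the ADD-time parent search that follows. Add above the function (its signature is on the hunk header line, its body continues past the hunk): `/* pb may be NULL (e.g. the Account Usability plugin); the operation type is then unknown and the ADD-time parent policy lookup is skipped. */`. The relocated RFE comment now sits inside the local-policy branch, where it no longer describes the code next to it; it reads better beside `if (pb) {`.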
diff --git a/ldap/servers/slapd/pw_retry.c b/ldap/servers/slapd/pw_retry.c
index 09d0ed0..74e575e 100644
--- a/ldap/servers/slapd/pw_retry.c
+++ b/ldap/servers/slapd/pw_retry.c
@@ -210,43 +210,49 @@ int set_retry_cnt ( Slapi_PBlock *pb, int count)
}
+/*
+ * If "dn" is passed, get_entry returns an entry which dn is "dn".
+ * If "dn" is not passed, it returns an entry which dn is set in
+ * SLAPI_TARGET_SDN in pblock.
+ * Note: pblock is not mandatory for get_entry (e.g., new_passwdPolicy).
+ */
Slapi_Entry *get_entry ( Slapi_PBlock *pb, const char *dn)
{
int search_result = 0;
Slapi_Entry *retentry = NULL;
Slapi_DN *target_sdn = NULL;
+ char *target_dn = (char *)dn;
Slapi_DN sdn;
- if (NULL == pb) {
- LDAPDebug(LDAP_DEBUG_ANY, "get_entry - no pblock specified.\n",
- 0, 0, 0);
- goto bail;
- }
-
- slapi_pblock_get( pb, SLAPI_TARGET_SDN, &target_sdn );
-
- if (dn == NULL) {
- dn = slapi_sdn_get_dn(target_sdn);
+ if (pb) {
+ slapi_pblock_get( pb, SLAPI_TARGET_SDN, &target_sdn );
+ if (target_dn == NULL) {
+ target_dn = slapi_sdn_get_dn(target_sdn);
+ }
}
- if (dn == NULL) {
- LDAPDebug (LDAP_DEBUG_TRACE, "WARNING: 'get_entry' - no dn specified.\n", 0, 0, 0);
+ if (target_dn == NULL) {
+ LDAPDebug0Args(LDAP_DEBUG_TRACE,
+ "WARNING: 'get_entry' - no dn specified.\n");
goto bail;
}
- slapi_sdn_init_dn_byref(&sdn, dn);
-
- if (slapi_sdn_compare(&sdn, target_sdn)) { /* does not match */
- target_sdn = &sdn;
+ if (target_dn == dn) { /* target_dn is NOT from target_sdn */
+ slapi_sdn_init_dn_byref(&sdn, target_dn);
+ target_sdn = &sdn;
}
search_result = slapi_search_internal_get_entry(target_sdn, NULL,
&retentry,
pw_get_componentID());
if (search_result != LDAP_SUCCESS) {
- LDAPDebug (LDAP_DEBUG_TRACE, "WARNING: 'get_entry' can't find entry '%s', err %d\n", dn, search_result, 0);
+ LDAPDebug2Args(LDAP_DEBUG_TRACE,
+ "WARNING: 'get_entry' can't find entry '%s', err %d\n",
+ target_dn, search_result);
+ }
+ if (target_dn == dn) { /* target_dn is NOT from target_sdn */
+ slapi_sdn_done(&sdn);
}
- slapi_sdn_done(&sdn);
bail:
return retentry;
}
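Review bot: `char *target_dn = (char *)dn;` casts const away for no reason: slapi_sdn_get_dn's result, slapi_sdn_init_dn_byref and the debug format all take a const char *, so `const char *target_dn = dn;` compiles the same and keeps the compiler guarding the caller's DN against writes. The `target_dn == dn` pointer-identity test, used twice to decide whether sdn was initialised here, is correct today (with dn NULL the only way past the bail is a DN taken from target_sdn) but is fragile under later edits; a flag such as `int local_sdn = 0;` set next to slapi_sdn_init_dn_byref states the intent directly. When pb is given but SLAPI_TARGET_SDN is unset, target_sdn stays NULL and the function relies on slapi_sdn_get_dn(NULL) returning NULL to reach the bail before slapi_search_internal_get_entry; if that is guaranteed, a short comment on the `if (pb)` branch saying so would help.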