[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'debian-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Wed Jun 27 17:03:36 UTC 2012


 Makefile.am                                              |   25 
 VERSION.sh                                               |    4 
 configure.ac                                             |   20 
 debian/389-ds-base.prerm                                 |   13 
 debian/changelog                                         |    7 
 debian/control                                           |    2 
 debian/patches/format-security.diff                      |  114 -
 debian/patches/series                                    |    1 
 ldap/admin/src/logconv.pl                                |  224 +-
 ldap/admin/src/scripts/DSCreate.pm.in                    |   15 
 ldap/admin/src/scripts/DSDialogs.pm                      |    2 
 ldap/admin/src/scripts/DSUtil.pm.in                      |  124 +
 ldap/admin/src/scripts/dnaplugindepends.ldif             |    3 
 ldap/admin/src/scripts/remove-ds.pl.in                   |    6 
 ldap/ldif/template-dnaplugin.ldif.in                     |    2 
 ldap/ldif/template-dse.ldif.in                           |   11 
 ldap/schema/01core389.ldif                               |   10 
 ldap/schema/10dna-plugin.ldif                            |  204 ++
 ldap/schema/60pam-plugin.ldif                            |    3 
 ldap/schema/60qmail.ldif                                 |   20 
 ldap/schema/60sabayon.ldif                               |   10 
 ldap/servers/plugins/acctpolicy/acct_plugin.c            |   21 
 ldap/servers/plugins/acctpolicy/acct_util.c              |    6 
 ldap/servers/plugins/acctpolicy/acctpolicy.h             |    2 
 ldap/servers/plugins/acl/acl.c                           |   54 
 ldap/servers/plugins/acl/aclanom.c                       |   11 
 ldap/servers/plugins/acl/acllas.c                        |    2 
 ldap/servers/plugins/acl/acllist.c                       |    4 
 ldap/servers/plugins/acl/aclparse.c                      |    5 
 ldap/servers/plugins/acl/aclutil.c                       |    7 
 ldap/servers/plugins/automember/automember.c             |  783 +++++++++
 ldap/servers/plugins/chainingdb/cb_add.c                 |    2 
 ldap/servers/plugins/chainingdb/cb_compare.c             |    2 
 ldap/servers/plugins/chainingdb/cb_config.c              |    7 
 ldap/servers/plugins/chainingdb/cb_delete.c              |    2 
 ldap/servers/plugins/chainingdb/cb_modify.c              |    2 
 ldap/servers/plugins/chainingdb/cb_modrdn.c              |   32 
 ldap/servers/plugins/chainingdb/cb_search.c              |    4 
 ldap/servers/plugins/cos/cos.c                           |   52 
 ldap/servers/plugins/cos/cos_cache.c                     |    5 
 ldap/servers/plugins/deref/deref.c                       |   10 
 ldap/servers/plugins/dna/dna.c                           | 1163 +++++++++-----
 ldap/servers/plugins/linkedattrs/fixup_task.c            |   51 
 ldap/servers/plugins/linkedattrs/linked_attrs.c          |   51 
 ldap/servers/plugins/linkedattrs/linked_attrs.h          |    1 
 ldap/servers/plugins/memberof/memberof.c                 |  466 ++---
 ldap/servers/plugins/memberof/memberof.h                 |    3 
 ldap/servers/plugins/memberof/memberof_config.c          |   33 
 ldap/servers/plugins/mep/mep.c                           |   81 -
 ldap/servers/plugins/pam_passthru/pam_passthru.h         |   48 
 ldap/servers/plugins/pam_passthru/pam_ptconfig.c         |  715 ++++++--
 ldap/servers/plugins/pam_passthru/pam_ptimpl.c           |   55 
 ldap/servers/plugins/pam_passthru/pam_ptpreop.c          |  580 ++++++-
 ldap/servers/plugins/referint/referint.c                 |   90 -
 ldap/servers/plugins/replication/cl5_api.c               |  138 +
 ldap/servers/plugins/replication/cl5_api.h               |    4 
 ldap/servers/plugins/replication/csnpl.c                 |   30 
 ldap/servers/plugins/replication/llist.c                 |    8 
 ldap/servers/plugins/replication/repl5.h                 |   33 
 ldap/servers/plugins/replication/repl5_agmt.c            |  136 +
 ldap/servers/plugins/replication/repl5_agmtlist.c        |   13 
 ldap/servers/plugins/replication/repl5_connection.c      |   26 
 ldap/servers/plugins/replication/repl5_inc_protocol.c    | 1212 ++++++---------
 ldap/servers/plugins/replication/repl5_init.c            |   63 
 ldap/servers/plugins/replication/repl5_plugins.c         |   15 
 ldap/servers/plugins/replication/repl5_protocol_util.c   |   54 
 ldap/servers/plugins/replication/repl5_replica.c         |  118 -
 ldap/servers/plugins/replication/repl5_replica_config.c  |  551 ++++++
 ldap/servers/plugins/replication/repl5_ruv.c             |   37 
 ldap/servers/plugins/replication/repl_extop.c            |  372 ++++
 ldap/servers/plugins/replication/repl_globals.c          |    2 
 ldap/servers/plugins/replication/replutil.c              |    3 
 ldap/servers/plugins/replication/urp.c                   |  123 -
 ldap/servers/plugins/replication/urp.h                   |   10 
 ldap/servers/plugins/replication/urp_glue.c              |   17 
 ldap/servers/plugins/replication/urp_tombstone.c         |   14 
 ldap/servers/plugins/replication/windows_connection.c    |    3 
 ldap/servers/plugins/replication/windows_private.c       |  328 +++-
 ldap/servers/plugins/replication/windows_protocol_util.c |  188 ++
 ldap/servers/plugins/replication/windowsrepl.h           |   35 
 ldap/servers/plugins/replication/winsync-plugin.h        |  334 ++++
 ldap/servers/plugins/retrocl/retrocl.c                   |   48 
 ldap/servers/plugins/retrocl/retrocl_po.c                |    5 
 ldap/servers/plugins/roles/roles_plugin.c                |   52 
 ldap/servers/plugins/rootdn_access/rootdn_access.c       |  663 ++++++++
 ldap/servers/plugins/rootdn_access/rootdn_access.h       |   57 
 ldap/servers/plugins/schema_reload/schema_reload.c       |   53 
 ldap/servers/plugins/statechange/statechange.c           |   29 
 ldap/servers/plugins/uiduniq/7bit.c                      |   28 
 ldap/servers/plugins/uiduniq/plugin-utils.h              |    6 
 ldap/servers/plugins/uiduniq/uid.c                       |   68 
 ldap/servers/plugins/uiduniq/utils.c                     |   29 
 ldap/servers/plugins/usn/usn.c                           |  197 +-
 ldap/servers/plugins/usn/usn_cleanup.c                   |   13 
 ldap/servers/plugins/views/views.c                       |    9 
 ldap/servers/slapd/abandon.c                             |   11 
 ldap/servers/slapd/add.c                                 |   87 -
 ldap/servers/slapd/attr.c                                |   12 
 ldap/servers/slapd/auditlog.c                            |   24 
 ldap/servers/slapd/auth.c                                |   38 
 ldap/servers/slapd/back-ldbm/back-ldbm.h                 |   12 
 ldap/servers/slapd/back-ldbm/backentry.c                 |    4 
 ldap/servers/slapd/back-ldbm/cache.c                     |   63 
 ldap/servers/slapd/back-ldbm/dbhelp.c                    |    6 
 ldap/servers/slapd/back-ldbm/dblayer.c                   |  707 ++++++++
 ldap/servers/slapd/back-ldbm/filterindex.c               |   27 
 ldap/servers/slapd/back-ldbm/id2entry.c                  |   16 
 ldap/servers/slapd/back-ldbm/idl_new.c                   |   61 
 ldap/servers/slapd/back-ldbm/import-threads.c            |   23 
 ldap/servers/slapd/back-ldbm/index.c                     |  132 +
 ldap/servers/slapd/back-ldbm/ldbm_add.c                  |  198 +-
 ldap/servers/slapd/back-ldbm/ldbm_bind.c                 |    5 
 ldap/servers/slapd/back-ldbm/ldbm_compare.c              |    5 
 ldap/servers/slapd/back-ldbm/ldbm_config.c               |   12 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c               |  378 +++-
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c             |  875 ++++++++--
 ldap/servers/slapd/back-ldbm/ldbm_instance_config.c      |    8 
 ldap/servers/slapd/back-ldbm/ldbm_modify.c               |  422 +++--
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c               |  397 +++-
 ldap/servers/slapd/back-ldbm/ldbm_search.c               |   46 
 ldap/servers/slapd/back-ldbm/ldif2ldbm.c                 |    4 
 ldap/servers/slapd/back-ldbm/misc.c                      |    2 
 ldap/servers/slapd/back-ldbm/perfctrs.c                  |    2 
 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h           |    3 
 ldap/servers/slapd/back-ldbm/seq.c                       |    3 
 ldap/servers/slapd/back-ldbm/start.c                     |    3 
 ldap/servers/slapd/back-ldbm/upgrade.c                   |   56 
 ldap/servers/slapd/back-ldbm/vlv.c                       |    7 
 ldap/servers/slapd/bind.c                                |   47 
 ldap/servers/slapd/charray.c                             |    5 
 ldap/servers/slapd/compare.c                             |    4 
 ldap/servers/slapd/config.c                              |   17 
 ldap/servers/slapd/configdse.c                           |    5 
 ldap/servers/slapd/connection.c                          |   10 
 ldap/servers/slapd/daemon.c                              |  541 ++++++
 ldap/servers/slapd/delete.c                              |    5 
 ldap/servers/slapd/dse.c                                 |  584 ++++---
 ldap/servers/slapd/entry.c                               |   61 
 ldap/servers/slapd/entrywsi.c                            |   30 
 ldap/servers/slapd/ldaputil.c                            |   36 
 ldap/servers/slapd/libglobs.c                            |  341 +++-
 ldap/servers/slapd/log.c                                 |   67 
 ldap/servers/slapd/main.c                                |    3 
 ldap/servers/slapd/modify.c                              |   67 
 ldap/servers/slapd/modrdn.c                              |   28 
 ldap/servers/slapd/modutil.c                             |   65 
 ldap/servers/slapd/operation.c                           |   11 
 ldap/servers/slapd/opshared.c                            |  153 +
 ldap/servers/slapd/pagedresults.c                        |  527 +++++-
 ldap/servers/slapd/passwd_extop.c                        |   12 
 ldap/servers/slapd/pblock.c                              |   90 +
 ldap/servers/slapd/plugin.c                              |   22 
 ldap/servers/slapd/plugin_acl.c                          |    5 
 ldap/servers/slapd/plugin_internal_op.c                  |   58 
 ldap/servers/slapd/proto-slap.h                          |   78 
 ldap/servers/slapd/psearch.c                             |    3 
 ldap/servers/slapd/pw.c                                  |   58 
 ldap/servers/slapd/pw.h                                  |    2 
 ldap/servers/slapd/pw_mgmt.c                             |   21 
 ldap/servers/slapd/pw_retry.c                            |   64 
 ldap/servers/slapd/regex.c                               |   28 
 ldap/servers/slapd/resourcelimit.c                       |    4 
 ldap/servers/slapd/result.c                              |   22 
 ldap/servers/slapd/sasl_map.c                            |    6 
 ldap/servers/slapd/saslbind.c                            |   14 
 ldap/servers/slapd/schema.c                              |   44 
 ldap/servers/slapd/search.c                              |    3 
 ldap/servers/slapd/slap.h                                |   59 
 ldap/servers/slapd/slapi-plugin.h                        |   40 
 ldap/servers/slapd/slapi-private.h                       |    2 
 ldap/servers/slapd/sort.c                                |    9 
 ldap/servers/slapd/thread_data.c                         |  174 ++
 ldap/servers/slapd/tools/ldclt/ldapfct.c                 |   25 
 ldap/servers/slapd/tools/ldclt/ldclt.c                   |    2 
 ldap/servers/slapd/tools/rsearch/addthread.c             |   26 
 ldap/servers/slapd/tools/rsearch/searchthread.c          |   32 
 ldap/servers/snmp/main.c                                 |    1 
 lib/base/pool.cpp                                        |   10 
 m4/db.m4                                                 |    6 
 179 files changed, 13194 insertions(+), 4276 deletions(-)

New commits:
commit 5f01f68d087aaa0676fdc33a6b93f300e8a1ac61
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 20:02:55 2012 +0300

    wrap a line that's too long

diff --git a/debian/changelog b/debian/changelog
index e231aaf..bcf0fe5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -53,7 +53,8 @@
   * control: Add 389-ds metapackage.
   * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
     supports db5.x.
-  * 389-ds-base.prerm: Add prerm script for removing installed instances on purge.
+  * 389-ds-base.prerm: Add prerm script for removing installed instances on
+    purge.
 
   [ Krzysztof Klimonda ]
   * dirsrv.init:

commit 477f3cdfbc1be838eec371b835b3d1da3da50e89
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 20:02:04 2012 +0300

    catch errors on the prerm scripts

diff --git a/debian/389-ds-base.prerm b/debian/389-ds-base.prerm
index 727e49f..8679d81 100644
--- a/debian/389-ds-base.prerm
+++ b/debian/389-ds-base.prerm
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/sh -e
 
 #DEBHELPER#
 
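Review bot: Putting `-e` on the `#!` line only enables errexit when the script is executed directly; if it is ever run as `sh 389-ds-base.prerm ...`, the option is dropped and failures are ignored again. Debian maintainer scripts conventionally keep `#!/bin/sh` and make `set -e` the first statement, which works either way. With errexit on, a failing `remove-ds` call further down (outside this hunk) will abort the prerm and block the package operation, so it is worth deciding whether that is the intended behaviour.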

commit 692eb1188dbda2c1234751985d7d9af8e16da648
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 19:52:16 2012 +0300

    drop path from prerm

diff --git a/debian/389-ds-base.prerm b/debian/389-ds-base.prerm
index b1e52c1..727e49f 100644
--- a/debian/389-ds-base.prerm
+++ b/debian/389-ds-base.prerm
@@ -4,7 +4,7 @@
 
 if [ "$1" = "purge" ]; then
     # remove all installed instances
-    for FILE in `/bin/ls -d $CONFDIR/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
+    for FILE in `ls -d $CONFDIR/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
     do
         if [ -d "$FILE" ] ; then
             remove-ds -f -i $FILE
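Review bot: The `[ "$1" = "purge" ]` branch cannot run in a prerm, because dpkg invokes prerm with `remove`, `upgrade`, `deconfigure` or `failed-upgrade` and passes `purge` only to postrm, so the instance cleanup is dead code. In addition, `$CONFDIR` is not assigned anywhere in the script as created in the file-creation hunk below, so the glob becomes `/slapd-*` or whatever the calling environment supplies, which a root maintainer script should not depend on. Test an argument that prerm really receives (for example `if [ "$1" = "remove" ]; then`) and set the directory explicitly at the top, `CONFDIR=<instance-config-dir>` (placeholder; the real path is not on this page). The same two lines appear in the file-creation hunk below, and the `if` block continues past the end of this hunk.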

commit d8d570286d81ee679f77b374618ecd8c273a44bc
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 19:50:54 2012 +0300

    389-ds-base.prerm: Add prerm script for removing installed instances on purge.

diff --git a/debian/389-ds-base.prerm b/debian/389-ds-base.prerm
new file mode 100644
index 0000000..b1e52c1
--- /dev/null
+++ b/debian/389-ds-base.prerm
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+#DEBHELPER#
+
+if [ "$1" = "purge" ]; then
+    # remove all installed instances
+    for FILE in `/bin/ls -d $CONFDIR/slapd-* 2>/dev/null | sed -n '/\.removed$/!$'`
+    do
+        if [ -d "$FILE" ] ; then
+            remove-ds -f -i $FILE
+        fi
+    done
+fi
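Review bot: The sed script `/\.removed$/!$` has `$` where a command is expected; `p` was probably intended, and as written sed most likely rejects the expression, so the loop receives no names at all. The loop also word-splits the output of `ls` and passes `$FILE` unquoted to `remove-ds -f`, which runs as root, so a directory name containing whitespace or glob characters would be split or expanded before the destructive call. Iterating over the glob directly, skipping `*.removed` with a `case`, and quoting `"$FILE"` avoids both problems, as sketched below. The same `for` line is rewritten in the "drop path from prerm" hunk above and has the same issue there.

```shell
    # remove all installed instances
    for FILE in "$CONFDIR"/slapd-*
    do
        case "$FILE" in
            *.removed) continue ;;
        esac
        # … unchanged: [ -d "$FILE" ] test …
            remove-ds -f -i "$FILE"
```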
diff --git a/debian/changelog b/debian/changelog
index 04f28cb..e231aaf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -53,6 +53,7 @@
   * control: Add 389-ds metapackage.
   * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
     supports db5.x.
+  * 389-ds-base.prerm: Add prerm script for removing installed instances on purge.
 
   [ Krzysztof Klimonda ]
   * dirsrv.init:

commit 39e345769ee43c521772a49c84e966a45a294f38
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 19:45:33 2012 +0300

    control: Change libdb4.8-dev build-depends to libdb-dev, since this version supports db5.x.

diff --git a/debian/changelog b/debian/changelog
index b6ed631..04f28cb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -51,6 +51,8 @@
     - Fix starting multiple instances
     - Use '-b' for start-stop-daemon, since ns-slapd doesn't detach properly
   * control: Add 389-ds metapackage.
+  * control: Change libdb4.8-dev build-depends to libdb-dev, since this version
+    supports db5.x.
 
   [ Krzysztof Klimonda ]
   * dirsrv.init:
diff --git a/debian/control b/debian/control
index 5d8d120..5c6bd4c 100644
--- a/debian/control
+++ b/debian/control
@@ -12,7 +12,7 @@ Build-Depends: quilt, debhelper (>= 9), dpkg-dev (>= 1.13.19),
  libldap2-dev (>= 2.4.28),
  libicu-dev,
  libsnmp-dev,
- libdb4.8-dev,
+ libdb-dev,
  zlib1g-dev,
  libbz2-dev,
  libssl-dev,

commit 537497ee86d5ea1d5d6347ddef3bdf0819654f49
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 19:31:48 2012 +0300

    drop format-security.diff, applied upstream

diff --git a/debian/changelog b/debian/changelog
index 06ec1f7..b6ed631 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,7 +19,6 @@
   * Build against libldap2-dev (>= 2.4.28).
   * Rename binary package to 389-ds-base.
   * -dev.install: Install the pkgconfig file.
-  * Add format-security.diff to fix FTBFS with current hardening flags.
   * rules: Enable PIE hardening.
   * Add a default file, currently sets LD_BIND_NOW=1.
   * control: 'dbgen' uses old perl libs, add libperl4-corelibs-perl
diff --git a/debian/patches/format-security.diff b/debian/patches/format-security.diff
deleted file mode 100644
index 7d4833a..0000000
--- a/debian/patches/format-security.diff
+++ /dev/null
@@ -1,114 +0,0 @@
-Description: fix build errors with --format-security
-Forwarded: https://fedorahosted.org/389/ticket/285
-
-Index: 389-ds-base/ldap/servers/plugins/replication/repl5_ruv.c
-===================================================================
---- 389-ds-base.orig/ldap/servers/plugins/replication/repl5_ruv.c	2012-02-27 13:22:48.128678099 +0200
-+++ 389-ds-base/ldap/servers/plugins/replication/repl5_ruv.c	2012-02-27 13:22:50.900749285 +0200
-@@ -1364,7 +1364,7 @@
- 	}
- 	else
- 	{
--		slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, buff);
-+		slapi_log_error(SLAPI_LOG_REPL, "%s", repl_plugin_name, buff);
- 	}
- 	for (replica = dl_get_first (ruv->elements, &cookie); replica;
- 		 replica = dl_get_next (ruv->elements, &cookie))
-@@ -1389,7 +1389,7 @@
- 		}
- 		else
- 		{
--			slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, buff);
-+			slapi_log_error(SLAPI_LOG_REPL, "%s", repl_plugin_name, buff);
- 		}
- 	}
- 
-Index: 389-ds-base/ldap/servers/slapd/passwd_extop.c
-===================================================================
---- 389-ds-base.orig/ldap/servers/slapd/passwd_extop.c	2012-02-27 13:22:48.140678409 +0200
-+++ 389-ds-base/ldap/servers/slapd/passwd_extop.c	2012-02-27 13:22:50.900749285 +0200
-@@ -489,7 +489,7 @@
- 		errMesg = "Could not get OID value from request.\n";
- 		rc = LDAP_OPERATIONS_ERROR;
- 		slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", 
--				 errMesg );
-+				 "%s", errMesg );
- 		goto free_and_return;
- 	} else {
- 	        slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop", 
-@@ -515,7 +515,7 @@
- 		errMesg = "Could not get SASL SSF from connection\n";
- 		rc = LDAP_OPERATIONS_ERROR;
- 		slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
--				 errMesg );
-+				 "%s", errMesg );
- 		goto free_and_return;
- 	}
- 
-@@ -523,7 +523,7 @@
- 		errMesg = "Could not get local SSF from connection\n";
- 		rc = LDAP_OPERATIONS_ERROR;
- 		slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
--				 errMesg );
-+				 "%s", errMesg );
- 		goto free_and_return;
- 	}
- 
-@@ -846,7 +846,7 @@
- 	/* Free anything that we allocated above */
- free_and_return:
- 	slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
--		errMesg ? errMesg : "success" );
-+		"%s", errMesg ? errMesg : "success" );
- 
- 	if ((rc == LDAP_REFERRAL) && (referrals)) {
- 		send_referrals_from_entry(pb, referrals);
-Index: 389-ds-base/lib/base/pool.cpp
-===================================================================
---- 389-ds-base.orig/lib/base/pool.cpp	2012-02-27 13:22:48.116677793 +0200
-+++ 389-ds-base/lib/base/pool.cpp	2012-02-27 13:22:50.900749285 +0200
-@@ -178,7 +178,7 @@
- 		crit_exit(freelist_lock);
- 		if (((newblock = (block_t *)PERM_MALLOC(sizeof(block_t))) == NULL) || 
- 		    ((newblock->data = (char *)PERM_MALLOC(bytes)) == NULL)) {
--			ereport(LOG_CATASTROPHE, XP_GetAdminStr(DBT_poolCreateBlockOutOfMemory_));
-+			ereport(LOG_CATASTROPHE, "%s", XP_GetAdminStr(DBT_poolCreateBlockOutOfMemory_));
- 			if (newblock)
- 				PERM_FREE(newblock);
- 			return NULL;
-@@ -270,7 +270,7 @@
- 		}
- 
- 		if ( (newpool->curr_block =_create_block(BLOCK_SIZE)) == NULL) {
--			ereport(LOG_CATASTROPHE, XP_GetAdminStr(DBT_poolCreateOutOfMemory_));
-+			ereport(LOG_CATASTROPHE, "%s", XP_GetAdminStr(DBT_poolCreateOutOfMemory_));
- 			PERM_FREE(newpool);
- 			return NULL;
- 		}
-@@ -291,7 +291,7 @@
- 		crit_exit(known_pools_lock);
- 	}
- 	else 
--		ereport(LOG_CATASTROPHE, XP_GetAdminStr(DBT_poolCreateOutOfMemory_1));
-+		ereport(LOG_CATASTROPHE, "%s", XP_GetAdminStr(DBT_poolCreateOutOfMemory_1));
- 
- 	return (pool_handle_t *)newpool;
- }
-@@ -388,7 +388,7 @@
- 		 */
- 		blocksize = ( (size + BLOCK_SIZE-1) / BLOCK_SIZE ) * BLOCK_SIZE;
- 		if ( (pool->curr_block = _create_block(blocksize)) == NULL) {
--			ereport(LOG_CATASTROPHE, XP_GetAdminStr(DBT_poolMallocOutOfMemory_));
-+			ereport(LOG_CATASTROPHE, "%s", XP_GetAdminStr(DBT_poolMallocOutOfMemory_));
- #ifdef POOL_LOCKING
- 			crit_exit(pool->lock);
- #endif
-@@ -410,7 +410,7 @@
- 
- void _pool_free_error()
- {
--	ereport(LOG_WARN, XP_GetAdminStr(DBT_freeUsedWherePermFreeShouldHaveB_));
-+	ereport(LOG_WARN, "%s", XP_GetAdminStr(DBT_freeUsedWherePermFreeShouldHaveB_));
- 
- 	return;
- }
diff --git a/debian/patches/series b/debian/patches/series
index 1ceb200..4c983c0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1 @@
 default_user
-format-security.diff

commit b127228f1cb1626dbe12b21bacc20121ad4b5cda
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Wed Jun 27 19:30:41 2012 +0300

    bump the upstream version

diff --git a/debian/changelog b/debian/changelog
index 8c3916e..06ec1f7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-389-ds-base (1.2.10.4-1) UNRELEASED; urgency=low
+389-ds-base (1.2.11.6-1) UNRELEASED; urgency=low
 
   [ Timo Aaltonen ]
   * New upstream release.

commit ff00f1db991e91420d1d0d8d5b8218bdede4b38e
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Jun 21 15:12:36 2012 -0600

    bump version to 1.2.11.6

diff --git a/VERSION.sh b/VERSION.sh
index 1fa17c4..87f74d8 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=2
-VERSION_MAINT=11.5
+VERSION_MAINT=11.6
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 18f324124dfcb374fab8085939c72ae1bcc33b04
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Thu Jun 14 14:40:27 2012 -0700

    audit log does not log unhashed password: enabled, by default.
    (cherry picked from commit df5293373d49c3a875d6fba3fec44babfff7b4f6)

diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 81afe3e..f6afd10 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,7 +55,7 @@ char	*attr_changetype	= ATTR_CHANGETYPE;
 char	*attr_newrdn		= ATTR_NEWRDN;
 char	*attr_deleteoldrdn	= ATTR_DELETEOLDRDN;
 char	*attr_modifiersname = ATTR_MODIFIERSNAME;
-static int hide_unhashed_pw = 0;
+static int hide_unhashed_pw = 1;
 
 /* Forward Declarations */
 static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
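Review bot: The secure default is now set in two separate places, `static int hide_unhashed_pw = 1;` here and `cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;` in the libglobs.c hunk below, with nothing tying them together. A later edit to one can silently put cleartext passwords back into the audit log until the configuration is applied. I would add a comment on this line such as `/* default must match auditlog_logging_hide_unhashed_pw in FrontendConfig_init() */` and the mirror comment in libglobs.c. Presumably an explicit setting in an existing configuration still overrides the new default, so the release notes should tell administrators to check it.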
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 2540e25..59561c7 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1075,7 +1075,7 @@ FrontendConfig_init () {
   cfg->auditlog_minfreespace = 5;
   cfg->auditlog_exptime = 1;
   cfg->auditlog_exptimeunit = slapi_ch_strdup("month");
-  cfg->auditlog_logging_hide_unhashed_pw = LDAP_OFF;
+  cfg->auditlog_logging_hide_unhashed_pw = LDAP_ON;
 
   cfg->entryusn_global = LDAP_OFF; 
   cfg->entryusn_import_init = slapi_ch_strdup("0"); 

commit cfee4234ff1676fc4afa904192544d6f373f6f88
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Tue Jun 12 16:41:39 2012 -0700

    Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: unhashed#user#password is skipped to check acl
    in acl_check_mod.
    
    Fix Description: Set SLAPI_ATTR_FLAG_NOUSERMOD to unhashed#user#
    password schema.  It makes clients' modifying the unhashed password
    fail by UNWILLING TO PERFORM.
    (cherry picked from commit 1629311d7201a6a7842db15865e02042a2894383)
    (cherry picked from commit 75224010ef566f96a953e9070dff10542a7a20a1)

diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 8d99879..f6f3cf3 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -306,7 +306,10 @@ pw_init ( void ) {
 
 	slapi_add_internal_attr_syntax( PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
 	                                PSEUDO_ATTR_UNHASHEDUSERPASSWORD_OID,
-	                                OCTETSTRING_SYNTAX_OID, 0, 0 );
+	                                OCTETSTRING_SYNTAX_OID, 0, 
+	                                /* Clients don't need to directly modify
+	                                 * PSEUDO_ATTR_UNHASHEDUSERPASSWORD */
+	                                SLAPI_ATTR_FLAG_NOUSERMOD );
 }
 
 
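Review bot: The added comment says only that clients do not need to modify the attribute, which undersells why the flag is there. According to the commit message, acl_check_mod skips this attribute, so `SLAPI_ATTR_FLAG_NOUSERMOD` is what makes a client modification fail. I would state that and move the comment above the call, e.g. `/* ACL evaluation skips this pseudo attribute; NOUSERMOD is what rejects client writes to it */`. The added `OCTETSTRING_SYNTAX_OID, 0, ` line also carries trailing whitespace. The body of pw_init starts outside this hunk.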

commit b4dddacb9aed0a44f8cb8a05213f3c9ffa9b77e1
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Mon Jun 11 16:57:50 2012 -0700

    Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: Deref still retrieved unhashed password.
    
    Fix Description: Added code to Deref plugin to check the deref attribute.
    If it is unhashed password, skip it.
    (cherry picked from commit 26b5121d84232cf453fa917f11ba6518a40358ea)
    (cherry picked from commit 9e15a73380e32947f08e2d8cc3bce87f467fab80)

diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index fb6a54a..d97dc0a 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -632,6 +632,12 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
                     int needpartialattr = 1; /* need PartialAttribute sequence? */
                     int needvalsset = 1;
 
+                    if (is_type_forbidden(retattrs[ii])) {
+                        slapi_log_error(SLAPI_LOG_PLUGIN, DEREF_PLUGIN_SUBSYSTEM,
+                            "skip forbidden attribute [%s]\n", derefdn);
+                        continue;
+                    }
+
                     deref_get_values(entries[0], retattrs[ii], &results, &type_name_disposition,
                                      &actual_type_name, flags, &buffer_flags);
 
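Review bot: The new log line labels its value as the forbidden attribute but prints `derefdn`, so the log never records which attribute was requested and skipped. For anyone reviewing plugin logs for attempts to read the unhashed password, the attribute name is the useful field. Log both values: `"skip forbidden attribute [%s] for [%s]\n", retattrs[ii], derefdn`. deref_do_deref_attr begins and ends outside this hunk.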
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c3ebd79..1b62c13 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -639,7 +639,7 @@ int is_rootdse( const char *dn );
 int get_entry_object_type();
 int entry_computed_attr_init();
 void send_referrals_from_entry(Slapi_PBlock *pb, Slapi_Entry *referral);
-
+int is_type_forbidden(const char *type);
 
 /*
  * dse.c
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 2f0afc7..75f8e8f 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,7 +331,6 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
 /* entry.c */
 int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
 int is_type_protected(const char *type);
-int is_type_forbidden(const char *type);
 
 int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);
 

commit 2ebeb4a56b7ce4359b4601133889293d1546ffe1
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Fri Jun 8 11:39:56 2012 -0700

    Bug 829213 - unhashed#user#password visible after changing password https://bugzilla.redhat.com/show_bug.cgi?id=829213
    
    Bug 830001 - unhashed#user#password visible after changing password [rhel-6.3]
    https://bugzilla.redhat.com/show_bug.cgi?id=830001
    
    Bug Description: unhashed password is stored in the entry in memory
    when an entry/a password is added or the password is modified.
    The password could be visible by the ordinary search if the type
    "unhashed#user#password" is specified in the attribute list.
    
    Fix Description:
    1. Set "unhashed#user#password" to the forbidden attribute list,
       which is dropped from the search attribute list.
    2. Get effective right does not return "unhashed#user#password"
    3. In the modify operation, adding "unhashed#user#password" to or
       deleting "unhashed#user#password" from the entry never returns
       an error regardless of the attribute value.  Internally, the
       operation is ignored.
    (cherry picked from commit 9df3c438ebd05bbaa5e7b2506fc5d5e9f3ff4a95)
    (cherry picked from commit 8f0811a86a1b233cf9566349653ef7f184278144)
    (Fixed conflicts in ldap/servers/slapd/{entry.c,entrywsi.c,slapi-private.h})
    (cherry picked from commit 8f9e49e73efb45f6741dee371b7dec3cd2fc1ddd)

diff --git a/ldap/servers/slapd/attr.c b/ldap/servers/slapd/attr.c
index 95a7808..eab20e5 100644
--- a/ldap/servers/slapd/attr.c
+++ b/ldap/servers/slapd/attr.c
@@ -805,7 +805,14 @@ attr_add_valuearray(Slapi_Attr *a, Slapi_Value **vals, const char *dn)
         for ( i = 0; vals[i] != NULL; ++i ) {
             if ( slapi_attr_value_find( a, slapi_value_get_berval(vals[i]) ) == 0 ) {
                 duplicate_index = i;
-                rc = LDAP_TYPE_OR_VALUE_EXISTS;
+                if (is_type_forbidden(a->a_type)) {
+                    /* If the attr is in the forbidden list
+                     * (e.g., unhashed password),
+                     * we don't return any useful info to the clients. */
+                    rc = LDAP_OTHER;
+                } else {
+                    rc = LDAP_TYPE_OR_VALUE_EXISTS;
+                }
                 break;
             }
         }
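Review bot: Swapping LDAP_TYPE_OR_VALUE_EXISTS for LDAP_OTHER changes the code, but the call still fails only when the supplied value equals one already stored, so failure versus success continues to tell a caller whether the value matched. The commit message says modify operations on this attribute are ignored internally, so a caller outside this hunk may already make the result uniform; that is not visible here. If so, the comment should say so, e.g. `/* rc is not uniform by itself: callers must not pass it to the client, see <caller> */` (placeholder for the real function). Otherwise the `slapi_attr_value_find` comparison should be skipped for forbidden types before the loop. attr_add_valuearray starts and ends outside the hunk.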
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 03ec117..4f60703 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -70,6 +70,9 @@ static char *protected_attrs_all [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
                                        SLAPI_ATTR_ENTRYDN,
                                        NULL};
 
+static char *forbidden_attrs [] = {PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+                                   NULL};
+
 /*
  * An attribute name is of the form 'basename[;option]'.
  * The state informaion is encoded in options. For example:
@@ -1624,6 +1627,18 @@ is_type_protected(const char *type)
     return 0;
 }
 
+int
+is_type_forbidden(const char *type)
+{
+    char **paap = NULL;
+    for (paap = forbidden_attrs; paap && *paap; paap++) {
+        if (0 == strcasecmp(type, *paap)) {
+            return 1;
+        }
+    }
+    return 0;
+}
+
 static void
 entry2str_internal_put_attrlist( const Slapi_Attr *attrlist, int attr_state, int entry2str_ctrl, char **ecur, char **typebuf, size_t *typebuf_len)
 {
@@ -3408,7 +3423,7 @@ delete_values_sv_internal(
 	 * add/mod operation is done, while the retried entry from the db does not
 	 * contain the attribute.
 	 */
-	if (is_type_protected(type)) {
+	if (is_type_protected(type) || is_type_forbidden(type)) {
 		flags |= SLAPI_VALUE_FLAG_IGNOREERROR;
 	}
 
@@ -3419,7 +3434,6 @@ delete_values_sv_internal(
 		retVal = attrlist_delete( &e->e_attrs, type);
 		if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
 			return LDAP_SUCCESS;
-		} else {
 		}
 		return(retVal ? LDAP_NO_SUCH_ATTRIBUTE : LDAP_SUCCESS);
 	}
@@ -3429,6 +3443,9 @@ delete_values_sv_internal(
 	if ( a == NULL ) {
 		LDAPDebug( LDAP_DEBUG_ARGS, "could not find attribute %s\n",
 		    type, 0, 0 );
+		if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+			return LDAP_SUCCESS;
+		}
 		return( LDAP_NO_SUCH_ATTRIBUTE );
 	}
 
@@ -3457,8 +3474,11 @@ delete_values_sv_internal(
 					"value for attribute type %s found in "
 					"entry %s\n", a->a_type, slapi_entry_get_dn_const(e), 0 );
 			}
+			if (flags & SLAPI_VALUE_FLAG_IGNOREERROR) {
+				retVal = LDAP_SUCCESS;
+			}
 		}
-	}	
+	}
 	
 	return( retVal );
 }
diff --git a/ldap/servers/slapd/entrywsi.c b/ldap/servers/slapd/entrywsi.c
index 05dbb36..8c6a122 100644
--- a/ldap/servers/slapd/entrywsi.c
+++ b/ldap/servers/slapd/entrywsi.c
@@ -634,7 +634,13 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type, struct berval
 	}
 	else if (attr_state==ATTRIBUTE_DELETED)
 	{
-		retVal= LDAP_NO_SUCH_ATTRIBUTE;
+		/* If the type is in the forbidden attr list (e.g., unhashed password),
+		 * we don't return the reason of the failure to the clients. */
+		if (is_type_forbidden(type)) {
+			retVal = LDAP_SUCCESS;
+		} else {
+			retVal= LDAP_NO_SUCH_ATTRIBUTE;
+		}
 	}
 	else if (attr_state==ATTRIBUTE_NOTFOUND)
 	{
@@ -643,8 +649,10 @@ entry_delete_present_values_wsi(Slapi_Entry *e, const char *type, struct berval
 		 * failure, as the attribute could only exist in the entry in the 
 		 * memory when the add/mod operation is done, while the retried entry 
 		 * from the db does not contain the attribute.
+		 * So is in the forbidden_attrs list.  We don't return the reason
+		 * of the failure.
 		 */
-		if (is_type_protected(type)) {
+		if (is_type_protected(type) || is_type_forbidden(type)) {
 			retVal = LDAP_SUCCESS;
 		} else {
 			if (!urp) {
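Review bot: The sentence added to the comment, `So is in the forbidden_attrs list.`, is hard to parse and leaves the reader guessing what it refers to. Something like `The same is done for types in the forbidden_attrs list, so that the reason for the failure is not returned to the client.` states the intent directly. The enclosing function `entry_delete_present_values_wsi` starts and ends outside the hunk.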
diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
index 4be8efd..baee7a7 100644
--- a/ldap/servers/slapd/pblock.c
+++ b/ldap/servers/slapd/pblock.c
@@ -3060,6 +3060,22 @@ slapi_pblock_set( Slapi_PBlock *pblock, int arg, void *value )
 	case SLAPI_SEARCH_ATTRS:
 		if(pblock->pb_op!=NULL)
 		{
+			char **attrs;
+			for (attrs = (char **)value; attrs && *attrs; attrs++) {
+				/* Get rid of forbidden attr, e.g.,
+				 * PSEUDO_ATTR_UNHASHEDUSERPASSWORD,
+				 * which never be returned. */
+				if (is_type_forbidden(*attrs)) {
+					char **ptr;
+					for (ptr = attrs; ptr && *ptr; ptr++) {
+						if (ptr == attrs) {
+							slapi_ch_free_string(ptr); /* free unhashed type */
+						}
+						*ptr = *(ptr + 1); /* attrs is NULL terminated;
+						                      the NULL is copied here. */
+					}
+				}
+			}
 			pblock->pb_op->o_params.p.p_search.search_attrs = (char **) value;
 		}
 		break;
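Review bot: The outer `for` still advances `attrs` after a removal, so the entry that the inner loop shifted into the current slot is never tested. With two forbidden names in a row, the second one stays in the list that is stored in `search_attrs`. Dropping the increment from the header, `for (attrs = (char **)value; attrs && *attrs; ) {`, and closing the test with `} else { attrs++; }` makes the loop re-check the slot. The loop also frees the removed string and rewrites the caller's array in place, which presumably requires every caller to pass a heap-allocated array of `slapi_ch`-allocated strings; that contract deserves a comment at this case. `slapi_pblock_set` begins and ends outside the hunk.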
diff --git a/ldap/servers/slapd/plugin_internal_op.c b/ldap/servers/slapd/plugin_internal_op.c
index cf65c2c..4c7462d 100644
--- a/ldap/servers/slapd/plugin_internal_op.c
+++ b/ldap/servers/slapd/plugin_internal_op.c
@@ -291,6 +291,7 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
                               int operation_flags)
 {
 	Operation *op;
+	char **tmp_attrs = NULL;
 	if (pb == NULL || base == NULL)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
@@ -304,7 +305,9 @@ slapi_search_internal_set_pb (Slapi_PBlock *pb, const char *base,
 	slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
 	slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
 	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
-	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+	/* forbidden attrs could be removed in slapi_pblock_set. */
+	tmp_attrs = slapi_ch_array_dup(attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
 	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
 	if (uniqueid)
 	{
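Review bot: The comment on the `slapi_ch_array_dup(attrs)` call says why a copy is made but not who releases it. Going by the later hunks on this page, the copy is freed in `search_internal_callback_pb` and `seq_internal_callback_pb`, so a pblock that is set up here and never reaches one of them, or is set up twice, would presumably leak `tmp_attrs`. I would extend the comment to `/* forbidden attrs could be removed in slapi_pblock_set, so pass a copy; the internal search callback frees it */`. The same applies to the matching hunks in `slapi_search_internal_set_pb_ext` and `slapi_seq_internal_set_pb`. All three function bodies continue outside their hunks.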
@@ -322,6 +325,7 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
                                   int operation_flags)
 {
 	Operation *op;
+	char **tmp_attrs = NULL;
 	if (pb == NULL || sdn == NULL)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
@@ -337,7 +341,9 @@ slapi_search_internal_set_pb_ext (Slapi_PBlock *pb, Slapi_DN *sdn,
 	slapi_pblock_set(pb, SLAPI_SEARCH_SCOPE, &scope);
 	slapi_pblock_set(pb, SLAPI_SEARCH_STRFILTER, (void*)filter);
 	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
-	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
+	/* forbidden attrs could be removed in slapi_pblock_set. */
+	tmp_attrs = slapi_ch_array_dup(attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
 	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);
 	if (uniqueid)
 	{
@@ -351,6 +357,7 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
 							  Slapi_ComponentId *plugin_identity, int operation_flags)
 {
 	Operation *op;
+	char **tmp_attrs = NULL;
 	if (pb == NULL || base == NULL)
 	{
 		slapi_log_error(SLAPI_LOG_FATAL, NULL, 
@@ -364,8 +371,10 @@ void slapi_seq_internal_set_pb(Slapi_PBlock *pb, char *base, int type, char *att
 	slapi_pblock_set(pb, SLAPI_SEQ_TYPE, &type);
 	slapi_pblock_set(pb, SLAPI_SEQ_ATTRNAME, attrname);
 	slapi_pblock_set(pb, SLAPI_SEQ_VAL, val);
-    slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, attrs);
-    slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);        
+	/* forbidden attrs could be removed in slapi_pblock_set. */
+	tmp_attrs = slapi_ch_array_dup(attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, tmp_attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRSONLY, &attrsonly);        
 	slapi_pblock_set(pb, SLAPI_CONTROLS_ARG, controls);
 	slapi_pblock_set(pb, SLAPI_PLUGIN_IDENTITY, plugin_identity);
 }
@@ -383,6 +392,7 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	char *base;
 	char *attrname, *val;
 	Slapi_DN *sdn = NULL;
+	char **tmp_attrs = NULL;
 
 	slapi_pblock_get(pb, SLAPI_ORIGINAL_TARGET_DN, (void *)&base );
 	slapi_pblock_get(pb, SLAPI_CONTROLS_ARG, &controls);
@@ -445,6 +455,9 @@ static int seq_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	slapi_pblock_get(pb, SLAPI_SEARCH_TARGET_SDN, &sdn);
 	slapi_sdn_free(&sdn);
 	slapi_pblock_set(pb, SLAPI_SEARCH_TARGET_SDN, NULL);
+	slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+	slapi_ch_array_free(tmp_attrs);
+	slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
 
 	return rc;
 }
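Review bot: The added cleanup frees whatever array is stored under `SLAPI_SEARCH_ATTRS`, with nothing tying it to the copy made by the `*_set_pb` helpers. If a pblock can reach this function with an attribute array the caller still owns (not visible from this hunk), `slapi_ch_array_free(tmp_attrs)` would release memory that was never handed over. Any return taken before these lines would also leave the copy allocated. A comment such as `/* attrs were duplicated in slapi_seq_internal_set_pb; free that copy here */` would at least record the assumption. The same three lines are added after `done:` in `search_internal_callback_pb`. Both functions start outside their hunks.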
@@ -731,6 +744,7 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 	char					  *ifstr;
 	int						  opresult;
 	int						  rc = 0;
+	char **tmp_attrs = NULL;
 
 	PR_ASSERT (pb);
 
@@ -801,10 +815,13 @@ search_internal_callback_pb (Slapi_PBlock *pb, void *callback_data,
 
 done:
     slapi_ch_free((void **) & fstr);
-	if (filter != NULL) 
+    if (filter != NULL) 
     {
         slapi_filter_free(filter, 1 /* recurse */);
     }
+    slapi_pblock_get(pb, SLAPI_SEARCH_ATTRS, &tmp_attrs);
+    slapi_ch_array_free(tmp_attrs);
+    slapi_pblock_set(pb, SLAPI_SEARCH_ATTRS, NULL);
 
     return(rc);
 }
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 50b1cbc..12f11c3 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -1381,15 +1381,18 @@ schema_list_attributes_callback(struct asyntaxinfo *asi, void *arg)
                 return ATTR_SYNTAX_ENUM_NEXT;
         }
         if (aew->flag && (asi->asi_flags & aew->flag)) {
-				charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
+           /* skip unhashed password */
+           if (!is_type_forbidden(asi->asi_name)) {
+                charray_add(&aew->attrs, slapi_ch_strdup(asi->asi_name));
                 if (NULL != asi->asi_aliases) {
-					int		i;
+                    int        i;
 
-					for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
+                    for ( i = 0; asi->asi_aliases[i] != NULL; ++i ) {
                         charray_add(&aew->attrs,
-									slapi_ch_strdup(asi->asi_aliases[i]));
-					}
-				}
+                                    slapi_ch_strdup(asi->asi_aliases[i]));
+                    }
+                }
+            }
         }
         return ATTR_SYNTAX_ENUM_NEXT;
 }
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 75f8e8f..2f0afc7 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -331,6 +331,7 @@ int entry_next_deleted_attribute( const Slapi_Entry *e, Slapi_Attr **a);
 /* entry.c */
 int entry_apply_mods( Slapi_Entry *e, LDAPMod **mods );
 int is_type_protected(const char *type);
+int is_type_forbidden(const char *type);
 
 int slapi_entries_diff(Slapi_Entry **old_entries, Slapi_Entry **new_entries, int testall, const char *logging_prestr, const int force_update, void *plg_id);
 

commit 81a82a5aad746cf42d21a040852c1acbbb30821d
Author: Mark Reynolds <mareynol at redhat.com>
Date:   Wed May 16 17:53:27 2012 -0400

    Ticket 365 - passwords in clear text in the audit log
    
    Bug Description:  after changing a user password, an additional modify is added to the
                      mods: "unhashed#user#password: <clear text password>"
    
                      e.g.  PSEUDO_ATTR_UNHASHEDUSERPASSWORD
    
    Fix Description:  Added new config param "nsslapd-audit-logging-hide-unhashed-pw".
                      The default is "off".  When "on" that single modify op is skipped from
                      the audit logging.
    
    https://fedorahosted.org/389/ticket/365
    
    Reviewed by: Noriko (Thanks!)
    (cherry picked from commit 43fb648fd4d7663c61c7ea7ff649ffddb9cbf006)

diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 9c5ffad..81afe3e 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -55,6 +55,7 @@ char	*attr_changetype	= ATTR_CHANGETYPE;
 char	*attr_newrdn		= ATTR_NEWRDN;
 char	*attr_deleteoldrdn	= ATTR_DELETEOLDRDN;
 char	*attr_modifiersname = ATTR_MODIFIERSNAME;
+static int hide_unhashed_pw = 0;
 
 /* Forward Declarations */
 static void write_audit_file( int optype, const char *dn, void *change, int flag, time_t curtime );
@@ -156,6 +157,10 @@ write_audit_file(
     	for ( j = 0; mods[j] != NULL; j++ )
 		{
 			int operationtype= mods[j]->mod_op & ~LDAP_MOD_BVALUES;
+
+			if((strcmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) && hide_unhashed_pw){
+				continue;
+			}
     	    switch ( operationtype )
 			{
     	    case LDAP_MOD_ADD:
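Review bot: The new test matches the pseudo attribute with `strcmp`, which is case-sensitive, while the `is_type_forbidden` helper elsewhere on this page compares the same name with `strcasecmp`. If a mod can reach this loop with the type spelled in a different case, its clear-text value would still be written to the audit log with hiding switched on. The hunk does not show whether the type is always generated by the server. I would write `if (hide_unhashed_pw && strcasecmp(mods[j]->mod_type, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) {`, which also tests the cheap flag first. `write_audit_file` starts and ends outside the hunk.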
@@ -250,3 +255,15 @@ write_audit_file(
 
     lenstr_free( &l );
 }
+
+void
+auditlog_hide_unhashed_pw()
+{
+	hide_unhashed_pw = 1;
+}
+


