[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'debian-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Thu Sep 27 08:21:45 UTC 2012


 Makefile.am                                               |   25 
 VERSION.sh                                                |    4 
 configure.ac                                              |   15 
 debian/changelog                                          |    7 
 debian/patches/fix-cve-2012-4450.diff                     |  366 ++
 debian/patches/series                                     |    1 
 ldap/admin/src/scripts/DSCreate.pm.in                     |    3 
 ldap/admin/src/scripts/template-cleanallruv.pl.in         |  186 +
 ldap/ldif/50posix-winsync-plugin.ldif                     |   20 
 ldap/schema/01core389.ldif                                |   18 
 ldap/schema/02common.ldif                                 |    3 
 ldap/servers/plugins/automember/automember.c              |   19 
 ldap/servers/plugins/dna/dna.c                            |   12 
 ldap/servers/plugins/linkedattrs/fixup_task.c             |    2 
 ldap/servers/plugins/linkedattrs/linked_attrs.h           |    2 
 ldap/servers/plugins/memberof/memberof.c                  |  345 +-
 ldap/servers/plugins/memberof/memberof.h                  |    2 
 ldap/servers/plugins/posix-winsync/README                 |   50 
 ldap/servers/plugins/posix-winsync/posix-group-func.c     |  484 ++
 ldap/servers/plugins/posix-winsync/posix-group-func.h     |   21 
 ldap/servers/plugins/posix-winsync/posix-group-task.c     |  303 +
 ldap/servers/plugins/posix-winsync/posix-winsync-config.c |  286 +
 ldap/servers/plugins/posix-winsync/posix-winsync.c        | 1700 ++++++++++
 ldap/servers/plugins/posix-winsync/posix-wsp-ident.h      |   51 
 ldap/servers/plugins/referint/referint.c                  |   47 
 ldap/servers/plugins/replication/cl5_api.c                |   75 
 ldap/servers/plugins/replication/cl5_api.h                |    9 
 ldap/servers/plugins/replication/cl5_clcache.c            |   16 
 ldap/servers/plugins/replication/repl.h                   |   14 
 ldap/servers/plugins/replication/repl5.h                  |   65 
 ldap/servers/plugins/replication/repl5_agmt.c             |  213 +
 ldap/servers/plugins/replication/repl5_agmtlist.c         |   15 
 ldap/servers/plugins/replication/repl5_connection.c       |   13 
 ldap/servers/plugins/replication/repl5_inc_protocol.c     |   23 
 ldap/servers/plugins/replication/repl5_init.c             |   46 
 ldap/servers/plugins/replication/repl5_plugins.c          |   21 
 ldap/servers/plugins/replication/repl5_replica.c          |  508 ++-
 ldap/servers/plugins/replication/repl5_replica_config.c   | 2295 ++++++++++----
 ldap/servers/plugins/replication/repl5_ruv.c              |   87 
 ldap/servers/plugins/replication/repl5_ruv.h              |    2 
 ldap/servers/plugins/replication/repl5_tot_protocol.c     |    2 
 ldap/servers/plugins/replication/repl_bind.c              |    1 
 ldap/servers/plugins/replication/repl_connext.c           |  156 
 ldap/servers/plugins/replication/repl_extop.c             |  544 +--
 ldap/servers/plugins/replication/repl_globals.c           |    6 
 ldap/servers/plugins/replication/windows_inc_protocol.c   |    7 
 ldap/servers/plugins/replication/windows_private.c        | 1436 +++++++-
 ldap/servers/plugins/replication/windows_protocol_util.c  |  156 
 ldap/servers/plugins/replication/windows_tot_protocol.c   |    7 
 ldap/servers/plugins/replication/windowsrepl.h            |   11 
 ldap/servers/plugins/replication/winsync-plugin.h         |  653 ---
 ldap/servers/plugins/rootdn_access/rootdn_access.c        |   82 
 ldap/servers/plugins/schema_reload/schema_reload.c        |   11 
 ldap/servers/plugins/syntaxes/nameoptuid.c                |    3 
 ldap/servers/plugins/syntaxes/string.c                    |   63 
 ldap/servers/plugins/uiduniq/plugin-utils.h               |    4 
 ldap/servers/plugins/uiduniq/uid.c                        |   84 
 ldap/servers/plugins/uiduniq/utils.c                      |    6 
 ldap/servers/plugins/usn/usn_cleanup.c                    |    2 
 ldap/servers/slapd/apibroker.c                            |   58 
 ldap/servers/slapd/attr.c                                 |   73 
 ldap/servers/slapd/attrlist.c                             |    6 
 ldap/servers/slapd/attrsyntax.c                           |   83 
 ldap/servers/slapd/back-ldbm/cache.c                      |   24 
 ldap/servers/slapd/back-ldbm/dblayer.c                    |   41 
 ldap/servers/slapd/back-ldbm/index.c                      |    4 
 ldap/servers/slapd/back-ldbm/ldbm_add.c                   |    2 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c                |   22 
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c              |    6 
 ldap/servers/slapd/back-ldbm/ldbm_search.c                |    6 
 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h            |    1 
 ldap/servers/slapd/back-ldbm/start.c                      |   36 
 ldap/servers/slapd/entry.c                                |   39 
 ldap/servers/slapd/entrywsi.c                             |    6 
 ldap/servers/slapd/ldaputil.c                             |   37 
 ldap/servers/slapd/libglobs.c                             |   63 
 ldap/servers/slapd/log.c                                  |   27 
 ldap/servers/slapd/main.c                                 |   13 
 ldap/servers/slapd/opshared.c                             |   31 
 ldap/servers/slapd/pw_mgmt.c                              |    2 
 ldap/servers/slapd/slapi-plugin.h                         |   92 
 ldap/servers/slapd/slapi-private.h                        |    4 
 ldap/servers/slapd/ssl.c                                  |    5 
 ldap/servers/slapd/task.c                                 |   56 
 ldap/servers/slapd/utf8compare.c                          |   19 
 ldap/servers/slapd/value.c                                |   11 
 ldap/servers/slapd/valueset.c                             |    4 
 wrappers/initscript.in                                    |    3 
 88 files changed, 8958 insertions(+), 2424 deletions(-)

New commits:
commit 19c83138b4c0a13838cf02f0627f9e1a5a8749d0
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Thu Sep 27 11:16:37 2012 +0300

    Add fix-cve-2012-4450.diff. (Closes: #688942)

diff --git a/debian/changelog b/debian/changelog
index 93e9cbd..bf0a038 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 389-ds-base (1.2.11.15-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Add fix-cve-2012-4450.diff. (Closes: #688942)
 
  -- Timo Aaltonen <tjaalton at ubuntu.com>  Thu, 27 Sep 2012 11:11:38 +0300
 
diff --git a/debian/patches/fix-cve-2012-4450.diff b/debian/patches/fix-cve-2012-4450.diff
new file mode 100644
index 0000000..35a6a45
--- /dev/null
+++ b/debian/patches/fix-cve-2012-4450.diff
@@ -0,0 +1,366 @@
+commit 7399cbd53d6289df592d3414a84972eacb4dc97d
+Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
+Date:   Fri Sep 21 12:35:18 2012 -0700
+
+    Trac Ticket #340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not
+          evaluated in acl
+    
+    https://fedorahosted.org/389/ticket/340
+    
+    Bug Description: When modrdn operation was executed, only newrdn
+    change was passed to the acl plugin.  Also, the change was used
+    only for the acl search, but not for the acl target in the items
+    in the acl cache.
+    
+    Fix Description: This patch also passes the newsuperior update
+    to the acl plugin.  And the modrdn updates are applied to the
+    acl target in the acl cache.
+    (cherry picked from commit 5beb93d42efb807838c09c5fab898876876f8d09)
+
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
+index 15e474e..3389404 100644
+--- a/ldap/servers/plugins/acl/acl.c
++++ b/ldap/servers/plugins/acl/acl.c
+@@ -170,9 +170,9 @@ acl_access_allowed_modrdn(
+  * Test if have access to make the first rdn of dn in entry e.
+ */
+  
+-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn,
+-						int access) {
+-	
++static int
++check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, int access)
++{
+ 	char **dns;
+ 	char **rdns;
+ 	int retCode = LDAP_INSUFFICIENT_ACCESS;
+@@ -655,7 +655,8 @@ cleanup_and_ret:
+ 	
+ }
+ 
+-static void print_access_control_summary( char *source, int ret_val, char *clientDn,
++static void
++print_access_control_summary( char *source, int ret_val, char *clientDn,
+ 									struct	acl_pblock	*aclpb,
+ 									char *right,
+ 									char *attr,
+@@ -1524,11 +1525,12 @@ acl_check_mods(
+ *
+ **************************************************************************/
+ extern void
+-acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
++acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change)
+ {
+ 	struct  berval	**bvalue;
+ 	char			**value;
+ 	int				rv=0;		/* returned value */
++	const char*     n_dn;
+ 	char*          	new_RDN;
+ 	char*          	parent_DN;
+ 	char*          	new_DN;
+@@ -1537,10 +1539,12 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ 	int				j;
+ 	Slapi_Attr 		*attr = NULL;
+ 	Slapi_Entry		*e = NULL;
+-	Slapi_DN		*e_sdn;
+ 	aclUserGroup	*ugroup = NULL;
+ 	
+-	e_sdn = slapi_sdn_new_normdn_byval ( n_dn );
++	if (NULL == e_sdn) {
++		return;
++	}
++	n_dn = slapi_sdn_get_dn(e_sdn);
+ 	/* Before we proceed, Let's first check if we are changing any groups.
+ 	** If we are, then we need to change the signature
+ 	*/
+@@ -1768,45 +1772,64 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ 		}
+ 
+ 		break;
+-	   }/* case op is modify*/
++	    }/* case op is modify*/
+ 
+-	   case SLAPI_OPERATION_MODRDN:
+-
+-		new_RDN = (char*) change;
+-		slapi_log_error (SLAPI_LOG_ACL, plugin_name, 
+-			   "acl_modified (MODRDN %s => \"%s\"\n", 
+-			   n_dn, new_RDN);
++	    case SLAPI_OPERATION_MODRDN:
++	    {
++		char **rdn_parent;
++		rdn_parent = (char **)change;
++		new_RDN = rdn_parent[0];
++		parent_DN = rdn_parent[1];
+ 
+ 		/* compute new_DN: */
+-		parent_DN = slapi_dn_parent (n_dn);
+-		if (parent_DN == NULL) {
+-			new_DN = new_RDN;
++		if (NULL == parent_DN) {
++			parent_DN = slapi_dn_parent(n_dn);
++		}
++		if (NULL == parent_DN) {
++			if (NULL == new_RDN) {
++				slapi_log_error (SLAPI_LOG_ACL, plugin_name, 
++				                 "acl_modified (MODRDN %s => \"no change\"\n", 
++				                 n_dn);
++				break;
++			} else {
++				new_DN = new_RDN;
++			}
+ 		} else {
+-			new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++			if (NULL == new_RDN) {
++				Slapi_RDN *rdn= slapi_rdn_new();
++				slapi_sdn_get_rdn(e_sdn, rdn);
++				new_DN = slapi_create_dn_string("%s,%s", slapi_rdn_get_rdn(rdn),
++				                                parent_DN);
++				slapi_rdn_free(&rdn);
++			} else {
++				new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++			}
+ 		}
++		slapi_log_error (SLAPI_LOG_ACL, plugin_name, 
++		                 "acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_RDN);
+ 
+ 		/* Change the acls */
+-		acllist_acicache_WRITE_LOCK();		
++		acllist_acicache_WRITE_LOCK();
+ 		/* acllist_moddn_aci_needsLock expects normalized new_DN, 
+ 		 * which is no need to be case-ignored */
+ 		acllist_moddn_aci_needsLock ( e_sdn, new_DN );
+ 		acllist_acicache_WRITE_UNLOCK();
+ 
+ 		/* deallocat the parent_DN */
+-		if (parent_DN != NULL)  {
+-			slapi_ch_free ( (void **) &new_DN );
+-			slapi_ch_free ( (void **) &parent_DN );
++		if (parent_DN != NULL) {
++			slapi_ch_free_string(&new_DN);
++			if (parent_DN != rdn_parent[1]) {
++				slapi_ch_free_string(&parent_DN);
++			}
+ 		}
+ 		break;
+-
+-	   default:
++	    } /* case op is modrdn */
++	    default:
+ 		/* print ERROR */
+ 		break;
+ 	} /*optype switch */
+-		
+-	slapi_sdn_free ( &e_sdn );	
+-
+ }
++
+ /***************************************************************************
+ *
+ * acl__scan_for_acis
+diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
+index 4fa3e3f..28c38e7 100644
+--- a/ldap/servers/plugins/acl/acl.h
++++ b/ldap/servers/plugins/acl/acl.h
+@@ -796,7 +796,8 @@ int  		acl_read_access_allowed_on_attr ( Slapi_PBlock *pb, Slapi_Entry *e, char
+                                   struct berval *val, int access);
+ void 		acl_set_acllist (Slapi_PBlock *pb, int scope, char *base);
+ void 		acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf);
+-void 		acl_modified ( Slapi_PBlock *pb, int optype, char *dn, void *change);
++void 		acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change);
++
+ int 		acl_access_allowed_disjoint_resource( Slapi_PBlock *pb, Slapi_Entry *e,
+ 					char *attr, struct berval *val, int access );
+ int 		acl_access_allowed_main ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs, 
+@@ -866,7 +867,7 @@ void		acllist_print_tree ( Avlnode *root, int *depth, char *start, char *side);
+ AciContainer *acllist_get_aciContainer_new ( );
+ void 		acllist_done_aciContainer (  AciContainer *);
+ 
+-aclUserGroup* aclg_find_userGroup (char *n_dn);
++aclUserGroup* aclg_find_userGroup (const char *n_dn);
+ void 		aclg_regen_ugroup_signature( aclUserGroup *ugroup);
+ void		aclg_markUgroupForRemoval ( aclUserGroup *u_group );
+ void		aclg_reader_incr_ugroup_refcnt(aclUserGroup* u_group);
+diff --git a/ldap/servers/plugins/acl/aclgroup.c b/ldap/servers/plugins/acl/aclgroup.c
+index c694293..2231304 100644
+--- a/ldap/servers/plugins/acl/aclgroup.c
++++ b/ldap/servers/plugins/acl/aclgroup.c
+@@ -213,7 +213,7 @@ aclg_reset_userGroup ( struct acl_pblock *aclpb )
+ */
+ 
+ aclUserGroup*
+-aclg_find_userGroup(char *n_dn)
++aclg_find_userGroup(const char *n_dn)
+ {
+ 	aclUserGroup		*u_group = NULL;	
+ 	int			i;
+diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
+index 9b5363a..e8198af 100644
+--- a/ldap/servers/plugins/acl/acllist.c
++++ b/ldap/servers/plugins/acl/acllist.c
+@@ -600,7 +600,6 @@ void
+ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ {
+ 	Acl_PBlock			*aclpb;
+-	int					i;
+ 	AciContainer		*root;
+ 	char				*basedn = NULL;
+ 	int					index;
+@@ -671,11 +670,6 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ 		aclpb->aclpb_state &= ~ACLPB_SEARCH_BASED_ON_LIST ;
+ 
+ 	acllist_acicache_READ_UNLOCK();
+-
+-	i = 0;
+-	while ( i < aclpb_max_selected_acls && aclpb->aclpb_base_handles_index[i]  != -1 ) {
+-		i++;
+-	}
+ }
+ 
+ /*
+@@ -893,34 +887,50 @@ acllist_acicache_WRITE_LOCK( )
+ int
+ acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn )
+ {
+-
+-
+ 	AciContainer		*aciListHead;
+ 	AciContainer		*head;
++	aci_t *acip;
++	const char *oldndn;
+ 
+ 	/* first get the container */
+ 
+ 	aciListHead =   acllist_get_aciContainer_new ( );
+ 	slapi_sdn_free(&aciListHead->acic_sdn);
+-    aciListHead->acic_sdn = oldsdn;
+-
++	aciListHead->acic_sdn = oldsdn;
+ 
+ 	if ( NULL == (head = (AciContainer *) avl_find( acllistRoot, aciListHead,
+-									(IFP) __acllist_aciContainer_node_cmp ) ) ) {
++	     (IFP) __acllist_aciContainer_node_cmp ) ) ) {
+ 
+ 		slapi_log_error ( SLAPI_PLUGIN_ACL, plugin_name,
+- 						"Can't find the acl in the tree for moddn operation:olddn%s\n",
+-							slapi_sdn_get_ndn ( oldsdn ));
++		         "Can't find the acl in the tree for moddn operation:olddn%s\n",
++		         slapi_sdn_get_ndn ( oldsdn ));
+ 		aciListHead->acic_sdn = NULL;
+ 		__acllist_free_aciContainer ( &aciListHead );
+- 		return 1;
++		return 1;
+ 	}
+ 
+-
+-	/* Now set the new DN */	
+-	slapi_sdn_done ( head->acic_sdn );
+- 	slapi_sdn_set_normdn_byval ( head->acic_sdn, newdn );
+-
++	/* Now set the new DN */
++	slapi_sdn_set_normdn_byval(head->acic_sdn, newdn);
++
++	/* If necessary, reset the target DNs, as well. */
++	oldndn = slapi_sdn_get_ndn(oldsdn);
++	for (acip = head->acic_list; acip; acip = acip->aci_next) {
++		const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn);
++		char *p = PL_strstr(ndn, oldndn);
++		if (p) {
++			if (p == ndn) {
++				/* target dn is identical, replace it with new DN*/
++				slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn);
++			} else {
++				/* target dn is a descendent of olddn, merge it with new DN*/
++				char *mynewdn;
++				*p = '\0';
++				mynewdn = slapi_ch_smprintf("%s%s", ndn, newdn);
++				slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn);
++			}
++		}
++	}
++    
+ 	aciListHead->acic_sdn = NULL;
+ 	__acllist_free_aciContainer ( &aciListHead );
+ 
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 568871f..35c0700 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -2037,7 +2037,7 @@ slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn)
+     slapi_sdn_done(sdn);
+     sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+     if(normdn == NULL) {
+-        sdn->dn = slapi_ch_strdup(normdn);
++        sdn->dn = NULL;
+         sdn->ndn_len = 0;
+     } else {
+         sdn->dn = slapi_ch_strdup(normdn);
+diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c
+index b878156..3bc3f21 100644
+--- a/ldap/servers/slapd/plugin_acl.c
++++ b/ldap/servers/slapd/plugin_acl.c
+@@ -134,11 +134,10 @@ int
+ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ {
+ 	struct slapdplugin	*p;
+-	char 				*dn;
+ 	int					rc = 0;
+-   	void				*change = NULL;
+-   	Slapi_Entry			*te = NULL;
+-    Slapi_DN			*sdn = NULL;
++	void				*change = NULL;
++	Slapi_Entry			*te = NULL;
++	Slapi_DN			*sdn = NULL;
+ 	Operation			*operation;
+ 
+ 	slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
+@@ -146,7 +145,7 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ 	(void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+ 
+ 	switch ( optype ) {
+- 	  case SLAPI_OPERATION_MODIFY:
++	  case SLAPI_OPERATION_MODIFY:
+ 		(void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
+ 		break;
+ 	  case SLAPI_OPERATION_ADD:
+@@ -158,11 +157,27 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ 		}
+ 		break;
+ 	  case SLAPI_OPERATION_MODRDN:
++	  {
++		void *mychange[2];
++		char *newrdn = NULL;
++		Slapi_DN *psdn = NULL;
++		char *pdn = NULL;
++
+ 		/* newrdn: "change" is normalized but not case-ignored */
+ 		/* The acl plugin expects normalized newrdn, but no need to be case-
+ 		 * ignored. */
+-		(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
++		(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
++		(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn );
++		if (psdn) {
++			pdn = (char *)slapi_sdn_get_dn(psdn);
++		} else {
++			(void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn );
++		}
++		mychange[0] = newrdn;
++		mychange[1] = pdn;
++		change = mychange;
+ 		break;
++	  }
+ 	}
+ 	
+ 	if (NULL == sdn) {
+@@ -172,10 +187,9 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ 	}
+ 
+ 	/* call the global plugins first and then the backend specific */
+-	dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
+ 	for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
+ 		if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
+-			rc = (*p->plg_acl_mods_update)(pb, optype, dn, change );
++			rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change );
+ 			if ( rc != LDAP_SUCCESS ) break;
+ 		}
+ 	}
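Review bot: In the embedded acllist.c change, `acllist_moddn_aci_needsLock` locates the renamed DN inside each cached ACI target with `PL_strstr(ndn, oldndn)`, which matches anywhere in the string, so a target that only contains the old DN text, or carries more text after it, is replaced or cut at `*p = '\0'` as if it were the entry or a descendant. Because these cached targets decide which entries an ACI applies to, the rewrite should happen only when the target equals `oldndn` or ends with `,` followed by `oldndn`. The `*p = '\0'` store also writes into the buffer that `slapi_sdn_get_ndn` returned as `const char *`; formatting just the first `p - ndn` bytes of `ndn` ahead of `newdn` would avoid modifying it. Separately, in the plugin_acl.c part `void *mychange[2]` is declared inside the braces of `case SLAPI_OPERATION_MODRDN` while `change = mychange` is passed to `plg_acl_mods_update` after that block has closed, so the array should be declared at function scope. Both functions continue outside the lines shown.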
diff --git a/debian/patches/series b/debian/patches/series
index 4c983c0..498a070 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 default_user
+fix-cve-2012-4450.diff

commit 6c3a0601f7dcccf8cb4f432f25b2967700f85c28
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Thu Sep 27 11:14:23 2012 +0300

    bump the changelog

diff --git a/debian/changelog b/debian/changelog
index ff514b4..93e9cbd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+389-ds-base (1.2.11.15-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Timo Aaltonen <tjaalton at ubuntu.com>  Thu, 27 Sep 2012 11:11:38 +0300
+
 389-ds-base (1.2.11.7-5) unstable; urgency=low
 
   * control: Drop debconf-utils and po-debconf from build-depends.

commit cf42a2f2523bdd06ced9a1d349242c373f720654
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Sep 25 10:16:09 2012 -0600

    bump version to 1.2.11.15

diff --git a/VERSION.sh b/VERSION.sh
index 5062025..8584891 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=2
-VERSION_MAINT=11.14
+VERSION_MAINT=11.15
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 03d1cbd785fbc4f193b4aa33b40ebfc9c8e39e69
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Mon Sep 24 17:24:18 2012 -0700

    Trac Ticket #470 - 389 prevents from adding a posixaccount
        with userpassword after schema reload
    
    https://fedorahosted.org/389/ticket/470
    
    Bug description: The schema reload task reloads the schema files in
    the schema directory.  In addition to those, DS has several internal
    schema which are not stored in a schema file, and these were lost
    after the schema reload task was executed.  One of them,
    unhashed#user#password, was necessary for adding a posixaccount.
    
    Fix description: When registering an internal schema, the schema
    is stashed in a hash table.  When schema reload is executed, the
    internal schema are reloaded with the external schema.
    (cherry picked from commit 628e2b353e2dd6ac6aaac39067667ed27cacfb59)

diff --git a/ldap/servers/plugins/schema_reload/schema_reload.c b/ldap/servers/plugins/schema_reload/schema_reload.c
index 82d8e2e..efc0de2 100644
--- a/ldap/servers/plugins/schema_reload/schema_reload.c
+++ b/ldap/servers/plugins/schema_reload/schema_reload.c
@@ -170,6 +170,13 @@ schemareload_thread(void *arg)
             slapi_task_log_notice(task, "Schema reload task finished.");
             slapi_task_log_status(task, "Schema reload task finished.");
             slapi_log_error(SLAPI_LOG_FATAL, "schemareload", "Schema reload task finished.\n");
+
+            slapi_log_error(SLAPI_LOG_FATAL, "schemareload",
+                            "Register internal schema.\n");
+            rv = slapi_reload_internal_attr_syntax();
+            slapi_log_error(SLAPI_LOG_FATAL, "schemareload",
+                            "Register internal schema finished.\n");
+
         } else {
             slapi_task_log_notice(task, "Schema reload task failed.");
             slapi_task_log_status(task, "Schema reload task failed.");
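Review bot: The task is reported as finished (`slapi_task_log_status(task, "Schema reload task finished.")`) before `slapi_reload_internal_attr_syntax()` runs, and the value stored in `rv` is not examined inside this hunk, so a failed re-registration would still show a successful task unless code after the hunk checks it. Moving the re-registration ahead of the "finished" messages, and logging a failure when `rv` is non-zero, would keep the task status truthful. `schemareload_thread` starts and ends outside the hunk.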
@@ -209,8 +216,8 @@ schemareload_destructor(Slapi_Task *task)
     if (task) {
         task_data *mydata = (task_data *)slapi_task_get_data(task);
         if (mydata) {
-	        slapi_ch_free_string(&mydata->schemadir);
-	        slapi_ch_free_string(&mydata->bind_dn);
+            slapi_ch_free_string(&mydata->schemadir);
+            slapi_ch_free_string(&mydata->bind_dn);
             /* Need to cast to avoid a compiler warning */
             slapi_ch_free((void **)&mydata);
         }
diff --git a/ldap/servers/slapd/attrsyntax.c b/ldap/servers/slapd/attrsyntax.c
index 62dfea1..ff137a8 100644
--- a/ldap/servers/slapd/attrsyntax.c
+++ b/ldap/servers/slapd/attrsyntax.c
@@ -56,6 +56,7 @@
 static PLHashTable *oid2asi = NULL;
 /* read/write lock to protect table */
 static Slapi_RWLock *oid2asi_lock = NULL;
+static PLHashTable *internalasi = NULL;
 
 /*
  * This hashtable maps the name or alias of the attribute to the
@@ -911,13 +912,23 @@ attr_syntax_enumerate_internal(PLHashEntry *he, PRIntn i, void *arg)
 	return rc;
 }
 
-void
-attr_syntax_enumerate_attrs(AttrEnumFunc aef, void *arg, PRBool writelock )
+static void
+attr_syntax_enumerate_attrs_ext( PLHashTable *ht,
+                                 AttrEnumFunc aef, void *arg )
 {
 	struct enum_arg_wrapper eaw;
 	eaw.aef = aef;
 	eaw.arg = arg;
 
+	if (!ht)
+		return;
+
+	PL_HashTableEnumerateEntries(ht, attr_syntax_enumerate_internal, &eaw);
+}
+
+void
+attr_syntax_enumerate_attrs(AttrEnumFunc aef, void *arg, PRBool writelock )
+{
 	if (!oid2asi)
 		return;
 
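Review bot: `attr_syntax_enumerate_attrs_ext` takes no lock on the table it walks and carries no comment saying so. `attr_syntax_enumerate_attrs` calls it between its `AS_LOCK_*`/`AS_UNLOCK_*` pairs, but the `internalasi` caller added further down in this commit calls it bare. A header comment such as `/* Enumerate ht; the caller is responsible for any locking of ht. */` would make that contract visible. As a smaller style point, `eaw` could be filled in after the `if (!ht)` guard, and the guard braced like the other new code in this file. `attr_syntax_enumerate_attrs` continues past the end of the hunk.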
@@ -929,7 +940,7 @@ attr_syntax_enumerate_attrs(AttrEnumFunc aef, void *arg, PRBool writelock )
 		AS_LOCK_READ(name2asi_lock);
 	}
 
-	PL_HashTableEnumerateEntries(oid2asi, attr_syntax_enumerate_internal, &eaw);
+	attr_syntax_enumerate_attrs_ext(oid2asi, aef, arg);
 
 	if ( writelock ) {
 		AS_UNLOCK_WRITE(oid2asi_lock);
@@ -1076,6 +1087,36 @@ slapi_attr_syntax_exists(const char *attr_name)
 }
 
 /*
+ * Keep the internally added schema in the hash table,
+ * which are re-added if the schema is reloaded.
+ */
+static int
+attr_syntax_internal_asi_add_ht(struct asyntaxinfo *asip)
+{
+	if (!internalasi) {
+		internalasi = PL_NewHashTable(64, hashNocaseString,
+		                              hashNocaseCompare,
+		                              PL_CompareValues, 0, 0);
+	}
+	if (!internalasi) {
+		slapi_log_error(SLAPI_LOG_FATAL, "attr_syntax_internal_asi_add_ht",
+		                "Failed to create HashTable.\n");
+		return 1;
+	}
+	if (!PL_HashTableLookup(internalasi, asip->asi_oid)) {
+		struct asyntaxinfo *asip_copy = attr_syntax_dup(asip);
+		if (!asip_copy) {
+			slapi_log_error(SLAPI_LOG_FATAL, "attr_syntax_internal_asi_add_ht",
+		                    "Failed to duplicate asyntaxinfo: %s.\n",
+		                    asip->asi_name);
+			return 1;
+		}
+		PL_HashTableAdd(internalasi, asip_copy->asi_oid, asip_copy);
+	}
+	return 0;
+}
+
+/*
  * Add an attribute syntax using some default flags, etc.
  * Returns an LDAP error code (LDAP_SUCCESS if all goes well)
  */
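Review bot: The result of `PL_HashTableAdd(internalasi, asip_copy->asi_oid, asip_copy)` is ignored in `attr_syntax_internal_asi_add_ht`, so a failed insert still returns 0 and, as far as this hunk shows, leaves `asip_copy` unreferenced. Testing the return value, releasing the copy and returning 1 on failure would let the caller's "Failed to stash" message fire. `asip` and `asip->asi_oid` are also dereferenced without a NULL check. The lazy creation of `internalasi` is not guarded by a lock the way `oid2asi` is; if registrations can come from more than one thread (not visible here), that needs either a lock or a comment stating why it is safe.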
@@ -1106,7 +1147,43 @@ slapi_add_internal_attr_syntax( const char *name, const char *oid,
 
 	if ( rc == LDAP_SUCCESS ) {
 		rc = attr_syntax_add( asip );
+		if ( rc == LDAP_SUCCESS ) {
+			if (attr_syntax_internal_asi_add_ht(asip)) {
+				slapi_log_error(SLAPI_LOG_FATAL,
+				                "slapi_add_internal_attr_syntax",
+				                "Failed to stash internal asyntaxinfo: %s.\n",
+				                asip->asi_name);
+			}
+		}
 	}
 
 	return rc;
 }
+
+/* Adding internal asyncinfo via slapi_reload_internal_attr_syntax */
+static int
+attr_syntax_internal_asi_add(struct asyntaxinfo *asip, void *arg)
+{
+	struct asyntaxinfo *asip_copy;
+	if (!asip) {
+		return 1;
+	}
+	/* Copy is needed since when reloading the schema,
+	 * existing syntax info is cleaned up. */
+	asip_copy = attr_syntax_dup(asip);
+	return attr_syntax_add(asip_copy);
+}
+
+/* Reload internal attribute syntax stashed in the internalasi hashtable. */
+int
+slapi_reload_internal_attr_syntax()
+{
+	int rc = LDAP_SUCCESS;
+	if (!internalasi) {
+		slapi_log_error(SLAPI_LOG_TRACE, "attr_reload_internal_attr_syntax",
+		                "No internal attribute syntax to reload.\n");
+		return rc;
+	}
+	attr_syntax_enumerate_attrs_ext(internalasi, attr_syntax_internal_asi_add, NULL);
+	return rc;
+}
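Review bot: `slapi_reload_internal_attr_syntax` returns `LDAP_SUCCESS` on every path, because whatever `attr_syntax_internal_asi_add` returns for an entry is not carried back out of `attr_syntax_enumerate_attrs_ext`, which is `void`; the header documents a non-zero return on failure and the schema-reload caller stores the result in `rv`. `attr_syntax_internal_asi_add` also hands the result of `attr_syntax_dup(asip)` to `attr_syntax_add` without the NULL check that `attr_syntax_internal_asi_add_ht` performs; `if (!asip_copy) return 1;` before the add would match it. One way to report failures is to pass a pointer to `rc` as the enumeration `arg` and have the callback record the first failing result there. The log tag `"attr_reload_internal_attr_syntax"` does not match the function name, and the comment above the callback says "asyncinfo" where `asyntaxinfo` is meant.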
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index a9d7dfe..4316833 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -4871,6 +4871,15 @@ void slapi_filter_normalize(Slapi_Filter *f, PRBool norm_values);
  */
 int slapi_attr_syntax_exists(const char *type);
 
+/**
+ * Reload internally registered attribute syntaxes.
+ *
+ * \param none
+ * \return \c 0 if the reload was successful.
+ * \return non-0 if the reload failed.
+ */
+int slapi_reload_internal_attr_syntax();
+
 /*
  * slapi_filter_apply() is used to apply a function to each simple filter
  * component within a complex filter.  A 'simple filter' is anything other
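Review bot: The new public prototype `int slapi_reload_internal_attr_syntax();` uses an empty parameter list, which in C declares a function with unspecified arguments rather than none, so a call with stray arguments would not be diagnosed; `int slapi_reload_internal_attr_syntax(void);` (and the same in the definition in attrsyntax.c) states the intent. The `\param none` line can then be dropped, since there is no parameter to document.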

commit 535511db8738e320c9305442c863b8a7ec11401f
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Mon Sep 24 13:22:09 2012 -0400

    Ticket 477 - CLEANALLRUV if there are only winsync agmts task will hang
    
    Bug Description:  If there are only winsync agmts, the task will loop forever.
    
    Fix Description:  Need to clear a flag after skipping over invalid agmts.  The same issue
                      would apply for agmts that were all disabled.
    
    https://fedorahosted.org/389/ticket/477
    
    Reviewed by: richm(Thanks!)
    (cherry picked from commit 47c44d4e61723bb3013e614c1dafce5b37694e3c)

diff --git a/ldap/servers/plugins/replication/repl5_replica_config.c b/ldap/servers/plugins/replication/repl5_replica_config.c
index 9d47100..c5ca965 100644
--- a/ldap/servers/plugins/replication/repl5_replica_config.c
+++ b/ldap/servers/plugins/replication/repl5_replica_config.c
@@ -1552,6 +1552,7 @@ replica_cleanallruv_thread(void *arg)
             agmt = (Repl_Agmt*)object_get_data (agmt_obj);
             if(!agmt_is_enabled(agmt) || get_agmt_agreement_type(agmt) == REPLICA_TYPE_WINDOWS){
                 agmt_obj = agmtlist_get_next_agreement_for_replica (data->replica, agmt_obj);
+                agmt_not_notified = 0;
                 continue;
             }
             if(replica_cleanallruv_send_extop(agmt, data->rid, data->task, data->payload, 1) == 0){
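Review bot: The added `agmt_not_notified = 0;` clears the loop flag whenever an agreement is skipped, and there is no comment saying why or what guarantees that a failure recorded for an earlier agreement in the same pass is not erased by it. If the failure path after the skip always leaves the loop (that code is outside the hunk), the reset is safe, and a short comment such as `/* skipped agreements must not keep the task waiting */` would record that dependency. The same applies to `found_dirty_rid = 0;` in the next hunk of `replica_cleanallruv_thread`, `not_all_caughtup = 0;` in `check_agmts_are_caught_up`, `not_all_alive = 0;` in `check_agmts_are_alive` and `agmt_not_notified = 0;` in `replica_abort_task_thread`.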
@@ -1605,6 +1606,7 @@ replica_cleanallruv_thread(void *arg)
             agmt = (Repl_Agmt*)object_get_data (agmt_obj);
             if(!agmt_is_enabled(agmt)  || get_agmt_agreement_type(agmt) == REPLICA_TYPE_WINDOWS){
                 agmt_obj = agmtlist_get_next_agreement_for_replica (data->replica, agmt_obj);
+                found_dirty_rid = 0;
                 continue;
             }
             if(replica_cleanallruv_check_ruv(agmt, rid_text, data->task) == 0){
@@ -1698,6 +1700,7 @@ check_agmts_are_caught_up(Replica *replica, ReplicaId rid, char *maxcsn, Slapi_T
             agmt = (Repl_Agmt*)object_get_data (agmt_obj);
             if(!agmt_is_enabled(agmt) || get_agmt_agreement_type(agmt) == REPLICA_TYPE_WINDOWS){
                 agmt_obj = agmtlist_get_next_agreement_for_replica (replica, agmt_obj);
+                not_all_caughtup = 0;
                 continue;
             }
             if(replica_cleanallruv_check_maxcsn(agmt, rid_text, maxcsn, task) == 0){
@@ -1753,6 +1756,7 @@ check_agmts_are_alive(Replica *replica, ReplicaId rid, Slapi_Task *task)
             agmt = (Repl_Agmt*)object_get_data (agmt_obj);
             if(!agmt_is_enabled(agmt) || get_agmt_agreement_type(agmt) == REPLICA_TYPE_WINDOWS){
                 agmt_obj = agmtlist_get_next_agreement_for_replica (replica, agmt_obj);
+                not_all_alive = 0;
                 continue;
             }
             if(replica_cleanallruv_replica_alive(agmt) == 0){
@@ -2364,6 +2368,7 @@ replica_abort_task_thread(void *arg)
             agmt = (Repl_Agmt*)object_get_data (agmt_obj);
             if(!agmt_is_enabled(agmt) || get_agmt_agreement_type(agmt) == REPLICA_TYPE_WINDOWS){
                 agmt_obj = agmtlist_get_next_agreement_for_replica (data->replica, agmt_obj);
+                agmt_not_notified = 0;
                 continue;
             }
             if(replica_cleanallruv_send_abort_extop(agmt, data->task, data->payload)){

commit 969bf99e098e569e52c191177861b03124ce672f
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Mon Sep 24 12:34:59 2012 -0400

    Ticket 457 - dirsrv init script returns 0 even when few or all instances fail to start
    
    Bug Description:  We don't return an error code when one or more instances fails to start.
    
    Fix Description:  Return error 1 when an instance fails to start.
    
    https://fedorahosted.org/389/ticket/457
    
    Reviewed by: richm(Thanks!)
    (cherry picked from commit ef48c93ded0f766d8dab679b976ca032d6297c32)

diff --git a/wrappers/initscript.in b/wrappers/initscript.in
index da5f6bb..7601784 100644
--- a/wrappers/initscript.in
+++ b/wrappers/initscript.in
@@ -264,7 +264,8 @@ start() {
         [ -x /sbin/restorecon ] && /sbin/restorecon $lockfile
     fi
     if [ $errors -ge 1 ]; then
-        echo "  *** Warning: $errors instance(s) failed to start"
+        echo "  *** Error: $errors instance(s) failed to start"
+        exit 1
     fi
 }
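Review bot: The added `exit 1` ends the whole script from inside `start()`, so a caller that runs further steps after `start` never reaches them. `return 1` would hand the failure back and leave the exit status to the script's dispatch code. The call sites and the beginning of `start()` are outside this hunk, so confirm that each caller propagates the status, for instance with `start || exit 1` (constructed example). The message also still goes to stdout; `echo "  *** Error: $errors instance(s) failed to start" >&2` would keep it out of captured output.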
 

commit 162f4b104d431523b5458f866776431fab486c7a
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Mon Sep 24 09:56:50 2012 -0700

    Undo commit db792dbc7141b03bd33b710b79ed0942c34d6530
    
    This ticket should not be applied to 389-ds-base-1.2.11 branch:
        Trac Ticket #466 - entry_apply_mod - ADD: Failed to set
                           unhashed#user#password to extension

diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index f696563..84ce01d 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -1164,13 +1164,6 @@ main( int argc, char **argv)
 		/* init the thread data index for bind dn's */
 		slapi_td_dn_init();
 
-		/* 
-		 * Initialize password storage in entry extension.
-		 * Need to be initialized before plugin_startall in case stucked
-		 * changes are replicated as soon as the replication plugin is started.
-		 */
-		pw_exp_init ();
-
 		plugin_print_lists();
 		plugin_startall(argc, argv, 1 /* Start Backends */, 1 /* Start Globals */); 
 		if (housekeeping_start((time_t)0, NULL) == NULL) {
diff --git a/ldap/servers/slapd/pw_mgmt.c b/ldap/servers/slapd/pw_mgmt.c
index 22d49b7..f173128 100644
--- a/ldap/servers/slapd/pw_mgmt.c
+++ b/ldap/servers/slapd/pw_mgmt.c
@@ -309,8 +309,7 @@ pw_init ( void ) {
 	                                OCTETSTRING_SYNTAX_OID, 0, 
 	                                /* Clients don't need to directly modify
 	                                 * PSEUDO_ATTR_UNHASHEDUSERPASSWORD */
-	                                SLAPI_ATTR_FLAG_NOUSERMOD|
-	                                SLAPI_ATTR_FLAG_NOEXPOSE);
+	                                SLAPI_ATTR_FLAG_NOUSERMOD);
 }
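Review bot: With `SLAPI_ATTR_FLAG_NOEXPOSE` dropped, the call in `pw_init` leaves only `SLAPI_ATTR_FLAG_NOUSERMOD` on PSEUDO_ATTR_UNHASHEDUSERPASSWORD, and the remaining comment speaks only about clients modifying the attribute, not about reading it. The attribute name suggests it carries the clear-text password, so a maintainer needs to know what keeps it out of returned entries and logs on this branch. That code is not visible here, and pw_init starts outside the hunk. I would record the decision next to the flag, e.g. `/* NOEXPOSE is deliberately not set on this branch: Ticket #466 is not applied to 1.2.11 */`, and confirm that the value is filtered before entries are sent to clients.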
 
 

commit 3383f6718cbfcf597d812557b1167a2a178162cd
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Fri Sep 21 18:17:26 2012 -0400

    Ticket 473 - change VERSION.sh to have console version be major.minor
    
    Removed ".6" from the console version
    
    https://fedorahosted.org/389/ticket/473
    
    Reviewed by: richm(Thanks!)

diff --git a/VERSION.sh b/VERSION.sh
index 757c49f..5062025 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -50,4 +50,4 @@ PACKAGE_BUGREPORT="${PACKAGE_BUGREPORT}enter_bug.cgi?product=$brand"
 PACKAGE_STRING="$PACKAGE_TARNAME $PACKAGE_VERSION"
 # the version of the ds console package that this directory server
 # is compatible with
-CONSOLE_VERSION=$VERSION_MAJOR.$VERSION_MINOR.6
+CONSOLE_VERSION=$VERSION_MAJOR.$VERSION_MINOR

commit 7733afd87119b46cd56e70c4b6fff7b0c67161bb
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Fri Sep 21 18:12:40 2012 -0400

    Ticket 475 - Root DN Access Control - improve value checking for config
    
    Bug Description:  Plugin was not checking the time values, and the "allowed-days"
    
    Fix Description:  Make sure the open and close times are within 0000-2359, and make
                      sure that each day in "rootdn-days-allowed" is a valid day.
    
    https://fedorahosted.org/389/ticket/475
    
    Reviewed by: noriko(Thanks!)

diff --git a/ldap/servers/plugins/rootdn_access/rootdn_access.c b/ldap/servers/plugins/rootdn_access/rootdn_access.c
index bae2703..ad1e125 100644
--- a/ldap/servers/plugins/rootdn_access/rootdn_access.c
+++ b/ldap/servers/plugins/rootdn_access/rootdn_access.c
@@ -219,8 +219,10 @@ rootdn_load_config(Slapi_PBlock *pb)
     Slapi_Entry *e = NULL;
     char *openTime = NULL;
     char *closeTime = NULL;
+    char *token, *iter, *copy;
     char hour[3], min[3];
     int result = 0;
+    int time;
     int i;
 
     slapi_log_error(SLAPI_LOG_PLUGIN, ROOTDN_PLUGIN_SUBSYSTEM, "--> rootdn_load_config\n");
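Review bot: The new local `int time;` has the same name as the standard `time()` function, so inside rootdn_load_config the identifier no longer refers to the function, and builds with `-Wshadow` will warn if `<time.h>` is in scope for this file (not visible here). A name that says what is stored reads better in the range checks added further down, for example `int hhmm;` with `hhmm = atoi(openTime);`. The function body continues outside the hunk.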
@@ -240,19 +242,41 @@ rootdn_load_config(Slapi_PBlock *pb)
          *  Validate out settings
          */
         if(daysAllowed){
-            if(strcspn(daysAllowed, "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ,")){
+            daysAllowed = strToLower(daysAllowed);
+            if(strcspn(daysAllowed, "abcdefghijklmnopqrstuvwxyz ,")){
                 slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
-                    "invalid rootdn-days-allowed value (%s), must be all letters, and comma separators\n",closeTime);
+                    "invalid rootdn-days-allowed value (%s), must be all letters, and comma separators\n", daysAllowed);
                 slapi_ch_free_string(&daysAllowed);
                 result = -1;
                 goto free_and_return;
             }
-            daysAllowed = strToLower(daysAllowed);
+            /* make sure the "days" are valid "days" */
+            copy = slapi_ch_strdup(daysAllowed);
+            token = ldap_utf8strtok_r(copy, ", ", &iter);
+            while(token){
+                if(strstr("mon tue wed thu fri sat sun",token) == 0){
+                    slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
+                        "invalid rootdn-days-allowed day value(%s), must be \"Mon, Tue, Wed, Thu, Fri, Sat, or Sun\".\n", token);
+                    slapi_ch_free_string(&daysAllowed);
+                    slapi_ch_free_string(&copy);
+                    result = -1;
+                    goto free_and_return;
+                }
+                token = ldap_utf8strtok_r(iter, ", ", &iter);
+            }
+            slapi_ch_free_string(&copy);
         }
         if(openTime){
             if (strcspn(openTime, "0123456789")){
                 slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
-                    "invalid rootdn-open-time value (%s), must be all digits\n",openTime);
+                    "invalid rootdn-open-time value (%s), must be all digits\n", openTime);
+                result = -1;
+                goto free_and_return;
+            }
+            time = atoi(openTime);
+            if(time > 2359 || time < 0){
+                slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
+                    "invalid value for rootdn-open-time value (%s), value must be between 0000-2359\n", openTime);
                 result = -1;
                 goto free_and_return;
             }
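Review bot: The character-set checks do not validate the whole string: `strcspn(s, set)` returns the length of the leading run of characters that are not in `set`, so it is non-zero only when the first character is invalid, and a value such as `12ab` passes the "must be all digits" test. `strspn` is the call that fits, e.g. `if(openTime[strspn(openTime, "0123456789")] != '\0'){`; the same applies to the `daysAllowed` test added at the top of this hunk and to the `closeTime` test in the next hunk. The new day check has a related gap, because `strstr("mon tue wed thu fri sat sun",token)` accepts any substring such as `on` or `u`; `if(strlen(token) != 3 || strstr("mon tue wed thu fri sat sun", token) == NULL){` restricts it to the seven names. These settings restrict when the root DN may be used, so a malformed value that is accepted silently may leave a different policy in force than the administrator intended. rootdn_load_config starts and ends outside the hunk.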
@@ -272,13 +296,20 @@ rootdn_load_config(Slapi_PBlock *pb)
         if(closeTime){
             if (strcspn(closeTime, "0123456789")){
                 slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
-                    "invalid rootdn-open-time value (%s), must be all digits, and should be HHMM\n",closeTime);
+                    "invalid rootdn-close-time value (%s), must be all digits, and should be HHMM\n",closeTime);
+                result = -1;
+                goto free_and_return;
+            }
+            time = atoi(closeTime);
+            if(time > 2359 || time < 0){
+            	slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
+                    "invalid value for rootdn-close-time value (%s), value must be between 0000-2359\n", closeTime);
                 result = -1;
                 goto free_and_return;
             }
             if(strlen(closeTime) != 4){
                 slapi_log_error(SLAPI_LOG_FATAL, ROOTDN_PLUGIN_SUBSYSTEM, "rootdn_load_config: "
-                    "invalid format for rootdn-open-time value (%s), should be HHMM\n", closeTime);
+                    "invalid format for rootdn-close-time value (%s), should be HHMM\n", closeTime);
                 result = -1;
                 goto free_and_return;
             }
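Review bot: The new range test `time > 2359 || time < 0` still accepts values whose minute part is 60-99, for example `1275`, and it runs before the `strlen(closeTime) != 4` check, so `atoi` is applied to input whose length has not yet been verified. Adding the minute bound, `if(time > 2359 || time < 0 || time % 100 > 59){`, and moving the length check above the conversion would close both gaps; the openTime test in the previous hunk has the same range gap. Whether the later hour/minute parsing catches such values is not visible in the hunk, which ends inside rootdn_load_config.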
@@ -661,7 +692,7 @@ char *
 strToLower(char *str){
     int i;
 
-    for(i = 0; i < strlen(str); i++){
+    for(i = 0; str && i < strlen(str); i++){
         str[i] = tolower(str[i]);
     }
     return str;
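Review bot: `tolower(str[i])` is passed a plain `char`, which is undefined for negative values, and the strings lowered here are configuration values that the same file tokenizes with `ldap_utf8strtok_r`, so bytes above 0x7f are plausible; `str[i] = tolower((unsigned char)str[i]);` avoids that. The added `str &&` guard is re-evaluated on every iteration together with `strlen(str)`; an early `if(str == NULL){ return NULL; }` followed by `for(i = 0; str[i] != '\0'; i++){` does the same work once. The closing brace of strToLower lies outside the hunk.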

commit db792dbc7141b03bd33b710b79ed0942c34d6530
Author: Noriko Hosoi <nhosoi at totoro.usersys.redhat.com>
Date:   Fri Sep 21 14:12:15 2012 -0700

    Trac Ticket #466 - entry_apply_mod - ADD: Failed to set
        unhashed#user#password to extension


