[Pkg-fedora-ds-maintainers] 389-ds-base: Changes to 'debian-unstable'

Timo Aaltonen tjaalton-guest at alioth.debian.org
Sat Oct 19 09:06:22 UTC 2013


 Makefile.am                                              |   31 
 VERSION.sh                                               |   12 
 configure.ac                                             |    5 
 debian/changelog                                         |    2 
 ldap/admin/src/logconv.pl                                | 2086 ++++++--------
 ldap/admin/src/scripts/50contentsync.ldif                |   22 
 ldap/admin/src/scripts/60upgradeconfigfiles.pl           |   69 
 ldap/admin/src/scripts/DSCreate.pm.in                    |   62 
 ldap/admin/src/scripts/setup-ds.res.in                   |    4 
 ldap/ldif/template-dse.ldif.in                           |   37 
 ldap/schema/01core389.ldif                               |    3 
 ldap/schema/02common.ldif                                |    8 
 ldap/schema/10dna-plugin.ldif                            |   38 
 ldap/schema/slapd-collations.conf                        |  234 +
 ldap/servers/plugins/acctpolicy/acct_util.c              |    2 
 ldap/servers/plugins/acl/acl.c                           |   54 
 ldap/servers/plugins/acl/acl.h                           |   16 
 ldap/servers/plugins/acl/acl_ext.c                       |   18 
 ldap/servers/plugins/acl/aclinit.c                       |    2 
 ldap/servers/plugins/acl/acllas.c                        |   19 
 ldap/servers/plugins/acl/acllist.c                       |    9 
 ldap/servers/plugins/acl/aclparse.c                      |   97 
 ldap/servers/plugins/automember/automember.c             |   40 
 ldap/servers/plugins/collation/collate.c                 |    9 
 ldap/servers/plugins/cos/cos_cache.c                     |    2 
 ldap/servers/plugins/dna/dna.c                           |  265 +
 ldap/servers/plugins/linkedattrs/fixup_task.c            |   81 
 ldap/servers/plugins/linkedattrs/linked_attrs.c          |    3 
 ldap/servers/plugins/linkedattrs/linked_attrs.h          |    2 
 ldap/servers/plugins/mep/mep.c                           |   11 
 ldap/servers/plugins/posix-winsync/posix-group-func.c    |   32 
 ldap/servers/plugins/posix-winsync/posix-group-task.c    |    3 
 ldap/servers/plugins/posix-winsync/posix-winsync.c       |  259 +
 ldap/servers/plugins/referint/referint.c                 |    7 
 ldap/servers/plugins/replication/cl5.h                   |    1 
 ldap/servers/plugins/replication/cl5_api.c               |   90 
 ldap/servers/plugins/replication/cl5_api.h               |    3 
 ldap/servers/plugins/replication/cl5_config.c            |   29 
 ldap/servers/plugins/replication/cl5_init.c              |    2 
 ldap/servers/plugins/replication/repl5.h                 |    6 
 ldap/servers/plugins/replication/repl5_agmt.c            |    4 
 ldap/servers/plugins/replication/repl5_agmtlist.c        |    9 
 ldap/servers/plugins/replication/repl5_connection.c      |   31 
 ldap/servers/plugins/replication/repl5_init.c            |    3 
 ldap/servers/plugins/replication/repl5_plugins.c         |   33 
 ldap/servers/plugins/replication/repl5_replica.c         |   98 
 ldap/servers/plugins/replication/repl5_replica_config.c  |  396 +-
 ldap/servers/plugins/replication/repl5_ruv.c             |  108 
 ldap/servers/plugins/replication/repl5_ruv.h             |    3 
 ldap/servers/plugins/replication/repl_extop.c            |   64 
 ldap/servers/plugins/replication/repl_globals.c          |    5 
 ldap/servers/plugins/replication/repl_shared.h           |    2 
 ldap/servers/plugins/replication/replutil.c              |   12 
 ldap/servers/plugins/replication/windows_connection.c    |  255 +
 ldap/servers/plugins/replication/windows_inc_protocol.c  |    4 
 ldap/servers/plugins/replication/windows_private.c       |  689 ++++
 ldap/servers/plugins/replication/windows_protocol_util.c | 1361 ++++++---
 ldap/servers/plugins/replication/windows_tot_protocol.c  |  125 
 ldap/servers/plugins/replication/windowsrepl.h           |   23 
 ldap/servers/plugins/retrocl/retrocl.c                   |   16 
 ldap/servers/plugins/retrocl/retrocl.h                   |    1 
 ldap/servers/plugins/retrocl/retrocl_po.c                |   34 
 ldap/servers/plugins/roles/roles_cache.c                 |   61 
 ldap/servers/plugins/roles/roles_cache.h                 |    2 
 ldap/servers/plugins/sync/sync.h                         |  196 +
 ldap/servers/plugins/sync/sync_init.c                    |  174 +
 ldap/servers/plugins/sync/sync_persist.c                 |  693 ++++
 ldap/servers/plugins/sync/sync_refresh.c                 |  737 +++++
 ldap/servers/plugins/sync/sync_util.c                    |  702 ++++
 ldap/servers/plugins/uiduniq/7bit.c                      |   82 
 ldap/servers/plugins/whoami/whoami.c                     |  145 +
 ldap/servers/slapd/agtmmap.c                             |    3 
 ldap/servers/slapd/agtmmap.h                             |    2 
 ldap/servers/slapd/attr.c                                |    6 
 ldap/servers/slapd/attrsyntax.c                          |   56 
 ldap/servers/slapd/auth.c                                |    2 
 ldap/servers/slapd/back-ldbm/ancestorid.c                |    2 
 ldap/servers/slapd/back-ldbm/archive.c                   |   50 
 ldap/servers/slapd/back-ldbm/back-ldbm.h                 |   20 
 ldap/servers/slapd/back-ldbm/dbhelp.c                    |   53 
 ldap/servers/slapd/back-ldbm/dblayer.c                   |  423 ++-
 ldap/servers/slapd/back-ldbm/dblayer.h                   |    3 
 ldap/servers/slapd/back-ldbm/dbversion.c                 |   29 
 ldap/servers/slapd/back-ldbm/filterindex.c               |   53 
 ldap/servers/slapd/back-ldbm/id2entry.c                  |    4 
 ldap/servers/slapd/back-ldbm/idl.c                       |   24 
 ldap/servers/slapd/back-ldbm/idl_new.c                   |   33 
 ldap/servers/slapd/back-ldbm/import-threads.c            |    2 
 ldap/servers/slapd/back-ldbm/index.c                     |  135 
 ldap/servers/slapd/back-ldbm/ldbm_add.c                  |    8 
 ldap/servers/slapd/back-ldbm/ldbm_attr.c                 |  496 +++
 ldap/servers/slapd/back-ldbm/ldbm_config.c               |   96 
 ldap/servers/slapd/back-ldbm/ldbm_config.h               |    6 
 ldap/servers/slapd/back-ldbm/ldbm_delete.c               |    9 
 ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c             |   39 
 ldap/servers/slapd/back-ldbm/ldbm_modify.c               |   67 
 ldap/servers/slapd/back-ldbm/ldbm_modrdn.c               |    2 
 ldap/servers/slapd/back-ldbm/ldbm_search.c               |    6 
 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h           |    6 
 ldap/servers/slapd/back-ldbm/upgrade.c                   |   13 
 ldap/servers/slapd/backend.c                             |   27 
 ldap/servers/slapd/charray.c                             |    9 
 ldap/servers/slapd/connection.c                          |  752 +++--
 ldap/servers/slapd/conntable.c                           |   42 
 ldap/servers/slapd/control.c                             |   38 
 ldap/servers/slapd/daemon.c                              |   95 
 ldap/servers/slapd/dn.c                                  |   98 
 ldap/servers/slapd/dynalib.c                             |   47 
 ldap/servers/slapd/entry.c                               |  496 ++-
 ldap/servers/slapd/entrywsi.c                            |  584 ++--
 ldap/servers/slapd/fe.h                                  |    5 
 ldap/servers/slapd/fedse.c                               |   58 
 ldap/servers/slapd/globals.c                             |    7 
 ldap/servers/slapd/ldaputil.c                            |  415 +-
 ldap/servers/slapd/libglobs.c                            |  179 +
 ldap/servers/slapd/libslapd.def                          |    5 
 ldap/servers/slapd/main.c                                |    6 
 ldap/servers/slapd/mapping_tree.c                        |   96 
 ldap/servers/slapd/modify.c                              |   91 
 ldap/servers/slapd/mozldap.h                             |   45 
 ldap/servers/slapd/ntperfdll/nsldapctr.cpp               |   32 
 ldap/servers/slapd/ntperfdll/nsldapctrdef.h              |    2 
 ldap/servers/slapd/ntperfdll/nsldapctrs.h                |   10 
 ldap/servers/slapd/operation.c                           |  140 
 ldap/servers/slapd/pblock.c                              |   32 
 ldap/servers/slapd/plugin.c                              |   20 
 ldap/servers/slapd/plugin_acl.c                          |    2 
 ldap/servers/slapd/proto-slap.h                          |   31 
 ldap/servers/slapd/psearch.c                             |   26 
 ldap/servers/slapd/pw.c                                  |   62 
 ldap/servers/slapd/result.c                              |  613 +++-
 ldap/servers/slapd/sasl_io.c                             |  221 +
 ldap/servers/slapd/schema.c                              | 2108 +++++++++++----
 ldap/servers/slapd/slap.h                                |   75 
 ldap/servers/slapd/slapi-plugin.h                        |  257 +
 ldap/servers/slapd/slapi-private.h                       |   18 
 ldap/servers/slapd/snmp_collator.c                       |    6 
 ldap/servers/slapd/task.c                                |    2 
 ldap/servers/slapd/tools/ldclt/ldclt.c                   |   14 
 ldap/servers/slapd/util.c                                |   55 
 ldap/servers/slapd/valueset.c                            |  137 
 ldap/servers/slapd/vattr.c                               |   30 
 ldap/servers/snmp/ldap-agent.c                           |   12 
 ldap/servers/snmp/ldap-agent.h                           |    5 
 ldap/servers/snmp/main.c                                 |   22 
 ldap/servers/snmp/ntagt/nsldapagt_nt.c                   |    2 
 ldap/servers/snmp/ntagt/nsldapagt_nt.h                   |    2 
 ldap/servers/snmp/redhat-directory.mib                   |   41 
 lib/libaccess/oneeval.cpp                                |  249 -
 man/man1/logconv.pl.1                                    |   10 
 rpm.mk                                                   |   51 
 rpm/389-ds-base-devel.README                             |    4 
 rpm/389-ds-base-git.sh                                   |   16 
 rpm/389-ds-base.spec.in                                  | 1583 +++++++++++
 rpm/rpmverrel.sh                                         |   15 
 155 files changed, 15939 insertions(+), 4452 deletions(-)

New commits:
commit 465e8d75c944d4373f82b91a3f1ebbcd435cd76d
Author: Timo Aaltonen <tjaalton at ubuntu.com>
Date:   Sat Oct 19 12:06:03 2013 +0300

    bump the release

diff --git a/debian/changelog b/debian/changelog
index 78e24e4..4c54bcd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-389-ds-base (1.3.1.9-1) UNRELEASED; urgency=low
+389-ds-base (1.3.2.2-1) UNRELEASED; urgency=low
 
   * New upstream release. (Closes: #718325)
   * Drop the cve fix, upstream.

commit 3ceef4b0c12db97e6d3b579c78bbb96162bd810a
Author: Noriko Hosoi <nhosoi at redhat.com>
Date:   Fri Oct 11 11:41:30 2013 -0700

    bump version to 1.3.2.2
    
    Note: 1.3.2.1 is skipped due to the repo conflict.

diff --git a/VERSION.sh b/VERSION.sh
index ddd2225..fc71481 100644
--- a/VERSION.sh
+++ b/VERSION.sh
@@ -10,7 +10,7 @@ vendor="389 Project"
 # PACKAGE_VERSION is constructed from these
 VERSION_MAJOR=1
 VERSION_MINOR=3
-VERSION_MAINT=2.0
+VERSION_MAINT=2.2
 # if this is a PRERELEASE, set VERSION_PREREL
 # otherwise, comment it out
 # be sure to include the dot prefix in the prerel

commit 2dd2489c7ab23b11327a36aa250cacd4897a7efa
Author: Mark Reynolds <mreynolds at redhat.com>
Date:   Mon Oct 7 09:57:47 2013 -0400

    Ticket 47517 - memory leak in range searches and other various leaks
    
    Bug Description:  Range searches leak memory
    
    Fix Description:  Free the db key, if the key changed between calls to c_get.
    
                      Also fixed a leak when doing a delete operation(retrieving the
                      parent id), and fixed a leak in replication incremental protocol
                      when getting the hostname control.
    
    https://fedorahosted.org/389/ticket/47517
    
    Reviewed by:  nhosoi & richm(Thanks!)
    (cherry picked from commit b737882146e709aa75771168ffd9db63af23e005)

diff --git a/ldap/servers/slapd/back-ldbm/idl_new.c b/ldap/servers/slapd/back-ldbm/idl_new.c
index 50ad5cb..f0410f9 100644
--- a/ldap/servers/slapd/back-ldbm/idl_new.c
+++ b/ldap/servers/slapd/back-ldbm/idl_new.c
@@ -576,6 +576,11 @@ idl_new_range_fetch(
         }
 #endif
         ret = cursor->c_get(cursor, &cur_key, &data, DB_NEXT_DUP|DB_MULTIPLE);
+        if (saved_key != cur_key.data) {
+            /* key was allocated in c_get */
+            slapi_ch_free(&saved_key);
+            saved_key = cur_key.data;
+        }
         if (ret) {
             if (upperkey && upperkey->data && DBT_EQ(&cur_key, upperkey)) {
                 /* this is the last key */
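Review bot: The five-line saved_key hand-over is now pasted after each c_get in idl_new_range_fetch (this hunk, the two hunks that follow at -583 and -633, and the copy that already existed after the DB_NEXT_NODUP call), so the ownership rule lives in four places. A small static helper or macro taking `&saved_key` and `&cur_key` would keep them in step. The rule itself deserves a comment where saved_key is declared, for example `/* saved_key owns the buffer behind cur_key.data; free it only through saved_key */`. That matters because a direct free of cur_key elsewhere in the loop, like the DBT_FREE_PAYLOAD(cur_key) removed in the last hunk, would presumably leave saved_key pointing at released memory. The declaration of saved_key and the end of the function are outside these hunks.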
@@ -583,6 +588,11 @@ idl_new_range_fetch(
             }
             /* First set the cursor (DB_NEXT_NODUP does not take DB_MULTIPLE) */
             ret = cursor->c_get(cursor, &cur_key, &data, DB_NEXT_NODUP);
+            if (saved_key != cur_key.data) {
+                /* key was allocated in c_get */
+                slapi_ch_free(&saved_key);
+                saved_key = cur_key.data;
+            }
             if (ret) {
                 break;
             }
@@ -633,13 +643,17 @@ idl_new_range_fetch(
             }
         }
         ret = cursor->c_get(cursor,&cur_key,&data,DB_NEXT_DUP);
+        if (saved_key != cur_key.data) {
+            /* key was allocated in c_get */
+            slapi_ch_free(&saved_key);
+            saved_key = cur_key.data;
+        }
         count++;
         if (ret) {
             if (upperkey && upperkey->data && DBT_EQ(&cur_key, upperkey)) {
                 /* this is the last key */
                 break;
             }
-            DBT_FREE_PAYLOAD(cur_key);
             ret = cursor->c_get(cursor, &cur_key, &data, DB_NEXT_NODUP);
             if (saved_key != cur_key.data) {
                 /* key was allocated in c_get */
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index c141800..7189d9f 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -1407,8 +1407,6 @@ index_range_read_ext(
                         type, prefix, *err );
                 }
             } else if (DBTcmp (&upperkey, &cur_key, ai->ai_key_cmp_fn) > 0) {
-                tmpbuf = slapi_ch_realloc (tmpbuf, cur_key.dsize);
-                memcpy (tmpbuf, cur_key.dptr, cur_key.dsize);
                 DBT_FREE_PAYLOAD(upperkey);
                 upperkey.dptr = NULL; /* x >= a :no need to check upper bound */
                 upperkey.dsize = 0;
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_delete.c b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
index a447435..42e26de 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_delete.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_delete.c
@@ -457,6 +457,7 @@ ldbm_back_delete( Slapi_PBlock *pb )
 					 * and numsubordinate count could get confused.
 					 */
 					ID pid = (ID)strtol(pid_str, (char **)NULL, 10);
+					slapi_ch_free_string(&pid_str);
 					parent = id2entry(be, pid ,NULL, &retval);
 					if (parent && cache_lock_entry(&inst->inst_cache, parent)) {
 						/* Failed to obtain parent entry's entry lock */
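Review bot: pid_str is released right after `strtol(pid_str, (char **)NULL, 10)`, and that conversion has no end-pointer or range check, so an empty or non-numeric parent id string silently becomes ID 0 and the text that could have been logged is already gone. Validating before the free would keep id2entry from running on a bogus id: `char *end; errno = 0; long v = strtol(pid_str, &end, 10);` followed by `if (end == pid_str || *end != '\0' || errno == ERANGE) { /* log pid_str and fail */ }`. How pid_str is obtained and which error path fits here is outside the hunk, so the failure handling is left open.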
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index f911767..ed3491e 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -1099,6 +1099,7 @@ slapi_ldap_bind(
 	        if (ptr) {
 	            copy = slapi_ch_strdup(myhostname);
 	            *(copy + (ptr - myhostname)) = '\0';
+	            slapi_ch_free_string(&myhostname);
 	            myhostname = copy;
 	        }
 	    }
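Review bot: After `myhostname = copy;` both names refer to the same allocation, and the second hunk (-1122) now frees it through `slapi_ch_free_string(&myhostname)`, which leaves `copy` holding the stale address. If anything after the `done:` label, or a later edit, still frees or reads `copy`, that is a double free or use-after-free. Adding `copy = NULL;` right after `myhostname = copy;`, or declaring `copy` inside this `if (ptr)` block, removes the alias. slapi_ldap_bind starts and ends outside both hunks, so whether `copy` is touched again cannot be confirmed from here.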
@@ -1122,7 +1123,7 @@ slapi_ldap_bind(
 			    myerrno ? myerrno : gaierr,
 			    myerrno ? slapd_system_strerror(myerrno) : gai_strerror(gaierr),
 			    myhostname ? myhostname : "unknown host");
-	    slapi_ch_free_string(&copy);
+	    slapi_ch_free_string(&myhostname);
 	    goto done;
 	}
 

commit 181fde98aee96868189bc5557c5f33fefa026952
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Oct 8 13:59:59 2013 -0600

    ticket #47550 wip
    (cherry picked from commit 82377636267787be5182457d619d5a0b662d2658)

diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 8b423ca..e7d7507 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -1911,7 +1911,7 @@ sub parseLineNormal
 		elsif (m/- U1/){ $hashes->{rsrc}->{"U1"}++; }
 		else { $hashes->{rsrc}->{"other"}++; }
 	}
-	if ($usage =~ /g/ || $usage =~ /c/ || $usage =~ /i/ || $verb eq "yes"){
+	if ($usage =~ /g/ || $usage =~ /c/ || $usage =~ /i/ || $usage =~ /f/ || $verb eq "yes"){
 		$exc = "no";
 		if ($_ =~ /connection from *([0-9A-fa-f\.\:]+)/i ) {
 			for (my $xxx = 0; $xxx < $#excludeIP; $xxx++){
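Review bot: With `-f` now entering this branch, the failed-login statistics depend on the exclude loop on the last line, and `$xxx < $#excludeIP` stops one short because `$#excludeIP` is the last index, not the element count. If the loop body (outside this hunk) compares each entry with the client address, the last excluded IP is never matched and a single-entry exclude list is ignored; `for (my $xxx = 0; $xxx <= $#excludeIP; $xxx++){` would cover it. The four separate `$usage` matches could also be written as `$usage =~ /[gcif]/`.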

commit 86000e43d69267d0b6b8110dcdba43352868c173
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Thu Oct 10 15:55:29 2013 -0600

    Ticket #47550 logconv: failed logins: Use of uninitialized value in numeric comparison at logconv.pl line 949
    
    https://fedorahosted.org/389/ticket/47550
    Reviewed by: nhosoi (Thanks!)
    Branch: 389-ds-base-1.3.2
    Fix Description: Copy/paste error.  Changed badPassword to badPasswordIp.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
    (cherry picked from commit 322fd7996aa810db1b51882d8d1103e11a36cc62)

diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 7381a66..8b423ca 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -946,7 +946,7 @@ if ($verb eq "yes" || $usage =~ /f/ ){
 			}
 			print "\nFrom the IP address(s) :\n\n";
 			$bpCount = 0;
-			foreach my $ip (sort {$badPassword{$b} <=> $badPassword{$a} } keys %badPasswordIp){
+			foreach my $ip (sort {$badPasswordIp{$b} <=> $badPasswordIp{$a} } keys %badPasswordIp){
 				if ($bpCount > $sizeCount){ last;}
 				$bpCount++;
 				printf "%-4s        %-16s\n", $badPasswordIp{$ip}, $ip;

commit 0bd980dcc8068c5922ad7ec750622685ed612e48
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Oct 10 16:50:51 2013 -0700

    Ticket 47513 - tmpfiles.d references /var/lock when they should reference /run/lock
    
    The previous patch was using numeric comparison instead of string
    comparison to check if localrundir was empty.  This was causing our
    tmpfiles.d configuration to use the settings from the inf file,
    which evaluates to /var/run when using --with-fhs.
    
    This patch uses a proper string comparison which results in using
    /run in the tmpfiles.d config as desired.
    (cherry picked from commit 0394b2bb9cae3016eeb975ed194e8c7258ed868b)

diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in
index fd1941b..58408c1 100644
--- a/ldap/admin/src/scripts/DSCreate.pm.in
+++ b/ldap/admin/src/scripts/DSCreate.pm.in
@@ -1104,7 +1104,7 @@ sub updateTmpfilesDotD {
         # d    /var/run/user 0755 root root 10d
         # we don't use age
         my $localrundir = set_localrundir("@localrundir@", $inf->{General}->{prefix});
-        if( $localrundir != "" && -d "$localrundir"){
+        if( $localrundir ne "" && -d "$localrundir"){
             $rundir = "$localrundir/@PACKAGE_NAME@";
             $lockdir = "$localrundir/lock/@PACKAGE_NAME@/slapd-$inf->{slapd}->{ServerIdentifier}";
             $parentdir = "$localrundir/lock/@PACKAGE_NAME@";

commit 67f7fa94289db2211e5f864180bca74462ff0b0c
Author: Rich Megginson <rmeggins at redhat.com>
Date:   Tue Oct 8 11:04:31 2013 -0600

    Ticket #47551 logconv: -V does not produce unindexed search report
    
    https://fedorahosted.org/389/ticket/47551
    Reviewed by: mreynolds (Thanks!)
    Branch: 389-ds-base-1.3.2
    Fix Description: Execute the $usage /u/ code also when verb == yes.
    Platforms tested: RHEL6 x86_64
    Flag Day: no
    Doc impact: no
    (cherry-picked from commit 87ad36b865f85297feb40c4b61db82101b9a9447)
    cherry pick was not clean - had to fix

diff --git a/ldap/admin/src/logconv.pl b/ldap/admin/src/logconv.pl
index 275ce34..7381a66 100755
--- a/ldap/admin/src/logconv.pl
+++ b/ldap/admin/src/logconv.pl
@@ -674,10 +674,10 @@ if ($verb eq "yes" || $usage =~ /u/ || $usage =~ /U/){
 		my $unindexedIp;
 		my %uniqFilt = (); # hash of unique filters
 		while (my ($srcnt_conn_op, $count) = each %{$notesa_conn_op}) {
-			my ($srvRstCnt, $conn, $op) = split(",", $srcnt_conn_op);
-			$unindexedIp = getIPfromConn($conn, $srvRstCnt);
-			if ($usage =~ /u/) {
-				print "\n  Unindexed Search #".$notesCount."\n";
+			if ($verb eq "yes" || $usage =~ /u/) {
+				my ($srvRstCnt, $conn, $op) = split(",", $srcnt_conn_op);
+				my $unindexedIp = getIPfromConn($conn, $srvRstCnt);
+				print "\n  Unindexed Search #".$notesCount." (notes=A)\n";
 				print "  -  Date/Time:             $time_conn_op->{$srcnt_conn_op}\n";
 				print "  -  Connection Number:     $conn\n";
 				print "  -  Operation Number:      $op\n";
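Review bot: In the notes=A loop the new line `my $unindexedIp = getIPfromConn($conn, $srvRstCnt);` declares a second variable that shadows the `my $unindexedIp;` declared before the loop, while the matching notes=U hunk (-722) assigns the outer one without `my`. Any use of `$unindexedIp`, `$conn` or `$op` after the closing brace of this `if` would now see undef or fail under strict; the rest of the loop body is outside the hunk, so that is unconfirmed. Dropping the `my` here, `$unindexedIp = getIPfromConn($conn, $srvRstCnt);`, keeps the two blocks identical.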
@@ -692,7 +692,7 @@ if ($verb eq "yes" || $usage =~ /u/ || $usage =~ /U/){
 				}
 			}
 			if (exists($filter_conn_op->{$srcnt_conn_op}) && defined($filter_conn_op->{$srcnt_conn_op})) {
-				if ($usage =~ /u/) {
+				if ($verb eq "yes" || $usage =~ /u/) {
 					print "  -  Search Filter:         $filter_conn_op->{$srcnt_conn_op}\n";
 				}
 				$uniqFilt{$filter_conn_op->{$srcnt_conn_op}}++;
@@ -722,10 +722,10 @@ if ($verb eq "yes" || $usage =~ /u/ || $usage =~ /U/){
 		my $unindexedIp;
 		my %uniqFilt = (); # hash of unique filters
 		while (my ($srcnt_conn_op, $count) = each %{$notesu_conn_op}) {
-			my ($srvRstCnt, $conn, $op) = split(",", $srcnt_conn_op);
-			$unindexedIp = getIPfromConn($conn, $srvRstCnt);
-			if ($usage =~ /u/) {
-				print "\n  Unindexed Component #".$notesCount."\n";
+			if ($verb eq "yes" || $usage =~ /u/) {
+				my ($srvRstCnt, $conn, $op) = split(",", $srcnt_conn_op);
+				$unindexedIp = getIPfromConn($conn, $srvRstCnt);
+				print "\n  Unindexed Component #".$notesCount." (notes=U)\n";
 				print "  -  Date/Time:             $time_conn_op->{$srcnt_conn_op}\n";
 				print "  -  Connection Number:     $conn\n";
 				print "  -  Operation Number:      $op\n";
@@ -740,7 +740,7 @@ if ($verb eq "yes" || $usage =~ /u/ || $usage =~ /U/){
 				}
 			}
 			if (exists($filter_conn_op->{$srcnt_conn_op}) && defined($filter_conn_op->{$srcnt_conn_op})) {
-				if ($usage =~ /u/) {
+				if ($verb eq "yes" || $usage =~ /u/) {
 					print "  -  Search Filter:         $filter_conn_op->{$srcnt_conn_op}\n";
 				}
 				$uniqFilt{$filter_conn_op->{$srcnt_conn_op}}++;

commit 6473608d1c6da400d10c3090d8cb075cca2a4dcc
Author: Thierry bordaz (tbordaz) <tbordaz at redhat.com>
Date:   Wed Sep 18 15:25:41 2013 +0200

    Ticket 47490 - Schema replication between DS versions may overwrite newer base schema
    
    Bug Description:
    	At the beginning of a replication session, the supplier checks if the schema (that the supplier owns) needs to be pushed
    	to the consumer. This is based on the comparison of a CSN (nsSchemaCSN).
    	The problem is that the CSN specifies which is the most recent update but does not guarantee that the most recent
    	update is a superset of a previous update.
    	In an upgrade scenario a consumer schema can be overwritten by a supplier schema although the consumer schema is a superset
    	of the supplier schema
    
    Fix Description:
    	The fix contains two parts:
    		- one to prevent a supplier to push its schema if it is not a superset of the consumer one
    		- one to prevent a consumer to accept a schema push, if the supplier schema is not a superset of its schema
    	To determine that a schema is a superset of an other, this fix only deals objectclasses.
    	For all objectclasses (of the consumer schema), it checks that
    		- all required attributes are also required in the supplier objectclasses
    		- all allowed  attributes are also allowed  in the supplier objectclasses
    
    https://fedorahosted.org/389/ticket/47490
    
    Reviewed by: Rich Megginson (thanks Rich !)
    
    Platforms tested: unit tests, acceptance mmr, new TC in tet accept/mmr
    
    Flag Day: no
    
    Doc impact: possibly for troubleshooting guide, in case of warning messages

diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
index 668abda..4bd14a8 100644
--- a/ldap/servers/plugins/replication/repl5_connection.c
+++ b/ldap/servers/plugins/replication/repl5_connection.c
@@ -52,6 +52,7 @@ replica locked. Seems like right thing to do.
 */
 
 #include "repl5.h"
+#include "slapi-private.h"
 #if defined(USE_OPENLDAP)
 #include "ldap.h"
 #else
@@ -95,6 +96,9 @@ typedef struct repl_connection
 /* #define DEFAULT_LINGER_TIME (5 * 60) */ /* 5 minutes */
 #define DEFAULT_LINGER_TIME (60) 
 
+/*** from proto-slap.h ***/
+int schema_objectclasses_superset_check(struct berval **remote_schema, char *type);
+
 /* Controls we add on every outbound operation */
 
 static LDAPControl manageDSAITControl = {LDAP_CONTROL_MANAGEDSAIT, {0, ""}, '\0'};
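Review bot: The hand-copied prototype under `/*** from proto-slap.h ***/` duplicates the declaration this same commit adds to proto-slap.h, so a later signature change there will not be diagnosed in this translation unit and the call would be made with mismatched arguments. Since the commit already adds `#include "slapi-private.h"` to this file, declaring schema_objectclasses_superset_check in that header (or another one both sides include) would give a single source of truth. Whether plugins are allowed to include proto-slap.h directly is not visible here.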
@@ -1575,6 +1579,33 @@ conn_push_schema(Repl_Connection *conn, CSN **remotecsn)
 					/* Need to free the remote_schema_csn_bervals */
 					ber_bvecfree(remote_schema_csn_bervals);
 				}
+                                if (return_value != CONN_SCHEMA_NO_UPDATE_NEEDED) {
+                                        struct berval **remote_schema_objectclasses_bervals;
+                                        /* before pushing the schema do some checking */
+
+                                        /* First objectclasses */
+                                        return_value = conn_read_entry_attribute(conn, "cn=schema", "objectclasses", &remote_schema_objectclasses_bervals);
+                                        if (return_value == CONN_OPERATION_SUCCESS) {
+                                                /* Check if the consumer objectclasses are a superset of the local supplier schema */
+                                                if (schema_objectclasses_superset_check(remote_schema_objectclasses_bervals, OC_SUPPLIER)) {
+                                                        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+                                                                "Schema %s must not be overwritten (set replication log for additional info)\n",
+                                                                agmt_get_long_name(conn->agmt));
+                                                        return_value = CONN_OPERATION_FAILED;
+                                                }
+                                        } else {
+                                                slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+                                                        "%s: Fail to retrieve the remote schema objectclasses\n",
+                                                        agmt_get_long_name(conn->agmt));
+                                        }
+                                        
+                                        /* In case of success, possibly log a message */
+                                        if (return_value == CONN_OPERATION_SUCCESS) {
+                                                slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, 
+                                                        "Schema checking successful: ok to push the schema (%s)\n", agmt_get_long_name(conn->agmt));
+                                        }
+                                }
+
 			}
 		}
 	}
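Review bot: `remote_schema_objectclasses_bervals` is filled by conn_read_entry_attribute but never released, while the CSN bervals a few lines above get `ber_bvecfree(remote_schema_csn_bervals);`, so each schema check presumably leaks the consumer's whole objectclasses list. Declaring it as `struct berval **remote_schema_objectclasses_bervals = NULL;` and calling `ber_bvecfree(remote_schema_objectclasses_bervals);` after the superset check would close that. The block also overwrites `return_value` with the read result, so on success the status becomes CONN_OPERATION_SUCCESS rather than whatever update-needed value was there before, and on a failed read the error is logged but the read's status is carried forward; both are worth confirming against the code after this hunk, which is not shown. conn_push_schema starts and ends outside the hunk.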
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index e256728..6539f95 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -1001,6 +1001,8 @@ int slapi_validate_schema_files(char *schemadir);
 int slapi_reload_schema_files(char *schemadir);
 void schema_free_extensions(schemaext *extensions);
 schemaext *schema_copy_extensions(schemaext *extensions);
+int schema_objectclasses_superset_check(struct berval **remote_schema, char *type);
+
 /*
  * schemaparse.c
  */
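Review bot: The new declaration carries no comment on what a non-zero return means, and the visible callers treat non-zero as "refuse the schema", which is easy to read the wrong way round for a function named `..._check`. A one-line comment above it would pin the convention down, for example `/* returns non-zero when the schema must not be overwritten; type is OC_SUPPLIER or OC_CONSUMER */`, with the wording confirmed against the definition in schema.c. If OC_SUPPLIER and OC_CONSUMER are string constants, `const char *type` would also fit better than `char *type`.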
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 290e754..6fdb99f 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -128,7 +128,7 @@ static int strcpy_count( char *dst, const char *src );
 static int refresh_user_defined_schema(Slapi_PBlock *pb, Slapi_Entry* entryBefore, Slapi_Entry* e, int *returncode, char *returntext, void *arg);
 static int schema_check_oc_attrs ( struct objclass *poc, char *errorbuf,
 		size_t errorbufsize, int stripOptions );
-static struct objclass *oc_find_nolock( const char *ocname_or_oid );
+static struct objclass *oc_find_nolock( const char *ocname_or_oid, struct objclass *oc_private, PRBool use_private );
 static struct objclass *oc_find_oid_nolock( const char *ocoid );
 static void oc_free( struct objclass **ocp );
 static PRBool oc_equal( struct objclass *oc1, struct objclass *oc2 );
@@ -156,7 +156,7 @@ static size_t strcat_qdlist( char *buf, char *prefix, char **qdlist );
 static int parse_attr_str(const char *input, struct asyntaxinfo **asipp, char *errorbuf, size_t errorbufsize,
         PRUint32 schema_flags, int is_user_defined, int schema_ds4x_compat, int is_remote);
 static int parse_objclass_str(const char *input, struct objclass **oc, char *errorbuf, size_t errorbufsize,
-        PRUint32 schema_flags, int is_user_defined,	int schema_ds4x_compat );
+        PRUint32 schema_flags, int is_user_defined,	int schema_ds4x_compat, struct objclass* private_schema );
 
 #else
 /*
@@ -228,10 +228,10 @@ static int parse_at_str(const char *input, struct asyntaxinfo **asipp, char *err
 
 static int parse_oc_str(const char *input, struct objclass **oc, char *errorbuf,
 		size_t errorbufsize, PRUint32 schema_flags, int is_user_defined,
-		int schema_ds4x_compat )
+		int schema_ds4x_compat, struct objclass* private_schema )
 {
 #ifdef USE_OPENLDAP
-    return parse_objclass_str (input, oc, errorbuf, errorbufsize, schema_flags, is_user_defined, schema_ds4x_compat );
+    return parse_objclass_str (input, oc, errorbuf, errorbufsize, schema_flags, is_user_defined, schema_ds4x_compat, private_schema );
 #else
     return read_oc_ldif (input, oc, errorbuf, errorbufsize, schema_flags, is_user_defined, schema_ds4x_compat );
 #endif
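Review bot: `private_schema` is forwarded only in the USE_OPENLDAP branch; the `read_oc_ldif` call in the `#else` branch drops it, so on a build without USE_OPENLDAP the caller's private objectclass list is presumably ignored and the superset check would resolve names against the global list instead. If read_oc_ldif cannot take the list, that branch should say so, e.g. `/* NOTE: read_oc_ldif does not take private_schema */`, or the parameter should be threaded through there as well. read_oc_ldif itself is not shown on this page.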
@@ -560,7 +560,7 @@ slapi_entry_schema_check_ext( Slapi_PBlock *pb, Slapi_Entry *e, int repl_check )
       continue;
     }
 
-    if ((oc = oc_find_nolock( ocname )) != NULL ) {
+    if ((oc = oc_find_nolock( ocname, NULL, PR_FALSE )) != NULL ) {
       oclist[oc_count++] = oc;
     } else {
       /* we don't know about the oc; return an appropriate error message */
@@ -795,7 +795,7 @@ oc_find_name( const char *name_or_oid )
 	char			*ocname = NULL;
 
 	oc_lock_read();
-	if ( NULL != ( oc = oc_find_nolock( name_or_oid ))) {
+	if ( NULL != ( oc = oc_find_nolock( name_or_oid, NULL, PR_FALSE ))) {
 		ocname = slapi_ch_strdup( oc->oc_name );
 	}
 	oc_unlock();
@@ -810,13 +810,18 @@ oc_find_name( const char *name_or_oid )
  * NULL is returned if no match is found or `name_or_oid' is NULL.
  */
 static struct objclass *
-oc_find_nolock( const char *ocname_or_oid )
+oc_find_nolock( const char *ocname_or_oid, struct objclass *oc_private, PRBool use_private)
 {
 	struct objclass	*oc;
 
 	if ( NULL != ocname_or_oid ) {
 		if ( !schema_ignore_trailing_spaces ) {
-            for ( oc = g_get_global_oc_nolock(); oc != NULL; oc = oc->oc_next ) {
+                        if (use_private) {
+                                oc = oc_private;
+                        } else {
+                                oc = g_get_global_oc_nolock(); 
+                        }
+            for ( ; oc != NULL; oc = oc->oc_next ) {
                 if ( ( strcasecmp( oc->oc_name, ocname_or_oid ) == 0 )
 						|| ( oc->oc_oid &&
 						strcasecmp( oc->oc_oid, ocname_or_oid ) == 0 )) {
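Review bot: The header comment above oc_find_nolock, whose last line opens this hunk, is not updated for the two new parameters and still refers to `name_or_oid` although the parameter is `ocname_or_oid`. It should state that when `use_private` is set the search walks the `oc_private` list instead of the global one. The list-head selection is also repeated in the next hunk (-834); computing it once inside the NULL check, `struct objclass *head = use_private ? oc_private : g_get_global_oc_nolock();`, would leave both loops as `for ( oc = head; oc != NULL; oc = oc->oc_next )`. The added lines are indented with spaces while the surrounding code uses tabs, and the function body continues past the end of this hunk.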
@@ -834,8 +839,13 @@ oc_find_nolock( const char *ocname_or_oid )
 						p++, len++ ) {
 				;	/* NULL */
             }
-
-            for ( oc = g_get_global_oc_nolock(); oc != NULL; oc = oc->oc_next ) {
+            
+            if (use_private) {
+                    oc = oc_private;
+            } else {
+                    oc = g_get_global_oc_nolock();
+            }
+            for ( ; oc != NULL; oc = oc->oc_next ) {
                 if ( ( (strncasecmp( oc->oc_name, ocname_or_oid, len ) == 0) 
                        && (len == strlen(oc->oc_name)) )
                      || 
@@ -1885,11 +1895,34 @@ modify_schema_dse (Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry *entr
 			*returncode = schema_replace_attributes( pb, mods[i], returntext,
 					SLAPI_DSE_RETURNTEXT_SIZE );
 		  } else if (strcasecmp (mods[i]->mod_type, "objectclasses") == 0) {
-			/*
-			 * Replace all objectclasses
-			 */
-			*returncode = schema_replace_objectclasses( pb, mods[i],
-					returntext, SLAPI_DSE_RETURNTEXT_SIZE );
+                          
+                          if (is_replicated_operation) {
+                                  /* before accepting the schema checks if the local consumer schema is not
+                                   * a superset of the supplier schema
+                                   */
+                                  if (schema_objectclasses_superset_check(mods[i]->mod_bvalues, OC_CONSUMER)) {
+                                          
+                                          schema_create_errormsg( returntext, SLAPI_DSE_RETURNTEXT_SIZE,
+                                                  schema_errprefix_generic, mods[i]->mod_type,
+                                                  "Replace is not possible, local consumer schema is a superset of the supplier" );
+                                          slapi_log_error(SLAPI_LOG_FATAL, "schema",
+                                                  "Local %s must not be overwritten (set replication log for additional info)\n",
+                                                  mods[i]->mod_type);
+                                          *returncode = LDAP_UNWILLING_TO_PERFORM;
+                                  } else {
+                                          /*
+                                           * Replace all objectclasses
+                                           */
+                                          *returncode = schema_replace_objectclasses(pb, mods[i],
+                                                  returntext, SLAPI_DSE_RETURNTEXT_SIZE);
+                                  }                                
+                         } else {
+                                  /*
+                                   * Replace all objectclasses
+                                   */
+                                  *returncode = schema_replace_objectclasses(pb, mods[i],
+                                                  returntext, SLAPI_DSE_RETURNTEXT_SIZE);                                 
+                         }
 		  } else if (strcasecmp (mods[i]->mod_type, "nsschemacsn") == 0) {
 			if (is_replicated_operation) {
 				/* Update the schema CSN */
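Review bot: The superset guard covers only the `objectclasses` replace; the branch just above still calls `schema_replace_attributes` unconditionally, so a replicated schema push from a supplier with a narrower schema can presumably still overwrite local attribute definitions. If that is intended for now, a comment saying so would help; otherwise the equivalent check is needed there. The two identical `schema_replace_objectclasses` calls can be merged by testing `if (is_replicated_operation && schema_objectclasses_superset_check(mods[i]->mod_bvalues, OC_CONSUMER)) { … } else { … }`. The refusal is logged at `SLAPI_LOG_FATAL` every time, and a misconfigured supplier can trigger it repeatedly, so consider the replication log level or rate limiting for that message. modify_schema_dse's body continues outside the hunk.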
@@ -2155,13 +2188,13 @@ schema_delete_objectclasses( Slapi_Entry *entryBefore, LDAPMod *mod,
   for (i = 0; mod->mod_bvalues[i]; i++) {
 	if ( LDAP_SUCCESS != ( rc = parse_oc_str (
 				(const char *)mod->mod_bvalues[i]->bv_val, &delete_oc,
-				errorbuf, errorbufsize, 0, 0, schema_ds4x_compat))) {
+				errorbuf, errorbufsize, 0, 0, schema_ds4x_compat, NULL))) {
 	  return rc;
 	}
 
 	oc_lock_write();
 
-	if ((poc = oc_find_nolock(delete_oc->oc_name)) != NULL) {
+	if ((poc = oc_find_nolock(delete_oc->oc_name, NULL, PR_FALSE)) != NULL) {
 
 	  /* check to see if any objectclasses inherit from this oc */
 	  for (poc2 = g_get_global_oc_nolock(); poc2 != NULL; poc2 = poc2->oc_next) {
@@ -2382,8 +2415,8 @@ add_oc_internal(struct objclass *pnew_oc, char *errorbuf, size_t errorbufsize,
 	if (!(flags & DSE_SCHEMA_LOCKED))
 		oc_lock_write();
 
-	oldoc_by_name = oc_find_nolock (pnew_oc->oc_name);
-	oldoc_by_oid = oc_find_nolock (pnew_oc->oc_oid);
+	oldoc_by_name = oc_find_nolock (pnew_oc->oc_name, NULL, PR_FALSE);
+	oldoc_by_oid = oc_find_nolock (pnew_oc->oc_oid, NULL, PR_FALSE);
 
 	/* Check to see if the objectclass name and the objectclass oid are already
 	 * in use by an existing objectclass. If an existing objectclass is already 
@@ -2421,7 +2454,7 @@ add_oc_internal(struct objclass *pnew_oc, char *errorbuf, size_t errorbufsize,
 
 	/* check to see if the superior oc exists */
 	if (!rc && pnew_oc->oc_superior &&
-				((psup_oc = oc_find_nolock (pnew_oc->oc_superior)) == NULL)) {
+				((psup_oc = oc_find_nolock (pnew_oc->oc_superior, NULL, PR_FALSE)) == NULL)) {
 		schema_create_errormsg( errorbuf, errorbufsize, schema_errprefix_oc,
 				pnew_oc->oc_name, "Superior object class \"%s\" does not exist",
 				pnew_oc->oc_superior);
@@ -2628,7 +2661,7 @@ schema_add_objectclass ( Slapi_PBlock *pb, LDAPMod *mod, char *errorbuf,
 		newoc_ldif  = (char *) mod->mod_bvalues[j]->bv_val;
 		if ( LDAP_SUCCESS != (rc = parse_oc_str ( newoc_ldif, &pnew_oc,
 					errorbuf, errorbufsize, 0, 1 /* user defined */,
-					schema_ds4x_compat))) {
+					schema_ds4x_compat, NULL))) {
 			oc_free( &pnew_oc );
 			return rc;
 		}
@@ -2706,7 +2739,7 @@ schema_replace_objectclasses ( Slapi_PBlock *pb, LDAPMod *mod, char *errorbuf,
 
 		if ( LDAP_SUCCESS != ( rc = parse_oc_str( mod->mod_bvalues[i]->bv_val,
 					&newocp, errorbuf, errorbufsize, DSE_SCHEMA_NO_GLOCK,
-					1 /* user defined */, 0 /* no DS 4.x compat issues */ ))) {
+					1 /* user defined */, 0 /* no DS 4.x compat issues */ , NULL))) {
 			rc = LDAP_INVALID_SYNTAX;
 			goto clean_up_and_return;
 		}
@@ -3090,7 +3123,7 @@ read_oc_ldif ( const char *input, struct objclass **oc, char *errorbuf,
 				keyword_strstr_fn ))) {
       pOcSup = get_tagged_oid( " SUP ", &nextinput, keyword_strstr_fn );
   }
-  psup_oc = oc_find_nolock ( pOcSup );
+  psup_oc = oc_find_nolock ( pOcSup, NULL, PR_FALSE);
 
   if ( schema_ds4x_compat ) nextinput = input;
 
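Review bot: `read_oc_ldif` still resolves the superior with `oc_find_nolock ( pOcSup, NULL, PR_FALSE)`, and the `#else` branch of parse_oc_str does not pass `private_schema` to it. On a build without USE_OPENLDAP the `DSE_SCHEMA_USE_PRIV_SCHEMA` flag is therefore silently ignored, and superiors of a remote schema's object classes are looked up in the local global list. Either extend read_oc_ldif to take the private list and call `oc_find_nolock(pOcSup, private_schema, (schema_flags & DSE_SCHEMA_USE_PRIV_SCHEMA) ? PR_TRUE : PR_FALSE)`, or add a comment at the `#else` stating that private schemas are not supported by that parser. read_oc_ldif's body starts and ends outside the hunk.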
@@ -4085,7 +4118,7 @@ parse_attr_str(const char *input, struct asyntaxinfo **asipp, char *errorbuf,
 static int
 parse_objclass_str ( const char *input, struct objclass **oc, char *errorbuf,
 		size_t errorbufsize, PRUint32 schema_flags, int is_user_defined,
-		int schema_ds4x_compat )
+		int schema_ds4x_compat, struct objclass *private_schema )
 {
     LDAPObjectClass *objClass;
     struct objclass *pnew_oc = NULL, *psup_oc = NULL;
@@ -4194,8 +4227,15 @@ parse_objclass_str ( const char *input, struct objclass **oc, char *errorbuf,
         /* needed because we access the superior oc */
         oc_lock_read();
     }
-    if(objClass->oc_sup_oids && objClass->oc_sup_oids[0]){
-        psup_oc = oc_find_nolock ( objClass->oc_sup_oids[0] );
+    if(objClass->oc_sup_oids && objClass->oc_sup_oids[0]) {
+                if (schema_flags & DSE_SCHEMA_USE_PRIV_SCHEMA) {
+                        /* We have built an objectclass list on a private variable
+                         * This is used to check the schema of a remote consumer
+                         */
+                        psup_oc = oc_find_nolock(objClass->oc_sup_oids[0], private_schema, PR_TRUE);
+                } else {
+                        psup_oc = oc_find_nolock(objClass->oc_sup_oids[0], NULL, PR_FALSE);
+                }   
     }
     /*
      *  Walk the "oc_extensions" and set the schema extensions
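Review bot: The private lookup makes the result depend on the order of the incoming values: schema_berval_to_oclist passes the list built so far as `private_schema`, so a superior that appears after its subclass is not found and `psup_oc` stays NULL. What the rest of parse_objclass_str does with a NULL superior when `DSE_SCHEMA_NO_CHECK` is set lies outside this hunk, so the effect on the superset comparison needs confirming. At minimum the comment should state the constraint, e.g. `/* private_schema holds only the classes parsed so far; a superior listed later is not found */`.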
@@ -4760,7 +4800,7 @@ load_schema_dse(Slapi_PBlock *pb, Slapi_Entry *e, Slapi_Entry *ignored,
             if ( LDAP_SUCCESS != (*returncode = parse_oc_str(s, &oc, returntext,
                         SLAPI_DSE_RETURNTEXT_SIZE, flags,
                         primary_file /* force user defined? */,
-                        schema_ds4x_compat)))
+                        schema_ds4x_compat, NULL)))
             {
             	oc_free( &oc );
                 break;
@@ -5584,7 +5624,7 @@ va_expand_one_oc( const char *dn, const Slapi_Attr *a, Slapi_ValueSet *vs, const
 	Slapi_Value **va = vs->va;
 
 
-	this_oc = oc_find_nolock( ocs );
+	this_oc = oc_find_nolock( ocs, NULL, PR_FALSE );
   
 	if ( this_oc == NULL ) {
 		return;			/* skip unknown object classes */
@@ -5594,7 +5634,7 @@ va_expand_one_oc( const char *dn, const Slapi_Attr *a, Slapi_ValueSet *vs, const
 		return;			/* no superior */
 	}
 
-	sup_oc = oc_find_nolock( this_oc->oc_superior );
+	sup_oc = oc_find_nolock( this_oc->oc_superior, NULL, PR_FALSE );
 	if ( sup_oc == NULL ) {
 		return;			/* superior is unknown -- ignore */
 	}
@@ -5770,7 +5810,7 @@ slapi_schema_list_objectclass_attributes(const char *ocname_or_oid,
 	}
 		
 	oc_lock_read();
-	oc = oc_find_nolock(ocname_or_oid);
+	oc = oc_find_nolock(ocname_or_oid, NULL, PR_FALSE);
 	if (oc) {
 		switch (flags & mask) {
 		case SLAPI_OC_FLAG_REQUIRED:
@@ -5806,7 +5846,7 @@ slapi_schema_get_superior_name(const char *ocname_or_oid)
 	char *superior = NULL;
 
 	oc_lock_read();
-	oc = oc_find_nolock(ocname_or_oid);
+	oc = oc_find_nolock(ocname_or_oid, NULL, PR_FALSE);
 	if (oc) {
 		superior = slapi_ch_strdup(oc->oc_superior);
 	}
@@ -5814,3 +5854,221 @@ slapi_schema_get_superior_name(const char *ocname_or_oid)
 	return superior;
 }
 
+
+
+/* Check if the oc_list1 is a superset of oc_list2.
+ * oc_list1 is a superset if it exists objectclass in oc_list1 that
+ * do not exist in oc_list2. Or if a OC in oc_list1 required more attributes
+ * that the OC in oc_list2. Or if a OC in oc_list1 allowed more attributes
+ * that the OC in oc_list2.
+ * 
+ * It returns 1 if oc_list1 is a superset of oc_list2, else it returns 0
+ * 
+ * If oc_list1 or oc_list2 is global_oc, the caller must hold the oc_lock 
+ */
+static int
+schema_oc_superset_check(struct objclass *oc_list1, struct objclass *oc_list2, char *message) {
+        struct objclass *oc_1, *oc_2;
+        char *description;
+        int rc, i, j;
+        int found;
+
+        if (message == NULL) {
+                description = "";
+        } else {
+                description = message;
+        }
+        
+        /* by default assum oc_list1 == oc_list2 */
+        rc = 0;
+
+        /* Check if all objectclass in oc_list1
+         *   - exists in oc_list2
+         *   - required attributes are also required in oc_2
+         *   - allowed attributes are also allowed in oc_2
+         */
+        for (oc_1 = oc_list1; oc_1 != NULL; oc_1 = oc_1->oc_next) {
+
+                /* Retrieve the remote objectclass in our local schema */
+                oc_2 = oc_find_nolock(oc_1->oc_oid, oc_list2, PR_TRUE);
+                if (oc_2 == NULL) {
+                        /* try to retrieve it with the name*/
+                        oc_2 = oc_find_nolock(oc_1->oc_name, oc_list2, PR_TRUE);
+                }
+                if (oc_2 == NULL) {
+                        slapi_log_error(SLAPI_LOG_REPL, "schema", "Fail to retrieve in the %s schema [%s or %s]\n", 
+                                description,
+                                oc_1->oc_name, 
+                                oc_1->oc_oid);
+
+                        /* The oc_1 objectclasses is supperset */
+                        rc = 1;
+
+                        continue; /* we continue to check all the objectclass */
+                }
+
+                /* First check the MUST */
+                if (oc_1->oc_orig_required) {
+                        for (i = 0; oc_1->oc_orig_required[i] != NULL; i++) {
+                                /* For each required attribute from the remote schema check that 
+                                 * it is also required in the local schema
+                                 */
+                                found = 0;
+                                if (oc_2->oc_orig_required) {
+                                        for (j = 0; oc_2->oc_orig_required[j] != NULL; j++) {
+                                                if (strcasecmp(oc_2->oc_orig_required[j], oc_1->oc_orig_required[i]) == 0) {
+                                                        found = 1;
+                                                        break;
+                                                }
+                                        }
+                                }
+                                if (!found) {
+                                        /* The required attribute in the remote protocol (remote_oc->oc_orig_required[i])
+                                         * is not required in the local protocol
+                                         */
+                                        slapi_log_error(SLAPI_LOG_REPL, "schema", "Attribute %s is not required in '%s' of the %s schema\n",
+                                                oc_1->oc_orig_required[i],
+                                                oc_1->oc_name,
+                                                description);
+
+                                        /* The oc_1 objectclasses is supperset */
+                                        rc = 1;
+                                                
+                                        continue; /* we continue to check all attributes */
+                                }
+                        }
+                }
+
+                /* Second check the MAY */
+                if (oc_1->oc_orig_allowed) {
+                        for (i = 0; oc_1->oc_orig_allowed[i] != NULL; i++) {
+                                /* For each required attribute from the remote schema check that 
+                                 * it is also required in the local schema
+                                 */
+                                found = 0;
+                                if (oc_2->oc_orig_allowed) {
+                                        for (j = 0; oc_2->oc_orig_allowed[j] != NULL; j++) {
+                                                if (strcasecmp(oc_2->oc_orig_allowed[j], oc_1->oc_orig_allowed[i]) == 0) {
+                                                        found = 1;
+                                                        break;
+                                                }
+                                        }
+                                }
+                                if (!found) {
+                                        /* The required attribute in the remote protocol (remote_oc->oc_orig_allowed[i])
+                                         * is not required in the local protocol
+                                         */
+                                        slapi_log_error(SLAPI_LOG_REPL, "schema", "Attribute %s is not allowed in '%s' of the %s schema\n",
+                                                oc_1->oc_orig_allowed[i],
+                                                oc_1->oc_name,
+                                                description);
+
+                                        /* The oc_1 objectclasses is supperset */
+                                        rc = 1;
+                                        
+                                        continue; /* we continue to check all attributes */
+                                }
+                        }
+                }
+        }
+        
+        return rc;
+}
+
+static void
+schema_oclist_free(struct objclass *oc_list)
+{
+        struct objclass *oc, *oc_next;
+        
+        for (oc = oc_list; oc != NULL; oc = oc_next) {
+                oc_next = oc->oc_next;
+                oc_free(&oc);
+        }
+}
+
+static
+struct objclass *schema_berval_to_oclist(struct berval **oc_berval) {
+        struct objclass *oc, *oc_list, *oc_tail;
+        char errorbuf[BUFSIZ];
+        int schema_ds4x_compat, rc;
+        int i;
+        
+        schema_ds4x_compat = config_get_ds4_compatible_schema();
+        rc = 0;
+        
+        oc_list = NULL;
+        oc_tail = NULL;
+        if (oc_berval != NULL) {
+                for (i = 0; oc_berval[i] != NULL; i++) {
+                        /* parse the objectclass value */
+                        if (LDAP_SUCCESS != (rc = parse_oc_str(oc_berval[i]->bv_val, &oc,
+                                errorbuf, sizeof (errorbuf), DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0,
+                                schema_ds4x_compat, oc_list))) {
+                                oc_free(&oc);
+                                rc = 1;
+                                break;
+                        }
+                        
+                        /* Add oc at the end of the oc_list */
+                        oc->oc_next = NULL;
+                        if (oc_list == NULL) {
+                                oc_list = oc;
+                                oc_tail = oc;
+                        } else {
+                                oc_tail->oc_next = oc;
+                                oc_tail = oc;
+                        }
+                }
+        }
+        if (rc) {
+                schema_oclist_free(oc_list);
+                oc_list = NULL;
+        }
+        return oc_list;


