[Fedora-directory-commits] dsgw/config/ja display-ntperson.html.in, 1.2, 1.3 display-orgperson.html.in, 1.2, 1.3
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/dsgw/config/ja
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31194/dsgw/config/ja
Modified Files:
display-ntperson.html.in display-orgperson.html.in
Log Message:
Resolves: bug 171353
Bug Description: Unable to download a certificate from Gateway/Phonebook
Reviewed by: trivial
Fix Description: Have to support both "userCertificate;binary" and "userCertificate"
Platforms tested: HP-UX
Flag Day: no
Doc impact: no
Index: display-ntperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/ja/display-ntperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-ntperson.html.in 6 Mar 2008 22:00:15 -0000 1.2
+++ display-ntperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -107,6 +107,13 @@
>Download Certificate</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>Download Certificate</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
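Review bot: The added link in this localized template is served with `"mimetype=application/x-x509-ca-cert"`, while the same block added to the default templates under dsgw/config in this commit series uses `application/x-x509-email-cert`. userCertificate holds a person's certificate, and a browser that acts on the CA type will offer to import it as a certificate authority, which is not a trust decision a phonebook entry should trigger. Unless the difference is intended, use `"mimetype=application/x-x509-email-cert"` here and in the matching hunks for ja/display-orgperson, fr and es. The mimetype of the existing userCertificate;binary block lies outside the hunk and may need the same check.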
Index: display-orgperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/ja/display-orgperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-orgperson.html.in 6 Mar 2008 22:00:15 -0000 1.2
+++ display-orgperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -107,6 +107,13 @@
>������������������������������</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=""
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>������������������������������</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
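Review bot: `<A HREF=""` on the first line of the added anchor differs from every other template touched by this commit, which open the tag with a bare `<A HREF=` and let the DS_ATTRIBUTE `options=link` directive supply the value. As shown, the tag would carry an empty HREF followed by the generated link, so the download link would presumably not work on the Japanese org-person page; the line should read `<A HREF=`. The link text in this hunk also shows up as replacement characters on this page, so it is worth confirming that the file's encoding survived the commit.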
15 years, 10 months
[Fedora-directory-commits] dsgw/config/fr display-ntperson.html.in, 1.2, 1.3 display-orgperson.html.in, 1.2, 1.3
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/dsgw/config/fr
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31194/dsgw/config/fr
Modified Files:
display-ntperson.html.in display-orgperson.html.in
Log Message:
Resolves: bug 171353
Bug Description: Unable to download a certificate from Gateway/Phonebook
Reviewed by: trivial
Fix Description: Have to support both "userCertificate;binary" and "userCertificate"
Platforms tested: HP-UX
Flag Day: no
Doc impact: no
Index: display-ntperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/fr/display-ntperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-ntperson.html.in 6 Mar 2008 22:00:14 -0000 1.2
+++ display-ntperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -106,6 +106,13 @@
>Download Certificate</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>Download Certificate</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
Index: display-orgperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/fr/display-orgperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-orgperson.html.in 6 Mar 2008 22:00:14 -0000 1.2
+++ display-orgperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -106,6 +106,13 @@
>Télécharger un certificat</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>Télécharger un certificat</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
15 years, 10 months
[Fedora-directory-commits] dsgw/config/es display-ntperson.html.in, 1.2, 1.3 display-orgperson.html.in, 1.2, 1.3
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/dsgw/config/es
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31194/dsgw/config/es
Modified Files:
display-ntperson.html.in display-orgperson.html.in
Log Message:
Resolves: bug 171353
Bug Description: Unable to download a certificate from Gateway/Phonebook
Reviewed by: trivial
Fix Description: Have to support both "userCertificate;binary" and "userCertificate"
Platforms tested: HP-UX
Flag Day: no
Doc impact: no
Index: display-ntperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/es/display-ntperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-ntperson.html.in 6 Mar 2008 22:00:14 -0000 1.2
+++ display-ntperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -106,6 +106,13 @@
>Recibir certificado</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>Recibir certificado</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
Index: display-orgperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/es/display-orgperson.html.in,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- display-orgperson.html.in 6 Mar 2008 22:00:14 -0000 1.2
+++ display-orgperson.html.in 27 Jun 2008 18:49:18 -0000 1.3
@@ -106,6 +106,13 @@
>Recibir certificado</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-ca-cert" -->
+>Recibir certificado</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
15 years, 10 months
[Fedora-directory-commits] dsgw/config display-ntperson.html.in, 1.3, 1.4 display-orgperson.html.in, 1.3, 1.4
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/dsgw/config
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv31194/dsgw/config
Modified Files:
display-ntperson.html.in display-orgperson.html.in
Log Message:
Resolves: bug 171353
Bug Description: Unable to download a certificate from Gateway/Phonebook
Reviewed by: trivial
Fix Description: Have to support both "userCertificate;binary" and "userCertificate"
Platforms tested: HP-UX
Flag Day: no
Doc impact: no
Index: display-ntperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/display-ntperson.html.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- display-ntperson.html.in 20 Mar 2008 02:18:40 -0000 1.3
+++ display-ntperson.html.in 27 Jun 2008 18:49:17 -0000 1.4
@@ -144,6 +144,13 @@
>Download Certificate</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-email-cert" -->
+>Download Certificate</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
Index: display-orgperson.html.in
===================================================================
RCS file: /cvs/dirsec/dsgw/config/display-orgperson.html.in,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- display-orgperson.html.in 20 Mar 2008 02:18:40 -0000 1.3
+++ display-orgperson.html.in 27 Jun 2008 18:49:17 -0000 1.4
@@ -146,6 +146,13 @@
>Download Certificate</A>
<!-- ENDIF -->
+<!-- DS_ATTRIBUTE "attr=userCertificate" "type=hidden" "options=typeonly" -->
+<!-- IF "AttributeHasValues" "userCertificate" -->
+<A HREF=
+<!-- DS_ATTRIBUTE "attr=userCertificate" "options=link" "mimetype=application/x-x509-email-cert" -->
+>Download Certificate</A>
+<!-- ENDIF -->
+
<!-- DS_ATTRIBUTE "attr=audio" "type=hidden" "options=typeonly" -->
<!-- IF "AttributeHasValues" "audio" -->
15 years, 10 months
[Fedora-directory-commits] dsgw configure.ac, 1.11, 1.12 aclocal.m4, 1.16, 1.17 configure, 1.19, 1.20 missing, 1.15, 1.16 install-sh, 1.15, 1.16 Makefile.in, 1.20, 1.21 depcomp, 1.15, 1.16 config.sub, 1.15, 1.16 config.guess, 1.15, 1.16 compile, 1.15, 1.16
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/dsgw
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv8590/dsgw
Modified Files:
configure.ac aclocal.m4 configure missing install-sh
Makefile.in depcomp config.sub config.guess compile
Log Message:
Resolves: bug 453052
Bug Description: DSGW uses wrong directory for cookies on HP-UX
Reviewed by: trivial
Fix Description: Use /var/opt/dirsrv/dsgw/run/cookies
Platforms tested: HP-UX
Flag Day: no
Doc impact: no
Index: configure.ac
===================================================================
RCS file: /cvs/dirsec/dsgw/configure.ac,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- configure.ac 20 Mar 2008 02:18:39 -0000 1.11
+++ configure.ac 26 Jun 2008 22:44:17 -0000 1.12
@@ -247,6 +247,8 @@
# relative to libdir
cgibindir=/$PACKAGE_NAME/dsgw-cgi-bin
perldir=/$PACKAGE_NAME/perl
+ # relative to $localstatedir
+ cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
elif test "$with_fhs_opt" = "yes"; then
# relative to datadir
htmldir=/dsgw/html
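Review bot: `cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies` is now repeated verbatim in this branch and in the final `else` branch (third hunk), with only the `with_fhs_opt` branch differing. Keeping a single default assignment ahead of the `if` and overriding it only in the FHS-opt branch would leave one place to change. The FHS-opt value would also benefit from a comment such as `# FHS /opt layout: run/ sits below the package directory, not above it`. The condition that opens this `if` chain is outside the hunk. The Makefile.in change is not shown on this page, so it cannot be checked here whether the new directory is created with the same ownership and mode as the old one.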
@@ -265,6 +267,8 @@
perldir=/perl
# same as server's cgibindir
cgibindir=/dsgw-cgi-bin
+ # relative to $localstatedir
+ cookiedir=/$PACKAGE_BASE_NAME/dsgw/run/cookies
else
# relative to datadir
htmldir=/$PACKAGE_BASE_NAME/dsgw/html
@@ -283,13 +287,13 @@
perldir=/$PACKAGE_BASE_NAME/perl
# CGI program directory
cgibindir=/$PACKAGE_BASE_NAME/dsgw-cgi-bin
+ # relative to $localstatedir
+ cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
fi
# relative to instconfigdir
contextdir=/dsgw
securitydir=/dsgw
-# relative to $localstatedir
-cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
# URIs
cgiuri=/dsgwcmd
dsgwuri=/dsgw
Index: configure
===================================================================
RCS file: /cvs/dirsec/dsgw/configure,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- configure 20 Mar 2008 02:18:39 -0000 1.19
+++ configure 26 Jun 2008 22:44:17 -0000 1.20
@@ -21396,6 +21396,8 @@
# relative to libdir
cgibindir=/$PACKAGE_NAME/dsgw-cgi-bin
perldir=/$PACKAGE_NAME/perl
+ # relative to $localstatedir
+ cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
elif test "$with_fhs_opt" = "yes"; then
# relative to datadir
htmldir=/dsgw/html
@@ -21414,6 +21416,8 @@
perldir=/perl
# same as server's cgibindir
cgibindir=/dsgw-cgi-bin
+ # relative to $localstatedir
+ cookiedir=/$PACKAGE_BASE_NAME/dsgw/run/cookies
else
# relative to datadir
htmldir=/$PACKAGE_BASE_NAME/dsgw/html
@@ -21432,13 +21436,13 @@
perldir=/$PACKAGE_BASE_NAME/perl
# CGI program directory
cgibindir=/$PACKAGE_BASE_NAME/dsgw-cgi-bin
+ # relative to $localstatedir
+ cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
fi
# relative to instconfigdir
contextdir=/dsgw
securitydir=/dsgw
-# relative to $localstatedir
-cookiedir=/run/$PACKAGE_BASE_NAME/dsgw/cookies
# URIs
cgiuri=/dsgwcmd
dsgwuri=/dsgw
15 years, 10 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/memberof memberof.c, 1.9, 1.10
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/memberof
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4002/ldap/servers/plugins/memberof
Modified Files:
memberof.c
Log Message:
Resolves: 452537
Summary: Fixed infinite recursion issues in memberOf plug-in.
Index: memberof.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/memberof/memberof.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- memberof.c 19 Jun 2008 15:18:20 -0000 1.9
+++ memberof.c 25 Jun 2008 18:34:12 -0000 1.10
@@ -901,20 +901,72 @@
op_to_sdn = slapi_sdn_new_dn_byref(op_to);
slapi_search_internal_get_entry( op_to_sdn, attrlist,
&e, memberof_get_plugin_id());
- slapi_sdn_free(&op_to_sdn);
if(!e)
{
+ /* In the case of a delete, we need to worry about the
+ * missing entry being a nested group. There's a small
+ * window where another thread may have deleted a nested
+ * group that our group_dn entry refers to. This has the
+ * potential of us missing some indirect member entries
+ * that need to be updated. */
if(LDAP_MOD_DELETE == mod_op)
{
- /* in the case of delete we must guard against
- * having groups in a nested chain having been
- * deleted during the window of opportunity
- * and we must fall back to testing all members
- * of the (potentially deleted group) for valid
- * membership given the delete operation that
- * triggered this operation
- */
- memberof_test_membership(pb, config, group_dn);
+ Slapi_PBlock *search_pb = slapi_pblock_new();
+ Slapi_DN *base_sdn = 0;
+ Slapi_Backend *be = 0;
+ char *filter_str = 0;
+ int n_entries = 0;
+
+ /* We can't tell for sure if the op_to entry is a
+ * user or a group since the entry doesn't exist
+ * anymore. We can safely ignore the missing entry
+ * if no other entries have a memberOf attribute that
+ * points to the missing entry. */
+ be = slapi_be_select(op_to_sdn);
+ if(be)
+ {
+ base_sdn = (Slapi_DN*)slapi_be_getsuffix(be,0);
+ }
+
+ if(base_sdn)
+ {
+ filter_str = slapi_ch_smprintf("(%s=%s)",
+ config->memberof_attr, op_to);
+ }
+
+ if(filter_str)
+ {
+ slapi_search_internal_set_pb(search_pb, slapi_sdn_get_dn(base_sdn),
+ LDAP_SCOPE_SUBTREE, filter_str, 0, 0, 0, 0,
+ memberof_get_plugin_id(), 0);
+
+ if (slapi_search_internal_pb(search_pb))
+ {
+ /* get result and log an error */
+ int res = 0;
+ slapi_pblock_get(search_pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
+ slapi_log_error( SLAPI_LOG_FATAL, MEMBEROF_PLUGIN_SUBSYSTEM,
+ "memberof_modop_one_replace_r: error searching for members: "
+ "%d", res);
+ } else {
+ slapi_pblock_get(search_pb, SLAPI_NENTRIES, &n_entries);
+
+ if(n_entries > 0)
+ {
+ /* We want to fixup the membership for the
+ * entries that referred to the missing group
+ * entry. This will fix the references to
+ * the missing group as well as the group
+ * represented by op_this. */
+ memberof_test_membership(pb, config, op_to);
+ }
+ }
+
+ slapi_free_search_results_internal(search_pb);
+ slapi_ch_free_string(&filter_str);
+ }
+
+ slapi_pblock_destroy(search_pb);
}
goto bail;
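Review bot: `slapi_ch_smprintf("(%s=%s)", config->memberof_attr, op_to)` places a DN into an LDAP search filter without escaping, so a DN that contains `(`, `)`, `*` or `\` yields a malformed filter or one that matches something other than the intended value. The assertion value should be escaped per RFC 4515 before it is formatted, for example `filter_str = slapi_ch_smprintf("(%s=%s)", config->memberof_attr, escaped_op_to);`, where `escaped_op_to` is a placeholder for the escaped copy. The search is only used to learn whether any entry matches, yet it requests all attributes (`0` for attrs) over the whole suffix; a minimal attribute list would keep the internal search cheaper. The enclosing function starts and ends outside the hunk.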
@@ -1108,6 +1160,7 @@
}
bail:
+ slapi_sdn_free(&op_to_sdn);
slapi_value_free(&to_dn_val);
slapi_value_free(&this_dn_val);
slapi_entry_free(e);
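Review bot: Freeing `op_to_sdn` at `bail:` is only safe if the variable is initialised to 0 where it is declared, because any `goto bail` taken before `slapi_sdn_new_dn_byref()` runs would otherwise hand an indeterminate pointer to `slapi_sdn_free()`. The declaration is outside this hunk, so this cannot be confirmed here; if it does not already read `Slapi_DN *op_to_sdn = 0;`, it should.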
@@ -1243,51 +1296,62 @@
{
int rc = 0;
Slapi_Value *val = 0;
+ Slapi_Value *op_this_val = 0;
int last_size = 0;
char *last_str = 0;
int hint = slapi_attr_first_value(attr, &val);
+ op_this_val = slapi_value_new_string(op_this);
+
while(val)
{
char *dn_str = 0;
- struct berval *bv = (struct berval *)slapi_value_get_berval(val);
+ struct berval *bv = 0;
- if(last_size > bv->bv_len)
- {
- dn_str = last_str;
- }
- else
+ /* We don't want to process a memberOf operation on ourselves. */
+ if(0 != memberof_compare(config, &val, &op_this_val))
{
- int the_size = (bv->bv_len * 2) + 1;
+ bv = (struct berval *)slapi_value_get_berval(val);
- if(last_str)
- slapi_ch_free_string(&last_str);
+ if(last_size > bv->bv_len)
+ {
+ dn_str = last_str;
+ }
+ else
+ {
+ int the_size = (bv->bv_len * 2) + 1;
- dn_str = (char*)slapi_ch_malloc(the_size);
+ if(last_str)
+ slapi_ch_free_string(&last_str);
- last_str = dn_str;
- last_size = the_size;
- }
+ dn_str = (char*)slapi_ch_malloc(the_size);
- memset(dn_str, 0, last_size);
+ last_str = dn_str;
+ last_size = the_size;
+ }
- strncpy(dn_str, bv->bv_val, (size_t)bv->bv_len);
+ memset(dn_str, 0, last_size);
- /* If we're doing a replace (as we would in the MODRDN case), we need
- * to specify the new group DN value */
- if(mod == LDAP_MOD_REPLACE)
- {
- memberof_modop_one_replace_r(pb, config, mod, group_dn, op_this, group_dn,
- dn_str, stack);
- }
- else
- {
- memberof_modop_one_r(pb, config, mod, group_dn, op_this, dn_str, stack);
+ strncpy(dn_str, bv->bv_val, (size_t)bv->bv_len);
+
+ /* If we're doing a replace (as we would in the MODRDN case), we need
+ * to specify the new group DN value */
+ if(mod == LDAP_MOD_REPLACE)
+ {
+ memberof_modop_one_replace_r(pb, config, mod, group_dn, op_this,
+ group_dn, dn_str, stack);
+ }
+ else
+ {
+ memberof_modop_one_r(pb, config, mod, group_dn, op_this, dn_str, stack);
+ }
}
hint = slapi_attr_next_value(attr, hint, &val);
}
+ slapi_value_free(&op_this_val);
+
if(last_str)
slapi_ch_free_string(&last_str);
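Review bot: The guard `if(0 != memberof_compare(config, &val, &op_this_val))` only skips a member value equal to `op_this`, so it stops a group that lists itself directly; a cycle that runs through another group is not detected by anything in this hunk, and whether `stack` covers that case cannot be seen from here. The comment would be more useful if it said so, for example `/* Skip a member value equal to op_this (direct self-membership); longer cycles are not detected here. */`. The function's signature and closing brace are outside the hunk.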
15 years, 10 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5.h, 1.10, 1.11 repl5_inc_protocol.c, 1.12, 1.13 repl5_replica.c, 1.16, 1.17 repl_extop.c, 1.12, 1.13 windows_inc_protocol.c, 1.15, 1.16
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14162/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5.h repl5_inc_protocol.c repl5_replica.c repl_extop.c
windows_inc_protocol.c
Log Message:
Resolves: bug 233642
Bug Description: MMR breaks with time skew errors
Reviewed by: nhosoi, nkinder (Thanks!)
Fix Description: CSN remote offset generation seems broken. We seem to accumulate a remote offset that keeps growing until we hit the limit of 1 day, then replication stops. The idea behind the remote offset is that servers may be seconds or minutes off. When replication starts, one of the items in the payload of the start extop is the latest CSN from the supplier. The CSN timestamp field is (sampled_time + local offset + remote offset). Sampled time comes from the time thread in the server that updates the time once per second. This allows the consumer, if also a master, to adjust its CSN generation so as not to generate duplicates or CSNs less than those from the supplier. However, the logic in csngen_adjust_time appears to be wrong:
remote_offset = remote_time - gen->state.sampled_time;
That is, remote_offset = (remote sampled_time + remote local offset + remote remote offset) - gen->state.sampled_time
It should be
remote_offset = remote_time - (sampled_time + local offset + remote offset)
Since the sampled time is not the actual current time, it may be off by 1 second. So the new remote_offset will be at least 1 second more than it should be. Since this is the same remote_offset used to generate the CSN to send back to the other master, this offset would keep increasing and increasing over time. The script attached to the bug helps measure this effect. The new code also attempts to refresh the sampled time while adjusting to make sure we have as current a sampled_time as possible. In the old code, the remote_offset is "sent" back and forth between the masters, carried along in the CSN timestamp generation. In the new code, this can happen too, but to a far less extent, and should max out at (real offset + N seconds) where N is the number of masters.
In the old code, you could only call csngen_adjust_time if you first made sure the remote timestamp >= local timestamp. I have removed this restriction and moved that logic into csngen_adjust_time. I also cleaned up the code in the consumer extop - I combined the checking of the CSN from the extop with the max CSN from the supplier RUV - now we only adjust the time once based on the max of all of these CSNs sent by the supplier.
Finally, I cleaned up the error handling in a few places that assumed all errors were time skew errors.
Follow up - I found a bug in my previous patch - _csngen_adjust_local_time must not be called when the sampled time == the current time. So I fixed that where I was calling _csngen_adjust_local_time, and I also changed _csngen_adjust_local_time so that time_diff == 0 is a no-op.
Platforms tested: RHEL5, F8, F9
Flag Day: no
Doc impact: no
QA impact: Should test MMR and use the script to measure the offset effect.
Index: repl5.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5.h,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- repl5.h 12 Sep 2007 23:05:24 -0000 1.10
+++ repl5.h 24 Jun 2008 22:22:09 -0000 1.11
@@ -486,6 +486,7 @@
void replica_get_referrals(const Replica *r, char ***referrals);
void replica_set_referrals(Replica *r,const Slapi_ValueSet *vs);
int replica_update_csngen_state (Replica *r, const RUV *ruv);
+int replica_update_csngen_state_ext (Replica *r, const RUV *ruv, const CSN *extracsn);
CSN *replica_get_purge_csn(const Replica *r);
int replica_log_ruv_elements (const Replica *r);
void replica_enumerate_replicas (FNEnumReplica fn, void *arg);
Index: repl5_inc_protocol.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_inc_protocol.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- repl5_inc_protocol.c 23 Jun 2008 18:38:40 -0000 1.12
+++ repl5_inc_protocol.c 24 Jun 2008 22:22:09 -0000 1.13
@@ -1100,13 +1100,20 @@
rc = replica_update_csngen_state (replica, ruv);
object_release (prp->replica_object);
replica = NULL;
- if (rc != 0) /* too much skew */
+ if (rc == CSN_LIMIT_EXCEEDED) /* too much skew */
{
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"%s: Incremental protocol: fatal error - too much time skew between replicas!\n",
agmt_get_long_name(prp->agmt));
next_state = STATE_STOP_FATAL_ERROR;
}
+ else if (rc != 0) /* internal error */
+ {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "%s: Incremental protocol: fatal internal error updating the CSN generator!\n",
+ agmt_get_long_name(prp->agmt));
+ next_state = STATE_STOP_FATAL_ERROR;
+ }
else
{
rc = send_updates(prp, ruv, &num_changes_sent);
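Review bot: The new `else if (rc != 0)` branch logs a generic internal error without the return code, so the log does not say which failure of the CSN generator update stopped replication. Adding it to the message would help, for example `"%s: Incremental protocol: fatal internal error updating the CSN generator (rc=%d)!\n", agmt_get_long_name(prp->agmt), rc);`. The same applies to the matching branch added in windows_inc_protocol.c. The enclosing function starts and ends outside the hunk.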
Index: repl5_replica.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_replica.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- repl5_replica.c 18 Oct 2007 22:40:17 -0000 1.16
+++ repl5_replica.c 24 Jun 2008 22:22:09 -0000 1.17
@@ -1043,7 +1043,7 @@
}
int
-replica_update_csngen_state (Replica *r, const RUV *ruv)
+replica_update_csngen_state_ext (Replica *r, const RUV *ruv, const CSN *extracsn)
{
int rc = 0;
CSNGen *gen;
@@ -1057,34 +1057,42 @@
return -1;
}
- if (csn == NULL) /* ruv contains no csn - we are done */
+ if ((csn == NULL) && (extracsn == NULL)) /* ruv contains no csn and no extra - we are done */
{
return 0;
}
+ if (csn_compare(extracsn, csn) > 0) /* extracsn > csn */
+ {
+ csn_free (&csn); /* free */
+ csn = (CSN*)extracsn; /* use this csn to do the update */
+ }
+
PR_Lock(r->repl_lock);
gen = (CSNGen *)object_get_data (r->repl_csngen);
PR_ASSERT (gen);
rc = csngen_adjust_time (gen, csn);
- if (rc != CSN_SUCCESS)
- {
- rc = -1;
- goto done;
- }
-
- rc = 0;
+ /* rc will be either CSN_SUCCESS (0) or clock skew */
done:
PR_Unlock(r->repl_lock);
- if (csn)
+ if (csn != extracsn) /* do not free the given csn */
+ {
csn_free (&csn);
+ }
return rc;
}
+int
+replica_update_csngen_state (Replica *r, const RUV *ruv)
+{
+ return replica_update_csngen_state_ext(r, ruv, NULL);
+}
+
/*
* dumps replica state for debugging purpose
*/
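Review bot: The comment `/* rc will be either CSN_SUCCESS (0) or clock skew */` understates what `csngen_adjust_time` can return: the csngen.c change on this page also returns CSN_INVALID_PARAMETER and the result of `_csngen_adjust_local_time`, and the callers now distinguish `CSN_LIMIT_EXCEEDED` from other non-zero values. Something like `/* rc is CSN_SUCCESS (0), CSN_LIMIT_EXCEEDED (too much skew) or another CSN_* error */` would match. `csn_compare(extracsn, csn)` is reached with one of the two pointers NULL (only the both-NULL case returns early), so it relies on csn_compare accepting NULL arguments, which is not visible here. With `goto done;` removed, the `done:` label looks unused in the visible lines. The new function also has no header comment saying that `extracsn` stays owned by the caller.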
Index: repl_extop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl_extop.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- repl_extop.c 18 Oct 2007 00:08:31 -0000 1.12
+++ repl_extop.c 24 Jun 2008 22:22:09 -0000 1.13
@@ -550,7 +550,6 @@
Replica *replica = NULL;
void *conn;
consumer_connection_extension *connext = NULL;
- CSN *mycsn = NULL;
char *replicacsnstr = NULL;
CSN *replicacsn = NULL;
int zero = 0;
@@ -703,55 +702,37 @@
gen = object_get_data(gen_obj);
if (NULL != gen)
{
- if (csngen_new_csn(gen, &mycsn, PR_FALSE /* notify */) == CSN_SUCCESS)
+ replicacsn = csn_new_by_string(replicacsnstr);
+ if (NULL != replicacsn)
{
- replicacsn = csn_new_by_string(replicacsnstr);
- if (NULL != replicacsn)
+ /* ONREPL - we used to manage clock skew here. However, csn generator
+ code already does it. The csngen also manages local skew caused by
+ system clock reset, so to keep it consistent, I removed code from here */
+ /* update the state of the csn generator */
+ rc = replica_update_csngen_state_ext (replica, supplier_ruv, replicacsn); /* too much skew */
+ if (rc == CSN_LIMIT_EXCEEDED)
{
- /* ONREPL - we used to manage clock skew here. However, csn generator
- code already does it. The csngen also manages local skew caused by
- system clock reset, so to keep it consistent, I removed code from here */
- time_t diff = 0L;
- diff = csn_time_difference(mycsn, replicacsn);
- if (diff > 0)
- {
- /* update the state of the csn generator */
- rc = csngen_adjust_time (gen, replicacsn);
- if (rc == CSN_LIMIT_EXCEEDED) /* too much skew */
- {
- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
- goto send_response;
- }
- }
- else if (diff <= 0)
- {
- /* Supplier's clock is behind ours */
- /* XXXggood check if CSN smaller than purge point */
- /* response = NSDS50_REPL_BELOW_PURGEPOINT; */
- /* goto send_response; */
- }
+ response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "conn=%d op=%d repl=\"%s\": "
+ "Excessive clock skew from supplier RUV\n",
+ connid, opid, repl_root);
+ goto send_response;
}
- else
+ else if (rc != 0)
{
- /* Oops, csnstr couldn't be converted */
+ /* Oops, problem csn or ruv format, or memory, or .... */
response = NSDS50_REPL_INTERNAL_ERROR;
goto send_response;
}
+
}
else
{
- /* Oops, csn generator failed */
+ /* Oops, csnstr couldn't be converted */
response = NSDS50_REPL_INTERNAL_ERROR;
goto send_response;
}
-
- /* update csn generator's state from the supplier's ruv */
- rc = replica_update_csngen_state (replica, supplier_ruv); /* too much skew */
- if (rc != 0)
- {
- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
- goto send_response;
- }
}
else
{
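Review bot: The `else if (rc != 0)` branch returns NSDS50_REPL_INTERNAL_ERROR to the supplier without logging anything, while the clock-skew branch just above it does log. A matching line would make the failure traceable on the consumer, for example `slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "conn=%d op=%d repl=\"%s\": error %d updating the CSN generator\n", connid, opid, repl_root, rc);`. The trailing `/* too much skew */` now sits on the `replica_update_csngen_state_ext` call rather than on the `if (rc == CSN_LIMIT_EXCEEDED)` test it describes. The ONREPL comment still talks about code that was removed from here. The enclosing function starts and ends outside the hunk.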
@@ -988,11 +969,6 @@
{
object_release(gen_obj);
}
- /* mycsn */
- if (NULL != mycsn)
- {
- csn_free(&mycsn);
- }
/* replicacsn */
if (NULL != replicacsn)
{
Index: windows_inc_protocol.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_inc_protocol.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- windows_inc_protocol.c 18 Oct 2007 00:08:31 -0000 1.15
+++ windows_inc_protocol.c 24 Jun 2008 22:22:09 -0000 1.16
@@ -796,13 +796,20 @@
rc = replica_update_csngen_state (replica, ruv);
object_release (prp->replica_object);
replica = NULL;
- if (rc != 0) /* too much skew */
+ if (rc == CSN_LIMIT_EXCEEDED) /* too much skew */
{
- slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"%s: Incremental protocol: fatal error - too much time skew between replicas!\n",
agmt_get_long_name(prp->agmt));
next_state = STATE_STOP_FATAL_ERROR;
}
+ else if (rc != 0) /* internal error */
+ {
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "%s: Incremental protocol: fatal internal error updating the CSN generator!\n",
+ agmt_get_long_name(prp->agmt));
+ next_state = STATE_STOP_FATAL_ERROR;
+ }
else
{
rc = send_updates(prp, ruv, &num_changes_sent);
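Review bot: The existing skew message is changed from `windows_repl_plugin_name` to `repl_plugin_name`, and the new internal-error message uses `repl_plugin_name` as well, so Windows sync failures would be logged under the subsystem name of the regular replication plugin. This looks like a carry-over from the identical block in repl5_inc_protocol.c; unless it is intended, both calls should keep `slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,`. The enclosing function starts and ends outside the hunk.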
15 years, 10 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd csngen.c, 1.7, 1.8
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14162/ldapserver/ldap/servers/slapd
Modified Files:
csngen.c
Log Message:
Resolves: bug 233642
Bug Description: MMR breaks with time skew errors
Reviewed by: nhosoi, nkinder (Thanks!)
Fix Description: CSN remote offset generation seems broken. We seem to accumulate a remote offset that keeps growing until we hit the limit of 1 day, then replication stops. The idea behind the remote offset is that servers may be seconds or minutes off. When replication starts, one of the items in the payload of the start extop is the latest CSN from the supplier. The CSN timestamp field is (sampled_time + local offset + remote offset). Sampled time comes from the time thread in the server that updates the time once per second. This allows the consumer, if also a master, to adjust its CSN generation so as not to generate duplicates or CSNs less than those from the supplier. However, the logic in csngen_adjust_time appears to be wrong:
remote_offset = remote_time - gen->state.sampled_time;
That is, remote_offset = (remote sampled_time + remote local offset + remote remote offset) - gen->state.sampled_time
It should be
remote_offset = remote_time - (sampled_time + local offset + remote offset)
Since the sampled time is not the actual current time, it may be off by 1 second. So the new remote_offset will be at least 1 second more than it should be. Since this is the same remote_offset used to generate the CSN to send back to the other master, this offset would keep increasing and increasing over time. The script attached to the bug helps measure this effect. The new code also attempts to refresh the sampled time while adjusting to make sure we have as current a sampled_time as possible. In the old code, the remote_offset is "sent" back and forth between the masters, carried along in the CSN timestamp generation. In the new code, this can happen too, but to a far less extent, and should max out at (real offset + N seconds) where N is the number of masters.
In the old code, you could only call csngen_adjust_time if you first made sure the remote timestamp >= local timestamp. I have removed this restriction and moved that logic into csngen_adjust_time. I also cleaned up the code in the consumer extop - I combined the checking of the CSN from the extop with the max CSN from the supplier RUV - now we only adjust the time once based on the max of all of these CSNs sent by the supplier.
Finally, I cleaned up the error handling in a few places that assumed all errors were time skew errors.
Follow up - I found a bug in my previous patch - _csngen_adjust_local_time must not be called when the sampled time == the current time. So I fixed that where I was calling _csngen_adjust_local_time, and I also changed _csngen_adjust_local_time so that time_diff == 0 is a no-op.
Platforms tested: RHEL5, F8, F9
Flag Day: no
Doc impact: no
QA impact: Should test MMR and use the script to measure the offset effect.
Index: csngen.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/csngen.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- csngen.c 10 Nov 2006 23:45:40 -0000 1.7
+++ csngen.c 24 Jun 2008 22:22:10 -0000 1.8
@@ -60,6 +60,9 @@
#define STATE_FORMAT "%8x%8x%8x%4hx%4hx"
#define STATE_LENGTH 32
#define MAX_VAL(x,y) ((x)>(y)?(x):(y))
+#define CSN_CALC_TSTAMP(gen) ((gen)->state.sampled_time + \
+ (gen)->state.local_offset + \
+ (gen)->state.remote_offset)
/*
* **************************************************************************
@@ -273,8 +276,7 @@
gen->state.seq_num = 0;
}
- (*csn)->tstamp = gen->state.sampled_time + gen->state.local_offset +
- gen->state.remote_offset;
+ (*csn)->tstamp = CSN_CALC_TSTAMP(gen);
(*csn)->seqnum = gen->state.seq_num ++;
(*csn)->rid = gen->state.rid;
(*csn)->subseqnum = 0;
@@ -308,8 +310,9 @@
of time so that it does not generate smaller csns */
int csngen_adjust_time (CSNGen *gen, const CSN* csn)
{
- time_t remote_time, remote_offset;
+ time_t remote_time, remote_offset, cur_time;
PRUint16 remote_seqnum;
+ int rc;
if (gen == NULL || csn == NULL)
return CSN_INVALID_PARAMETER;
@@ -319,21 +322,38 @@
PR_RWLock_Wlock (gen->lock);
- if (remote_seqnum > gen->state.seq_num )
- {
- if (remote_seqnum < CSN_MAX_SEQNUM)
- {
- gen->state.seq_num = remote_seqnum + 1;
- }
- else
- {
- remote_time++;
- }
- }
+ /* make sure we have the current time */
+ csngen_update_time();
+ cur_time = g_sampled_time;
+
+ /* make sure sampled_time is current */
+ /* must only call adjust_local_time if the current time is greater than
+ the generator state time */
+ if ((cur_time > gen->state.sampled_time) &&
+ (CSN_SUCCESS != (rc = _csngen_adjust_local_time(gen, cur_time))))
+ {
+ /* _csngen_adjust_local_time will log error */
+ PR_RWLock_Unlock (gen->lock);
+ csngen_dump_state(gen);
+ return rc;
+ }
- if (remote_time >= gen->state.sampled_time)
+ cur_time = CSN_CALC_TSTAMP(gen);
+ if (remote_time >= cur_time)
{
- remote_offset = remote_time - gen->state.sampled_time;
+ if (remote_seqnum > gen->state.seq_num )
+ {
+ if (remote_seqnum < CSN_MAX_SEQNUM)
+ {
+ gen->state.seq_num = remote_seqnum + 1;
+ }
+ else
+ {
+ remote_time++;
+ }
+ }
+
+ remote_offset = remote_time - cur_time;
if (remote_offset > gen->state.remote_offset)
{
if (remote_offset <= CSN_MAX_TIME_ADJUST)
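Review bot: On the new early-return path, `csngen_dump_state(gen)` is called after `PR_RWLock_Unlock (gen->lock)`, so the state it reports may already have been changed by another thread, unless csngen_dump_state takes the lock itself (its body is not shown here). The limit-exceeded path in the next hunk uses the same order. If the dump does not re-acquire the lock, calling `csngen_dump_state(gen);` before `PR_RWLock_Unlock (gen->lock);` would log the state that actually caused the error. Separately, `cur_time` is first the sampled wall-clock time and then reassigned to `CSN_CALC_TSTAMP(gen)`; a second local such as `time_t cur_tstamp = CSN_CALC_TSTAMP(gen);` would keep the two meanings apart. csngen_adjust_time starts and ends outside this hunk.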
@@ -346,10 +366,18 @@
"adjustment limit exceeded; value - %ld, limit - %ld\n",
remote_offset, (long)CSN_MAX_TIME_ADJUST);
PR_RWLock_Unlock (gen->lock);
+ csngen_dump_state(gen);
return CSN_LIMIT_EXCEEDED;
}
}
- }
+ }
+ else if (gen->state.remote_offset > 0)
+ {
+ /* decrease remote offset? */
+ /* how to decrease remote offset but ensure that we don't
+ generate a duplicate CSN, or a CSN smaller than one we've already
+ generated? */
+ }
PR_RWLock_Unlock (gen->lock);
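Review bot: The added `else if (gen->state.remote_offset > 0)` branch contains no statements, so remote_offset still only ever grows. Once a supplier with a fast clock has pushed it up, bounded only by CSN_MAX_TIME_ADJUST, nothing visible here brings it back down. The open question reads better as a comment on the preceding `if` with the empty branch dropped, for example `/* remote_offset is never decreased: lowering it could yield a duplicate CSN or one smaller than a CSN already generated */`. Because the remote timestamp is supplied by the replication peer, it is also worth documenting next to CSN_MAX_TIME_ADJUST that the cap is the only bound on this ratchet.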
@@ -576,7 +604,14 @@
{
time_t time_diff = cur_time - gen->state.sampled_time;
- if (time_diff > 0)
+ if (time_diff == 0) {
+ /* This is a no op - _csngen_adjust_local_time should never be called
+ in this case, because there is nothing to adjust - but just return
+ here to protect ourselves
+ */
+ return CSN_SUCCESS;
+ }
+ else if (time_diff > 0)
{
gen->state.sampled_time = cur_time;
if (time_diff > gen->state.local_offset)
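Review bot: `time_diff` is declared `time_t`, but the backward-time branch of this function (visible as context in the next hunk) tests it with `abs (time_diff)`, and abs() takes an `int`. Where time_t is wider than int, a large backward jump can be truncated before it is compared with CSN_MAX_TIME_ADJUST, so the limit check may not fire. Since this hunk already reworks the branching on time_diff, the comparison could avoid the conversion altogether: `if (time_diff < -(time_t)CSN_MAX_TIME_ADJUST)`. The function starts before this hunk and continues past it.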
@@ -588,7 +623,7 @@
return CSN_SUCCESS;
}
- else /* time was turend back */
+ else /* time was turned back */
{
if (abs (time_diff) > CSN_MAX_TIME_ADJUST)
{
15 years, 10 months
[Fedora-directory-commits] console/src/com/netscape/management/client/console Console.java, 1.12, 1.13
by Doctor Conrad
Author: rmeggins
Update of /cvs/dirsec/console/src/com/netscape/management/client/console
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14572/bug442187/src/com/netscape/management/client/console
Modified Files:
Console.java
Log Message:
Resolves: bug 442187
Description: [PATCH] support for providing console password in STDIN
Fix Description: Add support for -w - to read password from stdin, and add a new -y argument to read the password from a password file.
Index: Console.java
===================================================================
RCS file: /cvs/dirsec/console/src/com/netscape/management/client/console/Console.java,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- Console.java 7 Dec 2007 20:44:38 -0000 1.12
+++ Console.java 23 Jun 2008 23:03:05 -0000 1.13
@@ -1515,7 +1515,7 @@
*/
static public void main(String argv[]) {
- GetOpt opt = new GetOpt("h:a:A:f:l:u:w:s:D:x:", argv);
+ GetOpt opt = new GetOpt("h:a:A:f:l:u:w:y:s:D:x:", argv);
if (opt.hasOption('f')) {
String outFile = opt.getOptionParam('f');
@@ -1594,6 +1594,10 @@
System.err.println(" -f <file> capture stderr and stdout to <file> (like Unix tee command)");
System.err.println(" -s server DN (cn=...) or instance ID (e.g. slapd-host)");
System.err.println(" -x extra options (javalaf,nowinpos,nologo)");
+ System.err.println(" -u username");
+ System.err.println(" -w password");
+ System.err.println(" -w - (read password from standard input)");
+ System.err.println(" -y password_file (read password from a file)");
System.err.println("\nExample: Console -a https://hostname:10021 -l en");
waitForKeyPress(); // allow the user to read the msg on Win NT
System.exit(0);
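Review bot: The usage text lists `-w password` next to the two new alternatives without saying why they exist: a password passed as an argument is visible to other local users through the process list and tends to end up in shell history. The help line could state this, for example `System.err.println(" -w password (visible in the process list; prefer -w - or -y)");`. It would also help to document which option wins when both `-w` and `-y` are given, since the parsing hunk below lets `-y` overwrite the value. main() starts and ends outside this hunk.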
@@ -1632,7 +1636,34 @@
String password = null;
if (opt.hasOption('w')) {
password = opt.getOptionParam('w');
+ // GetOpt works in such a twisted way that "-" argument values
+ // result in null values received:
+ if (password == null || password.equals("-")) {
+ try {
+ password = (new BufferedReader(new InputStreamReader(
+ System.in))).readLine();
+ } catch (IOException e) {
+ System.err
+ .println("Problem reading password from standard input "
+ + e.getMessage());
+ }
+ }
}
+
+ if (opt.hasOption('y')) {
+ String passwdFile = opt.getOptionParam('y');
+ try {
+ BufferedReader br = new BufferedReader(new FileReader(passwdFile));
+ password = br.readLine();
+ br.close();
+ } catch (FileNotFoundException e) {
+ System.err.println("Password file not found: " + e.getMessage());
+ } catch (IOException e) {
+ System.err.println("Problem reading from password file: " + e.getMessage());
+ }
+ }
+
+
_console = new Console(sAdminURL, localAdminURL, sLang, host, uid, password);
return;
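Review bot: In the `-y` branch, `br.close()` is reached only when `readLine()` succeeds, so an IOException leaves the password file open, and an empty file sets `password` to null without any message. In both new branches a read failure is only printed, and execution continues to `new Console(...)` with whatever `password` holds; for a failed `-y` after `-w` that is the command-line value. Closing the reader in a `finally` block and reporting the empty-file case makes these paths explicit. The hunk also does not check whether the password file is readable by other users. main() starts and ends outside the hunk.

```java
if (opt.hasOption('y')) {
    String passwdFile = opt.getOptionParam('y');
    BufferedReader br = null;
    try {
        br = new BufferedReader(new FileReader(passwdFile));
        password = br.readLine();
        if (password == null) {
            System.err.println("Password file is empty: " + passwdFile);
        }
    } catch (FileNotFoundException e) {
        // … unchanged: "Password file not found" message …
    } catch (IOException e) {
        // … unchanged: "Problem reading from password file" message …
    } finally {
        if (br != null) {
            try {
                br.close();
            } catch (IOException ignored) {
                // nothing useful to do if close fails
            }
        }
    }
}
```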
15 years, 10 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/retrocl retrocl_create.c, 1.5, 1.6
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/retrocl
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv10952
Modified Files:
retrocl_create.c
Log Message:
Resolves: #452328
Summary: range search anomaly on the integer type
Description: Retro changelog plugin automatically creates an index for
changeNumber, which has an integer type. To support the range search against
changeNumber, the index should have the matching order "integerOrderingMatch".
Index: retrocl_create.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/retrocl/retrocl_create.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- retrocl_create.c 10 Nov 2006 23:45:18 -0000 1.5
+++ retrocl_create.c 23 Jun 2008 20:41:36 -0000 1.6
@@ -166,6 +166,10 @@
val.bv_len = strlen(val.bv_val);
slapi_entry_add_values( e, "nsindextype", vals );
+ val.bv_val = "integerOrderingMatch";
+ val.bv_len = strlen(val.bv_val);
+ slapi_entry_add_values( e, "nsMatchingRule", vals );
+
pb = slapi_pblock_new ();
slapi_add_entry_internal_set_pb( pb, e, NULL /* controls */,
g_plg_identity[PLUGIN_RETROCL],
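Review bot: The result of the added `slapi_entry_add_values( e, "nsMatchingRule", vals )` is not checked, so if the value cannot be added the index entry is still created without the ordering rule and nothing is logged. Range searches on changeNumber would then keep showing the anomaly this commit addresses. The `nsindextype` call just above is also unchecked, so checking both would be consistent. A short comment would record the reason for the extra attribute, for example `/* changeNumber is an integer: integerOrderingMatch is needed for range searches */`. The enclosing function starts and ends outside the hunk.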
15 years, 10 months