March 2011 - 389-commits - Fedora Mailing-Lists

by Nathan Kinder

ldap/servers/slapd/log.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) New commits: commit d79ff62e6b750a365dcee0e63a9c4002fe00a7cf Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Mar 7 11:52:26 2011 -0800 Bug 504803 - Allow maxlogsize to be set if logmaxdiskspace is -1 Both the maxlogsize and logmaxdiskspace parameters are allowed to have values of -1. If you set logmaxdiskspace to -1 and then later attempt to set maxlogsize to any other valid value, the server rejects the change with an operations error. The problem is that the two parameters are compared to ensure that maxlogsize is not greater and the logmaxdiskspace. We need to skip this check if logmaxdiskspace is unlimited (-1). I also found that we were converting -1 to a smaller negative number when doing the MB->bytes conversion. This causes other validation errors that expect -1, but not a smaller negative number. The fix is to skip the conversion to bytes and just set a value of -1. diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c index 98090e8..f5ad2dc 100644 --- a/ldap/servers/slapd/log.c +++ b/ldap/servers/slapd/log.c @@ -4162,14 +4162,26 @@ check_log_max_size( char *maxdiskspace_str, if ( maxdiskspace == -1 ) { maxdiskspace = current_maxdiskspace; } - maxdiskspaceB = (PRInt64)maxdiskspace * LOG_MB_IN_BYTES; + + if ( maxdiskspace == -1 ) { + maxdiskspaceB = -1; + } else { + maxdiskspaceB = (PRInt64)maxdiskspace * LOG_MB_IN_BYTES; + } if ( mlogsize == -1 ) { mlogsize = current_mlogsize; } - mlogsizeB = (PRInt64)mlogsize * LOG_MB_IN_BYTES; + + if ( mlogsize == -1 ) { + mlogsizeB = -1; + } else { + mlogsizeB = (PRInt64)mlogsize * LOG_MB_IN_BYTES; + } - if ( maxdiskspace < mlogsize ) + /* If maxdiskspace is negative, it is unlimited. There is + * no need to compate it to the logsize in this case. */ + if (( maxdiskspace >= 0 ) && ( maxdiskspace < mlogsize )) { /* fail */ PR_snprintf ( returntext, SLAPI_DSE_RETURNTEXT_SIZE,

13 years, 1 month

1
0
0 / 0

src/com

by Nathan Kinder

src/com/netscape/admin/dirserv/panel/LogPanel.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) New commits: commit d55444d7439a487857b3a4ad9870eef84123a2f0 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Mar 7 11:25:42 2011 -0800 Bug 504803 - Allow nsslapd-*-logmaxdiskspace to be set to -1 in UI It is not currently possible to set the total log maximum disk space parameter to "-1" in the Console for the access log or the error log. This is a valid parameter in the server that means "unlimited". The problem is that the validation method wants to ensure that the max disk space is not less than the size configured for a single log file. We should not perform this check if the max disk space is unlimited (-1). diff --git a/src/com/netscape/admin/dirserv/panel/LogPanel.java b/src/com/netscape/admin/dirserv/panel/LogPanel.java index 6744df3..395085c 100644 --- a/src/com/netscape/admin/dirserv/panel/LogPanel.java +++ b/src/com/netscape/admin/dirserv/panel/LogPanel.java @@ -596,7 +596,9 @@ abstract public class LogPanel extends BlankPanel { try { int logSizeValue = Integer.parseInt(logSize); int maxDiskSpaceValue = Integer.parseInt(maxDiskSpace); - if (logSizeValue > maxDiskSpaceValue) { + // If max disk space is unlimited (-1), there's no need to compare + // it with the individual log size. + if ((maxDiskSpaceValue >= 0) && (logSizeValue > maxDiskSpaceValue)) { setChangeState(_lLogSize, CHANGE_STATE_ERROR ); setChangeState(_lMaxDiskSpace, CHANGE_STATE_ERROR ); clearValidFlag();

13 years, 1 month

1
0
0 / 0

help/en src/com

by Nathan Kinder

help/en/help/configtab_logs.html | 4 src/com/netscape/admin/dirserv/dirserv.properties | 43 ++++--- src/com/netscape/admin/dirserv/panel/AccessLogConfigurePanel.java | 57 +++++++++- src/com/netscape/admin/dirserv/panel/ErrorLogConfigurePanel.java | 4 4 files changed, 87 insertions(+), 21 deletions(-) New commits: commit c8566dadd049f29308ae736bf6a2cff713a2f768 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Mon Mar 7 10:31:20 2011 -0800 Bug 474113 - Allow access log level to be configured from Console This adds a log level list to the access log configuration in Console. One can select what log levels they want to set for the access log and update the configuration on the server. This was previously only possible for the errors log. diff --git a/help/en/help/configtab_logs.html b/help/en/help/configtab_logs.html index a37ada7..ce3721c 100644 --- a/help/en/help/configtab_logs.html +++ b/help/en/help/configtab_logs.html @@ -69,3 +69,7 @@ Note that the newly configured access mode will only affect new logs that are cr When a file is older than. The server will delete an archived access log when the file is older than the age you specify. + + +Log Level. Specifies the kinds of access messages the server should store in the access log. By default, the connections, operations, and results option is selected. Multiple levels can be selected at the same time. + diff --git a/src/com/netscape/admin/dirserv/dirserv.properties b/src/com/netscape/admin/dirserv/dirserv.properties index 14e9eca..3aa360a 100644 --- a/src/com/netscape/admin/dirserv/dirserv.properties +++ b/src/com/netscape/admin/dirserv/dirserv.properties @@ -971,24 +971,31 @@ log-viewLog-mnemonic=L # log-viewLog-ttip=Show the current log contents in a dialog box log-isAuditingEnabled-default=false log-logLevel-title=Log Level -log-logLevel-label=Log Level -log-logLevel-ttip=Specifies the kinds of error and event messages the server should store. -log-logLevel-default= -log-logLevel-1=Trace function calls -log-logLevel-2=Packet handling -log-logLevel-3=Heavy trace output -log-logLevel-4=Connection management -log-logLevel-5=Packets sent/received -log-logLevel-6=Search filter processing -log-logLevel-7=Config file processing -log-logLevel-8=Access control list processing -log-logLevel-9=Log communications with shell databases -log-logLevel-10=Log entry parsing -log-logLevel-11=Housekeeping -log-logLevel-12=Replication -log-logLevel-13=Entry cache -log-logLevel-14=Plug-ins -log-logLevel-15=Access control summary +log-errorlogLevel-label=Log Level +log-errorlogLevel-ttip=Specifies the kinds of error and event messages the server should store. +log-errorlogLevel-default= +log-errorlogLevel-1=Trace function calls +log-errorlogLevel-2=Packet handling +log-errorlogLevel-3=Heavy trace output +log-errorlogLevel-4=Connection management +log-errorlogLevel-5=Packets sent/received +log-errorlogLevel-6=Search filter processing +log-errorlogLevel-7=Config file processing +log-errorlogLevel-8=Access control list processing +log-errorlogLevel-9=Log communications with shell databases +log-errorlogLevel-10=Log entry parsing +log-errorlogLevel-11=Housekeeping +log-errorlogLevel-12=Replication +log-errorlogLevel-13=Entry cache +log-errorlogLevel-14=Plug-ins +log-errorlogLevel-15=Access control summary +log-accesslogLevel-label=Log Level +log-accesslogLevel-ttip=Specifies the kinds of access messages the server should store. +log-accesslogLevel-default=2 +log-accesslogLevel-1=Internal operations +log-accesslogLevel-2=Connections, operations, and results +log-accesslogLevel-3=Entry access and referrals +log-accesslogLevel-4=Microsecond Timing log-invalid-filename-title=Error Updating Directory log-invalid-filename-msg=Invalid file name: %0 log-save-error-title=Error diff --git a/src/com/netscape/admin/dirserv/panel/AccessLogConfigurePanel.java b/src/com/netscape/admin/dirserv/panel/AccessLogConfigurePanel.java index ddddb5f..bc54ece 100644 --- a/src/com/netscape/admin/dirserv/panel/AccessLogConfigurePanel.java +++ b/src/com/netscape/admin/dirserv/panel/AccessLogConfigurePanel.java @@ -63,12 +63,67 @@ public class AccessLogConfigurePanel extends LogPanel super.init(); createEnableArea(); createConfigArea(); - addBottomGlue (); + createLevelArea(); + addBottomGlue (); enableFields( _cbEnabled.isSelected() ); super.postInit(); } + private void createLevelArea() { + _liLogLevel = makeJList("log","accesslogLevel", ""); + JScrollPane spLogLevel = new JScrollPane(_liLogLevel); + DSEntrySet entries = getDSEntrySet(); + DSEntryBitList logLevelDSEntry = new DSEntryBitList(_liLogLevel, _masks); + + entries.add(LOG_DN, ACCESS_LEVEL_ATTR_NAME, logLevelDSEntry); + setComponentTable(_liLogLevel, logLevelDSEntry); + + JPanel grid = new GroupPanel(_resource.getString( _section, + "logLevel-title" )); + grid.setLayout(new GridBagLayout()); + GridBagConstraints gbc = new GridBagConstraints(); + + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.HORIZONTAL; + gbc.anchor = gbc.CENTER; + gbc.ipady = 0; + gbc.weightx = 1.0; + gbc.weighty = 0.0; + gbc.gridx = gbc.RELATIVE; + gbc.gridy = gbc.RELATIVE; + gbc.insets = getComponentInsets(); + gbc.insets.bottom = UIFactory.getDifferentSpace(); + _myPanel.add(grid, gbc); + + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.anchor = gbc.CENTER; + gbc.ipady = 0; + gbc.weighty = 0.0; + gbc.insets = getComponentInsets(); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.weightx = 1.0; + gbc.fill = gbc.HORIZONTAL; + grid.add(spLogLevel,gbc); + } + + protected void enableFields( boolean enable ) { + if ( _liLogLevel != null ) + _liLogLevel.setEnabled(enable); + super.enableFields( enable ); + } + LogContentPanel getViewerPanel() { return new AccessLogContentPanel( getModel() ); } + + static final String ACCESS_LEVEL_ATTR_NAME = "nsslapd-accesslog-level"; + private JList _liLogLevel; + + // The log level to mask mapping is sparse, unfortunately + private static final int[] _masks = { 0x0004, + 0x0100, + 0x0200, + 0x20000 }; } diff --git a/src/com/netscape/admin/dirserv/panel/ErrorLogConfigurePanel.java b/src/com/netscape/admin/dirserv/panel/ErrorLogConfigurePanel.java index f9d6f2d..a3a9a65 100644 --- a/src/com/netscape/admin/dirserv/panel/ErrorLogConfigurePanel.java +++ b/src/com/netscape/admin/dirserv/panel/ErrorLogConfigurePanel.java @@ -61,13 +61,13 @@ public class ErrorLogConfigurePanel extends LogPanel { createEnableArea(); createConfigArea(); createLevelArea(); - addBottomGlue (); + addBottomGlue (); enableFields( _cbEnabled.isSelected() ); super.postInit(); } private void createLevelArea() { - _liLogLevel = makeJList("log","logLevel", ""); + _liLogLevel = makeJList("log","errorlogLevel", ""); JScrollPane spLogLevel = new JScrollPane(_liLogLevel); DSEntrySet entries = getDSEntrySet();

13 years, 1 month

1
0
0 / 0

Branch '389-ds-base-1.2.8' - ldap/servers

by Richard Allen Megginson

ldap/servers/slapd/test-plugins/testbind.c | 1 + 1 file changed, 1 insertion(+) New commits: commit c1bfc3e05a402059b8a95f57897b4622bd7b3813 Author: Rich Megginson <rmeggins(a)redhat.com> Date: Mon Mar 7 11:24:39 2011 -0700 Bug 644784 - Memory leak in "testbind.c" plugin https://bugzilla.redhat.com/show_bug.cgi?id=644784 Resolves: bug 644784 Bug Description: Memory leak in "testbind.c" plugin Reviewed by: rmeggins (submitted by paolo.campegiani(a)gmail.com) Branch: 389-ds-base-1.2.8 Fix Description: Free the entry Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no diff --git a/ldap/servers/slapd/test-plugins/testbind.c b/ldap/servers/slapd/test-plugins/testbind.c index a065279..9e44a31 100644 --- a/ldap/servers/slapd/test-plugins/testbind.c +++ b/ldap/servers/slapd/test-plugins/testbind.c @@ -216,6 +216,7 @@ test_bind( Slapi_PBlock *pb ) break; } + slapi_entry_free( e ); slapi_send_ldap_result( pb, rc, NULL, NULL, 0, NULL ); return( 1 ); }

13 years, 1 month

1
0
0 / 0

ldap/servers

by Richard Allen Megginson

ldap/servers/slapd/test-plugins/testbind.c | 1 + 1 file changed, 1 insertion(+) New commits: commit df575d3d65a31237bed4cb89db165ed00c0331a7 Author: Rich Megginson <rmeggins(a)redhat.com> Date: Mon Mar 7 11:24:39 2011 -0700 Bug 644784 - Memory leak in "testbind.c" plugin https://bugzilla.redhat.com/show_bug.cgi?id=644784 Resolves: bug 644784 Bug Description: Memory leak in "testbind.c" plugin Reviewed by: rmeggins (submitted by paolo.campegiani(a)gmail.com) Branch: master Fix Description: Free the entry Platforms tested: RHEL6 x86_64 Flag Day: no Doc impact: no diff --git a/ldap/servers/slapd/test-plugins/testbind.c b/ldap/servers/slapd/test-plugins/testbind.c index a065279..9e44a31 100644 --- a/ldap/servers/slapd/test-plugins/testbind.c +++ b/ldap/servers/slapd/test-plugins/testbind.c @@ -216,6 +216,7 @@ test_bind( Slapi_PBlock *pb ) break; } + slapi_entry_free( e ); slapi_send_ldap_result( pb, rc, NULL, NULL, 0, NULL ); return( 1 ); }

13 years, 1 month

1
0
0 / 0

console/src/com/netscape/management/client/security CertInstallSetTrustPage.java, 1.1.1.1, 1.2 CertificateDialog.java, 1.1.1.1, 1.2

by Noriko Hosoi

Author: nhosoi Update of /cvs/dirsec/console/src/com/netscape/management/client/security In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv5197/src/com/netscape/management/client/security Modified Files: CertInstallSetTrustPage.java CertificateDialog.java Log Message: Bug 158926 - Unable to install CA certificate when using hardware token ( LunaSA ) https://bugzilla.redhat.com/show_bug.cgi?id=158926 Description: CertificateDialog passes the token name selected from the Security Device menu to ServerCertificatePane, but NOT to CACertificatePane. Due to this, when a hardware token was selected as a Security Device on CACertificatePane, installing CA cert was not forwarded to the hardware token. Also, it was missing to send a passowrd for the Security Device on CACertificatePane, which caused the install fail with an error "Password". This patch solves the problems. Index: CertInstallSetTrustPage.java =================================================================== RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/CertInstallSetTrustPage.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- CertInstallSetTrustPage.java 18 Jul 2005 00:34:15 -0000 1.1.1.1 +++ CertInstallSetTrustPage.java 4 Mar 2011 17:18:58 -0000 1.2 @@ -33,6 +33,7 @@ class CertInstallSetTrustPage extends WizardPage implements SuiConstants { JCheckBox clientTrust, serverTrust; + Hashtable pwdCache = new Hashtable(); public boolean nextInvoked() { boolean canProceed = false; @@ -56,6 +57,10 @@ args.put("dercert" , dataCollectionModel.getValue("dercert")); args.put("certtype" , dataCollectionModel.getValue("certtype")); args.put("certname" , dataCollectionModel.getValue("certname")); + for (Enumeration e=pwdCache.keys(); e.hasMoreElements();) { + Object tokenPwd = e.nextElement(); + args.put(tokenPwd, pwdCache.get(tokenPwd)); + } int t = (clientTrust.isSelected()?EditTrustDialog.TRUSTED_CLIENT_CA:0) | (serverTrust.isSelected()?EditTrustDialog.TRUSTED_CA:0); @@ -70,6 +75,8 @@ consoleInfo.getAuthenticationDN(), consoleInfo.getAuthenticationPassword()); + SecurityUtil.execWithPwdInput(admTask, args, pwdCache); + admTask.setArguments(args); admTask.exec(); Index: CertificateDialog.java =================================================================== RCS file: /cvs/dirsec/console/src/com/netscape/management/client/security/CertificateDialog.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- CertificateDialog.java 18 Jul 2005 00:34:16 -0000 1.1.1.1 +++ CertificateDialog.java 4 Mar 2011 17:18:58 -0000 1.2 @@ -285,6 +285,7 @@ } CertificateDialog.this.serverCertificatePane.setTokenName(token.toString()); + CertificateDialog.this.caCertificatePane.setTokenName(token.toString()); SwingUtilities.invokeLater(new Runnable() { public void run() {

13 years, 1 month

1
0
0 / 0

admserv/cgi-src40

by Noriko Hosoi

admserv/cgi-src40/security.c | 100 +++++++++++++++++++++++++++---------------- 1 file changed, 63 insertions(+), 37 deletions(-) New commits: commit f7554f273e9919890732bc6253297ada56c76d08 Author: Noriko Hosoi <nhosoi(a)redhat.com> Date: Thu Mar 3 15:51:47 2011 -0800 Bug 158926 - Unable to install CA certificate when using hardware token ( LunaSA ) https://bugzilla.redhat.com/show_bug.cgi?id=158926 Description: Installing/Importing CA cert to the hardware token was not correctly supported in the security CGI. This patch passes hardware token name to the installCACert helper function and get the correct slot for the hardware token. Then, import the cert to the slot. diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c index c53f065..2941eb3 100644 --- a/admserv/cgi-src40/security.c +++ b/admserv/cgi-src40/security.c @@ -1311,8 +1311,9 @@ static void printDERCert(int isCACert) { /* * Install a server certificate. */ -static void installServerCert(char *tokenName, char *certname) { - +static void +installServerCert(char *tokenName, char *certname) +{ SECStatus rv; CERTCertificate *cert; CERTCertTrust trust; @@ -1397,43 +1398,66 @@ static void installServerCert(char *tokenName, char *certname) { /* * Install a CA cert and set its trust */ -static void installCACert(char *certname) { - - /* need to decode der cert */ - char *derCertBase64 = getParameter("dercert",getResourceString(DBT_DER_CERT)); - CERTDERCerts *collectArgs = decodeDERCert(derCertBase64); - - /* remove leading space in certificate name */ - if (certname) { - while (isspace(*certname)) ++certname; - } - - /* Import CA Cert and set trust */ - { +static void +installCACert(char *tokenName, char *certname) +{ + /* need to decode der cert */ + CERTCertificate *cert; + char *derCertBase64 = NULL; + CERTDERCerts *collectArgs = NULL; + PK11SlotInfo *slot = NULL; CERTCertificate **retCerts = 0; PRBool keepCerts = PR_TRUE; PRBool caOnly = PR_TRUE; - char *nickname = certname; - char *truststr = getParameter("trust_flag",getResourceString(DBT_TRUST)); + char *nickname = certname; + char *truststr = NULL; + char *endptr = NULL; + int trustflag; int trustedCA; - char *endptr = NULL; - int trustflag = strtol(truststr, &endptr, 0); + SECStatus rc = 0; - if ((*truststr == '\0') || !endptr || (*endptr != '\0')) { - /* invalid trust flags */ - errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL)); - } - trustedCA = (trustflag & CERTDB_TRUSTED_CA); - CERT_ImportCerts(certdb,(trustedCA ? certUsageSSLCA : certUsageAnyCA), + derCertBase64 = getParameter("dercert",getResourceString(DBT_DER_CERT)); + collectArgs = decodeDERCert(derCertBase64); + + truststr = getParameter("trust_flag",getResourceString(DBT_TRUST)); + trustflag = strtol(truststr, &endptr, 0); + if (tokenName) { + slot = PK11_FindSlotByName(tokenName); + } else { + slot = PK11_GetInternalKeySlot(); + } + /* remove leading space in certificate name */ + if (certname) { + while (isspace(*certname)) ++certname; + } + + /* Import CA Cert and set trust */ + if ((*truststr == '\0') || !endptr || (*endptr != '\0')) { + /* invalid trust flags */ + errorRpt(GENERAL_FAILURE, getResourceString(DBT_TRUST_SET_FAIL)); + } + trustedCA = (trustflag & CERTDB_TRUSTED_CA); + rc = CERT_ImportCerts(certdb, (trustedCA ? certUsageSSLCA : certUsageAnyCA), collectArgs->numcerts, &collectArgs->rawCerts, &retCerts, keepCerts, caOnly, nickname); + CERT_FindCertByDERCert(certdb, collectArgs->rawCerts); + cert = retCerts[0]; + rc = PK11_ImportCert(slot, cert, CK_INVALID_HANDLE, certname, PR_FALSE); + if (rc != SECSuccess) { + char *tmpLine = (char *)PR_Malloc(PR_GetErrorTextLength()+1); + PR_GetErrorText(tmpLine); + PR_snprintf(line, sizeof(line), "%d:%s", PR_GetError(), tmpLine); + PR_Free(tmpLine); + /* if unable to import report error */ + rpt_err(SYSTEM_ERROR, getResourceString(DBT_INTERNAL_ERROR), + getResourceString(DBT_INSTALL_FAIL), line); + } - if(!CERT_FindCertByDERCert(certdb, collectArgs->rawCerts)) { - errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL)); + if(NULL == PK11_FindCertInSlot(slot, cert, NULL)) { + errorRpt(GENERAL_FAILURE, getResourceString(DBT_INSTALL_FAIL)); } setTrust(processNullString(getMD5Fingerprint(retCerts[0])), trustflag); - } } @@ -1965,18 +1989,21 @@ static void keyCertMigrate() { int main(int argc, char *argv[]) { /* cgi env setup */ - int _ai = ADMUTIL_Init(); - char * m = getenv("REQUEST_METHOD"); + char *m = NULL; char msg[BIG_LINE]; AdmldapInfo ldapInfo; /* our config */ int rc = 0; char *sie; - char *configdir = util_get_conf_dir(); - const char *secdir = util_get_security_dir(); + char *configdir = NULL; + const char *secdir = NULL; #if 0 CGI_Debug("security"); #endif + ADMUTIL_Init(); + m = getenv("REQUEST_METHOD"); + configdir = util_get_conf_dir(); + secdir = util_get_security_dir(); /*setup i18n stuff*/ { @@ -2013,7 +2040,6 @@ int main(int argc, char *argv[]) } securitydir = getSecurityDir(ldapInfo, sie); - { char* operation = getParameter("formop",getResourceString(DBT_OP)); @@ -2079,11 +2105,11 @@ int main(int argc, char *argv[]) else { /* install a certificate */ char *certName = get_cgi_var("certname", NULL, NULL); + char *tokenName = + getParameter("tokenname",getResourceString(DBT_TOKEN_NAME)); if (isCACert) { - installCACert(certName); - } - else { - char *tokenName = getParameter("tokenname",getResourceString(DBT_TOKEN_NAME)); + installCACert(tokenName, certName); + } else { installServerCert(tokenName, certName); } }

13 years, 1 month

1
0
0 / 0

esc/win32 build.sh,1.16,1.17

by Jack Magne

Author: jmagne Update of /cvs/dirsec/esc/win32 In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv11465 Modified Files: build.sh Log Message: Bump xulrunner version. Index: build.sh =================================================================== RCS file: /cvs/dirsec/esc/win32/build.sh,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- build.sh 22 Jan 2011 04:35:32 -0000 1.16 +++ build.sh 3 Mar 2011 21:55:51 -0000 1.17 @@ -100,9 +100,9 @@ XULRUNNER_DIR=xulrunner XULRUNNER_FTP_PATH=http://releases.mozilla.org/pub/mozilla.org/ -XULRUNNER_PATH=xulrunner/releases/1.9.2.13/runtimes/ +XULRUNNER_PATH=xulrunner/releases/1.9.2.14/runtimes/ -XULRUNNER_ARCHIVE=xulrunner-1.9.2.13.en-US.win32.zip +XULRUNNER_ARCHIVE=xulrunner-1.9.2.14.en-US.win32.zip #Base Dirctory calc

13 years, 1 month

1
0
0 / 0

Branch '389-ds-base-1.2.8' - ldap/servers

by Nathan Kinder

ldap/servers/plugins/replication/windows_protocol_util.c | 41 +++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) New commits: commit b6c75e3535fb5084be0ebe3b481885e83e2256d0 Author: Nathan Kinder <nkinder(a)redhat.com> Date: Thu Mar 3 12:10:47 2011 -0800 Bug 680558 - Winsync plugin fails to restrain itself to the configured subtree When an operation against an entry that is in the same database that is used by a sync agreement, but falls outside of the sync agreement, a message is logged at the fatal error level stating that the local entry could not be fetched. The issue is that the sync code searches for the entry by uniqueid within the sync agreement scope, which fails to find the entry. This search is fine, but we should not log it as a fatal message. The fix is to only log a fatal message when we fail to fetch a local entry that falls within the sync agreement. This patch adds a new helper to check if a DN is within the sync agreement scope, which is used to determine if a fatal error should be logged. diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index 428f5f1..dc3754b 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -64,6 +64,7 @@ static void extract_guid_from_entry_bv(Slapi_Entry *e, const struct berval **bv) #endif static void windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password); static int is_subject_of_agreement_local(const Slapi_Entry *local_entry,const Repl_Agmt *ra); +static int is_dn_subject_of_agreement_local(const Slapi_DN *sdn, const Repl_Agmt *ra); static int windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_entry, Slapi_DN *remote_sdn, Slapi_Entry **remote_entry, char** password); static int windows_get_local_entry(const Slapi_DN* local_dn,Slapi_Entry **local_entry); static int windows_get_local_entry_by_uniqueid(Private_Repl_Protocol *prp,const char* uniqueid,Slapi_Entry **local_entry, int is_global); @@ -1411,10 +1412,21 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op op->operation_type = SLAPI_OPERATION_DELETE; is_ours_force = 1; } else { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: windows_replay_update: failed to fetch local entry for %s operation dn=\"%s\"\n", - agmt_get_long_name(prp->agmt), - op2string(op->operation_type), op->target_address.dn); + /* We only searched within the subtree in the agreement, so we should not print + * an error if we didn't find the entry and the DN is outside of the agreement scope. */ + if (is_dn_subject_of_agreement_local(local_dn, prp->agmt)) { + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: windows_replay_update: failed to fetch local entry for %s operation dn=\"%s\"\n", + agmt_get_long_name(prp->agmt), + op2string(op->operation_type), op->target_address.dn); + } else { + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, + "%s: windows_replay_update: Looking at %s operation local dn=\"%s\" (%s)\n", + agmt_get_long_name(prp->agmt), + op2string(op->operation_type), op->target_address.dn, is_ours ? "ours" : "not ours"); + } + /* Just bail on this change. We don't want to do any + * further checks since we don't have a local entry. */ goto error; } } @@ -3725,6 +3737,27 @@ error: return retval; } +/* Tests if a DN is within the scope of our agreement */ +static int +is_dn_subject_of_agreement_local(const Slapi_DN *sdn, const Repl_Agmt *ra) +{ + int retval = 0; + const Slapi_DN *agreement_subtree = NULL; + + /* Get the subtree from the agreement */ + agreement_subtree = windows_private_get_directory_subtree(ra); + if (NULL == agreement_subtree) + { + goto error; + } + + /* Check if the DN is within the subtree */ + retval = slapi_sdn_scope_test(sdn, agreement_subtree, LDAP_SCOPE_SUBTREE); + +error: + return retval; +} + /* Tests if the entry is subject to our agreement (i.e. is it in the sync'ed subtree in AD and either a user or a group ?) */ static int is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra)

13 years, 1 month

1
0
0 / 0

ldap/servers

by Nathan Kinder

ldap/servers/plugins/replication/windows_protocol_util.c | 41 +++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) New commits: commit 4f30419596e8aaf411dc5cb9ab9bf88ddb4b791f Author: Nathan Kinder <nkinder(a)redhat.com> Date: Thu Mar 3 12:10:47 2011 -0800 Bug 680558 - Winsync plugin fails to restrain itself to the configured subtree When an operation against an entry that is in the same database that is used by a sync agreement, but falls outside of the sync agreement, a message is logged at the fatal error level stating that the local entry could not be fetched. The issue is that the sync code searches for the entry by uniqueid within the sync agreement scope, which fails to find the entry. This search is fine, but we should not log it as a fatal message. The fix is to only log a fatal message when we fail to fetch a local entry that falls within the sync agreement. This patch adds a new helper to check if a DN is within the sync agreement scope, which is used to determine if a fatal error should be logged. diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c index 428f5f1..dc3754b 100644 --- a/ldap/servers/plugins/replication/windows_protocol_util.c +++ b/ldap/servers/plugins/replication/windows_protocol_util.c @@ -64,6 +64,7 @@ static void extract_guid_from_entry_bv(Slapi_Entry *e, const struct berval **bv) #endif static void windows_map_mods_for_replay(Private_Repl_Protocol *prp,LDAPMod **original_mods, LDAPMod ***returned_mods, int is_user, char** password); static int is_subject_of_agreement_local(const Slapi_Entry *local_entry,const Repl_Agmt *ra); +static int is_dn_subject_of_agreement_local(const Slapi_DN *sdn, const Repl_Agmt *ra); static int windows_create_remote_entry(Private_Repl_Protocol *prp,Slapi_Entry *original_entry, Slapi_DN *remote_sdn, Slapi_Entry **remote_entry, char** password); static int windows_get_local_entry(const Slapi_DN* local_dn,Slapi_Entry **local_entry); static int windows_get_local_entry_by_uniqueid(Private_Repl_Protocol *prp,const char* uniqueid,Slapi_Entry **local_entry, int is_global); @@ -1411,10 +1412,21 @@ windows_replay_update(Private_Repl_Protocol *prp, slapi_operation_parameters *op op->operation_type = SLAPI_OPERATION_DELETE; is_ours_force = 1; } else { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: windows_replay_update: failed to fetch local entry for %s operation dn=\"%s\"\n", - agmt_get_long_name(prp->agmt), - op2string(op->operation_type), op->target_address.dn); + /* We only searched within the subtree in the agreement, so we should not print + * an error if we didn't find the entry and the DN is outside of the agreement scope. */ + if (is_dn_subject_of_agreement_local(local_dn, prp->agmt)) { + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: windows_replay_update: failed to fetch local entry for %s operation dn=\"%s\"\n", + agmt_get_long_name(prp->agmt), + op2string(op->operation_type), op->target_address.dn); + } else { + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, + "%s: windows_replay_update: Looking at %s operation local dn=\"%s\" (%s)\n", + agmt_get_long_name(prp->agmt), + op2string(op->operation_type), op->target_address.dn, is_ours ? "ours" : "not ours"); + } + /* Just bail on this change. We don't want to do any + * further checks since we don't have a local entry. */ goto error; } } @@ -3725,6 +3737,27 @@ error: return retval; } +/* Tests if a DN is within the scope of our agreement */ +static int +is_dn_subject_of_agreement_local(const Slapi_DN *sdn, const Repl_Agmt *ra) +{ + int retval = 0; + const Slapi_DN *agreement_subtree = NULL; + + /* Get the subtree from the agreement */ + agreement_subtree = windows_private_get_directory_subtree(ra); + if (NULL == agreement_subtree) + { + goto error; + } + + /* Check if the DN is within the subtree */ + retval = slapi_sdn_scope_test(sdn, agreement_subtree, LDAP_SCOPE_SUBTREE); + +error: + return retval; +} + /* Tests if the entry is subject to our agreement (i.e. is it in the sync'ed subtree in AD and either a user or a group ?) */ static int is_subject_of_agreement_remote(Slapi_Entry *e, const Repl_Agmt *ra)

13 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

389-commits March 2011