Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/uiduniq/7bit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 7a5f2e7b4d9cecd5dd63e3ac72107b14631f49da
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jan 22 11:08:18 2014 -0500
Ticket 47641 - 7-bit check plugin not checking MODRDN operation
Bug Description: 7-bit check is not being performed on modrdn operations.
Fix Description: The "superior" DN was not properly being checked/set, and
caused the 7-bit check to be skipped.
https://fedorahosted.org/389/ticket/47641
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit ddbec8c4cea448b775e3848c328cb86b238fe35f)
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index fbcc530..0459bb5 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -544,7 +544,7 @@ preop_modrdn(Slapi_PBlock *pb)
char **argv;
char **attrName;
Slapi_DN *target_sdn = NULL;
- Slapi_DN *superior;
+ Slapi_DN *superior = NULL;
char *rdn;
Slapi_Attr *attr;
char **firstSubtree;
@@ -584,7 +584,7 @@ preop_modrdn(Slapi_PBlock *pb)
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
- if (!superior) superior = target_sdn;
+ if (!slapi_sdn_get_dn(superior)) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -618,7 +618,7 @@ preop_modrdn(Slapi_PBlock *pb)
}
/*
- * arguments before "," are the 7-bit clean attribute names. Arguemnts
+ * arguments before "," are the 7-bit clean attribute names. Arguments
* after "," are subtreeDN's.
*/
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0;
@@ -633,7 +633,7 @@ preop_modrdn(Slapi_PBlock *pb)
for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ )
{
/*
- * If the attribut type is userpassword, do not replace it by
+ * If the attribute type is userpassword, do not replace it by
* unhashed#user#password because unhashed#user#password does not exist
* in this case.
*/
10 years, 2 months
Branch '389-ds-base-1.3.0' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/uiduniq/7bit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit a69644882c1724d3a5d541568056c58ab24e8a4e
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jan 22 11:08:18 2014 -0500
Ticket 47641 - 7-bit check plugin not checking MODRDN operation
Bug Description: 7-bit check is not being performed on modrdn operations.
Fix Description: The "superior" DN was not properly being checked/set, and
caused the 7-bit check to be skipped.
https://fedorahosted.org/389/ticket/47641
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit ddbec8c4cea448b775e3848c328cb86b238fe35f)
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index fbcc530..0459bb5 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -544,7 +544,7 @@ preop_modrdn(Slapi_PBlock *pb)
char **argv;
char **attrName;
Slapi_DN *target_sdn = NULL;
- Slapi_DN *superior;
+ Slapi_DN *superior = NULL;
char *rdn;
Slapi_Attr *attr;
char **firstSubtree;
@@ -584,7 +584,7 @@ preop_modrdn(Slapi_PBlock *pb)
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
- if (!superior) superior = target_sdn;
+ if (!slapi_sdn_get_dn(superior)) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -618,7 +618,7 @@ preop_modrdn(Slapi_PBlock *pb)
}
/*
- * arguments before "," are the 7-bit clean attribute names. Arguemnts
+ * arguments before "," are the 7-bit clean attribute names. Arguments
* after "," are subtreeDN's.
*/
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0;
@@ -633,7 +633,7 @@ preop_modrdn(Slapi_PBlock *pb)
for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ )
{
/*
- * If the attribut type is userpassword, do not replace it by
+ * If the attribute type is userpassword, do not replace it by
* unhashed#user#password because unhashed#user#password does not exist
* in this case.
*/
10 years, 2 months
Branch '389-ds-base-1.3.1' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/uiduniq/7bit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 3cfd99408705a49b72303c6ed680040f9086578a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jan 22 11:08:18 2014 -0500
Ticket 47641 - 7-bit check plugin not checking MODRDN operation
Bug Description: 7-bit check is not being performed on modrdn operations.
Fix Description: The "superior" DN was not properly being checked/set, and
caused the 7-bit check to be skipped.
https://fedorahosted.org/389/ticket/47641
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit ddbec8c4cea448b775e3848c328cb86b238fe35f)
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index fbcc530..0459bb5 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -544,7 +544,7 @@ preop_modrdn(Slapi_PBlock *pb)
char **argv;
char **attrName;
Slapi_DN *target_sdn = NULL;
- Slapi_DN *superior;
+ Slapi_DN *superior = NULL;
char *rdn;
Slapi_Attr *attr;
char **firstSubtree;
@@ -584,7 +584,7 @@ preop_modrdn(Slapi_PBlock *pb)
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
- if (!superior) superior = target_sdn;
+ if (!slapi_sdn_get_dn(superior)) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -618,7 +618,7 @@ preop_modrdn(Slapi_PBlock *pb)
}
/*
- * arguments before "," are the 7-bit clean attribute names. Arguemnts
+ * arguments before "," are the 7-bit clean attribute names. Arguments
* after "," are subtreeDN's.
*/
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0;
@@ -633,7 +633,7 @@ preop_modrdn(Slapi_PBlock *pb)
for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ )
{
/*
- * If the attribut type is userpassword, do not replace it by
+ * If the attribute type is userpassword, do not replace it by
* unhashed#user#password because unhashed#user#password does not exist
* in this case.
*/
10 years, 2 months
Branch '389-ds-base-1.3.2' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/uiduniq/7bit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit 628cb9073b7a46f867f185ec3e9bb0a16aaf2708
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jan 22 11:08:18 2014 -0500
Ticket 47641 - 7-bit check plugin not checking MODRDN operation
Bug Description: 7-bit check is not being performed on modrdn operations.
Fix Description: The "superior" DN was not properly being checked/set, and
caused the 7-bit check to be skipped.
https://fedorahosted.org/389/ticket/47641
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit ddbec8c4cea448b775e3848c328cb86b238fe35f)
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index b6d164b..3474bf9 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -561,7 +561,7 @@ preop_modrdn(Slapi_PBlock *pb)
char **argv;
char **attrName;
Slapi_DN *target_sdn = NULL;
- Slapi_DN *superior;
+ Slapi_DN *superior = NULL;
char *rdn;
Slapi_Attr *attr;
char **firstSubtree;
@@ -601,7 +601,7 @@ preop_modrdn(Slapi_PBlock *pb)
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
- if (!superior) superior = target_sdn;
+ if (!slapi_sdn_get_dn(superior)) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -635,7 +635,7 @@ preop_modrdn(Slapi_PBlock *pb)
}
/*
- * arguments before "," are the 7-bit clean attribute names. Arguemnts
+ * arguments before "," are the 7-bit clean attribute names. Arguments
* after "," are subtreeDN's.
*/
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0;
@@ -650,7 +650,7 @@ preop_modrdn(Slapi_PBlock *pb)
for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ )
{
/*
- * If the attribut type is userpassword, do not replace it by
+ * If the attribute type is userpassword, do not replace it by
* unhashed#user#password because unhashed#user#password does not exist
* in this case.
*/
10 years, 2 months
ldap/servers
by Mark Reynolds
ldap/servers/plugins/uiduniq/7bit.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
New commits:
commit ddbec8c4cea448b775e3848c328cb86b238fe35f
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Jan 22 11:08:18 2014 -0500
Ticket 47641 - 7-bit check plugin not checking MODRDN operation
Bug Description: 7-bit check is not being performed on modrdn operations.
Fix Description: The "superior" DN was not properly being checked/set, and
caused the 7-bit check to be skipped.
https://fedorahosted.org/389/ticket/47641
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/servers/plugins/uiduniq/7bit.c b/ldap/servers/plugins/uiduniq/7bit.c
index b6d164b..3474bf9 100644
--- a/ldap/servers/plugins/uiduniq/7bit.c
+++ b/ldap/servers/plugins/uiduniq/7bit.c
@@ -561,7 +561,7 @@ preop_modrdn(Slapi_PBlock *pb)
char **argv;
char **attrName;
Slapi_DN *target_sdn = NULL;
- Slapi_DN *superior;
+ Slapi_DN *superior = NULL;
char *rdn;
Slapi_Attr *attr;
char **firstSubtree;
@@ -601,7 +601,7 @@ preop_modrdn(Slapi_PBlock *pb)
* its current level in the tree. Use the target DN for
* determining which managed tree this belongs to
*/
- if (!superior) superior = target_sdn;
+ if (!slapi_sdn_get_dn(superior)) superior = target_sdn;
/* Get the new RDN - this has the attribute values */
err = slapi_pblock_get(pb, SLAPI_MODRDN_NEWRDN, &rdn);
@@ -635,7 +635,7 @@ preop_modrdn(Slapi_PBlock *pb)
}
/*
- * arguments before "," are the 7-bit clean attribute names. Arguemnts
+ * arguments before "," are the 7-bit clean attribute names. Arguments
* after "," are subtreeDN's.
*/
for ( firstSubtree = argv; strcmp(*firstSubtree, ",") != 0;
@@ -650,7 +650,7 @@ preop_modrdn(Slapi_PBlock *pb)
for (attrName = argv; strcmp(*attrName, ",") != 0; attrName++ )
{
/*
- * If the attribut type is userpassword, do not replace it by
+ * If the attribute type is userpassword, do not replace it by
* unhashed#user#password because unhashed#user#password does not exist
* in this case.
*/
10 years, 2 months
Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/modify.c | 168 +++++++++++++++++++++++++++++++++++---
ldap/servers/slapd/slapi-plugin.h | 11 --
2 files changed, 158 insertions(+), 21 deletions(-)
New commits:
commit a3b6e22cec1fb8cb5c55e8b848bec4a60f924849
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Jan 20 14:36:43 2014 -0500
Ticket 47678 - modify-delete userpassword
Description: Needed to backport ticket 394 to 1.2.11. Had to remove the password
extension code from the original patch.
https://fedorahosted.org/389/ticket/47678
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 5e52f26..9db10c5 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -80,6 +80,7 @@ static void remove_mod (Slapi_Mods *smods, const char *type, Slapi_Mods *smod_un
#endif
static int op_shared_allow_pw_change (Slapi_PBlock *pb, LDAPMod *mod, char **old_pw, Slapi_Mods *smods);
static int hash_rootpw (LDAPMod **mods);
+static int valuearray_init_bervalarray_unhashed_only(struct berval **bvals, Slapi_Value ***cvals);
#ifdef LDAP_DEBUG
static const char*
@@ -833,19 +834,134 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
if (strcasecmp (pw_mod->mod_type, SLAPI_USERPWD_ATTR) != 0)
continue;
- if (LDAP_MOD_DELETE == pw_mod->mod_op) {
+ if ( SLAPI_IS_MOD_DELETE(pw_mod->mod_op) ) {
Slapi_Attr *a = NULL;
- /* delete pseudo password attribute if it exists in the entry */
- if (!slapi_entry_attr_find(e, unhashed_pw_attr, &a)) {
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op,
- unhashed_pw_attr, va);
+ struct pw_scheme *pwsp = NULL;
+ int remove_unhashed_pw = 1;
+ char *valpwd = NULL;
+
+ /* if there are mod values, we need to delete a specific userpassword */
+ for ( i = 0; pw_mod->mod_bvalues != NULL && pw_mod->mod_bvalues[i] != NULL; i++ ) {
+ char *password = slapi_ch_strdup(pw_mod->mod_bvalues[i]->bv_val);
+ pwsp = pw_val2scheme( password, &valpwd, 1 );
+ if(strcmp(pwsp->pws_name, "CLEAR") == 0){
+ /*
+ * CLEAR password
+ *
+ * Ok, so now we to check the entry's userpassword values.
+ * First, find out the password encoding of the entry's pw.
+ * Then compare our clear text password to the encoded userpassword
+ * using the proper scheme. If we have a match, we know which
+ * userpassword value to delete.
+ */
+ Slapi_Attr *pw = NULL;
+ struct berval bval, *bv[2];
+
+ if(slapi_entry_attr_find(e, SLAPI_USERPWD_ATTR, &pw) == 0 && pw){
+ struct pw_scheme *pass_scheme = NULL;
+ Slapi_Value **present_values = NULL;
+ char *pval = NULL;
+ int ii;
+
+ present_values = attr_get_present_values(pw);
+ for(ii = 0; present_values && present_values[ii]; ii++){
+ const char *userpwd = slapi_value_get_string(present_values[ii]);
+
+ pass_scheme = pw_val2scheme( (char *)userpwd, &pval, 1 );
+ if(strcmp(pass_scheme->pws_name,"CLEAR")){
+ /* its encoded, so compare it */
+ if((*(pass_scheme->pws_cmp))( valpwd, pval ) == 0 ){
+ /*
+ * Match, replace the mod value with the encoded password
+ */
+ slapi_ch_free_string(&pw_mod->mod_bvalues[i]->bv_val);
+ pw_mod->mod_bvalues[i]->bv_val = strdup(userpwd);
+ pw_mod->mod_bvalues[i]->bv_len = strlen(userpwd);
+ free_pw_scheme( pass_scheme );
+ break;
+ }
+ } else {
+ /* userpassword is already clear text, nothing to do */
+ free_pw_scheme( pass_scheme );
+ break;
+ }
+ free_pw_scheme( pass_scheme );
+ }
+ }
+ /*
+ * Finally, delete the unhashed userpassword
+ */
+ bval.bv_val = password;
+ bval.bv_len = strlen(password);
+ bv[0] = &bval;
+ bv[1] = NULL;
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ } else {
+ /*
+ * Password is encoded, try and find a matching unhashed_password to delete
+ */
+ char **vals;
+
+ /*
+ * Grab the current unhashed passwords from the entry.
+ */
+ vals = slapi_entry_attr_get_charray(e, unhashed_pw_attr);
+ if(vals){
+ int ii;
+
+ for(ii = 0; vals && vals[ii]; ii++){
+ char *unhashed_pwd = vals[ii];
+ struct pw_scheme *unhashed_pwsp = NULL;
+ struct berval bval, *bv[2];
+
+ /* prepare the value to delete from the list of unhashed userpasswords */
+ bval.bv_val = unhashed_pwd;
+ bval.bv_len = strlen(unhashed_pwd);
+ bv[0] = &bval;
+ bv[1] = NULL;
+
+ /*
+ * Compare the clear text unhashed password, to the encoded password
+ * provided by the client.
+ */
+ unhashed_pwsp = pw_val2scheme( unhashed_pwd, NULL, 1 );
+ if(strcmp(unhashed_pwsp->pws_name, "CLEAR") == 0){
+ if((*(pwsp->pws_cmp))(unhashed_pwd , valpwd) == 0 ){
+ /* match, add the delete mod for this particular unhashed userpassword */
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ free_pw_scheme( unhashed_pwsp );
+ break;
+ }
+ } else {
+ /*
+ * We have a hashed unhashed_userpassword! We must delete it.
+ */
+ valuearray_init_bervalarray(bv, &va);
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
+ free_pw_scheme( unhashed_pwsp );
+ }
+ }
+ }
+ remove_unhashed_pw = 0; /* mark that we already removed the unhashed userpassword */
+ slapi_ch_free_string(&password);
+ free_pw_scheme( pwsp );
+ }
+ if (remove_unhashed_pw && !slapi_entry_attr_find(e, unhashed_pw_attr, &a)){
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op,unhashed_pw_attr, va);
}
} else {
- /* add pseudo password attribute */
- valuearray_init_bervalarray(pw_mod->mod_bvalues, &va);
- slapi_mods_add_mod_values(&smods, pw_mod->mod_op,
- unhashed_pw_attr, va);
- valuearray_free(&va);
+ /* add pseudo password attribute - only if it's value is clear text */
+ valuearray_init_bervalarray_unhashed_only(pw_mod->mod_bvalues, &va);
+ if(va){
+ slapi_mods_add_mod_values(&smods, pw_mod->mod_op, unhashed_pw_attr, va);
+ valuearray_free(&va);
+ }
}
/* Init new value array for hashed value */
@@ -1301,3 +1417,35 @@ hash_rootpw (LDAPMod **mods)
return 0;
}
+/*
+ * Only add password mods that are in clear text. The console likes to send two mods:
+ * - Already encoded password
+ * - Clear text password
+ *
+ * We don't want to add the encoded value to the unhashed_userpassword attr
+ */
+static int
+valuearray_init_bervalarray_unhashed_only(struct berval **bvals, Slapi_Value ***cvals)
+{
+ int n;
+
+ for(n = 0; bvals != NULL && bvals[n] != NULL; n++);
+
+ if(n == 0){
+ *cvals = NULL;
+ } else {
+ struct pw_scheme *pwsp = NULL;
+ int i,p;
+
+ *cvals = (Slapi_Value **) slapi_ch_malloc((n + 1) * sizeof(Slapi_Value *));
+ for(i = 0, p = 0; i < n; i++){
+ pwsp = pw_val2scheme( bvals[i]->bv_val, NULL, 1 );
+ if(strcmp(pwsp->pws_name, "CLEAR") == 0){
+ (*cvals)[p++] = slapi_value_new_berval(bvals[i]);
+ }
+ free_pw_scheme( pwsp );
+ }
+ (*cvals)[p] = NULL;
+ }
+ return n;
+}
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index d9437ad..5c37a70 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -7231,17 +7231,6 @@ void slapi_set_plugin_open_rootdn_bind(Slapi_PBlock *pb);
#define SLAPI_EXT_SET_REPLACE 1
/**
- * Get entry extension
- *
- * \param entry is the entry to retrieve the extension from
- * \param vals is the array of (Slapi_Value *), which directly refers the extension. Caller must duplicate it to use it for other than referring.
- *
- * \return LDAP_SUCCESS if successful.
- * \return non-zero otherwise.
- */
-int slapi_pw_get_entry_ext(Slapi_Entry *entry, Slapi_Value ***vals);
-
-/**
* Set entry extension
*
* \param entry is the entry to set the extension to
10 years, 2 months
Branch '389-ds-base-1.3.1' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/acl/acl_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit aec20501db3a33df0bc151371cdec334c62af4b0
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jan 16 11:06:22 2014 -0800
Ticket #342 - better error message when cache overflows
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc
introduced an invalid memory read/write. This patch prepares one
extra aclpblock for the acl cache overflow.
https://fedorahosted.org/389/ticket/342
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 3fee1fc829a4a9573d087d1ead3c949239e5e914)
(cherry picked from commit fe75b11cad371890482b7f394384083dc1b0fd70)
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index e42a7e2..ee2dd0f 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -717,7 +717,8 @@ acl__malloc_aclpb ( )
/* allocate arrays for result cache */
aclpb->aclpb_cache_result = (r_cache_t *)
- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t));
+ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */,
+ sizeof (r_cache_t));
/* allocate arrays for target handles in eval_context */
aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *)
10 years, 2 months
Branch '389-ds-base-1.3.2' - ldap/servers
by Noriko Hosoi
ldap/servers/plugins/acl/acl_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit fe75b11cad371890482b7f394384083dc1b0fd70
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jan 16 11:06:22 2014 -0800
Ticket #342 - better error message when cache overflows
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc
introduced an invalid memory read/write. This patch prepares one
extra aclpblock for the acl cache overflow.
https://fedorahosted.org/389/ticket/342
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
(cherry picked from commit 3fee1fc829a4a9573d087d1ead3c949239e5e914)
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index c1b6b4a..608de0a 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -721,7 +721,8 @@ acl__malloc_aclpb ( )
/* allocate arrays for result cache */
aclpb->aclpb_cache_result = (r_cache_t *)
- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t));
+ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */,
+ sizeof (r_cache_t));
/* allocate arrays for target handles in eval_context */
aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *)
10 years, 2 months
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/acl/acl_ext.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 3fee1fc829a4a9573d087d1ead3c949239e5e914
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Jan 16 11:06:22 2014 -0800
Ticket #342 - better error message when cache overflows
Description: commit 892bf12c1bb8b10afea3d6ff711059bf04e362cc
introduced an invalid memory read/write. This patch prepares one
extra aclpblock for the acl cache overflow.
https://fedorahosted.org/389/ticket/342
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
diff --git a/ldap/servers/plugins/acl/acl_ext.c b/ldap/servers/plugins/acl/acl_ext.c
index a011291..a1ff073 100644
--- a/ldap/servers/plugins/acl/acl_ext.c
+++ b/ldap/servers/plugins/acl/acl_ext.c
@@ -742,7 +742,8 @@ acl__malloc_aclpb ( )
/* allocate arrays for result cache */
aclpb->aclpb_cache_result = (r_cache_t *)
- slapi_ch_calloc (aclpb_max_cache_results, sizeof (r_cache_t));
+ slapi_ch_calloc (aclpb_max_cache_results + 1 /* 1 for cache overflow warning */,
+ sizeof (r_cache_t));
/* allocate arrays for target handles in eval_context */
aclpb->aclpb_curr_entryEval_context.acle_handles_matched_target = (int *)
10 years, 2 months
ldap/servers
by Richard Allen Megginson
ldap/servers/plugins/replication/repl_extop.c | 11 ++---------
ldap/servers/slapd/csngen.c | 8 ++++++--
2 files changed, 8 insertions(+), 11 deletions(-)
New commits:
commit 9f2b104b0938b21d7c9fe37c736d0e6328843aeb
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Jan 16 12:57:22 2014 -0700
Ticket #47516 replication stops with excessive clock skew
https://fedorahosted.org/389/ticket/47516
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: The previous fix was not adequate. Instead, the determination
of whether or not to ignore time skew should be determined in
csngen_adjust_time().
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: yes - document new config param
diff --git a/ldap/servers/plugins/replication/repl_extop.c b/ldap/servers/plugins/replication/repl_extop.c
index 57249a6..35014a9 100644
--- a/ldap/servers/plugins/replication/repl_extop.c
+++ b/ldap/servers/plugins/replication/repl_extop.c
@@ -835,19 +835,12 @@ multimaster_extop_StartNSDS50ReplicationRequest(Slapi_PBlock *pb)
rc = replica_update_csngen_state_ext (replica, supplier_ruv, replicacsn); /* too much skew */
if (rc == CSN_LIMIT_EXCEEDED)
{
- extern int config_get_ignore_time_skew();
-
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"conn=%" NSPRIu64 " op=%d repl=\"%s\": "
"Excessive clock skew from supplier RUV\n",
(long long unsigned int)connid, opid, repl_root);
- if (!config_get_ignore_time_skew()) {
- response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
- goto send_response;
- } else {
- /* else just continue */
- rc = 0;
- }
+ response = NSDS50_REPL_EXCESSIVE_CLOCK_SKEW;
+ goto send_response;
}
else if (rc != 0)
{
diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
index 464a59e..f87f2d1 100644
--- a/ldap/servers/slapd/csngen.c
+++ b/ldap/servers/slapd/csngen.c
@@ -326,6 +326,8 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
time_t remote_time, remote_offset, cur_time;
PRUint16 remote_seqnum;
int rc;
+ extern int config_get_ignore_time_skew();
+ int ignore_time_skew = config_get_ignore_time_skew();
if (gen == NULL || csn == NULL)
return CSN_INVALID_PARAMETER;
@@ -380,7 +382,7 @@ int csngen_adjust_time(CSNGen *gen, const CSN* csn)
remote_offset = remote_time - cur_time;
if (remote_offset > gen->state.remote_offset)
{
- if (remote_offset <= CSN_MAX_TIME_ADJUST)
+ if (ignore_time_skew || (remote_offset <= CSN_MAX_TIME_ADJUST))
{
gen->state.remote_offset = remote_offset;
}
@@ -651,6 +653,8 @@ _csngen_cmp_callbacks (const void *el1, const void *el2)
static int
_csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
{
+ extern int config_get_ignore_time_skew();
+ int ignore_time_skew = config_get_ignore_time_skew();
time_t time_diff = cur_time - gen->state.sampled_time;
if (time_diff == 0) {
@@ -714,7 +718,7 @@ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
gen->state.remote_offset);
}
- if (abs (time_diff) > CSN_MAX_TIME_ADJUST)
+ if (!ignore_time_skew && (abs (time_diff) > CSN_MAX_TIME_ADJUST))
{
slapi_log_error (SLAPI_LOG_FATAL, NULL, "_csngen_adjust_local_time: "
"adjustment limit exceeded; value - %d, limit - %d\n",
10 years, 2 months