From rmeggins at redhat.com Tue Jan 6 22:32:58 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 06 Jan 2009 15:32:58 -0700
Subject: [Fedora-directory-devel] Please review: Bug 479077 - Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Message-ID: <4963DC1A.1080606@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=479077
Resolves: bug 479077
Bug Description: Server to Server SASL/DIGEST-MD5 not Supported over SSL/TLS
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: If using TLS/SSL, we don't need to use a sasl security layer, so just set the maxssf to 0.
Platforms tested: RHEL4
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=328326&action=diff

From rmeggins at redhat.com Wed Jan 7 21:36:23 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 07 Jan 2009 14:36:23 -0700
Subject: [Fedora-directory-devel] Please review: Bug 478656 - rhds accounts are disabled in ad after full sync
Message-ID: <49652057.3000808@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=478656
Resolves: bug 478656
Bug Description: rhds accounts are disabled in ad after full sync
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The incremental sync code calls send_accountcontrol_modify after adding an entry, but the total update code does not. I modified the code to do that. I also changed the send_accountcontrol_modify to force the account to be enabled if adding it. I tried just adding userAccountControl:512 to the default user add template, but AD does not like this - gives operations error. So you have to modify userAccountControl after adding the entry. I also cleaned up a couple of minor memory leaks.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=328417&action=diff

From nhosoi at redhat.com Thu Jan 8 22:15:30 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 08 Jan 2009 14:15:30 -0800
Subject: [Fedora-directory-devel] Please review: [Bug 436830] Memory leak in ns-slapd's Class Of Service
In-Reply-To: <200901082134.n08LYoA8021223@bz-web2.app.phx.redhat.com>
References: <200901082134.n08LYoA8021223@bz-web2.app.phx.redhat.com>
Message-ID: <49667B02.4060600@redhat.com>

*Bug 436830* - Memory leak in ns-slapd's Class Of Service
https://bugzilla.redhat.com/show_bug.cgi?id=436830

[Problem description by Tamas Bagyal]
From Bugzilla Helper:
User-Agent: Opera/9.50 (X11; Linux i686; U; en)

Description of problem:
I found a memory leak in ns-slapd when using cos. the fds build on a debian etch using the build-ds script and follow the instructions on the mailing-list. the database replicated from an fds version 1.0.4 which is in mmr with 1.1.0. errors log shows nothing. valgrind's output see in the attachment.

[Proposed fix]
Created an attachment (id=328497) --> (https://bugzilla.redhat.com/attachment.cgi?id=328497)
cvs diff ldapserver/ldap/servers/plugins/cos/cos_cache.c

Fix Description: When all the necessary values for the CoS template cache are not available, the allocated memory should be discarded. One of them, pCosPriority, was not released.

From nhosoi at redhat.com Fri Jan 9 18:48:19 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 09 Jan 2009 10:48:19 -0800
Subject: [Fedora-directory-devel] Please review: [Bug 464854] ldapsearch with size limit (-z) doesn't work with OR filter and range search
In-Reply-To: <200901091835.n09IZR0P003103@bz-web1.app.phx.redhat.com>
References: <200901091835.n09IZR0P003103@bz-web1.app.phx.redhat.com>
Message-ID: <49679BF3.3080905@redhat.com>

[Bug 464854] ldapsearch with size limit (-z) doesn't work with OR filter and range search
https://bugzilla.redhat.com/show_bug.cgi?id=464854

[Description of Problem]
If sizelimit is specified (e.g., -z 5) in ldapsearch, the filter including a range search does not return expected entries even if entries match the filter.

How to reproduce the problem:
Create a test ldif file with dbgen.pl
    $ dbgen.pl -o /path/to/example10k.ldif -n 10000
Import it
    $ ldif2db -n userRoot -i /path/to/example10k.ldif
Start the server
    $ start-slapd

Run the following command
    $ ldapsearch -D 'cn=Directory Manager' -w -b "dc=example,dc=com" "(&(l=Boston)(|(ou=Payroll)(ou=Accounting))(roomNumber>=9700))" dn roomNumber l ou
It returns 7 entries.

    $ ldapsearch -D 'cn=Directory Manager' -w -b "dc=example,dc=com" -z 5 "(&(l=Boston)(|(ou=Payroll)(ou=Accounting))(roomNumber>=9700))" dn roomNumber l ou
It returns no entries. This entry count could be random from 0 to 5.
Expected result: returns 5 entries

Problem description:
SIZELIMIT is checked in index_range_read to eliminate the unnecessary data retrieval. But when the filter contains a range search which is connected by AND, then we should not do sizelimit. There was a bug in the function which sets is_and. The flag should have been cleared only when the function set it to 1. Instead, it was cleared each time the function is called.
It let index_range_read stop reading when it reaches sizelimit even though it should not have.

[Proposed Fix]
Created an attachment (id=328581) --> (https://bugzilla.redhat.com/attachment.cgi?id=328581)
cvs diff ldapserver/ldap/servers/slapd/back-ldbm/filterindex.c

Fix Description: list_candidates sets SLAPI_SEARCH_IS_AND to 1 in pblock when the filter starts with AND. This function is recursively called and the IS_AND info should be passed to the descendent candidates functions. The IS_AND flag is cleared only by the function which sets it to 1.

From nhosoi at redhat.com Fri Jan 9 21:11:08 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 09 Jan 2009 13:11:08 -0800
Subject: [Fedora-directory-devel] Please review (Revised): [Bug 464854] ldapsearch with size limit (-z) doesn't work with OR filter and range search
In-Reply-To: <49679BF3.3080905@redhat.com>
References: <200901091835.n09IZR0P003103@bz-web1.app.phx.redhat.com> <49679BF3.3080905@redhat.com>
Message-ID: <4967BD6C.2020903@redhat.com>

[Bug 464854] ldapsearch with size limit (-z) doesn't work with OR filter and range search
https://bugzilla.redhat.com/show_bug.cgi?id=464854

> [Description of Problem]
> If sizelimit is specified (e.g., -z 5) in ldapsearch, the filter
> including a range search does not return expected entries even if
> entries match the filter.
>
> How to reproduce the problem:
> Create a test ldif file with dbgen.pl
>     $ dbgen.pl -o /path/to/example10k.ldif -n 10000
> Import it
>     $ ldif2db -n userRoot -i /path/to/example10k.ldif
> Start the server
>     $ start-slapd
>
> Run the following command
>     $ ldapsearch -D 'cn=Directory Manager' -w -b "dc=example,dc=com" "(&(l=Boston)(|(ou=Payroll)(ou=Accounting))(roomNumber>=9700))" dn roomNumber l ou
> It returns 7 entries.
>
>     $ ldapsearch -D 'cn=Directory Manager' -w -b "dc=example,dc=com" -z 5 "(&(l=Boston)(|(ou=Payroll)(ou=Accounting))(roomNumber>=9700))" dn roomNumber l ou
> It returns no entries. This entry count could be random from 0 to 5.
> Expected result: returns 5 entries
>
> Problem description:
> SIZELIMIT is checked in index_range_read to eliminate the unnecessary data
> retrieval. But when the filter contains a range search which is connected by
> AND, then we should not do sizelimit. There was a bug in the function which
> sets is_and. The flag should have been cleared only when the function set it
> to 1. Instead, it was cleared each time the function is called. It let
> index_range_read stop reading when it reaches sizelimit even though it should
> not have.

[Revised proposed fix]
Created an attachment (id=328591) --> (https://bugzilla.redhat.com/attachment.cgi?id=328591)
Revised: cvs diff ldapserver/ldap/servers/slapd/back-ldbm/filterindex.c

Thanks to Nathan for pointing out the flaw in my previous proposal. It had a bug in the nested AND case. Inner AND was clearing "is_and", which it should not have. It was fixed in this new proposal.

From rmeggins at redhat.com Fri Jan 9 21:16:49 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 09 Jan 2009 14:16:49 -0700
Subject: [Fedora-directory-devel] Please review: Bug 471068 - winsync doesn't recognize some changes
Message-ID: <4967BEC1.50309@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=471068
Resolves: bug 471068
Bug Description: winsync doesn't recognize some changes
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Before sending updates to AD, first check to see if the updates still apply. For modify/add operations, check to make sure the value to add doesn't exist.
If it does, remove it from the list of values in the mod. If all values are removed, then just skip the modify/add op altogether. For modify/del ops, check to see if the attribute exists. If not, just skip the op. If it does exist, check to see if the values exist, and remove the values from the mod/del op that do not exist anymore. If all values have been removed, just skip the mod/del op. I added a new slapi function - slapi_mod_init_valueset_byval - which will init a Slapi_Mod and init the list of values using a valueset. Fortunately there was already a function for converting a Slapi_Value** to a berval**. I also fixed a few compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - add new function to slapi docs
https://bugzilla.redhat.com/attachment.cgi?id=328589&action=diff

From nkinder at redhat.com Fri Jan 9 22:43:22 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 09 Jan 2009 14:43:22 -0800
Subject: [Fedora-directory-devel] Please Review: (472602) would like an API for determining if an intercepted request is an internal one
Message-ID: <4967D30A.6040403@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=472602
Resolves: bug 472602
Bug Description: The SLAPI API doesn't expose a way to check if an operation is an internal operation. There is a public function that allows you to get the flags set for an operation, but the internal operation flag itself is not exposed.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix is simply to expose the internal operation flag in the public header file.
Platforms tested: F9
Flag Day: no
Doc impact: yes - add new flag and old function to SLAPI docs.
https://bugzilla.redhat.com/attachment.cgi?id=328598&action=diff

From nkinder at redhat.com Sat Jan 10 00:00:32 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 09 Jan 2009 16:00:32 -0800
Subject: [Fedora-directory-devel] Please Review: (170461) Remove dependency on Term::ReadKey for password prompts in Perl scripts
Message-ID: <4967E520.1060306@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=170461
Resolves: bug 170461
Bug Description: A handful of our Perl scripts currently require the Term::ReadKey module for password prompting. This is not a standard module on all platforms, so one has to ensure that it is installed and modify the Perl scripts by hand to use the password prompt code.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix uses the same method that we use in the setup code to deal with non-echoed responses for password prompts.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=328607&action=diff

From rmeggins at redhat.com Tue Jan 13 03:47:04 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 12 Jan 2009 20:47:04 -0700
Subject: [Fedora-directory-devel] Please review: Bug 204966 - WinSync ignores entry if NT attributes are added later.
Message-ID: <496C0EB8.3010100@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=204966
Resolves: bug 204966
Bug Description: WinSync ignores entry if NT attributes are added later.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: If we are replaying a modify operation, we need to check if the ntUser objectclass is being added along with the other attributes that tell the sync service to sync this entry. If the objectclass is being added or replaced, we check the existing entry to see if it is still a sync-able entry. If it is, we call process_replay_add to add the entry. I changed this function to accept a Slapi_Entry to add rather than the operation structure.
Finally, I had to change the way we send the Account Control flags to take into account an entry that may have been added as a result of a modify operation. I fixed a memory leak when setting the Slapi_Attr attribute type, and cleaned up a compiler warning.
NOTE: There will be no clear text password to send (unless the userPassword was modified in the same modify operation). This means the account will be added to Windows, and will be enabled, but will be essentially unusable - the user cannot login - until either the user modifies the password on the directory server side, or the administrator resets the password.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - we will have to document the new winsync behavior
https://bugzilla.redhat.com/attachment.cgi?id=328818&action=diff

From rmeggins at redhat.com Tue Jan 13 18:40:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 11:40:46 -0700
Subject: [Fedora-directory-devel] Please review: Bug 479202 - Acceptance test: mmrepl {accept, chainonupdate} : slapd dumps core during accept_cleanup()
Message-ID: <496CE02E.6050805@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=479202
Resolves: bug 479202
Bug Description: Acceptance test: mmrepl {accept,chainonupdate} : slapd dumps core during accept_cleanup()
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Have to call ldapssl_set_option(ld, SSL_NO_CACHE, PR_TRUE) after setting up the connection for client auth
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=328902&action=diff

From rmeggins at redhat.com Tue Jan 13 21:32:15 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 14:32:15 -0700
Subject: [Fedora-directory-devel] Please review: Bug 479313 - Server to Server SASL - DIGEST/MD5 - Can not Stop server
Message-ID: <496D085F.4070307@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=479313
Resolves: bug 479313
Bug Description: Server to Server SASL - DIGEST/MD5 - Can not Stop server
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Using ldap_set_option with LDAP_OPT_X_SASL_SECPROPS is not thread safe. ldap_set_option acquires the OPTION lock, but using LDAP_OPT_X_SASL_SECPROPS just calls return rather than calling break to exit the switch and unlock the lock. A mozilla bug has been filed https://bugzilla.mozilla.org/show_bug.cgi?id=473438. The fix is to use LDAP_OPT_X_SASL_SSF_MAX.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=328916&action=diff

From rmeggins at redhat.com Wed Jan 14 01:22:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 13 Jan 2009 18:22:14 -0700
Subject: [Fedora-directory-devel] Please review: Bug 222055 - DirSync interval should be configurable
Message-ID: <496D3E46.9020905@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=222055
Resolves: bug 222055
Bug Description: DirSync interval should be configurable
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Added a new config attribute - winSyncInterval - this is how often to run the dirsync search, in seconds. The default is 600 (5 minutes) which was the old hard coded value.
Due to the way it's coded, the change only takes effect when the agreement is created or restarted, so the value cannot really be dynamically changed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - document the new attribute
https://bugzilla.redhat.com/attachment.cgi?id=328937&action=diff

From wesamcis at gmail.com Thu Jan 15 11:11:28 2009
From: wesamcis at gmail.com (Wesam Al-Yazjeen)
Date: Thu, 15 Jan 2009 03:11:28 -0800
Subject: [Fedora-directory-devel] fedora ldap
Message-ID:

Hi all,
i need help.
can i bind with fedora ldap by UTF-8 user name and pass.
i mean can i use Arabic characters in user name or any other characters (not just English character).
can i bind to ldap using UTF-8 char-set not ASCII?

--
Wesam Al-Yazjeen...

From michael at stroeder.com Thu Jan 15 17:25:22 2009
From: michael at stroeder.com (Michael Ströder)
Date: Thu, 15 Jan 2009 18:25:22 +0100
Subject: [Fedora-directory-devel] fedora ldap
In-Reply-To:
References:
Message-ID: <496F7182.6070802@stroeder.com>

Wesam Al-Yazjeen wrote:
> i need help.
> can i bind with fedora ldap by UTF-8 user name and pass.

Yes.

> i mean can i use Arabic characters in user name or any other characters
> (not just English character).

Yes.

> can i bind to ldap using UTF-8 char-set not ASCII?

Yes, for simple bind. You should test with various SASL bind mechs.

But I'd not recommend to do so because of possible interoperability problems with LDAP client applications. Bear in mind that everything has to be done right when the user enters NON-ASCII chars on the keyboard. You have to test such a scenario very thoroughly with all other components you want to deploy.

Ciao, Michael.
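
The locking defect described in the Bug 479313 message above (an option setter that takes a lock, then returns from inside the switch for one option instead of breaking out to the unlock) can be modelled in a few lines. This is an added example, not code from the Mozilla LDAP C SDK or from the patch under review; the lock, the option ids, the handle struct and the set_option_* functions are stand-ins assumed for illustration.

```c
/* Added illustration of the lock-leak pattern; not Mozilla LDAP C SDK source. */
#include <stdatomic.h>
#include <stdio.h>

/* Stand-in for the library's internal option lock (assumed). */
static atomic_flag option_lock = ATOMIC_FLAG_INIT;

static void lock_acquire(void) {
    while (atomic_flag_test_and_set(&option_lock)) {
        /* spin: a later caller waits here forever if the lock leaked */
    }
}

static void lock_release(void) { atomic_flag_clear(&option_lock); }

/* Non-blocking probe for this single-threaded demo: 1 if the lock is held. */
static int lock_is_held(void) {
    if (atomic_flag_test_and_set(&option_lock))
        return 1;                     /* already set, so somebody holds it */
    atomic_flag_clear(&option_lock);  /* we just took it: give it back */
    return 0;
}

/* Constructed option ids standing in for the real LDAP_OPT_* constants. */
enum { OPT_SASL_SECPROPS = 1, OPT_SASL_SSF_MAX = 2 };

struct handle { unsigned long ssf_max; };

/* Parse a "maxssf=N" property string; 0 on success, -1 on bad input. */
static int apply_secprops(struct handle *h, const char *props) {
    unsigned long v;
    if (props == NULL || sscanf(props, "maxssf=%lu", &v) != 1)
        return -1;
    h->ssf_max = v;
    return 0;
}

/* Defective shape: one case returns directly and skips the unlock. */
int set_option_buggy(struct handle *h, int opt, const void *val) {
    int rc = 0;
    lock_acquire();
    switch (opt) {
    case OPT_SASL_SECPROPS:
        return apply_secprops(h, val);   /* lock is still held here */
    case OPT_SASL_SSF_MAX:
        h->ssf_max = *(const unsigned long *)val;
        break;
    default:
        rc = -1;
        break;
    }
    lock_release();
    return rc;
}

/* Corrected shape: every case leaves through the single unlock. */
int set_option_fixed(struct handle *h, int opt, const void *val) {
    int rc = 0;
    lock_acquire();
    switch (opt) {
    case OPT_SASL_SECPROPS:
        rc = apply_secprops(h, val);
        break;
    case OPT_SASL_SSF_MAX:
        h->ssf_max = *(const unsigned long *)val;
        break;
    default:
        rc = -1;
        break;
    }
    lock_release();
    return rc;
}

/* Calls the setter, then reports whether the option lock was left held. */
int lock_leaked_after(int (*set_option)(struct handle *, int, const void *),
                      struct handle *h, int opt, const void *val) {
    int leaked;
    set_option(h, opt, val);
    leaked = lock_is_held();
    if (leaked)
        lock_release();   /* reset so the next call starts from a free lock */
    return leaked;
}

int main(void) {
    struct handle h = { 56 };
    unsigned long zero = 0;
    printf("buggy setter, SECPROPS: leaked=%d\n",
           lock_leaked_after(set_option_buggy, &h, OPT_SASL_SECPROPS, "maxssf=0"));
    printf("buggy setter, SSF_MAX:  leaked=%d\n",
           lock_leaked_after(set_option_buggy, &h, OPT_SASL_SSF_MAX, &zero));
    printf("fixed setter, SECPROPS: leaked=%d\n",
           lock_leaked_after(set_option_fixed, &h, OPT_SASL_SECPROPS, "maxssf=0"));
    return 0;
}
```

The second call mirrors the workaround the message describes: the caller reaches the same setting through the option whose case does release the lock, while the library defect itself is tracked in the Mozilla bug.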
From nkinder at redhat.com Thu Jan 15 18:02:49 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 15 Jan 2009 10:02:49 -0800
Subject: [Fedora-directory-devel] Please Review: (184141) pwpolicy response control not sent with passwd modify extop response
Message-ID: <496F7A49.90400@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=184141
Resolves: bug 184141
Bug Description: If the password policy request control is present when performing a password modify extended operation, the associated response control is not sent back when there is a policy error or warning.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: There are numerous issues causing the password policy response control to not be returned when using the password modify extended operation. As Rich pointed out, we were not passing the controls through to the internal modify operation. I found that we were not setting the request controls in the pblock for any extended operations, which made it impossible to copy those and pass them into the internal modify. In the internal modify code, we were not setting SLAPI_PWPOLICY if the password policy control was present. This needs to be set for the password policy code to determine if the response control needs to be sent. There are also a few password policy checks that are not processed for internal operations. We need to perform these checks in the password modify extended operation code since they need to know which user is performing the operation, which is unknown when dealing with an internal operation.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329114&action=diff

From nkinder at redhat.com Thu Jan 15 23:48:49 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 15 Jan 2009 15:48:49 -0800
Subject: [Fedora-directory-devel] Please Review: (248924) should support to change the password after reset by using password modify extension
Message-ID: <496FCB61.100@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=248924
Resolves: bug 248924
Bug Description: When a password is expired, the password modify extended operation doesn't make the password non-expired. The server allows one to change their password, but the code assumes that the root DN is doing a reset of the password since we use an internal modify operation for the actual password update internally.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix is to copy a reference to the connection object from the original pblock into the pblock used for the internal modify operation. This allows the password policy code to determine who initiated the password change for an internal operation.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329152&action=diff

From nkinder at redhat.com Fri Jan 16 16:31:55 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 16 Jan 2009 08:31:55 -0800
Subject: [Fedora-directory-devel] Please Review: (204626) Password syntax checking is performed also on hashed values
Message-ID: <4970B67B.7000802@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=204626
Resolves: bug 204626
Bug Description: The password syntax checking is still performed against pre-hashed passwords. In addition, we are allowing anyone to store pre-hashed passwords, which we should not do when syntax checking is enabled since it allows one to override the syntax rules.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This patch simply checks if a password is pre-hashed in the password syntax checking code. It will reject a pre-hashed password if syntax checking is enabled, with the exception of replicated operations and those initiated by the root DN. The non-rejected cases will not be subject to syntax checking.
Platforms tested: F9
Flag Day: no
Doc impact: yes. A note about pre-hashed passwords not being allowed when using password syntax checking needs to be added.
https://bugzilla.redhat.com/attachment.cgi?id=329221&action=diff

From rmeggins at redhat.com Fri Jan 16 17:48:12 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 16 Jan 2009 10:48:12 -0700
Subject: [Fedora-directory-devel] Please review: Bug 480251 - rhds80 console - ssl - csr wizard really wants a country/region string
Message-ID: <4970C85C.2090502@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=480251
Resolves: bug 480251
Bug Description: rhds80 console - ssl - csr wizard really wants a country/region string
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Have to make sure the string is long enough before taking the substring
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329234&action=diff

From nkinder at redhat.com Mon Jan 19 19:10:23 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 19 Jan 2009 11:10:23 -0800
Subject: [Fedora-directory-devel] Please Review: (474945) Adding duplicate schema over LDAP triggers assertion in attrsyntax
Message-ID: <4974D01F.4060400@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=474945
Resolves: bug 474945
Bug Description: An assertion is triggered when adding a duplicate attribute to the schema over LDAP in a debug build.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: We were calling attr_syntax_delete() on a syntax that we fetched using attr_syntax_get_by_name_locking_optional().
You are supposed to use attr_syntax_return() when you are finished with a syntax that you fetch in this way, which will take care of freeing it if it is required. There was already code that was doing the proper thing, so the call to attr_syntax_delete() can simply be removed.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329387&action=diff

From nkinder at redhat.com Mon Jan 19 20:41:01 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 19 Jan 2009 12:41:01 -0800
Subject: [Fedora-directory-devel] Please Review: (480384) online schema update fails with SUP
Message-ID: <4974E55D.4020009@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=480384
Resolves: bug 480384
Bug Description: If you attempt to add a new attribute to the schema over LDAP, the server will not find the parent attribute if you use an alias to refer to it in the attribute definition.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix is to check if the parent attribute name used in the new definition matches any aliases when looking for the parent.
Platforms tested: F9 x86_64
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329398&action=diff

From mario.fetka at gmail.com Wed Jan 21 15:55:12 2009
From: mario.fetka at gmail.com (Mario Fetka)
Date: Wed, 21 Jan 2009 16:55:12 +0100
Subject: [Fedora-directory-devel] Gentoo and Admin Server
Message-ID: <200901211655.12399.mario.fetka@gmail.com>

Hello,

the problem could be gentoo specific so i am asking on the devel list.

some infos on the system:
apr-utils are built against mozldap (not openldap)
so also apache is built against mozldap
the dirsrv-admin initscript is only a modified apache initscript (no LD_PRELOAD )

the error i am facing is:
cat /var/log/dirsrv/admin-serv/error
[Wed Jan 21 16:14:45 2009] [crit] do_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed
[Wed Jan 21 16:20:48 2009] [crit] do_admserv_post_config(): unable to create AdmldapInfo
Configuration Failed

thx in av
Mario

From rmeggins at redhat.com Fri Jan 23 15:30:17 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 23 Jan 2009 08:30:17 -0700
Subject: [Fedora-directory-devel] Please review: Bug 481176 - Null Point Exception Attempting to Install CA Certifcate
Message-ID: <4979E289.2020302@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=481176
Resolves: bug 481176
Bug Description: Null Point Exception Attempting to Install CA Certifcate
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The problem is that the certificate is not recognized by NSS as a CA certificate because it is missing some flags and the basic constraint extension for CAs. The wizard code wrongly assumed that any certificate being installed in this context is a CA cert. I changed the code to handle other types of certs. However, this doesn't fix the problem where the CA cert shows up under Server Certs instead of CA Certs, because only "real" CA certs with the proper settings will show up under the CA Certs list.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329744&action=diff

From rmeggins at redhat.com Mon Jan 26 15:51:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 26 Jan 2009 08:51:46 -0700
Subject: [Fedora-directory-devel] Please review: Bug 481223 - Removing Group Member in ADS and Send and Recieve Updates Crashes the Directory Server
Message-ID: <497DDC12.9070007@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=481223
Resolves: bug 481223
Bug Description: Removing Group Member in ADS and Send and Receive Updates Crashes the Directory Server
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: I broke this with my earlier fix about sending mods to AD. There are calls which reset the raw entry from AD before the call to mod_already_made. The fix is to only retrieve the raw entry just before we use it, after it may have been reset. I also found a memory leak in the mod init with valueset function I added for the prior fix.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=329993&action=diff

From rmeggins at redhat.com Tue Jan 27 20:34:27 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 27 Jan 2009 13:34:27 -0700
Subject: [Fedora-directory-devel] Please review: Bug 479253 - Configuring Server to Server GSSAPI over SSL - Need better Error Message
Message-ID: <497F6FD3.5030308@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=479253
Resolves: bug 479253
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=330144&action=diff

From nkinder at redhat.com Tue Jan 27 23:14:30 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 27 Jan 2009 15:14:30 -0800
Subject: [Fedora-directory-devel] Please Review: (430364) setup-ds-admin.pl does not correctly set the admin server ip address
Message-ID: <497F9556.1050304@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=430364
Resolves: bug 430364
Bug Description: When the IP address for the admin server to listen on is specified in the inf file, it is not used in the config DS or in the console.conf config file.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The first issue is that an error was being returned by the config CGI when attempting to set the IP address in console.conf, but the AdminServer.pm code was not detecting this error. This caused the install to not error out reporting that there was a problem with the IP address.

The second issue is that the validation of the IP address in the config CGI was too strict. To validate the IP address, we were getting the hostname of the system, doing a reverse lookup to get the addresses associated with that hostname, then checking if any of those addresses matched the one from the .inf file. If the requested address is assigned to a different hostname, this validation will fail. The fix is to simply try to bind the address to a socket to see if the address is valid. We don't need to care what hostname it is associated with, we just need to know that the address is assigned to the system.

The third issue is that the template file for the "o=NetscapeRoot" entry was missing a replace macro for the "nsServerAddress" attribute. The fix just adds the macro and maps it to the ServerIpAddress .inf directive.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=330174&action=diff

From rmeggins at redhat.com Wed Jan 28 20:45:12 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 28 Jan 2009 13:45:12 -0700
Subject: [Fedora-directory-devel] Please review: Bug 482909 - server seg fault if doing SSLCLIENTAUTH without being an ssl server
Message-ID: <4980C3D8.4080503@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=482909
Resolves: bug 482909
Bug Description: server seg fault if doing SSLCLIENTAUTH without being an ssl server
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: When I changed the code to allow the DS to be an SSL client without having to be an SSL server, I missed the svrcore setup for EXTERNAL (ssl client auth). The fix is to check to see if svrcore has been set up, and initialize it if not, before attempting to use it.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=330282&action=diff

From rmeggins at redhat.com Thu Jan 29 21:20:01 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Jan 2009 14:20:01 -0700
Subject: [Fedora-directory-devel] Please review: Bug 430364 - setup-ds-admin.pl does not correctly set the admin server ip address
Message-ID: <49821D81.7040006@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=430364
Resolves: bug 430364
Bug Description: setup-ds-admin.pl does not correctly set the admin server ip address
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: If the admin server advertises its IP address in its cn=config nsServerAddress, the console will attempt to use the address instead of hostname (which will break https, btw). If the address is set to 0.0.0.0, clients cannot use this, so must fall back on the hostname.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=330404&action=diff

From rmeggins at redhat.com Fri Jan 30 01:35:36 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 29 Jan 2009 18:35:36 -0700
Subject: [Fedora-directory-devel] Please review: Bug 431681 - Fix java detection on Windows XP
Message-ID: <49825968.3000704@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=431681
Resolves: bug 431681
Bug Description: Fix java detection on Windows XP
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Just use "java -version" to test for the presence of java
Platforms tested: Windows 2003 server
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/show_bug.cgi?id=431681#c4
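
The rule described in the Bug 204626 message earlier in this archive (reject a pre-hashed password when syntax checking is enabled, except for replicated operations and the root DN) is shown here next to the behaviour that message reports. This is an added example, not the project's patch; the scheme list, the stand-in syntax rule, the struct and function names and the sample hash string are all assumptions made for the illustration.

```c
/* Added illustration of the pre-hashed password rule; not 389 DS source. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Storage scheme names assumed for this example. */
static const char *const KNOWN_SCHEMES[] = {
    "SSHA", "SHA", "SMD5", "MD5", "CRYPT", NULL
};

enum pw_decision { PW_ACCEPT = 0, PW_REJECT_PREHASHED, PW_REJECT_SYNTAX };

struct pw_request {
    const char *value;          /* new userPassword value as submitted */
    int syntax_check_enabled;   /* password syntax checking switched on */
    int is_replicated;          /* operation arrived through replication */
    int is_root_dn;             /* operation initiated by the root DN */
};

/* 1 if value has the form "{SCHEME}data" with a known scheme and some data. */
int is_prehashed(const char *value) {
    const char *end;
    size_t len, i;
    if (value == NULL || value[0] != '{')
        return 0;
    end = strchr(value, '}');
    if (end == NULL || end == value + 1 || end[1] == '\0')
        return 0;
    len = (size_t)(end - value - 1);
    for (i = 0; KNOWN_SCHEMES[i] != NULL; i++) {
        if (strlen(KNOWN_SCHEMES[i]) == len &&
            strncasecmp(value + 1, KNOWN_SCHEMES[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Stand-in syntax rule (constructed): at least 8 characters and one digit. */
static int passes_syntax(const char *pw) {
    int has_digit = 0;
    size_t n = 0;
    for (; pw[n] != '\0'; n++)
        if (isdigit((unsigned char)pw[n]))
            has_digit = 1;
    return n >= 8 && has_digit;
}

/* Reported behaviour: the rule is applied to whatever string is submitted,
 * so a hash string is measured instead of the password behind it. */
enum pw_decision check_before(const struct pw_request *r) {
    if (!r->syntax_check_enabled)
        return PW_ACCEPT;
    return passes_syntax(r->value) ? PW_ACCEPT : PW_REJECT_SYNTAX;
}

/* Rule from the fix description: a hashed value cannot be inspected, so it
 * is refused unless it comes from replication or the root DN. */
enum pw_decision check_after(const struct pw_request *r) {
    if (!r->syntax_check_enabled)
        return PW_ACCEPT;
    if (is_prehashed(r->value)) {
        if (r->is_replicated || r->is_root_dn)
            return PW_ACCEPT;       /* exempt, and not syntax checked */
        return PW_REJECT_PREHASHED;
    }
    return passes_syntax(r->value) ? PW_ACCEPT : PW_REJECT_SYNTAX;
}

int main(void) {
    /* Constructed sample value; it is not a real password hash. */
    const char *hashed = "{SSHA}Q29uc3RydWN0ZWRTYW1wbGUxMjM0";
    struct pw_request user = { hashed, 1, 0, 0 };
    struct pw_request root = { hashed, 1, 0, 1 };
    printf("before, ordinary user: %d\n", check_before(&user));
    printf("after,  ordinary user: %d\n", check_after(&user));
    printf("after,  root DN:       %d\n", check_after(&root));
    return 0;
}
```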