From rmeggins at redhat.com Fri May 1 00:20:54 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 30 Apr 2009 18:20:54 -0600
Subject: [Fedora-directory-devel] Please Review: Syntax validation design document
In-Reply-To: <49F9EAC9.3060000@redhat.com>
References: <49F9EAC9.3060000@redhat.com>
Message-ID: <49FA4066.1010402@redhat.com>

Nathan Kinder wrote:
> I've been working on the design document for adding syntax validation
> support to Fedora DS. Feedback would be appreciated.
>
> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>
> Thanks,
> -NGK
Looks good. I think it would be better for nsslapd-syntaxcheck to have
different values - off, warn, error, on- or something like that - rather
than have another config parameter nsslapd-syntaxwarn
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3258 bytes
Desc: S/MIME Cryptographic Signature
URL:

From nkinder at redhat.com Fri May 1 04:54:47 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 30 Apr 2009 21:54:47 -0700
Subject: [Fedora-directory-devel] Please Review: Syntax validation design document
In-Reply-To: <49FA4066.1010402@redhat.com>
References: <49F9EAC9.3060000@redhat.com> <49FA4066.1010402@redhat.com>
Message-ID: <49FA8097.2080600@redhat.com>

Rich Megginson wrote:
> Nathan Kinder wrote:
>> I've been working on the design document for adding syntax validation
>> support to Fedora DS. Feedback would be appreciated.
>>
>> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>>
>> Thanks,
>> -NGK
> Looks good.
> I think it would be better for nsslapd-syntaxcheck to
> have different values - off, warn, error, on- or something like that -
> rather than have another config parameter nsslapd-syntaxwarn
Sure, I can merge those into a single config parameter. I just made them
separate since there is already a CONFIG_ON_OFF type that deals with
things such as mapping "0/1" to "on/off". Perhaps it would be good to add
a new generic config type of CONFIG_ON_OFF_WARN that can take values of
"0/1/2" or "on/off/warn".

Do you have any thoughts on the non-standard syntaxes that are mentioned
in the design doc? The "Binary" syntax would be difficult to remove since
it is used by 20 or so attributes, including most of the certificate
related attributes. These attributes now have their own specific
syntaxes, so we would have to add support for them before getting rid of
the "Binary" syntax. I think that the "SpaceInsensitiveString" and "URI"
syntaxes can be removed since "URI" isn't used by any of the default
schema and "SpaceInsensitiveString" was added specifically for the
Presence plug-in.

-NGK

From rmeggins at redhat.com Fri May 1 13:52:01 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 01 May 2009 07:52:01 -0600
Subject: [Fedora-directory-devel] Please Review: Syntax validation design document
In-Reply-To: <49FA8097.2080600@redhat.com>
References: <49F9EAC9.3060000@redhat.com> <49FA4066.1010402@redhat.com> <49FA8097.2080600@redhat.com>
Message-ID: <49FAFE81.8000701@redhat.com>

Nathan Kinder wrote:
> Rich Megginson wrote:
>> Nathan Kinder wrote:
>>> I've been working on the design document for adding syntax
>>> validation support to Fedora DS. Feedback would be appreciated.
>>>
>>> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>>>
>>> Thanks,
>>> -NGK
>> Looks good. I think it would be better for nsslapd-syntaxcheck to
>> have different values - off, warn, error, on- or something like that
>> - rather than have another config parameter nsslapd-syntaxwarn
> Sure, I can merge those into a single config parameter. I just made
> them separate since there is already a CONFIG_ON_OFF type that deals
> with things such as mapping "0/1" to "on/off". Perhaps it would be
> good to add a new generic config type of CONFIG_ON_OFF_WARN that can
> take values of "0/1/2" or "on/off/warn".
>
> Do you have any thoughts on the non-standard syntaxes that are
> mentioned in the design doc? The "Binary" syntax would be difficult
> to remove since it is used by 20 or so attributes, including most of
> the certificate related attributes.
> These attributes now have their
> own specific syntaxes, so we would have to add support for them before
> getting rid of the "Binary" syntax. I think that the
> "SpaceInsensitiveString" and "URI" syntaxes can be removed since "URI"
> isn't used by any of the default schema and "SpaceInsensitiveString"
> was added specifically for the Presence plug-in.
The problem is that there is no way to know if someone is using these.
We should figure out a way to deprecate them or allow them to be
switched on and off, with the default being off. That way, if someone
really is using them, they can turn them on while they migrate to using a
standard syntax.
>
> -NGK

From nkinder at redhat.com Fri May 1 14:53:21 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 01 May 2009 07:53:21 -0700
Subject: [Fedora-directory-devel] Please Review: Syntax validation design document
In-Reply-To: <49FA8097.2080600@redhat.com>
References: <49F9EAC9.3060000@redhat.com> <49FA4066.1010402@redhat.com> <49FA8097.2080600@redhat.com>
Message-ID: <49FB0CE1.2080500@redhat.com>

Nathan Kinder wrote:
> Rich Megginson wrote:
>> Nathan Kinder wrote:
>>> I've been working on the design document for adding syntax
>>> validation support to Fedora DS. Feedback would be appreciated.
>>>
>>> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>>>
>>> Thanks,
>>> -NGK
>> Looks good. I think it would be better for nsslapd-syntaxcheck to
>> have different values - off, warn, error, on- or something like that
>> - rather than have another config parameter nsslapd-syntaxwarn
> Sure, I can merge those into a single config parameter. I just made
> them separate since there is already a CONFIG_ON_OFF type that deals
> with things such as mapping "0/1" to "on/off". Perhaps it would be
> good to add a new generic config type of CONFIG_ON_OFF_WARN that can
> take values of "0/1/2" or "on/off/warn".
Thinking about this some more, it may be best to have two separate
config settings.

The warning isn't really a warning, but instead a log message for the
administrator. Sending a warning message to the client is going to be of
limited value as the client may not display the diagnosticMessage text
from the LDAPResult for a successful operation. I found that the message
text was not displayed with ldapmodify (both mozldap and openldap) for a
successful modify operation that should trigger a warning, even in
verbose mode. A true warning displayed to the client would be nice, but
I don't see a way of making it happen without client side changes.

Having two separate config settings allows one to only log messages, to
log messages and disallow illegal values, and to just disallow illegal
values without filling up the logs. I guess we could also just log the
syntax errors at a different log level instead of having a second config
setting.
>
> Do you have any thoughts on the non-standard syntaxes that are
> mentioned in the design doc? The "Binary" syntax would be difficult
> to remove since it is used by 20 or so attributes, including most of
> the certificate related attributes. These attributes now have their
> own specific syntaxes, so we would have to add support for them before
> getting rid of the "Binary" syntax.
> I think that the
> "SpaceInsensitiveString" and "URI" syntaxes can be removed since "URI"
> isn't used by any of the default schema and "SpaceInsensitiveString"
> was added specifically for the Presence plug-in.
>
> -NGK

From rmeggins at redhat.com Fri May 1 15:04:08 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 01 May 2009 09:04:08 -0600
Subject: [Fedora-directory-devel] Please Review: Syntax validation design document
In-Reply-To: <49FB0CE1.2080500@redhat.com>
References: <49F9EAC9.3060000@redhat.com> <49FA4066.1010402@redhat.com> <49FA8097.2080600@redhat.com> <49FB0CE1.2080500@redhat.com>
Message-ID: <49FB0F68.4090709@redhat.com>

Nathan Kinder wrote:
> Nathan Kinder wrote:
>> Rich Megginson wrote:
>>> Nathan Kinder wrote:
>>>> I've been working on the design document for adding syntax
>>>> validation support to Fedora DS. Feedback would be appreciated.
>>>>
>>>> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>>>>
>>>> Thanks,
>>>> -NGK
>>> Looks good. I think it would be better for nsslapd-syntaxcheck to
>>> have different values - off, warn, error, on- or something like that
>>> - rather than have another config parameter nsslapd-syntaxwarn
>> Sure, I can merge those into a single config parameter. I just made
>> them separate since there is already a CONFIG_ON_OFF type that deals
>> with things such as mapping "0/1" to "on/off".
>> Perhaps it would be
>> good to add a new generic config type of CONFIG_ON_OFF_WARN that can
>> take values of "0/1/2" or "on/off/warn".
> Thinking about this some more, it may be best to have two separate
> config settings.
>
> The warning isn't really a warning, but instead a log message for the
> administrator. Sending a warning message to the client is going to be
> of limited value as the client may not display the diagnosticMessage
> text from the LDAPResult for a successful operation. I found that the
> message text was not displayed with ldapmodify (both mozldap and
> openldap) for a successful modify operation that should trigger a
> warning, even in verbose mode. A true warning displayed to the client
> would be nice, but I don't see a way of making it happen without
> client side changes.
>
> Having two separate config settings allows one to only log messages,
> to log messages and disallow illegal values, and to just disallow
> illegal values without filling up the logs. I guess we could also
> just log the syntax errors at a different log level instead of having
> a second config setting.
Ok. A setting like "nsslapd-syntaxlogging: on/off" or something like
that then. I guess ideally we should have "standard" syslog style log
levels (e.g. fatal, critical, error, warn, notice, etc.) but that would
require a lot of code changes and work on the log subsystem.
>>
>> Do you have any thoughts on the non-standard syntaxes that are
>> mentioned in the design doc? The "Binary" syntax would be difficult
>> to remove since it is used by 20 or so attributes, including most of
>> the certificate related attributes. These attributes now have their
>> own specific syntaxes, so we would have to add support for them
>> before getting rid of the "Binary" syntax.
>> I think that the
>> "SpaceInsensitiveString" and "URI" syntaxes can be removed since
>> "URI" isn't used by any of the default schema and
>> "SpaceInsensitiveString" was added specifically for the Presence
>> plug-in.
>>
>> -NGK

From rmeggins at redhat.com Tue May 5 22:49:34 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 05 May 2009 16:49:34 -0600
Subject: [Fedora-directory-devel] test
Message-ID: <4A00C27E.8070807@redhat.com>

test

From nkinder at redhat.com Fri May 8 17:47:49 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 08 May 2009 10:47:49 -0700
Subject: [Fedora-directory-devel] Please Review: Syntax Validation feature implementation
Message-ID: <4A047045.1050105@redhat.com>

Here's the implementation of syntax validation support for values being
added to the database. It does not deal with validation of assertion
values.

For details on the implementation, see the design document:
http://directory.fedoraproject.org/wiki/Syntax_Validation_Design

I also added support for the "numericString" syntax.

-NGK
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Added-capability-to-validate-syntax-of-values-being.patch
URL:

From rmeggins at redhat.com Fri May 8 21:18:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 08 May 2009 15:18:21 -0600
Subject: [Fedora-directory-devel] Please Review: Syntax Validation feature implementation
In-Reply-To: <4A047045.1050105@redhat.com>
References: <4A047045.1050105@redhat.com>
Message-ID: <4A04A19D.4090607@redhat.com>

Nathan Kinder wrote:
> Here's the implementation of syntax validation support for values
> being added to the database. It does not deal with validation of
> assertion values.
>
> For details on the implementation, see the design document:
> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>
> I also added support for the "numericString" syntax.
Looks good.
>
> -NGK

From nkinder at redhat.com Mon May 11 17:37:33 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 11 May 2009 10:37:33 -0700
Subject: [Fedora-directory-devel] Please Review: Syntax Validation feature implementation
In-Reply-To: <4A04A19D.4090607@redhat.com>
References: <4A047045.1050105@redhat.com> <4A04A19D.4090607@redhat.com>
Message-ID: <4A08625D.9090301@redhat.com>

Rich Megginson wrote:
> Nathan Kinder wrote:
>> Here's the implementation of syntax validation support for values
>> being added to the database. It does not deal with validation of
>> assertion values.
>>
>> For details on the implementation, see the design document:
>> http://directory.fedoraproject.org/wiki/Syntax_Validation_Design
>>
>> I also added support for the "numericString" syntax.
> Looks good.
Pushed to master. I also pushed the autogenerated build files.
>>
>> -NGK

From nkinder at redhat.com Mon May 11 23:11:01 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 11 May 2009 16:11:01 -0700
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
Message-ID: <4A08B085.5090003@redhat.com>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Auto-generate-SLAPI-docs-first-pass.patch
URL:

From nhosoi at redhat.com Tue May 12 00:27:46 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 11 May 2009 17:27:46 -0700
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
In-Reply-To: <4A08B085.5090003@redhat.com>
References: <4A08B085.5090003@redhat.com>
Message-ID: <4A08C282.3040009@redhat.com>

Nathan Kinder wrote:
Looks good.

It might be a stupid question... doesn't slapi.doxy need any copyrights?

And I'm wondering if there is any easy way to see the diffs on the
browser as we usually do/did on bugzilla? Probably, sdiff style output
could be good enough. But I'm spoiled by the pretty print and
colouring... :)

Thanks,
--noriko

From nkinder at redhat.com Tue May 12 05:30:45 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 11 May 2009 22:30:45 -0700
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
In-Reply-To: <4A08C282.3040009@redhat.com>
References: <4A08B085.5090003@redhat.com> <4A08C282.3040009@redhat.com>
Message-ID: <4A090985.5000506@redhat.com>

Noriko Hosoi wrote:
> Nathan Kinder wrote:
> Looks good.
>
> It might be a stupid question... doesn't slapi.doxy need any copyrights?
>
> And I'm wondering if there is any easy way to see the diffs on the
> browser as we usually do/did on bugzilla? Probably, sdiff style
> output could be good enough. But I'm spoiled by the pretty print and
> colouring... :)
I've only played with this for a minute, but it looks like git-gui will
do what you want. It allows you to view each commit as diffs, the new
file (with color coded changes), or the old file (with color coded
changes). To review a large patch, you could create a branch in your
local repo, apply the patch you want to review, and take a look at that
branch in git-gui. It doesn't look like you can do a side-by-side view
like bugzilla, but you can easily switch back and forth between the
"old" and "new" views.
>
> Thanks,
> --noriko

From nkinder at redhat.com Tue May 12 05:40:57 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Mon, 11 May 2009 22:40:57 -0700
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
In-Reply-To: <4A090985.5000506@redhat.com>
References: <4A08B085.5090003@redhat.com> <4A08C282.3040009@redhat.com> <4A090985.5000506@redhat.com>
Message-ID: <4A090BE9.8060603@redhat.com>

Nathan Kinder wrote:
> Noriko Hosoi wrote:
>> Nathan Kinder wrote:
>> Looks good.
>>
>> It might be a stupid question... doesn't slapi.doxy need any copyrights?
>>
>> And I'm wondering if there is any easy way to see the diffs on the
>> browser as we usually do/did on bugzilla? Probably, sdiff style
>> output could be good enough.
>> But I'm spoiled by the pretty print and
>> colouring... :)
> I've only played with this for a minute, but it looks like git-gui
> will do what you want. It allows you to view each commit as diffs,
> the new file (with color coded changes), or the old file (with color
> coded changes). To review a large patch, you could create a branch in
> your local repo, apply the patch you want to review, and take a look
> at that branch in git-gui. It doesn't look like you can do a
> side-by-side view like bugzilla, but you can easily switch back and
> forth between the "old" and "new" views.
I've found that you can get a side-by-side color coded diff if you
install the meld package in addition to git-gui. From within git-gui,
you can right click on the file name in the lower-right panel when
viewing a committed patch and select "external diff" from the pop-up
menu. This will open up the diff for that file within meld, which gives
you a nice side-by-side view.
>>
>> Thanks,
>> --noriko

From rmeggins at redhat.com Tue May 12 15:28:32 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 12 May 2009 09:28:32 -0600
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
In-Reply-To: <4A08B085.5090003@redhat.com>
References: <4A08B085.5090003@redhat.com>
Message-ID: <4A0995A0.7000006@redhat.com>

Nathan Kinder wrote:
Looks good.

BTW, the best graphical patch file viewer I have found is kompare.
I don't know if it works as well as meld for doing 2/3 way merging with
git, but if you just want to do a side by side graphical view of a patch
file, it works great (something that meld cannot do, afaict).

From nkinder at redhat.com Tue May 12 18:04:57 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 12 May 2009 11:04:57 -0700
Subject: [389-devel] Please Review: Auto-generate SLAPI documentation - first pass
In-Reply-To: <4A0995A0.7000006@redhat.com>
References: <4A08B085.5090003@redhat.com> <4A0995A0.7000006@redhat.com>
Message-ID: <4A09BA49.20508@redhat.com>

Rich Megginson wrote:
> Nathan Kinder wrote:
> Looks good.
Pushed to master.
>
> BTW, the best graphical patch file viewer I have found is kompare. I
> don't know if it works as well as meld for doing 2/3 way merging with
> git, but if you just want to do a side by side graphical view of a
> patch file, it works great (something that meld cannot do, afaict).

From nhosoi at redhat.com Tue May 12 21:57:16 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 12 May 2009 14:57:16 -0700
Subject: [389-devel] Please Review: simple paged results design document
Message-ID: <4A09F0BC.5090303@redhat.com>

I'm working on the Simple Paged Results.
http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design

Currently, I have prototyped the front-end approach (2 To-Do's are not
implemented yet) and the back-end approach without sorting. As I put it
in the wiki page, I'm leaning towards the front-end approach. Your
feedback would be greatly appreciated.

Thanks,
--noriko

From rmeggins at redhat.com Tue May 12 23:47:38 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 12 May 2009 17:47:38 -0600
Subject: [389-devel] Please review: rename to 389
Message-ID: <4A0A0A9A.4080405@redhat.com>

patch file too big for email - so here is the link:
http://rmeggins.fedorapeople.org/0001-Rename-to-389.patch

From nkinder at redhat.com Wed May 13 15:27:20 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 13 May 2009 08:27:20 -0700
Subject: [389-devel] Please review: rename to 389
In-Reply-To: <4A0A0A9A.4080405@redhat.com>
References: <4A0A0A9A.4080405@redhat.com>
Message-ID: <4A0AE6D8.6060901@redhat.com>

Rich Megginson wrote:
> patch file too big for email - so here is the link:
> http://rmeggins.fedorapeople.org/0001-Rename-to-389.patch
ack

From nkinder at redhat.com Wed May 13 18:21:17 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 13 May 2009 11:21:17 -0700
Subject: [389-devel] Please Review: Add strict DN syntax enforcement option
Message-ID: <4A0B0F9D.8010404@redhat.com>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-strict-DN-syntax-enforcement-option.patch
URL:

From rmeggins at redhat.com Wed May 13 18:41:29 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 13 May 2009 12:41:29 -0600
Subject: [389-devel] Please Review: Add strict DN syntax enforcement option
In-Reply-To: <4A0B0F9D.8010404@redhat.com>
References: <4A0B0F9D.8010404@redhat.com>
Message-ID: <4A0B1459.5000006@redhat.com>

Nathan Kinder wrote:
Ok.

From nkinder at redhat.com Thu May 14 02:50:03 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Wed, 13 May 2009 19:50:03 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
Message-ID: <4A0B86DB.8030400@redhat.com>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-require-secure-binds-switch.patch
URL:

From rmeggins at redhat.com Fri May 15 17:02:18 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 15 May 2009 11:02:18 -0600
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A0B86DB.8030400@redhat.com>
References: <4A0B86DB.8030400@redhat.com>
Message-ID: <4A0DA01A.5090001@redhat.com>

Nathan Kinder wrote:
Looks good.

From nhosoi at redhat.com Fri May 15 18:30:07 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 15 May 2009 11:30:07 -0700
Subject: [389-devel] Please review: [PATCH] Add Simple Paged Results
Message-ID: <4A0DB4AF.6060309@redhat.com>

The patch is located here (It's too big for email...):
http://nhosoi.fedorapeople.org/0001-Add-Simple-Paged-Results.patch

I also updated the design doc on wiki:
http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design

Comments on the doc would be appreciated, too.

Thanks,
--noriko

From andrey.ivanov at polytechnique.fr Fri May 15 21:09:21 2009
From: andrey.ivanov at polytechnique.fr (Andrey Ivanov)
Date: Fri, 15 May 2009 23:09:21 +0200
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A0DA01A.5090001@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com>
Message-ID: <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com>

Does it mean that when "nsslapd-require-secure-binds" is "on" then even
the anonymous binds should be made by SSL? Maybe there is some sense in
leaving a possibility to have anonymous binds non-SSL and forcing
non-anonymous ones to be secure?

2009/5/15 Rich Megginson
> Nathan Kinder wrote:
> Looks good.

From rmeggins at redhat.com Fri May 15 22:05:23 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 15 May 2009 16:05:23 -0600
Subject: [389-devel] Please review: [PATCH] Add Simple Paged Results
In-Reply-To: <4A0DB4AF.6060309@redhat.com>
References: <4A0DB4AF.6060309@redhat.com>
Message-ID: <4A0DE723.1020401@redhat.com>

Noriko Hosoi wrote:
> The patch is located here (It's too big for email...):
> http://nhosoi.fedorapeople.org/0001-Add-Simple-Paged-Results.patch
In pagedresults.c there are several functions that get/set Connection*
internals - are these protected by conn->c_mutex? Do they need to be?

Otherwise, looks good.
>
> I also updated the design doc on wiki:
> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>
> Comments on the doc would be appreciated, too.
>
> Thanks,
> --noriko

From nhosoi at redhat.com Fri May 15 22:42:00 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 15 May 2009 15:42:00 -0700
Subject: [389-devel] Please review: [PATCH] Add Simple Paged Results
In-Reply-To: <4A0DE723.1020401@redhat.com>
References: <4A0DB4AF.6060309@redhat.com> <4A0DE723.1020401@redhat.com>
Message-ID: <4A0DEFB8.8030308@redhat.com>

Rich Megginson wrote:
> Noriko Hosoi wrote:
>> The patch is located here (It's too big for email...):
>> http://nhosoi.fedorapeople.org/0001-Add-Simple-Paged-Results.patch
> In pagedresults.c there are several functions that get/set Connection*
> internals - are these protected by conn->c_mutex? Do they need to be?
A good point. Updates are done by one thread, but the values could be
read by other threads. I'm going to add them and run some more tests.
Thanks, Rich!
--noriko
>
> Otherwise, looks good.
>>
>> I also updated the design doc on wiki:
>> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>>
>> Comments on the doc would be appreciated, too.
>>
>> Thanks,
>> --noriko

From nhosoi at redhat.com Fri May 15 23:31:43 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 15 May 2009 16:31:43 -0700
Subject: [389-devel] Commit: [PATCH] Add Simple Paged Results
In-Reply-To: <4A0DEFB8.8030308@redhat.com>
References: <4A0DB4AF.6060309@redhat.com> <4A0DE723.1020401@redhat.com> <4A0DEFB8.8030308@redhat.com>
Message-ID: <4A0DFB5F.2000409@redhat.com>

Thanks to Rich for his reviews. Revised diff is uploaded at:
http://nhosoi.fedorapeople.org/0001-Add-Simple-Paged-Results.patch

The patch has been pushed to master.

$ git merge pagedresults
Auto-merged Makefile.in
Auto-merged configure
Merge made by recursive.
 Makefile.am | 2 +
 Makefile.in | 54 +-
 ldap/servers/slapd/back-ldbm/filterindex.c | 17 +-
 ldap/servers/slapd/back-ldbm/init.c | 2 +
 ldap/servers/slapd/back-ldbm/ldbm_search.c | 174 +++-
 ldap/servers/slapd/back-ldbm/proto-back-ldbm.h | 5 +-
 ldap/servers/slapd/back-ldbm/sort.c | 79 +--
 ldap/servers/slapd/backend.c | 6 +
 ldap/servers/slapd/connection.c | 35 +-
 ldap/servers/slapd/control.c | 29 +-
 ldap/servers/slapd/daemon.c | 10 +
 ldap/servers/slapd/opshared.c | 1242 +++++++++++++-----------
 ldap/servers/slapd/pagedresults.c | 315 ++++++
 ldap/servers/slapd/pblock.c | 12 +
 ldap/servers/slapd/proto-slap.h | 19 +
 ldap/servers/slapd/result.c | 21 +-
 ldap/servers/slapd/slap.h | 19 +
 ldap/servers/slapd/slapi-private.h | 3 +
 ldap/servers/slapd/sort.c | 130 +++
 19 files changed, 1454 insertions(+), 720 deletions(-)
 create mode 100644 ldap/servers/slapd/pagedresults.c
 create mode 100644 ldap/servers/slapd/sort.c
$ git push
Counting objects: 55, done.
Compressing objects: 100% (29/29), done.
Writing objects: 100% (29/29), 13.90 KiB, done.
Total 29 (delta 25), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
 0235f43..902fe2d master -> master

Thanks,
--noriko

Noriko Hosoi wrote:
> Rich Megginson wrote:
>> Noriko Hosoi wrote:
>>> The patch is located here (It's too big for email...):
>>> http://nhosoi.fedorapeople.org/0001-Add-Simple-Paged-Results.patch
>> In pagedresults.c there are several functions that get/set
>> Connection* internals - are these protected by conn->c_mutex? Do
>> they need to be?
> A good point. Updates are done by one thread, but the values could be
> read by other threads. I'm going to add them and run some more
> tests. Thanks, Rich!
> --noriko
>>
>> Otherwise, looks good.
>>>
>>> I also updated the design doc on wiki:
>>> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>>>
>>> Comments on the doc would be appreciated, too.
>>>
>>> Thanks,
>>> --noriko

From rmeggins at redhat.com Mon May 18 19:18:50 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 May 2009 13:18:50 -0600
Subject: [389-devel] Please review: fix rpmlint issues
Message-ID: <4A11B49A.80005@redhat.com>

There are a couple of rpmlint issues with 389-ds-base:
389-ds-base.x86_64: E: script-without-shebang /usr/lib64/dirsrv/perl/Resource.pm
...
389-ds-base.x86_64: E: executable-marked-as-config-file /etc/sysconfig/dirsrv

These are fixed by marking them as _DATA instead of _SCRIPTS in Makefile.am

I'm also changing the version to 1.2.1 to take into consideration the new syntax and paged results code.

Finally, this is the output of git diff, not git-format-patch, so you guys don't have to wade through all of those configure and Makefile.in diffs.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: review.patch
Type: text/x-patch
Size: 1409 bytes
Desc: not available
URL:
From nhosoi at redhat.com Mon May 18 21:21:32 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 May 2009 14:21:32 -0700
Subject: [389-devel] Please review: fix rpmlint issues
In-Reply-To: <4A11B49A.80005@redhat.com>
References: <4A11B49A.80005@redhat.com>
Message-ID: <4A11D15C.3090600@redhat.com>

Rich Megginson wrote:
> There are a couple of rpmlint issues with 389-ds-base:
> 389-ds-base.x86_64: E: script-without-shebang
> /usr/lib64/dirsrv/perl/Resource.pm
> ...
> 389-ds-base.x86_64: E: executable-marked-as-config-file
> /etc/sysconfig/dirsrv
>
> These are fixed by marking them as _DATA instead of _SCRIPTS in
> Makefile.am
Your fixes look good.
--noriko
>
> I'm also changing the version to 1.2.1 to take into consideration the
> new syntax and paged results code.
>
> Finally, this is the output of git diff, not git-format-patch, so you
> guys don't have to wade through all of those configure and Makefile.in
> diffs.
From rmeggins at redhat.com Mon May 18 22:17:14 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 May 2009 16:17:14 -0600
Subject: [389-devel] Please review: fix rpmlint issues
In-Reply-To: <4A11D15C.3090600@redhat.com>
References: <4A11B49A.80005@redhat.com> <4A11D15C.3090600@redhat.com>
Message-ID: <4A11DE6A.9060908@redhat.com>

Noriko Hosoi wrote:
> Rich Megginson wrote:
>> There are a couple of rpmlint issues with 389-ds-base:
>> 389-ds-base.x86_64: E: script-without-shebang
>> /usr/lib64/dirsrv/perl/Resource.pm
>> ...
>> 389-ds-base.x86_64: E: executable-marked-as-config-file
>> /etc/sysconfig/dirsrv
>>
>> These are fixed by marking them as _DATA instead of _SCRIPTS in
>> Makefile.am
> Your fixes look good.
thanks - pushed
> --noriko
>>
>> I'm also changing the version to 1.2.1 to take into consideration the
>> new syntax and paged results code.
>>
>> Finally, this is the output of git diff, not git-format-patch, so you
>> guys don't have to wade through all of those configure and
>> Makefile.in diffs.
From rmeggins at redhat.com Mon May 18 22:20:52 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 May 2009 16:20:52 -0600
Subject: [389-devel] Please Review: simple paged results design document
In-Reply-To: <4A09F0BC.5090303@redhat.com>
References: <4A09F0BC.5090303@redhat.com>
Message-ID: <4A11DF44.8090805@redhat.com>

Noriko Hosoi wrote:
> I'm working on the Simple Paged Results.
>
> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>
> Currently, I have prototyped the front-end approach (2 To-Do's are not
> implemented yet) and the back-end approach without sorting. As I put
> it in the wiki page, I'm leaning towards the front-end approach.
>
> Your feedback would be greatly appreciated.
Looks good.

What would happen if a malicious user were to specify some bad cookie value?
>
> Thanks,
> --noriko

From rmeggins at redhat.com Mon May 18 22:56:51 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 18 May 2009 16:56:51 -0600
Subject: [389-devel] 389 Project now uses git for our SCM
Message-ID: <4A11E7B3.4050706@redhat.com>

389 has switched from using the venerable CVS to using git for our SCM. All new development will take place in our new git repositories. The old CVS repositories are still available, but they won't be used for any new code.
Some projects will still use the CVS repository, such as mod_nss, mod_revocator, coolkey, esc, windowsautoenroll, and console (just the idm console framework code - the rest of the console packages have moved to git).

* What is git? http://git-scm.com/
* Where are the repos? http://port389.org/wiki/Developers#Source_Code

From nhosoi at redhat.com Mon May 18 23:22:14 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 18 May 2009 16:22:14 -0700
Subject: [389-devel] Please Review: simple paged results design document
In-Reply-To: <4A11DF44.8090805@redhat.com>
References: <4A09F0BC.5090303@redhat.com> <4A11DF44.8090805@redhat.com>
Message-ID: <4A11EDA6.6080901@redhat.com>

Rich Megginson wrote:
> Noriko Hosoi wrote:
>> I'm working on the Simple Paged Results.
>>
>> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>>
>> Currently, I have prototyped the front-end approach (2 To-Do's are
>> not implemented yet) and the back-end approach without sorting. As I
>> put it in the wiki page, I'm leaning towards the front-end approach.
>>
>> Your feedback would be greatly appreciated.
> Looks good.
>
> What would happen if a malicious user were to specify some bad cookie
> value?
Actually, the server does not use the cookie value. It could be used to specify the current position of the search results when communicating between the client and the server. This implementation stores the info inside the server and uses it.
Thanks,
--noriko

From rmeggins at redhat.com Tue May 19 14:32:21 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 08:32:21 -0600
Subject: [389-devel] Please Review: simple paged results design document
In-Reply-To: <4A11EDA6.6080901@redhat.com>
References: <4A09F0BC.5090303@redhat.com> <4A11DF44.8090805@redhat.com> <4A11EDA6.6080901@redhat.com>
Message-ID: <4A12C2F5.2070303@redhat.com>

Noriko Hosoi wrote:
> Rich Megginson wrote:
>> Noriko Hosoi wrote:
>>> I'm working on the Simple Paged Results.
>>>
>>> http://directory.fedoraproject.org/wiki/Simple_Paged_Results_Design
>>>
>>> Currently, I have prototyped the front-end approach (2 To-Do's are
>>> not implemented yet) and the back-end approach without sorting. As
>>> I put it in the wiki page, I'm leaning towards the front-end approach.
>>>
>>> Your feedback would be greatly appreciated.
>> Looks good.
>>
>> What would happen if a malicious user were to specify some bad cookie
>> value?
> Actually, the server does not use the cookie value. It could be used
> to specify the current position of the search results when
> communicating between the client and the server. This implementation
> stores the info inside the server and uses it.
Ok, good.
>
> Thanks,
> --noriko

From rmeggins at redhat.com Tue May 19 19:23:07 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 13:23:07 -0600
Subject: [389-devel] Please review: fix various compiler warnings
Message-ID: <4A13071B.1080605@redhat.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-various-compiler-warnings.patch
Type: text/x-patch
Size: 19667 bytes
Desc: not available
URL:

From nhosoi at redhat.com Tue May 19 20:03:54 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Tue, 19 May 2009 13:03:54 -0700
Subject: [389-devel] Please review: fix various compiler warnings
In-Reply-To: <4A13071B.1080605@redhat.com>
References: <4A13071B.1080605@redhat.com>
Message-ID: <4A1310AA.2030703@redhat.com>

Rich Megginson wrote:
Your fixes look good to me. Thanks a lot, Rich!
--noriko

From rmeggins at redhat.com Tue May 19 20:08:24 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 14:08:24 -0600
Subject: [389-devel] Please review: fix various compiler warnings
In-Reply-To: <4A1310AA.2030703@redhat.com>
References: <4A13071B.1080605@redhat.com> <4A1310AA.2030703@redhat.com>
Message-ID: <4A1311B8.6070904@redhat.com>

Noriko Hosoi wrote:
> Rich Megginson wrote:
> Your fixes look good to me. Thanks a lot, Rich!
Pushed to master
> --noriko
From rmeggins at redhat.com Tue May 19 20:50:46 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 14:50:46 -0600
Subject: [389-devel] Please review: bug 501490 - Error creating view on FDS 1.2
Message-ID: <4A131BA6.5090400@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=501490
Resolves: Bug 501490
Description: Error creating view on FDS 1.2
Fix Description: The problem is when the views code calls views_cache_discover_children() and there are no children. The code should check to see if the child_count is 0, and only attempt to alloc space for the pChildren array if the child_count is greater than 0.
Platforms tested: RHEL5 x86_64
Diffs: https://bugzilla.redhat.com/attachment.cgi?id=344701&action=diff

From rmeggins at redhat.com Tue May 19 21:58:07 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 19 May 2009 15:58:07 -0600
Subject: [389-devel] Please review: bug 501490 - Error creating view on FDS 1.2
In-Reply-To: <4A131BA6.5090400@redhat.com>
References: <4A131BA6.5090400@redhat.com>
Message-ID: <4A132B6F.1020600@redhat.com>

Rich Megginson wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=501490
> Resolves: Bug 501490
> Description: Error creating view on FDS 1.2
> Fix Description: The problem is when the views code calls
> views_cache_discover_children()
> and there are no children. The code should check to see if the
> child_count
> is 0, and only attempt to alloc space for the pChildren array if the
> child_count is greater than 0.
> Platforms tested: RHEL5 x86_64
> Diffs: https://bugzilla.redhat.com/attachment.cgi?id=344701&action=diff
Pushed to master

From mario.fetka at gmail.com Thu May 21 09:57:21 2009
From: mario.fetka at gmail.com (Mario Fetka)
Date: Thu, 21 May 2009 11:57:21 +0200
Subject: [389-devel] source download
Message-ID: <200905211157.21505.mario.fetka@gmail.com>

for some unknown reasons I can't download
http://directory.fedoraproject.org/sources/389-admin-1.1.7.tar.bz2

all other 389-* sources don't have a problem

thx in av
Mario

From rcritten at redhat.com Thu May 21 13:13:28 2009
From: rcritten at redhat.com (Rob Crittenden)
Date: Thu, 21 May 2009 09:13:28 -0400
Subject: [389-devel] source download
In-Reply-To: <200905211157.21505.mario.fetka@gmail.com>
References: <200905211157.21505.mario.fetka@gmail.com>
Message-ID: <4A155378.8060302@redhat.com>

Mario Fetka wrote:
> for some unknown reasons I can't download
> http://directory.fedoraproject.org/sources/389-admin-1.1.7.tar.bz2
>
> all other 389-* sources don't have a problem
>
> thx in av
> Mario
>
What error are you getting?

I'm able to download it ok and looking at the logs others have retrieved it today as well.

rob
From mario.fetka at gmail.com Thu May 21 13:27:18 2009
From: mario.fetka at gmail.com (Mario Fetka)
Date: Thu, 21 May 2009 15:27:18 +0200
Subject: [389-devel] source download
In-Reply-To: <4A155378.8060302@redhat.com>
References: <200905211157.21505.mario.fetka@gmail.com> <4A155378.8060302@redhat.com>
Message-ID: <200905211527.18819.mario.fetka@gmail.com>

On Thursday, 21. May 2009 15:13:28 Rob Crittenden wrote:
> Mario Fetka wrote:
> > for some unknown reasons I can't download
> > http://directory.fedoraproject.org/sources/389-admin-1.1.7.tar.bz2
> >
> > all other 389-* sources don't have a problem
> >
> > thx in av
> > Mario
>
> What error are you getting?
>
> I'm able to download it ok and looking at the logs others have retrieved
> it today as well.
>
> rob
damn! have reacted too fast

the download worked 10min ago

thx
Mario

From nhosoi at redhat.com Fri May 22 22:53:53 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 22 May 2009 15:53:53 -0700
Subject: [389-devel] Please review: Use thread aware library for complex regex searches
Message-ID: <4A172D01.8030400@redhat.com>

Subject: Use thread aware library for complex regex searches

Link: http://nhosoi.fedorapeople.org/0001-Use-thread-aware-library-for-complex-regex-searches.patch

Unfortunately, the fedoraproject.org is closed now. I'm going to create the page http://directory.fedoraproject.org/wiki/Thread_Aware_Regex which contains the following notes as soon as the wiki is reopened.
------------------------------------------------------------------------
Directory Server used to use the regular expression pattern matching and replacing library which was not thread safe. Thus, the operation should have been protected by the mutex lock. Regular expression could be used by the search filters (syntax plugin), acl, schema file load, and SASL Mapping.
If one of them took a long time, the rest should have been blocked. Replacing the library with the thread aware library solves the problem and improves the throughput.

[http://www.pcre.org/ PCRE - Perl Compatible Regular Expressions] library is installed on RHELs/Fedoras, by default. We need just a subset of the APIs, thus we provide simplified slapi APIs wrapping the PCRE APIs.

NAME
    slapi_re_comp -- compiles a regular expression pattern. A thin wrapper of pcre_compile.
SYNOPSIS
    Slapi_Regex *slapi_re_comp( char *pat, char **error );
PARAMS
    pat: Pattern to be compiled.
    error: The error string is set if the compile fails.
RETURN VALUE
    a pointer to the regex handler which stores the compiled pattern.
    NULL if the compile fails.
WARNING
    The regex handler should be released by slapi_re_free().

NAME
    slapi_re_exec -- matches a compiled regular expression pattern against a given string. A thin wrapper of pcre_exec.
SYNOPSIS
    int slapi_re_exec( Slapi_Regex *re_handle, char *subject, time_t time_up );
PARAMS
    re_handle: The regex handler returned from slapi_re_comp.
    subject: A string to be checked against the compiled pattern.
    time_up: If the current time is larger than the value, this function returns immediately. (-1) means no time limit.
RETURN VALUE
    0 if the string did not match.
    1 if the string matched.
    other values if any error occurred.

NAME
    slapi_re_subs -- substitutes '&' or '\#' in the param src with the matched string.
SYNOPSIS
    int slapi_re_subs( Slapi_Regex *re_handle, char *subject, char *src, char **dst, unsigned long dstlen );
PARAMS
    re_handle: The regex handler returned from slapi_re_comp.
    subject: A string checked against the compiled pattern.
    src: A given string which could contain the substitution symbols.
    dst: A pointer pointing to the memory which stores the output string.
    dstlen: Size of the memory dst.
RETURN VALUE
    1 if the substitution was successful.
    0 if the substitution failed.

NAME
    slapi_re_free -- releases the regex handler which was returned from slapi_re_comp.
SYNOPSIS
    void slapi_re_free(Slapi_Regex *re_handle);
PARAMS
    re_handle: The regex handler to be released.
RETURN VALUE
    none
------------------------------------------------------------------------

Thanks,
--noriko

From rmeggins at redhat.com Tue May 26 15:29:33 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 May 2009 09:29:33 -0600
Subject: [389-devel] new git push - added LICENSE.GPLv2
Message-ID: <4A1C0ADD.8020604@redhat.com>

One of the things we were dinged about in the Fedora review for 389 was the lack of the full text of the GPLv2 - so I added it in LICENSE.GPLv2 and referred to it in LICENSE

From emliberman at ra.rockwell.com Tue May 26 16:34:22 2009
From: emliberman at ra.rockwell.com (Eugene M Liberman)
Date: Tue, 26 May 2009 12:34:22 -0400
Subject: [389-devel] Single attribute value from a list of possible values
Message-ID:

I would like to identify an attribute in an entry to hold only one value from a list of possible values. For example: attribute "status" can only have one of the following values: OFF, ON, UNKNOWN and nothing else. Is there such a construct in LDAP and if there is please provide a link or an example how to implement.

Thank you.
From rmeggins at redhat.com Tue May 26 16:37:47 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 26 May 2009 10:37:47 -0600
Subject: [389-devel] Single attribute value from a list of possible values
In-Reply-To:
References:
Message-ID: <4A1C1ADB.4010100@redhat.com>

Eugene M Liberman wrote:
>
> I would like to identify an attribute in an entry to hold only one value
> from a list of possible values. For example: attribute "status" can
> only have one of the following values: OFF, ON, UNKNOWN and nothing
> else. Is there such a construct in LDAP and if there is please provide
> a link or an example how to implement.
No, there is nothing like that. You could write a pre-operation plugin in C to do that.
>
> Thank you.

From nkinder at redhat.com Tue May 26 20:44:25 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 26 May 2009 13:44:25 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com>
Message-ID: <4A1C54A9.5020402@redhat.com>

Andrey Ivanov wrote:
>
> Does it mean that when "nsslapd-require-secure-binds" is "on" then
> even the anonymous binds should be made by SSL? Maybe there is some
> sense in leaving a possibility to have anonymous binds non-SSL and
> forcing non-anonymous ones to be secure?
Sorry for the late response, but I was on vacation the last week.

The current patch does force all simple binds, including anonymous, to use a secure connection. I can see value in allowing anonymous simple binds over an unencrypted connection, as the main reason for this new setting is to prevent clear text transmission of passwords. I will revise the patch to ignore anonymous binds when nsslapd-require-secure-binds is on unless anyone else has arguments otherwise.

There are a number of other security related configuration settings that I plan to add soon, which will provide other ways of dealing with restricting anonymous operations. One of these features is a switch to disable any anonymous operations completely. Another is to have a minimum SSF setting on the server. The only operation we would allow after first connecting over plain LDAP would be startTLS. If the SSF then meets the minimum requirement, other operations would be allowed.
>
> 2009/5/15 Rich Megginson
>
> Nathan Kinder wrote:
>
> Looks good.

From nkinder at redhat.com Tue May 26 21:48:26 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 26 May 2009 14:48:26 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A1C54A9.5020402@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com> <4A1C54A9.5020402@redhat.com>
Message-ID: <4A1C63AA.3000901@redhat.com>

Nathan Kinder wrote:
> Andrey Ivanov wrote:
>>
>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>> even the anonymous binds should be made by SSL? Maybe there is some
>> sense in leaving a possibility to have anonymous binds non-SSL and
>> forcing non-anonymous ones to be secure?
> Sorry for the late response, but I was on vacation the last week.
>
> The current patch does force all simple binds, including anonymous, to
> use a secure connection. I can see value in allowing anonymous simple
> binds over an unencrypted connection, as the main reason for this new
> setting is to prevent clear text transmission of passwords. I will
> revise the patch to ignore anonymous binds when
> nsslapd-require-secure-binds is on unless anyone else has arguments
> otherwise.
A new patch with the above change is attached.
>
> There are a number of other security related configuration settings
> that I plan to add soon, which will provide other ways of dealing with
> restricting anonymous operations. One of these features is a switch
> to disable any anonymous operations completely. Another is to have a
> minimum SSF setting on the server. The only operation we would allow
> after first connecting over plain LDAP would be startTLS. If the SSF
> then meets the minimum requirement, other operations would be allowed.
>>
>> 2009/5/15 Rich Megginson
>>
>> Nathan Kinder wrote:
>>
>> Looks good.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-require-secure-binds-switch.patch
URL:

From rmeggins at redhat.com Thu May 28 16:26:09 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 28 May 2009 10:26:09 -0600
Subject: [389-devel] Please review: Use thread aware library for complex regex searches
In-Reply-To: <4A172D01.8030400@redhat.com>
References: <4A172D01.8030400@redhat.com>
Message-ID: <4A1EBB21.6090506@redhat.com>

Noriko Hosoi wrote:
> Subject: Use thread aware library for complex regex searches
>
> Link:
> http://nhosoi.fedorapeople.org/0001-Use-thread-aware-library-for-complex-regex-searches.patch
>
>
> Unfortunately, the fedoraproject.org is closed now. I'm going to
> create the page
> http://directory.fedoraproject.org/wiki/Thread_Aware_Regex which
> contains the following notes as soon as the wiki is reopened.
> ------------------------------------------------------------------------
> Directory Server used to use the regular expression pattern matching
> and replacing library which was not thread safe. Thus, the operation
> should have been protected by the mutex lock. Regular expression
> could be used by the search filters (syntax plugin), acl, schema file
> load, and SASL Mapping. If one of them took a long time, the rest
> should have been blocked.
> Replacing the library with the thread aware
> library solves the problem and improves the throughput.
>
> [http://www.pcre.org/ PCRE - Perl Compatible Regular Expressions]
> library is installed on RHELs/Fedoras, by default. We need just a
> subset of the APIs, thus we provide simplified slapi APIs wrapping the
> PCRE APIs.
>
> NAME
> slapi_re_comp -- compiles a regular expression pattern. A thin wrapper
> of pcre_compile.
> SYNOPSIS
> Slapi_Regex *slapi_re_comp( char *pat, char **error );
> PARAMS
> pat: Pattern to be compiled.
> error: The error string is set if the compile fails.
> RETURN VALUE
> a pointer to the regex handler which stores the compiled pattern.
> NULL if the compile fails.
> WARNING
> The regex handler should be released by slapi_re_free().
>
> NAME
> slapi_re_exec -- matches a compiled regular expression pattern against
> a given string. A thin wrapper of pcre_exec.
> SYNOPSIS
> int slapi_re_exec( Slapi_Regex *re_handle, char *subject, time_t time_up );
> PARAMS
> re_handle: The regex handler returned from slapi_re_comp.
> subject: A string to be checked against the compiled pattern.
> time_up: If the current time is larger than the value, this function
> returns immediately. (-1) means no time limit.
> RETURN VALUE
> 0 if the string did not match.
> 1 if the string matched.
> other values if any error occurred.
>
> NAME
> slapi_re_subs -- substitutes '&' or '\#' in the param src with the
> matched string.
> SYNOPSIS
> int slapi_re_subs( Slapi_Regex *re_handle, char *subject, char *src, char **dst, unsigned long dstlen );
> PARAMS
> re_handle: The regex handler returned from slapi_re_comp.
> subject: A string checked against the compiled pattern.
> src: A given string which could contain the substitution symbols.
> dst: A pointer pointing to the memory which stores the output string.
> dstlen: Size of the memory dst.
> RETURN VALUE
> 1 if the substitution was successful.
> 0 if the substitution failed.
>
> NAME
> slapi_re_free -- releases the regex handler which was returned from
> slapi_re_comp.
> SYNOPSIS
> void slapi_re_free(Slapi_Regex *re_handle);
> PARAMS
> re_handle: The regex handler to be released.
> RETURN VALUE
> none
> ------------------------------------------------------------------------
Looks good. I notice you have some unrelated fixes in this patch too -
those look ok - be sure to document those. You can edit your commit
message by using git commit --amend to amend the last commit you made.
>
> Thanks,
> --noriko

From nhosoi at redhat.com Thu May 28 16:59:26 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Thu, 28 May 2009 09:59:26 -0700
Subject: [389-devel] Commit: Use thread aware library for complex regex searches
In-Reply-To: <4A1EBB21.6090506@redhat.com>
References: <4A172D01.8030400@redhat.com> <4A1EBB21.6090506@redhat.com>
Message-ID: <4A1EC2EE.2070702@redhat.com>

Rich Megginson wrote:
> [...]
>>
> Looks good. I notice you have some unrelated fixes in this patch too
> - those look ok - be sure to document those. You can edit your commit
> message by using git commit --amend to amend the last commit you made.
Thank you, Rich, for reviewing my changes. I updated the commit message
as follows and pushed the patch to master.

> Use thread aware library for complex regex searches
>
> For more details, see the design doc at
> http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
>
> Additional 2 unrelated changes are being made:
> 1) dbgen.pl.in: secretary and manager are having a dn format value
> "cn=...".
> 2) slapi_counter_sunos_sparcv9.S: adding "#define _ASM 1" to force to
> set an assembler code macro _ASM.

Thanks,
--noriko

From nkinder at redhat.com Fri May 29 17:41:31 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 29 May 2009 10:41:31 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A1C63AA.3000901@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com> <4A1C54A9.5020402@redhat.com> <4A1C63AA.3000901@redhat.com>
Message-ID: <4A201E4B.5060609@redhat.com>

Nathan Kinder wrote:
> Nathan Kinder wrote:
>> Andrey Ivanov wrote:
>>>
>>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>>> even the anonymous binds should be made by SSL? Maybe there is some
>>> sense in leaving a possibility to have anonymous binds non-SSL and
>>> forcing non-anonymous ones to be secure?
>> Sorry for the late response, but I was on vacation the last week.
>>
>> The current patch does force all simple binds, including anonymous,
>> to use a secure connection. I can see value in allowing anonymous
>> simple binds over an unencrypted connection, as the main reason for
>> this new setting is to prevent clear text transmission of passwords.
>> I will revise the patch to ignore anonymous binds when
>> nsslapd-require-secure-binds is on unless anyone else has arguments
>> otherwise.
> A new patch with the above change is attached.
After some discussion with Rich, we determined that a change to the
patch was necessary with regards to the way unauthenticated binds are
treated. The attached patch treats unauthenticated binds the same as
anonymous binds (assuming that they are allowed in the config).
This means that the new setting to require secure binds will not affect
unauthenticated binds or anonymous binds.

The patch also fixed a typo in one of the new log messages.
>>
>> There are a number of other security related configuration settings
>> that I plan to add soon, which will provide other ways of dealing
>> with restricting anonymous operations. One of these features is a
>> switch to disable any anonymous operations completely. Another is to
>> have a minimum SSF setting on the server. The only operation we
>> would allow after first connecting over plain LDAP would be
>> startTLS. If the SSF then meets the minimum requirement, other
>> operations would be allowed.
>>>
>>> 2009/5/15 Rich Megginson
>>>
>>> Nathan Kinder wrote:
>>>
>>> Looks good.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Add-require-secure-binds-switch.patch

From nhosoi at redhat.com Fri May 29 18:08:23 2009
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 29 May 2009 11:08:23 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A201E4B.5060609@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com> <4A1C54A9.5020402@redhat.com> <4A1C63AA.3000901@redhat.com> <4A201E4B.5060609@redhat.com>
Message-ID: <4A202497.2050108@redhat.com>

Your fixes look good to me.
--noriko

Nathan Kinder wrote:
> Nathan Kinder wrote:
>> Nathan Kinder wrote:
>>> Andrey Ivanov wrote:
>>>>
>>>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>>>> even the anonymous binds should be made by SSL? Maybe there is some
>>>> sense in leaving a possibility to have anonymous binds non-SSL and
>>>> forcing non-anonymous ones to be secure?
>>> Sorry for the late response, but I was on vacation the last week.
>>>
>>> The current patch does force all simple binds, including anonymous,
>>> to use a secure connection. I can see value in allowing anonymous
>>> simple binds over an unencrypted connection, as the main reason for
>>> this new setting is to prevent clear text transmission of
>>> passwords. I will revise the patch to ignore anonymous binds when
>>> nsslapd-require-secure-binds is on unless anyone else has arguments
>>> otherwise.
>> A new patch with the above change is attached.
> After some discussion with Rich, we determined that a change to the
> patch was necessary with regards to the way unauthenticated binds are
> treated. The attached patch treats unauthenticated binds the same as
> anonymous binds (assuming that they are allowed in the config). This
> means that the new setting to require secure binds will not affect
> unauthenticated binds or anonymous binds.
>
> The patch also fixed a typo in one of the new log messages.
>>>
>>> There are a number of other security related configuration settings
>>> that I plan to add soon, which will provide other ways of dealing
>>> with restricting anonymous operations. One of these features is a
>>> switch to disable any anonymous operations completely. Another is
>>> to have a minimum SSF setting on the server. The only operation we
>>> would allow after first connecting over plain LDAP would be
>>> startTLS. If the SSF then meets the minimum requirement, other
>>> operations would be allowed.
>>>>
>>>> 2009/5/15 Rich Megginson
>>>>
>>>> Nathan Kinder wrote:
>>>>
>>>> Looks good.
-------------- next part --------------
A non-text attachment was
scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3250 bytes
Desc: S/MIME Cryptographic Signature

From rmeggins at redhat.com Fri May 29 18:16:05 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 29 May 2009 12:16:05 -0600
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A201E4B.5060609@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com> <4A1C54A9.5020402@redhat.com> <4A1C63AA.3000901@redhat.com> <4A201E4B.5060609@redhat.com>
Message-ID: <4A202665.6040702@redhat.com>

Nathan Kinder wrote:
> Nathan Kinder wrote:
>> Nathan Kinder wrote:
>>> Andrey Ivanov wrote:
>>>>
>>>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>>>> even the anonymous binds should be made by SSL? Maybe there is some
>>>> sense in leaving a possibility to have anonymous binds non-SSL and
>>>> forcing non-anonymous ones to be secure?
>>> Sorry for the late response, but I was on vacation the last week.
>>>
>>> The current patch does force all simple binds, including anonymous,
>>> to use a secure connection. I can see value in allowing anonymous
>>> simple binds over an unencrypted connection, as the main reason for
>>> this new setting is to prevent clear text transmission of
>>> passwords. I will revise the patch to ignore anonymous binds when
>>> nsslapd-require-secure-binds is on unless anyone else has arguments
>>> otherwise.
>> A new patch with the above change is attached.
> After some discussion with Rich, we determined that a change to the
> patch was necessary with regards to the way unauthenticated binds are
> treated. The attached patch treats unauthenticated binds the same as
> anonymous binds (assuming that they are allowed in the config). This
> means that the new setting to require secure binds will not affect
> unauthenticated binds or anonymous binds.
>
> The patch also fixed a typo in one of the new log messages.
Ok.
>>>
>>> There are a number of other security related configuration settings
>>> that I plan to add soon, which will provide other ways of dealing
>>> with restricting anonymous operations. One of these features is a
>>> switch to disable any anonymous operations completely. Another is
>>> to have a minimum SSF setting on the server. The only operation we
>>> would allow after first connecting over plain LDAP would be
>>> startTLS. If the SSF then meets the minimum requirement, other
>>> operations would be allowed.
>>>>
>>>> 2009/5/15 Rich Megginson
>>>>
>>>> Nathan Kinder wrote:
>>>>
>>>> Looks good.
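
The bind policy this thread settles on, as an added C sketch that is not the attached patch or 389 DS code: only simple binds that carry a password are refused on a cleartext connection, while anonymous and unauthenticated binds pass, and the planned minimum-SSF gate lets only startTLS through below the minimum. The struct, function names, result-code choices and the use of `conn_ssf == 0` to mean cleartext are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Result codes as numbered in RFC 4511. Which code the server really
 * returns in each case is an assumption of this sketch. */
enum {
    LDAP_OK = 0,
    LDAP_CONFIDENTIALITY_REQUIRED = 13,
    LDAP_UNWILLING_TO_PERFORM = 53
};

/* Simple bind flavours, RFC 4513 section 5.1. */
typedef enum { BIND_ANONYMOUS, BIND_UNAUTHENTICATED, BIND_PASSWORD } bind_kind;
typedef enum { OP_BIND, OP_STARTTLS, OP_SEARCH } op_type;

/* Hypothetical policy record; only the setting name
 * nsslapd-require-secure-binds comes from the thread. */
typedef struct {
    int require_secure_binds;  /* nsslapd-require-secure-binds on/off */
    int allow_unauthenticated; /* unauthenticated binds allowed in config */
    int min_ssf;               /* planned minimum SSF, 0 = no minimum */
} bind_policy;

/* The password is an octet string, so classify on its length. Anything
 * that carries a non-empty password is a password bind, even with an
 * empty DN, because the secret would still cross the wire. */
bind_kind classify_simple_bind(const char *dn, size_t pwlen)
{
    if (pwlen > 0)
        return BIND_PASSWORD;
    return (dn == NULL || dn[0] == '\0') ? BIND_ANONYMOUS
                                         : BIND_UNAUTHENTICATED;
}

/* conn_ssf == 0 models a cleartext connection (assumption). */
int check_simple_bind(const bind_policy *p, const char *dn, size_t pwlen,
                      int conn_ssf)
{
    bind_kind kind = classify_simple_bind(dn, pwlen);

    if (kind == BIND_UNAUTHENTICATED && !p->allow_unauthenticated)
        return LDAP_UNWILLING_TO_PERFORM;
    /* Only binds that transmit a password are held to the switch. */
    if (kind == BIND_PASSWORD && p->require_secure_binds && conn_ssf == 0)
        return LDAP_CONFIDENTIALITY_REQUIRED;
    return LDAP_OK;
}

/* Planned minimum-SSF gate: below the minimum, only startTLS passes. */
int check_min_ssf(const bind_policy *p, op_type op, int conn_ssf)
{
    if (conn_ssf >= p->min_ssf || op == OP_STARTTLS)
        return LDAP_OK;
    return LDAP_UNWILLING_TO_PERFORM;
}

int main(void)
{
    /* Constructed sample requests, not taken from any server log. */
    const bind_policy p = { 1, 1, 56 };
    const char *dn = "uid=jdoe,dc=example,dc=com";

    printf("password bind, cleartext : %d\n", check_simple_bind(&p, dn, 8, 0));
    printf("password bind, SSF 128   : %d\n", check_simple_bind(&p, dn, 8, 128));
    printf("anonymous bind, cleartext: %d\n", check_simple_bind(&p, "", 0, 0));
    printf("unauth bind, cleartext   : %d\n", check_simple_bind(&p, dn, 0, 0));
    printf("search before startTLS   : %d\n", check_min_ssf(&p, OP_SEARCH, 0));
    printf("startTLS on cleartext    : %d\n", check_min_ssf(&p, OP_STARTTLS, 0));
    return 0;
}
```

In this model the secure-binds switch alone still admits a cleartext anonymous bind; with `min_ssf` set, the gate refuses that bind operation until startTLS has raised the SSF.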
From nkinder at redhat.com Fri May 29 18:15:01 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 29 May 2009 11:15:01 -0700
Subject: [389-devel] [PATCH] Add require secure binds switch.
In-Reply-To: <4A202665.6040702@redhat.com>
References: <4A0B86DB.8030400@redhat.com> <4A0DA01A.5090001@redhat.com> <1601b8650905151409p45a55fb3s7e5632ead34969de@mail.gmail.com> <4A1C54A9.5020402@redhat.com> <4A1C63AA.3000901@redhat.com> <4A201E4B.5060609@redhat.com> <4A202665.6040702@redhat.com>
Message-ID: <4A202625.1050107@redhat.com>

Rich Megginson wrote:
> Nathan Kinder wrote:
>> Nathan Kinder wrote:
>>> Nathan Kinder wrote:
>>>> Andrey Ivanov wrote:
>>>>>
>>>>> Does it mean that when "nsslapd-require-secure-binds" is "on" then
>>>>> even the anonymous binds should be made by SSL? Maybe there is
>>>>> some sense in leaving a possibility to have anonymous binds
>>>>> non-SSL and forcing non-anonymous ones to be secure?
>>>> Sorry for the late response, but I was on vacation the last week.
>>>>
>>>> The current patch does force all simple binds, including anonymous,
>>>> to use a secure connection. I can see value in allowing anonymous
>>>> simple binds over an unencrypted connection, as the main reason for
>>>> this new setting is to prevent clear text transmission of
>>>> passwords. I will revise the patch to ignore anonymous binds when
>>>> nsslapd-require-secure-binds is on unless anyone else has arguments
>>>> otherwise.
>>> A new patch with the above change is attached.
>> After some discussion with Rich, we determined that a change to the
>> patch was necessary with regards to the way unauthenticated binds are
>> treated. The attached patch treats unauthenticated binds the same as
>> anonymous binds (assuming that they are allowed in the config).
>> This means that the new setting to require secure binds will not affect
>> unauthenticated binds or anonymous binds.
>>
>> The patch also fixed a typo in one of the new log messages.
> Ok.
Pushed to master.
>>>>
>>>> There are a number of other security related configuration settings
>>>> that I plan to add soon, which will provide other ways of dealing
>>>> with restricting anonymous operations. One of these features is a
>>>> switch to disable any anonymous operations completely. Another is
>>>> to have a minimum SSF setting on the server. The only operation we
>>>> would allow after first connecting over plain LDAP would be
>>>> startTLS. If the SSF then meets the minimum requirement, other
>>>> operations would be allowed.
>>>>>
>>>>> 2009/5/15 Rich Megginson
>>>>>
>>>>> Nathan Kinder wrote:
>>>>>
>>>>> Looks good.

From nkinder at redhat.com Fri May 29 21:17:21 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 29 May 2009 14:17:21 -0700
Subject: [389-devel] [PATCH] Bug: 181465 - Handle spacing issues in objectClass SUP list
Message-ID: <4A2050E1.3020102@redhat.com>

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 0001-Bug-181465-Handle-spacing-issues-in-objectClass-S.patch

From rmeggins at redhat.com Fri May 29 21:31:19 2009
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 29 May 2009 15:31:19 -0600
Subject: [389-devel] [PATCH] Bug: 181465 - Handle spacing issues in objectClass SUP list
In-Reply-To: <4A2050E1.3020102@redhat.com>
References: <4A2050E1.3020102@redhat.com>
Message-ID: <4A205427.9090407@redhat.com>

Nathan Kinder wrote:
>
ok

From nkinder at redhat.com Fri May 29 21:29:21 2009
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 29 May 2009 14:29:21 -0700
Subject: [389-devel] [PATCH] Bug: 181465 - Handle spacing issues in objectClass SUP list
In-Reply-To: <4A205427.9090407@redhat.com>
References: <4A2050E1.3020102@redhat.com> <4A205427.9090407@redhat.com>
Message-ID: <4A2053B1.9060708@redhat.com>

Rich Megginson wrote:
> Nathan Kinder wrote:
>>
> ok
pushed to master.