From nhosoi at redhat.com Mon Dec 1 19:11:39 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Mon, 01 Dec 2008 11:11:39 -0800
Subject: [Fedora-directory-devel] Please review: [Bug 469800] Slow import post-processing with large number of non-leaf entries
In-Reply-To: <200812011853.mB1IrrLY009172@bz-web1.app.phx.redhat.com>
References: <200812011853.mB1IrrLY009172@bz-web1.app.phx.redhat.com>
Message-ID: <493436EB.8000502@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=469800

Summary: Slow import post-processing with large number of non-leaf entries

Thomas Lackey posted a patch to create an ancestorid index. With his patch, the large import with non-leaf entries dramatically. I reviewed his code and approved it. I'd like to have at least one more review to check in his patch.

Thanks,
--noriko

[Description of problem]

Import post-processing of large databases is extremely slow when they contain a large number of non-leaf entries. This slowness is centered in the creation of the ancestorid index.

Version-Release number of selected component (if applicable): 1.1.3

How reproducible: Always.

Steps to Reproduce:
1. Create a large LDIF to import, something with 1 million entries or more where many of the entries have children. In this test, approximately 1/10 of the entries were placed directly beneath the suffix and the other 9/10 were child entries evenly distributed beneath them. Eg:
   dn: cn=MyEntry0, ...
   dn: cn=Child0, cn=MyEntry0, ...
   dn: cn=Child1, cn=MyEntry0, ...
2. Import with ldif2db.
3. Watch the amount of time spent in the post-processing phase of the import and the difference in the final import rate when compared to the last rate from the import phase.

Actual results:
The post-processing time is inordinate to the import time.

[30/Oct/2008:11:22:48 -0500] - import userRoot: Processed 1059199 entries -- average rate 5725.4/sec, recent rate 5565.0/sec, hit ratio 100%
...
[30/Oct/2008:11:22:56 -0500] - import userRoot: Indexing complete.
Post-processing...
...
[30/Oct/2008:11:31:09 -0500] - import userRoot: Import complete. Processed 1100009 entries in 686 seconds. (1603.51 entries/sec)

This import took 11m31s according to 'time', of which 7m38s was spent post-processing. This dropped the average rate from 5700 entries/s to 1600 entries/s. This difference becomes even more pronounced with larger databases. Importing a very large database on another machine averaged 11k entries/s until post-processing, where the final rate ended at only 283 entries/s.

Expected results:
Building the ancestorid index does not need to be so expensive, since the information is available from the parentid index. The cost is associated with general overhead in maintaining the IDLists in memory, and in particular to the constant unions done on them to add children. When these lists may contain millions of entries, the time spent copying the existing data when inserting children is prohibitively expensive. This does not affect all layouts equally, but does cause problems when large numbers of children are dispersed throughout the tree.

Additional info:
BDB can usually handle inserts efficiently on its own, so it is not necessary to maintain complete IDLists in memory for all the entries and write them out in total. Updates can be performed directly to the DB instead. This example is on the same hardware using the same LDIF, but using code that does not maintain all the IDLists in memory and calls through to idl_new_store_block() to perform updates incrementally.

[30/Oct/2008:12:02:45 -0500] - import userRoot: Processed 1042117 entries -- average rate 5633.1/sec, recent rate 5752.4/sec, hit ratio 100%
...
[30/Oct/2008:12:02:56 -0500] - import userRoot: Indexing complete. Post-processing...
...
[30/Oct/2008:12:03:51 -0500] - import userRoot: Import complete. Processed 1100009 entries in 251 seconds. (4382.51 entries/sec)

The total time for this run was 4m17s, of which only 30s was post-processing.
Most importantly, 'dbscan -r -f ancestorid.db4' shows identical contents:

> > md5sum ancestorid.db4.dbscan.prefix ancestorid.db4.dbscan.postfix
> 7cb9cf17bb45a0e6960dccf17fb45a56 *ancestorid.db4.dbscan.prefix
7cb9cf17bb45a0e6960dccf17fb45a56 *ancestorid.db4.dbscan.postfix

[proposed patch]
Created an attachment (id=322386) [details]
Proposed patch

This proposed patch uses a new function, ldbm_ancestorid_new_idl_create_index(), to create the index when idl_get_idl_new() is true. The existing code is used otherwise. This is the code reference in the description.

From rmeggins at redhat.com Mon Dec 1 20:45:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 01 Dec 2008 13:45:44 -0700
Subject: [Fedora-directory-devel] Please review: Bug 469261 - Support server-to-server SASL - console chaining, server cleanup
Message-ID: <49344CF8.2050802@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=469261
Resolves: bug 469261
Bug Description: Support server-to-server SASL - console chaining, server cleanup
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button.
The second set of diffs is for the server.
1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values).
2) Added some more debugging/tracing code
3) The server to server SSL code would only work if the server were configured to be an SSL server.
But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configure some of the SSL settings and install the correct policy. I changed the server code to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
https://bugzilla.redhat.com/attachment.cgi?id=325289&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=325290&action=diff

From nkinder at redhat.com Tue Dec 2 23:33:49 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 02 Dec 2008 15:33:49 -0800
Subject: [Fedora-directory-devel] Please Review: (474254) Default schema ends up in 99user.ldif
Message-ID: <4935C5DD.20403@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=474254
Resolves: bug 474254
Bug Description: A number of the default attribute and objectclass definitions end up in 99user.ldif if you add any custom schema over LDAP. The default schema definitions should not end up in 99user.ldif. The cause of these definitions being copied to 99user.ldif is due to either duplicate definitions within the default schema, or from missing X-ORIGIN elements. These two conditions cause DS to think that the schema definitions have been redefined, or they are user defined.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix is to simply remove the duplicates and to add the missing X-ORIGIN elements.
Platforms tested: F9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
https://bugzilla.redhat.com/attachment.cgi?id=325450&action=diff

From rmeggins at redhat.com Tue Dec 2 23:38:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 02 Dec 2008 16:38:51 -0700
Subject: [Fedora-directory-devel] Please review: Bug 462411 - certificate request wizard returns an error
Message-ID: <4935C70B.50900@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=462411
Resolves: bug 462411
Bug Description: certificate request wizard returns an error
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This was broken as part of the fix for the XSS issues. To fix that, in order to make sure we never displayed any string that contained unescaped HTML entities, we just go ahead and escape everything when we read the values from the CGI GET or POST arguments. For this particular bug, this meant the cert CGI was getting a DN like this: CN="ldap.example.com" instead of CN="ldap.example.com". The solution is to add some functions to adminutil (stolen from dsgw) that can be used to escape/unescape HTML entities. We have to be careful never to display unescaped strings - in this particular case, the DN is never printed.
Platforms tested: RHEL5
Flag Day: yes - will require new adminutil, adminserver
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=325446&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=325447&action=diff

From rmeggins at redhat.com Thu Dec 4 01:07:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 03 Dec 2008 18:07:49 -0700
Subject: [Fedora-directory-devel] Please review: Bug 466137 - htmladmin gives 500 error
Message-ID: <49372D65.1080705@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=466137
Resolves: bug 466137
Bug Description: htmladmin gives 500 error
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: If the locale string passed in to res_getstring is bogus, the CGI will just exit (no crash, no security problems) which causes the 500 error. ures_open returns U_ILLEGAL_ARGUMENT_ERROR if the locale string is bogus. In this case, just use NULL for the locale which will cause it to use the default one.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=325619&action=diff

From rmeggins at redhat.com Thu Dec 4 14:26:35 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 04 Dec 2008 07:26:35 -0700
Subject: [Fedora-directory-devel] Please review: Bug 470946 - admin console does not place quotes around the certificate name in console.conf
Message-ID: <4937E89B.6070009@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=470946
Resolves: bug 470946
Bug Description: admin console does not place quotes around the certificate name in console.conf
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Just put double quotes around the values we write out, including NSSNickname
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=325687&action=diff

From rmeggins at redhat.com Thu Dec 4 17:42:39 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 04 Dec 2008 10:42:39 -0700
Subject: [Fedora-directory-devel] Please review: Clean up adminserver code
Message-ID: <4938168F.2000802@redhat.com>

Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Fix various compiler warnings about define redefinitions, unused functions/variables, wrong types being cast, etc.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no

From rmeggins at redhat.com Fri Dec 5 04:14:22 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 04 Dec 2008 21:14:22 -0700
Subject: [Fedora-directory-devel] Please review: Bug 454030 - Need to address 64-bit compiler warnings - again
Message-ID: <4938AA9E.9090506@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=454030
Resolves: bug 454030
Bug Description: Need to address 64-bit compiler warnings - again
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: This patch cleans up most of the other remaining compiler warnings. I compiled the directory server code with these flags on RHEL5 x86_64:
-g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
I also enabled argument/format match checking for most of the commonly used variadic functions. Most of the problems I found fell into these categories:
1) Too many or not enough arguments e.g. most everything that uses or did use LDAPDebug had extra 0,0 arguments. If they had been switched to use slapi_log_error, I removed the extra arguments - for those places still using LDAPDebug, I introduced more macros to handle the number of arguments, since C macros cannot be variadic.
2) When using NSPR formatting functions, we have to use %llu or %lld for 64-bit values, even on 64-bit systems. However, for regular system formatting functions, we have to use %ld or %lu. I introduced two new macros NSPRIu64 and NSPRI64 to handle cases where we are passing explicit 64-bit values to NSPR formatting functions, so that we can use the regular PRIu64 and PRI64 macros for regular system formatting functions. I also made sure we used NSPRI* only with NSPR functions, and used PRI* only with system functions.
3) use %lu for size_t and %ld for time_t

I did find a few "real" errors, places that the code was doing something definitely not right:
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/aclinit.c_sec4
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/acl/acllas.c_sec17
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/http/http_impl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/memberof/memberof.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_api.c_sec5
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/cl5_clcache.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/plugins/replication/replutil.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/libglobs.c_sec1
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c_sec2
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff#ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c_sec3

This is why it's important to use this compiler checking, and why it's important to fix compiler warnings, if for no other reason than the sheer noise from so many warnings can mask real errors.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=325774&action=diff

From rmeggins at redhat.com Fri Dec 5 23:04:07 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 05 Dec 2008 16:04:07 -0700
Subject: [Fedora-directory-devel] Please review: Bug 234948 - Console hangs when adding a custom entry and schema items are in certain order
Message-ID: <4939B367.4020208@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=234948
Resolves: bug 234948
Bug Description: Console hangs when adding a custom entry and schema items are in certain order
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The problem is primarily due to https://bugzilla.redhat.com/show_bug.cgi?id=170791 "Schema file parsing overly picky?" - the console schema editor expects an objectclass to always have at least 1 superior. The bug causes SUP not to be present in the schema entry in the directory server. The fix is to use a schema helper function to make sure the list of superior objectclasses always contains at least "top". I also added a check for a null value to avoid the NullPointerException console error.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=325922&action=diff

From rmeggins at redhat.com Mon Dec 8 22:45:33 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 08 Dec 2008 15:45:33 -0700
Subject: [Fedora-directory-devel] Please review: Bug 474936 - configuring config ds to use ldaps forces user/group ds to use ldaps - console hangs
Message-ID: <493DA38D.1020804@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=474936
Resolves: bug 474936
Bug Description: configuring config ds to use ldaps forces user/group ds to use ldaps - console hangs
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The admin server was not putting the port number in the LDAP URL, so the console was attempting to use the secure port from the config ds with ldap://ughost. The console is already able to parse the :port part of the url.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326220&action=diff

From rmeggins at redhat.com Tue Dec 9 17:43:51 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 10:43:51 -0700
Subject: [Fedora-directory-devel] Please review: Bug 458488 - Console doesn't type-check input for schema-defined INTEGER attributes
Message-ID: <493EAE57.4010505@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=458488
Resolves: bug 458488
Bug Description: Console doesn't type-check input for schema-defined INTEGER attributes
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Fixed for posix uidNumber and gidNumber. Non numeric or negative values will be rejected. If the user specifies an explicit value of 0, a warning dialog will ask if the user really wants to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=326368&action=diff

From rmeggins at redhat.com Tue Dec 9 22:13:30 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 15:13:30 -0700
Subject: [Fedora-directory-devel] Please review: Bug 452596 - Help file for Status tab references server root
Message-ID: <493EED8A.4080703@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=452596
Resolves: bug 452596
Bug Description: Help file for Status tab references server root
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Remove/cleanup references to the old server root
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326414&action=diff

From rmeggins at redhat.com Wed Dec 10 02:52:17 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 09 Dec 2008 19:52:17 -0700
Subject: [Fedora-directory-devel] Please review: Bug 429514 - Administration Server Console : incorrect apache server error log parsing
Message-ID: <493F2EE1.7000002@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=429514
Resolves: bug 429514
Bug Description: Administration Server Console : incorrect apache server error log parsing
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The error log date/time are together in one field. Just combine them into one column in the log viewer.
New screenshot - https://bugzilla.redhat.com/attachment.cgi?id=326443
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - will have to document the new log format
https://bugzilla.redhat.com/attachment.cgi?id=326442&action=diff

From rmeggins at redhat.com Thu Dec 11 02:10:15 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 10 Dec 2008 19:10:15 -0700
Subject: [Fedora-directory-devel] Please review: Bug 158334 - WinSync Console: Handling of logonHours and accountExpires incorrect.
Message-ID: <49407687.7020305@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=158334
Resolves: bug 158334
Bug Description: WinSync Console: Handling of logonHours and accountExpires incorrect.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Added code to convert from Windows FILETIME to Java time. Added special handling for the "Never Expires" value, which can be the very large value or 0. The console now displays "Never Expires" or the actual human readable value for the time. As far as Logon Hours, it's just really messed up. I will open another bug for that.
https://bugzilla.redhat.com/attachment.cgi?id=326573 - never expires
https://bugzilla.redhat.com/attachment.cgi?id=326574 - expires with date
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=326572&action=diff
https://bugzilla.redhat.com/attachment.cgi?id=326575

From rmeggins at redhat.com Thu Dec 11 15:54:29 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Dec 2008 08:54:29 -0700
Subject: [Fedora-directory-devel] Please review: Bug 166230 - Admin Server management window misparses access log
Message-ID: <494137B5.5050106@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=166230
Resolves: bug 166230
Bug Description: Admin Server management window misparses access log
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Look for ' - ' instead of just a '-'
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326632&action=diff

From rmeggins at redhat.com Thu Dec 11 17:29:16 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Dec 2008 10:29:16 -0700
Subject: [Fedora-directory-devel] Please review: Bug 177334 - LDBM Plug-in Settings console UI value checking issues
Message-ID: <49414DEC.2070309@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=177334
Resolves: bug 177334
Bug Description: LDBM Plug-in Settings console UI value checking issues
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The code was unconditionally resetting the field before checking the result of the modify operation. The correct way to do it is to reset the field only after the modify operation succeeded. I create a Vector of fields that are being modified, and only reset them if the modify succeeded.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326639&action=diff

From nkinder at redhat.com Thu Dec 11 22:18:41 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Thu, 11 Dec 2008 14:18:41 -0800
Subject: [Fedora-directory-devel] Please Review: (201332) Password change extended operation is not allowed after password reset
Message-ID: <494191C1.2040308@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=201332
Resolves: bug 201332
Bug Description: The password modify extop is not allowed when a password change is required (expired, etc.). This operation should be allowed.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix is to let extended operations pass through connection_need_new_password(), then check if the extended operation is the password modify extop if a password is expired in do_extended(). If the extended operation is something else, we return an error 53 along with the password expired control.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326682&action=diff

From rmeggins at redhat.com Thu Dec 11 22:30:42 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Dec 2008 15:30:42 -0700
Subject: [Fedora-directory-devel] Please review: Bug 249120 - fds104 jre15sun empty subtree pw policy window
Message-ID: <49419492.1080503@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=249120
Resolves: bug 249120
Bug Description: fds104 jre15sun empty subtree pw policy window
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The culprit was flexible but evil GridBagLayout. Changing the layout in the dialog window to BorderLayout solved the problem. Now, the window comes up with the panels flush with the edges of the dialog window. Resizing the box too small results in h and v scroll bars.
pwp dialog at startup - https://bugzilla.redhat.com/attachment.cgi?id=326684
pwp dialog made too small - https://bugzilla.redhat.com/attachment.cgi?id=326685
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326683&action=diff

From rmeggins at redhat.com Fri Dec 12 03:12:31 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Thu, 11 Dec 2008 20:12:31 -0700
Subject: [Fedora-directory-devel] Please review: Bug 238762 - Support "auto" for "Import cache size" in the LDBM Plug-in Settings
Message-ID: <4941D69F.6040402@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=238762
Resolves: bug 238762
Bug Description: Support "auto" for "Import cache size" in the LDBM Plug-in Settings
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Added a check box for "use auto cache size". If this is checked, a value of -1 will be saved for nsslapd-import-cache-autosize which will tell the server to use the default auto cache value. If this is not checked, a value of 0 will be saved which will tell the server to use the number from nsslapd-import-cachesize. If the check box is checked, the import cachesize field will be disabled. Here are a couple of screen shots.
https://bugzilla.redhat.com/attachment.cgi?id=326699
https://bugzilla.redhat.com/attachment.cgi?id=326700
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes - will have to document the new UI
https://bugzilla.redhat.com/attachment.cgi?id=326701&action=diff

From nkinder at redhat.com Fri Dec 12 21:16:10 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Fri, 12 Dec 2008 13:16:10 -0800
Subject: [Fedora-directory-devel] Please Review: (432135) Need better error reporting when stats file can't be accessed
Message-ID: <4942D49A.4030501@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=432135
Resolves: bug 432135
Bug Description: When the stats file can't be accessed at startup, we log a message to the terminal that is starting the server.
We should be writing this message to the errors log instead, as you can't see the message from the terminal if you hit this problem during an install.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Log the message to the errors log.
Platforms tested: F9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=326777&action=diff

From rmeggins at redhat.com Sat Dec 13 01:30:14 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 12 Dec 2008 18:30:14 -0700
Subject: [Fedora-directory-devel] Redux: Please review: Bug 158334 - WinSync Console: Handling of logonHours and accountExpires incorrect.
Message-ID: <49431026.6030502@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=158334
Resolves: bug 158334
Bug Description: WinSync Console: Handling of logonHours and accountExpires incorrect.
Reviewed by: ???
Files: https://bugzilla.redhat.com/attachment.cgi?id=326575
Branch: HEAD
Fix Description: Added code to convert from Windows FILETIME to Java time. Added special handling for the "Never Expires" value, which can be the very large value or 0. The console now displays "Never Expires" or the actual human readable value for the time. As far as Logon Hours, it's just really messed up. I will open another bug for that.
https://bugzilla.redhat.com/attachment.cgi?id=326573 - never expires
https://bugzilla.redhat.com/attachment.cgi?id=326574 - expires with date
Platforms tested: RHEL5
Flag Day: no
Doc impact: yes
https://bugzilla.redhat.com/attachment.cgi?id=326572&action=diff
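
Added example, not part of the message above and not the console patch: the accountExpires handling that message describes (Windows FILETIME, with 0 and the very large value both meaning "Never Expires"), written in Python. The function names are hypothetical, and clamping dates past year 9999 is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INT64_MAX = 0x7FFFFFFFFFFFFFFF
# The two sentinels the message mentions: 0 and "the very large value".
NEVER_EXPIRES = (0, INT64_MAX)
# Assumption of this example: ticks beyond datetime's range are clamped.
MAX_DATETIME = datetime.max.replace(tzinfo=timezone.utc)


def account_expires_to_datetime(raw: str) -> Optional[datetime]:
    """Return the expiry as an aware UTC datetime, or None for 'never'."""
    text = raw.strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("accountExpires must be a non-negative integer: %r" % raw)
    ticks = int(text)
    if ticks > INT64_MAX:
        raise ValueError("accountExpires does not fit in a signed 64-bit value")
    if ticks in NEVER_EXPIRES:
        # Without this check, 0 would render as 1601-01-01 (long expired)
        # and INT64_MAX would overflow the date arithmetic below.
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return MAX_DATETIME


def describe_account_expires(raw: str, now: datetime) -> str:
    """Human-readable status, as a console would display it."""
    when = account_expires_to_datetime(raw)
    if when is None:
        return "Never Expires"
    state = "expired" if when <= now else "expires"
    return "%s %s UTC" % (state, when.strftime("%Y-%m-%d %H:%M:%S"))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    now = datetime(2008, 12, 13, tzinfo=timezone.utc)
    for sample in ("0", str(INT64_MAX), "116444736000000000"):
        print(sample, "->", describe_account_expires(sample, now))
```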

From nkinder at redhat.com Sat Dec 13 16:50:05 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Sat, 13 Dec 2008 08:50:05 -0800
Subject: [Fedora-directory-devel] Please Review: (430368) Improve "Failed to open stats file" error upon startup
Message-ID: <4943E7BD.70006@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=430368
Resolves: bug 430368
Bug Description: Due to a spec file problem, the permissions of the nsslapd-rundir directory can get reset. This causes DS to complain about its stats file when starting up.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix adds a check at startup to see if the user ns-slapd is running as has read and write permissions on nsslapd-rundir. A detailed error message is output if there is an access problem, which instructs the administrator how to fix it.
Platforms tested: F9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
https://bugzilla.redhat.com/attachment.cgi?id=326832&action=diff

From rmeggins at redhat.com Mon Dec 15 19:16:44 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 15 Dec 2008 12:16:44 -0700
Subject: [Fedora-directory-devel] Please review: Bug 426439 - Unable to load CRL file for a DS instance - when its placed under /etc/dirsrv/slapd-INSTANCE
Message-ID: <4946AD1C.7040604@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=426439
Resolves: bug 426439
Bug Description: Unable to load CRL file for a DS instance - when its placed under /etc/dirsrv/slapd-INSTANCE
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The main problem was that it was not using the getSecurityDir function to get the security dir based on the SIE passed in. This function is called in main after getting the SIE.
I changed the code to set this value in a static variable that can be used throughout the program. In addition, I found and fixed some other bugs related to CRL handling:
1) The code did not work with ASCII CRLs generated by newer versions of crlutil which use the BEGIN CRL header. I added processing for that header type.
2) The code did not handle date/time in generalized time format. I added code to format the date/time based on the type of date/time stored in the CRL.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327005&action=diff

From rmeggins at redhat.com Mon Dec 15 20:32:48 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 15 Dec 2008 13:32:48 -0700
Subject: [Fedora-directory-devel] Please review: Bug 179193 - Replication UI most of the time don't return consumer initialization error
Message-ID: <4946BEF0.1010103@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=179193
Resolves: bug 179193
Bug Description: Replication UI most of the time don't return consumer initialization error
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Just added a 3 second sleep after telling the server to perform the consumer init. This seems to give the server time enough to attempt the init, fail, and set an appropriate error code.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327021&action=diff

From rmeggins at redhat.com Tue Dec 16 19:19:55 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Dec 2008 12:19:55 -0700
Subject: [Fedora-directory-devel] Please review: Bug 198090 - ACI editor table sort problem
Message-ID: <4947FF5B.9070105@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=198090
Resolves: bug 198090
Bug Description: ACI editor table sort problem
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The main problem was that the Table Model code was not checking the type of the model change event, and was just unconditionally resetting/initializing the internal indexes array every time the checkbox was checked. This caused the table to revert back to the original order every time a checkbox was checked on or off. The only events which should cause the indexes to be reset/initialized are the INSERT and DELETE types, not the UPDATE type. There were also some problems with setting up the initial model, and I cleaned up some bogus code.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327150&action=diff

From rmeggins at redhat.com Tue Dec 16 20:28:49 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Tue, 16 Dec 2008 13:28:49 -0700
Subject: [Fedora-directory-devel] Please review: Bug 179184 - Advanced Properties window sorts by attribute name not "friendly name"
Message-ID: <49480F81.7060804@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=179184
Resolves: bug 179184
Bug Description: Advanced Properties window sorts by attribute name not "friendly name"
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: Just call the showAllAttributes method at the end of the ctor. This method will sort the list in the correct order.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327157&action=diff

From rmeggins at redhat.com Wed Dec 17 20:17:06 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Wed, 17 Dec 2008 13:17:06 -0700
Subject: [Fedora-directory-devel] Please review: Bug 476891 - Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Message-ID: <49495E42.2010607@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=476891
Resolves: bug 476891
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description:
1) SASL/DIGEST-MD5 needs both username and authid
2) The username and authid in this context are always a bind DN - they must have the "dn:" prefix in order for the SASL mapping to work
3) gssapi (kerberos) sets both username and authid to NULL
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327280&action=diff

From rmeggins at redhat.com Fri Dec 19 18:55:33 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Fri, 19 Dec 2008 11:55:33 -0700
Subject: [Fedora-directory-devel] Please review: Bug 476891 - Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Message-ID: <494BEE25.1080806@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=476891
Resolves: bug 476891
Bug Description: Replication: Server to Server Connection Error: SASL(-1): generic failure: All-whitespace username.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: My earlier fix for this bug broke GSSAPI - it would cause the username and authid to only be freed under certain conditions e.g. if the krb creds were still valid, the code would not free the username and authid, so they would be passed via SASL instead of the principal name. This fix just makes sure username and authid are always freed, under all circumstances.
Platforms tested: RHEL5, Fedora 9
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327485&action=diff

From abartlet at samba.org Sat Dec 20 06:21:41 2008
From: abartlet at samba.org (Andrew Bartlett)
Date: Sat, 20 Dec 2008 17:21:41 +1100
Subject: [Fedora-directory-devel] handling forward-only links, DN+Binary and DN+String
Message-ID: <1229754101.3901.77.camel@naomi.s4.naomi.abartlet.net>

Having thought I got to the bottom of extended DN behaviour, I've come across more challenges, that I would like thoughts on.

Handling renames of one-way links: OpenLDAP already does this, but Samba needs some help here (as we try to infer the rename from the presence of backlinks, but for one-way links, how should we know we are being linked to?)

Handling of DN+Binary and DN+String one-way links. For example,

wellKnownObjects: B:32:22b70c67d56e4efb91e9300fca3dc1aa:CN=ForeignSecurityPrincipals,DC=samba,DC=org

This is a 'DN+Binary' syntax attribute (for resolving well known GUIDs into a DN), and must therefore follow when the well known target renames. MS-ADTS 3.1.1.1.6 specifies the behaviour.

The challenge I see here is that I really do need an additional syntax in OpenLDAP. If I map this to just a binary string (as I do now), then the rename will not follow though. If I map it to a DN (as I had tried in the past), then the syntax is invalid. Is it entirely unreasonable to add an additional syntax?

This is a bit of a 'hit and run' question, as I won't be able to carry on the discussion during Christmas/New Year, but any thoughts would be most welcome.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

From lukeh at padl.com Sun Dec 21 06:22:42 2008
From: lukeh at padl.com (Luke Howard)
Date: Sun, 21 Dec 2008 17:22:42 +1100
Subject: [Fedora-directory-devel] handling forward-only links, DN+Binary and DN+String
In-Reply-To: <1229754101.3901.77.camel@naomi.s4.naomi.abartlet.net>
References: <1229754101.3901.77.camel@naomi.s4.naomi.abartlet.net>
Message-ID: <7E8DD777-41B8-4AE0-A922-B7B8F6767682@padl.com>

> The challenge I see here is that I really do need an additional syntax
> in OpenLDAP. If I map this to just a binary string (as I do now), then
> the rename will not follow though. If I map it to a DN (as I had tried
> in the past), then the syntax is invalid. Is it entirely unreasonable
> to add an additional syntax?

Well, they are really new syntaxes, so you should add a new syntax. Or at least a syntax that looks like { type, blob, DN } upon which you can implement the AD syntaxes (that's kind of what I did for eDirectory).

-- Luke

From rmeggins at redhat.com Mon Dec 22 19:10:56 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Dec 2008 12:10:56 -0700
Subject: [Fedora-directory-devel] Please review: Bug 471681 - DSGW authenticate multi-result hyperlinks broken
Message-ID: <494FE640.5000206@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=471681
Resolves: bug 471681
Bug Description: DSGW authenticate multi-result hyperlinks broken
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description:
1) The quoting was a bit off. The DSGW code adds double quotes at the beginning and end of the javascript. We have to use %22 to have DSGW emit double quotes in the right places where other double quotes are needed.
2) If you are attempting to auth as a real user, and you have password policy on such that the user must change the password after reset, and you are using a binddn instead of the default anon, the auth screen would not prompt you for your old password, because it thought you were already bound as the binddn. The binddn is not a real user in this case, and so should not be considered when testing for "bound".
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327681&action=diff

From rmeggins at redhat.com Mon Dec 22 20:04:05 2008
From: rmeggins at redhat.com (Rich Megginson)
Date: Mon, 22 Dec 2008 13:04:05 -0700
Subject: [Fedora-directory-devel] Please review: Bug 472092 - (DSGW_passwd_corrupt) DSGW password corruption
Message-ID: <494FF2B5.7000307@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=472092
Resolves: bug 472092
Bug Description: DSGW password corruption
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description:
1) By default, all of the get/post parameters have the html entities escaped, so we can be sure that they are displayed to the user escaped, to avoid XSS issues. However, values sent to LDAP must be unescaped. The doauth code is used to authenticate directory manager and ordinary users, so we have to unescape the password explicitly there. The domodify code is used when data is added or modified in the directory server. It's easier to just fix all of the values before sending to the directory server.
2) The entity code has been moved to adminutil, so use the adminutil functions instead of the dsgw functions. This will require adminutil 1.1.8.
3) Clean up various compiler warnings.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
https://bugzilla.redhat.com/attachment.cgi?id=327686&action=diff

From nkinder at redhat.com Tue Dec 23 21:54:38 2008
From: nkinder at redhat.com (Nathan Kinder)
Date: Tue, 23 Dec 2008 13:54:38 -0800
Subject: [Fedora-directory-devel] Please Review: (474621) Adding a user with nsuniqueid in the RDN creates an illegal entry
Message-ID: <49515E1E.4050002@redhat.com>

https://bugzilla.redhat.com/show_bug.cgi?id=474621
Resolves: bug 474621
Bug Description: If you add an entry using a created attribute in the RDN (such as nsuniqueid), the entry will be added, but the value used in the RDN will not exist in the entry. The same issue occurs with performing a MODRDN operation using a created attribute in the new RDN.
Reviewed by: ???
Files: see diff
Branch: HEAD
Fix Description: The fix checks if the common created attributes are used as the RDN for both ADD and MODRDN operations. We disallow using nsuniqueid, creatorsName, modifiersName, modifiedTimestamp, and createTimestamp in the RDN for an external ADD operation. For a MODRDN, we disallow the same attributes in the new RDN with the exception of nsuniqueid. We want to allow nsuniqueid in the RDN from internal operations for replication conflict entries. The client will receive an LDAP_INVALID_DN_SYNTAX result if they violate the above rules.
Platforms tested: F9
Flag Day: no
Doc impact: no
QA impact: should be covered by regular nightly and manual testing
New Tests integrated into TET: none
https://bugzilla.redhat.com/attachment.cgi?id=327773&action=diff