From nhosoi at redhat.com Sat May 10 00:34:37 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 09 May 2008 17:34:37 -0700
Subject: [Fedora-directory-devel] Please review: LDAPI+AUTOBIND
In-Reply-To: <200805092235.m49MZ1gh031684@bz-web2.app.phx.redhat.com>
References: <200805092235.m49MZ1gh031684@bz-web2.app.phx.redhat.com>
Message-ID: <4824ED9D.3080400@redhat.com>

LDAPI and AUTOBIND had been implemented some time back, but AUTOBIND did
not have an option to enable at the configuration. The following review
request includes
1. introducing the configuration option --enable-autobind,
2. cleaning up the Directory Server instance creation code to support
AUTOBIND, and
3. bug fixes in the non-Linux part of slapd_get_socket_peer.

Also, I added a memo for LDAPI and AutoBind on the fedora project wiki:
http://directory.fedoraproject.org/wiki/LDAPI_and_AutoBind

Thanks,
--noriko

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
https://bugzilla.redhat.com/show_bug.cgi?id=436388

------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:35 EST -------
Created an attachment (id=304990)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
cvs diff configure.ac Makefile.am

Files:
ldapserver/configure.ac
ldapserver/Makefile.am

Description: introduced --enable-autobind
By default, autobind is off.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Summary: LDAPI: cleaning up template-ldapi*.ldif files
https://bugzilla.redhat.com/show_bug.cgi?id=436400

------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:52 EST -------
Created an attachment (id=304993)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
cvs diff template-ldapi-default.ldif.in DSCreate.pm.in

Files:
ldap/ldif/template-ldapi-default.ldif.in
ldap/admin/src/scripts/DSCreate.pm.in

Description:
LDAPI itself requires these 2 configuration parameters.
nsslapd-ldapifilepath: /var/run/slapd-.socket
nsslapd-ldapilisten: on

The rest is needed only when autobind is enabled.
Modified DSCreate to generate the following parameters when the DS is
configured with --enable-autobind.
nsslapd-ldapiautobind: off
nsslapd-ldapimaprootdn: cn=Directory Manager
nsslapd-ldapimaptoentries: off
nsslapd-ldapiuidnumbertype: uidNumber
nsslapd-ldapigidnumbertype: gidNumber
nsslapd-ldapientrysearchbase:
nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth

Fixed nsslapd-ldapientrysearchbase value to set the server's suffix (instead of
hardcoded dc=example,dc=com).

template-ldapi-default.ldif.in seems not used. But to reduce the confusion, I
updated the file, as well, for the future use.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Summary: LDAPI: enable all the platform supports for slapd_get_socket_peer and test them
https://bugzilla.redhat.com/show_bug.cgi?id=436390

------- Additional Comments From nhosoi at redhat.com 2008-05-09 19:52 EST -------
Created an attachment (id=304994)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
cvs diff slap.h getsocketpeer.c daemon.c

Files:
ldap/servers/slapd/slap.h
/getsocketpeer.c
/daemon.c

Description:
Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
and HP-UX. The recvmsg call returns an error immediately if no data is waiting
to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK). To
make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
EAGAIN. But set a retry count not to hang there.

Also introduced c_local_valid in the Connection handle to tell the autobind
code that the uid/gid pair is valid or not.

From hyc at symas.com Sat May 10 16:22:40 2008
From: hyc at symas.com (Howard Chu)
Date: Sat, 10 May 2008 09:22:40 -0700
Subject: [Fedora-directory-devel] Re: Please review: LDAPI+AUTOBIND (Noriko Hosoi)
In-Reply-To: <20080510160036.AA86A61957A@hormel.redhat.com>
References: <20080510160036.AA86A61957A@hormel.redhat.com>
Message-ID: <4825CBD0.8030105@symas.com>

> Date: Fri, 09 May 2008 17:34:37 -0700
> From: Noriko Hosoi
> Subject: [Fedora-directory-devel] Please review: LDAPI+AUTOBIND
> To: "Fedora Directory server developer discussion."
> Message-ID: <4824ED9D.3080400 at redhat.com>
> Content-Type: text/plain; charset="utf-8"
>
> LDAPI and AUTOBIND had been implemented some time back, but AUTOBIND did
> not have an option to enable at the configuration.

That was an intentional decision, with a lot of strong reasons behind it. You
seem to be ignoring all the discussion that went into this before.

https://www.redhat.com/archives/fedora-directory-devel/2007-February/msg00057.html

> The following review request includes
> 1. introducing the configuration option --enable-autobind,
> 2. cleaning up the Directory Server instance creation code to support
> AUTOBIND, and
> 3. bug fixes in the non-Linux part of slapd_get_socket_peer.

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From abartlet at samba.org Sun May 11 22:47:15 2008
From: abartlet at samba.org (Andrew Bartlett)
Date: Mon, 12 May 2008 08:47:15 +1000
Subject: [Fedora-directory-devel] Re: Please review: LDAPI+AUTOBIND (Noriko Hosoi)
In-Reply-To: <4825CBD0.8030105@symas.com>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com>
Message-ID: <1210546035.24701.3.camel@naomi>

On Sat, 2008-05-10 at 09:22 -0700, Howard Chu wrote:
> > Date: Fri, 09 May 2008 17:34:37 -0700
> > From: Noriko Hosoi
> > Subject: [Fedora-directory-devel] Please review: LDAPI+AUTOBIND
> > To: "Fedora Directory server developer discussion."
> > Message-ID: <4824ED9D.3080400 at redhat.com>
> > Content-Type: text/plain; charset="utf-8"
> >
> > LDAPI and AUTOBIND had been implemented some time back, but AUTOBIND did
> > not have an option to enable at the configuration.
>
> That was an intentional decision, with a lot of strong reasons behind it. You
> seem to be ignoring all the discussion that went into this before.
>
> https://www.redhat.com/archives/fedora-directory-devel/2007-February/msg00057.html

I think the correct patch for review should be to remove this feature.

If someone really, really wants this, it should not be very hard at all to
create a daemon that listens on a temporary, per-user ldapi:// socket, and
does an EXTERNAL bind on another (ns-slapd) socket before passing the rest of
the stream along.

If this is being set up to be enabled, what is the consumer of the API? If
not, why is this being made more visible?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

From murthy at barc.gov.in Mon May 12 05:11:09 2008
From: murthy at barc.gov.in (C.S.R.C.Murthy)
Date: Mon, 12 May 2008 10:41:09 +0530
Subject: [Fedora-directory-devel] BIND control using ACI feature request
Message-ID: <4827D16D.1090802@barc.gov.in>

Dear sir,

The ACI in fedora directory server can be used to control only
search/read/write operations but not BIND operation. This limitation leads to
certain deficiencies, as below.

Suppose for an application that is using ldap for authentication verification,
we want to specify that uids belonging to a certain group can only
authenticate, but not the entire spectrum of uids; there is no way to code it
in ACI. This is because the application can simply do a BIND operation with a
UID belonging to any group and the corresponding password and gets
authenticated. So even though I make groups, I am unable to enforce
authentication control.

May I request you to provide BIND control using ACI in a future directory
server release.

regards
murthy

From nhosoi at redhat.com Wed May 14 18:20:45 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Wed, 14 May 2008 11:20:45 -0700
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <1210546035.24701.3.camel@naomi>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi>
Message-ID: <482B2D7D.5050009@redhat.com>

Thank you for the background info and suggestions, Howard and Andrew.

We are thinking auto-bind could be useful for some type of applications and
trying to make it co-exist safely with the current features.

Here is the summary of the changes:
436388 (Item 1): --enable-autobind is supported. Unless it's set, the
auto-bind code is not compiled in.

436390 (Item 2): I updated the previous proposal based upon the feedback: now
auto-bind is executed only from the bind code and when the client explicitly
sends the SASL/EXTERNAL request to the server. On the server side, it's
disabled, by default. To enable it, nsslapd-ldapiautobind needs to be set to
"on" by an administrator. Having these changes, e.g., this search request is
authenticated as Directory Manager if it's launched by a super user.
# ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-.socket -b "cn=config" "(cn=*)"
If the EXTERNAL request is not passed, it's bound as anonymous.

436400 (Item 3): Currently, dse.ldif stores extra configuration attributes
only necessary for auto-bind, by default. They should not be there unless
auto-bind is enabled.

Your comments would be greatly appreciated.
Thanks,
--noriko

Item 1)
> Summary: LDAPI: introduce --enable-autobind to support AUTOBIND
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436388
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:35 EST -------
> Created an attachment (id=304990)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304990&action=view)
> cvs diff configure.ac Makefile.am
>
> Files:
> ldapserver/configure.ac
> ldapserver/Makefile.am
>
> Description: introduced --enable-autobind
> By default, autobind is off.

Item 2)
> Summary: LDAPI: support auto-bind
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436390
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 19:52 EST -------
> Created an attachment (id=304994)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304994&action=view)
> cvs diff slap.h getsocketpeer.c daemon.c
>
> Files:
> ldap/servers/slapd/slap.h
> /getsocketpeer.c
> /daemon.c
>
> Description:
> Debugged the basic code of slapd_get_socket_peer, which is used for Solaris9
> and HP-UX. The recvmsg call returns an error immediately if no data is waiting
> to be received since the socket is set PR_SockOpt_Nonblocking (O_NONBLOCK). To
> make slapd_get_socket_peer more robust, we have to retry recvmsg if it returns
> EAGAIN. But set a retry count not to hang there.
>
> Also introduced c_local_valid in the Connection handle to tell the autobind
> code that the uid/gid pair is valid or not.
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-13 12:23 EST -------
> Created an attachment (id=305257)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=305257&action=view)
> cvs diff daemon.c bind.c
>
> Files:
> ldap/servers/slapd/daemon.c
> /bind.c
>
> Description:
> In addition to the previous changes, I'm modifying the code as follows. The
> change in daemon.c stops the automagic/unconditional auto-bind. In bind.c,
> slapd_bind_local_user (in which auto-bind is implemented) is called. It was
> called in do_bind even before, but there was no bind type or method restriction
> set. I'm proposing to change the code to call it only when SASL/EXTERNAL
> request is passed.

Item 3)
> Summary: LDAPI: cleaning up template-ldapi*.ldif files
>
> https://bugzilla.redhat.com/show_bug.cgi?id=436400
>
> ------- Additional Comments From nhosoi at redhat.com 2008-05-09 18:52 EST -------
> Created an attachment (id=304993)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=304993&action=view)
> cvs diff template-ldapi-default.ldif.in DSCreate.pm.in
>
> Files:
> ldap/ldif/template-ldapi-default.ldif.in
> ldap/admin/src/scripts/DSCreate.pm.in
>
> Description:
> LDAPI itself requires these 2 configuration parameters.
> nsslapd-ldapifilepath: /var/run/slapd-.socket
> nsslapd-ldapilisten: on
>
> The rest is needed only when autobind is enabled.
> Modified DSCreate to generate the following parameters when the DS is
> configured with --enable-autobind.
> nsslapd-ldapiautobind: off
> nsslapd-ldapimaprootdn: cn=Directory Manager
> nsslapd-ldapimaptoentries: off
> nsslapd-ldapiuidnumbertype: uidNumber
> nsslapd-ldapigidnumbertype: gidNumber
> nsslapd-ldapientrysearchbase:
> nsslapd-ldapiautodnsuffix: cn=peercred,cn=external,cn=auth
>
> Fixed nsslapd-ldapientrysearchbase value to set the server's suffix (instead of
> hardcoded dc=example,dc=com).
>
> template-ldapi-default.ldif.in seems not used. But to reduce the confusion, I
> updated the file, as well, for the future use.

From abartlet at samba.org Fri May 16 00:41:06 2008
From: abartlet at samba.org (Andrew Bartlett)
Date: Fri, 16 May 2008 10:41:06 +1000
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <482B2D7D.5050009@redhat.com>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi> <482B2D7D.5050009@redhat.com>
Message-ID: <1210898466.3782.26.camel@naomi>

On Wed, 2008-05-14 at 11:20 -0700, Noriko Hosoi wrote:
> Thank you for the background info and suggestions, Howard and Andrew.
>
> We are thinking auto-bind could be useful for some type of applications
> and trying to make it co-existing safely with the current features.
>
> Here is the summary of the changes:
> 436388 (Item 1): --enable-autobind is supported. Unless it's set, the
> auto-bind code is not compiled in.
>
> 436390 (Item 2): I updated the previous proposal based upon the
> feedbacks: now auto-bind is executed only from the bind code and when
> the client explicitly sends the SASL/EXTERNAL request to the server. On
> the server side, it's disabled, by default. To enable it,
> nsslapd-ldapiautobind needs to be set to "on" by an administrator.
> Having these changes, e.g., this search request is authenticated as
> Directory Manager if it's launched by a super user.
> # ldapsearch -Y EXTERNAL -H ldapi://%2fvar%2frun%2fslapd-.socket
> -b "cn=config" "(cn=*)"
> If the EXTERNAL request is not passed, it's bound as anonymous.
>
> 436400 (Item 3): Currently, dse.ldif stores extra configuration
> attributes only necessary for auto-bind, by default. They should not be
> there unless auto-bind is enabled.
>
> Your comments would be greatly appreciated.

This looks much better.

If the client explicitly sends the SASL EXTERNAL bind, then this is a
desirable feature, and should (subject to ACLs and some configuration that
maps from unix to directory identities) work, preferably in the default build
(but perhaps, like OpenLDAP, without gaining any useful privileges unless
enabled by configuration).

I don't have any objection to SASL EXTERNAL binds, when described as such.
Howard and I have both objected to the concept, as described in the wiki page,
of AutoBind, where contrary to the spec, requests are authenticated implicitly,
without that SASL EXTERNAL bind.

In short: SASL EXTERNAL is the right way to do this, if you do it this way,
the objections go away.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.

From hyc at symas.com Fri May 16 07:05:01 2008
From: hyc at symas.com (Howard Chu)
Date: Fri, 16 May 2008 00:05:01 -0700
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <1210898466.3782.26.camel@naomi>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi> <482B2D7D.5050009@redhat.com> <1210898466.3782.26.camel@naomi>
Message-ID: <482D321D.308@symas.com>

Andrew Bartlett wrote:
>> This looks much better.
>
> If the client explicitly sends the SASL EXTERNAL bind, then this is a
> desirable feature, and should (subject to ACLs and some configuration
> that maps from unix to directory identities) work, preferably in the
> default build (but perhaps, like OpenLDAP, without gaining any useful
> privileges unless enabled by configuration).
>
> I don't have any objection to SASL EXTERNAL binds, when described as
> such. Howard and I have both objected to the concept, as described in
> the wiki page, of AutoBind, where contrary to the spec, requests are
> authenticated implicitly, without that SASL EXTERNAL bind.

Exactly.

> In short: SASL EXTERNAL is the right way to do this, if you do it this
> way, the objections go away.

Agreed. In fact, in that case, it would make sense to have it always enabled
(whenever the platform supports it). This is what we do with OpenLDAP.

> Andrew Bartlett

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/

From nhosoi at redhat.com Fri May 16 15:48:53 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 16 May 2008 08:48:53 -0700
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <482D321D.308@symas.com>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi> <482B2D7D.5050009@redhat.com> <1210898466.3782.26.camel@naomi> <482D321D.308@symas.com>
Message-ID: <482DACE5.9040807@redhat.com>

Thank you, Andrew! Thank you, Howard!

I'm so happy to hear your comments. I thought I fixed the bug following your
suggestion, but I was afraid I might have missed something important. So,
your feedback made me relieved... Thanks!

I'm going to check in the diffs.
--noriko

Howard Chu wrote:
> Andrew Bartlett wrote:
>>> This looks much better.
>>
>> If the client explicitly sends the SASL EXTERNAL bind, then this is a
>> desirable feature, and should (subject to ACLs and some configuration
>> that maps from unix to directory identities) work, preferably in the
>> default build (but perhaps, like OpenLDAP, without gaining any useful
>> privileges unless enabled by configuration).
>>
>> I don't have any objection to SASL EXTERNAL binds, when described as
>> such. Howard and I have both objected to the concept, as described in
>> the wiki page, of AutoBind, where contrary to the spec, requests are
>> authenticated implicitly, without that SASL EXTERNAL bind.
>
> Exactly.
>
>> In short: SASL EXTERNAL is the right way to do this, if you do it this
>> way, the objections go away.
>
> Agreed. In fact, in that case, it would make sense to have it always
> enabled (whenever the platform supports it). This is what we do with
> OpenLDAP.
>
>> Andrew Bartlett
>

From michele-lists at pupazzo.org Sun May 18 11:18:24 2008
From: michele-lists at pupazzo.org (Michele Baldessari) Date: Sun, 18 May 2008 13:18:24 +0200 Subject: [Fedora-directory-devel] A couple of build cleanups Message-ID: <1211109504.21048.28.camel@conrad.int.rhx> Hi all, I am working on packaging FDS for debian [1], and here are a couple of changes that make sense upstream. I'm posting everything in one mail, but should you want me to file separate issues in bugzilla let me know. - Remove explicit softokn3 linking (it's deprecated anyway. See also #446101): --- Makefile.am.orig 2008-05-18 13:10:27.000000000 +0200 +++ Makefile.am 2008-05-18 13:10:33.000000000 +0200 @@ -39,7 +39,7 @@ # Linker Flags #------------------------ NSPR_LINK = @nspr_lib@ -lplc4 -lplds4 -lnspr4 -NSS_LINK = @nss_lib@ -lssl3 -lnss3 -lsoftokn3 +NSS_LINK = @nss_lib@ -lssl3 -lnss3 LDAPSDK_LINK = @ldapsdk_lib@ -lssldap60 -lprldap60 -lldap60 -lldif60 DB_LINK = @db_lib@ -ldb- at db_libver@ SASL_LINK = @sasl_lib@ -lsasl2 - Expand Makefile.am CLEANFILES target with other generated files: --- Makefile.am.orig 2008-05-18 13:10:27.000000000 +0200 +++ Makefile.am 2008-05-18 13:16:34.000000000 +0200 
@@ -59,7 +59,32 @@ #------------------------ BUILT_SOURCES = dirver.h dberrstrs.h -CLEANFILES = dirver.h dberrstrs.h ns-slapd.properties +CLEANFILES = dirver.h dberrstrs.h ns-slapd.properties ldap/admin/src/scripts/dscreate.map \ + ldap/admin/src/scripts/DSCreate.pm ldap/admin/src/scripts/DSMigration.pm \ + ldap/admin/src/scripts/dsorgentries.map ldap/admin/src/scripts/migrate-ds.pl \ + ldap/admin/src/scripts/Migration.pm ldap/admin/src/scripts/SetupDialogs.pm \ + ldap/admin/src/scripts/setup-ds.pl ldap/admin/src/scripts/setup-ds.res \ + ldap/admin/src/scripts/Setup.pm ldap/admin/src/scripts/template-bak2db \ + ldap/admin/src/scripts/template-bak2db.pl ldap/admin/src/scripts/template-db2bak \ + ldap/admin/src/scripts/template-db2bak.pl ldap/admin/src/scripts/template-db2index \ + ldap/admin/src/scripts/template-db2index.pl ldap/admin/src/scripts/template-db2ldif \ + ldap/admin/src/scripts/template-db2ldif.pl ldap/admin/src/scripts/template-dbverify \ + ldap/admin/src/scripts/template-ldif2db ldap/admin/src/scripts/template-ldif2db.pl \ + ldap/admin/src/scripts/template-ldif2ldap ldap/admin/src/scripts/template-monitor \ + ldap/admin/src/scripts/template-ns-accountstatus.pl ldap/admin/src/scripts/template-ns-activate.pl \ + ldap/admin/src/scripts/template-ns-inactivate.pl ldap/admin/src/scripts/template-ns-newpwpolicy.pl \ + ldap/admin/src/scripts/template-restart-slapd ldap/admin/src/scripts/template-restoreconfig \ + ldap/admin/src/scripts/template-saveconfig ldap/admin/src/scripts/template-start-slapd \ + ldap/admin/src/scripts/template-stop-slapd ldap/admin/src/scripts/template-suffix2instance \ + ldap/admin/src/scripts/template-upgradedb ldap/admin/src/scripts/template-verify-db.pl \ + ldap/admin/src/scripts/template-vlvindex ldap/admin/src/scripts/Util.pm \ + ldap/ldif/template-baseacis.ldif ldap/ldif/template-bitwise.ldif ldap/ldif/template-country.ldif \ + ldap/ldif/template-dnaplugin.ldif ldap/ldif/template-domain.ldif ldap/ldif/template-dse.ldif \ + 
ldap/ldif/template-ldapi-autobind.ldif ldap/ldif/template-ldapi-default.ldif \ + ldap/ldif/template-ldapi.ldif ldap/ldif/template-locality.ldif ldap/ldif/template-org.ldif \ + ldap/ldif/template-orgunit.ldif ldap/ldif/template-pampta.ldif ldap/ldif/template-sasl.ldif \ + ldap/ldif/template-state.ldif ldap/ldif/template-suffix-db.ldif + dirver.h: Makefile perl $(srcdir)/dirver.pl -v "$(VERSION)" -o dirver.h regards, Michele [1] http://lists.alioth.debian.org/pipermail/pkg-fedora-ds-maintainers/2008-April/000004.html -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: This is a digitally signed message part URL: From Andrey.Ivanov at polytechnique.fr Wed May 21 13:37:24 2008 
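Review bot: The first hunk drops -lsoftokn3 from NSS_LINK on the strength of "it's deprecated anyway" and bug #446101, but the submission does not say that the tree was checked for direct references to softoken symbols, nor that ns-slapd and the plugins still link cleanly with `NSS_LINK = @nss_lib@ -lssl3 -lnss3`; state both, and carry the #446101 reference in the commit message so the reason for the removal survives outside this thread.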
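Review bot: The second hunk turns CLEANFILES into a hand-maintained list of roughly fifty generated files under ldap/admin/src/scripts and ldap/ldif, which will silently drift whenever a template is added or renamed (this very thread is adding LDAPI/autobind templates, and ldap/ldif/template-ldapi-autobind.ldif already has to be listed by hand). Derive the list from whatever variable the build already uses to enumerate the .in sources, along the lines of `CLEANFILES += $(generated_scripts) $(generated_ldif)` (variable names illustrative), or at least split it into one named variable per directory kept next to the rules that generate those files; the trailing context `dirver.h: Makefile` shows the per-file rules sit directly below, so the cleanup list and the generation rules can live together.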
From: Andrey.Ivanov at polytechnique.fr (Andrey Ivanov)
Date: Wed, 21 May 2008 15:37:24 +0200
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <482DACE5.9040807@redhat.com>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi> <482B2D7D.5050009@redhat.com> <1210898466.3782.26.camel@naomi> <482D321D.308@symas.com> <482DACE5.9040807@redhat.com>
Message-ID: <3413078.20080521153724@polytechnique.edu>

Hi,

On the page of ldapi/auto-bind I have found the following paragraph:

If "nsslapd-ldapimaptoentries" value is "on", the uid and gid are searched
with the filter "(&(uidNumber=)(gidNumber=)" under the search base
"nsslapd-ldapientrysearchbase". Once a matched entry is found, the client is
authenticated as the entry. The uidNumber and gidNumber attribute name are
configurable with "nsslapd-ldapiuidnumbertype" and
"nsslapd-ldapigidnumbertype", respectively. Password is not necessary in the
authentication.

What happens if there are several entries corresponding to the
above-mentioned filter? Is the bind refused, or is there a random bind? Or
will it make an anonymous bind? I think this question should be clearly
defined (as it is defined in PKI external authentication with FDS).

Andrey Ivanov

Direction des Systemes d'Information
Ecole Polytechnique
91128 Palaiseau CEDEX
France

From nhosoi at redhat.com Wed May 21 16:14:00 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Wed, 21 May 2008 09:14:00 -0700
Subject: [Fedora-directory-devel] Please review (revised): LDAPI+AUTOBIND
In-Reply-To: <3413078.20080521153724@polytechnique.edu>
References: <20080510160036.AA86A61957A@hormel.redhat.com> <4825CBD0.8030105@symas.com> <1210546035.24701.3.camel@naomi> <482B2D7D.5050009@redhat.com> <1210898466.3782.26.camel@naomi> <482D321D.308@symas.com> <482DACE5.9040807@redhat.com> <3413078.20080521153724@polytechnique.edu>
Message-ID: <48344A48.3050907@redhat.com>

Andrey,

Thank you for pointing it out. If multiple entries are found, the
MapToEntries is considered failed. And it falls through to the next step:
checking whether the client user is a super user or not. If it's not, it's
going to be an anonymous bind.

I'm updating the memo. Thanks!
--noriko

Andrey Ivanov wrote:
> Hi,
>
> On the page of ldapi/auto-bind I have found the following paragraph:
>
> If "nsslapd-ldapimaptoentries" value is "on", the uid and gid are
> searched with the filter "(&(uidNumber=)(gidNumber=)" under
> the search base "nsslapd-ldapientrysearchbase". Once a matched entry
> is found, the client is authenticated as the entry. The uidNumber and
> gidNumber attribute name are configurable with
> "nsslapd-ldapiuidnumbertype" and "nsslapd-ldapigidnumbertype",
> respectively. Password is not necessary in the authentication.
>
> What happens if there are several entries corresponding to the
> above-mentioned filter? Is the bind refused, or is there a random bind?
> Or will it make an anonymous bind? I think this question should be
> clearly defined (as it is defined in PKI external authentication
> with FDS).
>
> Andrey Ivanov
>
> Direction des Systemes d'Information
> Ecole Polytechnique
> 91128 Palaiseau CEDEX
> France
>
> --
> Fedora-directory-devel mailing list
> Fedora-directory-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-devel
>

From nhosoi at redhat.com Fri May 30 23:58:36 2008
From: nhosoi at redhat.com (Noriko Hosoi)
Date: Fri, 30 May 2008 16:58:36 -0700
Subject: [Fedora-directory-devel] Please review: [Bug 436837] Dynamically reload schema via task interface
Message-ID: <484094AC.8050700@redhat.com>

Summary: Dynamically reload schema via task interface
https://bugzilla.redhat.com/show_bug.cgi?id=436837

"Dynamically reload schema via task interface" is introduced to support these
requirements:
- managing user specified schema file names instead of putting all the user
  defined schema into 99user.ldif
- reloading schema from the schema files without the server downtime

------- Additional Comments From nhosoi at redhat.com 2008-05-30 19:49 EST -------
Created an attachment (id=307257)
 --> (https://bugzilla.redhat.com/attachment.cgi?id=307257&action=view)
cvs diffs

Modified files:
ldap/servers/slapd/attrsyntax.c
ldap/servers/slapd/backend.c
ldap/servers/slapd/backend_manager.c
ldap/servers/slapd/dse.c
ldap/servers/slapd/entry.c
ldap/servers/slapd/mapping_tree.c
ldap/servers/slapd/pblock.c
ldap/servers/slapd/proto-slap.h
ldap/servers/slapd/schema.c
ldap/servers/slapd/schemaparse.c
ldap/servers/slapd/slap.h
ldap/servers/slapd/slapi-plugin.h
ldap/servers/slapd/slapi-private.h
ldap/servers/slapd/back-ldbm/init.c
ldap/ldif/template-dse.ldif.in
Makefile.am

New file:
ldap/servers/plugins/schema_reload/schema_reload.c

Description: see http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema

In addition to the test cases in the wiki page, ran the concurrency check
(test case 6) in the wiki against the valgrind'ed server. Some memory leaks
and attribute syntax info (struct asyntaxinfo) leaks were found. The leaks
are also fixed.