From: Kurt Zeilenga Date: Sun, 10 Jul 2005 06:36:39 +0000 (+0000) Subject: Sync with HEAD X-Git-Tag: OPENLDAP_REL_ENG_2_3_5~33 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=899b9f01602c65d6f36cde61be092757e116d7d4;p=openldap Sync with HEAD --- diff --git a/COPYRIGHT b/COPYRIGHT index e76700d774..bb20ca0362 100644 --- a/COPYRIGHT +++ b/COPYRIGHT @@ -36,8 +36,8 @@ Public License. --- -Portions Copyright 1999-2003 Howard Y.H. Chu. -Portions Copyright 1999-2003 Symas Corporation. +Portions Copyright 1999-2005 Howard Y.H. Chu. +Portions Copyright 1999-2005 Symas Corporation. Portions Copyright 1998-2003 Hallvard B. Furuseth. All rights reserved. diff --git a/build/shtool b/build/shtool index b17658831e..2680d69380 100755 --- a/build/shtool +++ b/build/shtool @@ -1,12 +1,12 @@ #!/bin/sh ## ## GNU shtool -- The GNU Portable Shell Tool -## Copyright (c) 1994-2004 Ralf S. Engelschall +## Copyright (c) 1994-2005 Ralf S. Engelschall ## ## See http://www.gnu.org/software/shtool/ for more information. ## See ftp://ftp.gnu.org/gnu/shtool/ for latest version. ## -## Version: 2.0.1 (11-Aug-2004) +## Version: 2.0.2 (15-Jun-2005) ## Contents: 6/19 available modules ## @@ -67,8 +67,8 @@ if [ $# -eq 0 ]; then exit 1 fi if [ ".$1" = ".-h" ] || [ ".$1" = ".--help" ]; then - echo "This is GNU shtool, version 2.0.1 (11-Aug-2004)" - echo "Copyright (c) 1994-2004 Ralf S. Engelschall " + echo "This is GNU shtool, version 2.0.2 (15-Jun-2005)" + echo "Copyright (c) 1994-2005 Ralf S. Engelschall " echo "Report bugs to " echo '' echo "Usage: shtool [] [ [] []]" 
@@ -136,11 +136,11 @@ if [ ".$1" = ".-h" ] || [ ".$1" = ".--help" ]; then exit 0 fi if [ ".$1" = ".-v" ] || [ ".$1" = ".--version" ]; then - echo "GNU shtool 2.0.1 (11-Aug-2004)" + echo "GNU shtool 2.0.2 (15-Jun-2005)" exit 0 fi if [ ".$1" = ".-r" ] || [ ".$1" = ".--recreate" ]; then - shtoolize -obuild/shtool echo move install mkdir mkln subst + shtoolize -oshtool echo move install mkdir mkln subst exit 0 fi if [ ".$1" = ".-d" ] || [ ".$1" = ".--debug" ]; then @@ -404,6 +404,7 @@ esac # establish a temporary file on request if [ ".$gen_tmpfile" = .yes ]; then + # create (explicitly) secure temporary directory if [ ".$TMPDIR" != . ]; then tmpdir="$TMPDIR" elif [ ".$TEMPDIR" != . ]; then @@ -411,10 +412,19 @@ if [ ".$gen_tmpfile" = .yes ]; then else tmpdir="/tmp" fi - tmpfile="$tmpdir/.shtool.$$" - rm -f $tmpfile >/dev/null 2>&1 - touch $tmpfile - chmod 600 $tmpfile + tmpdir="$tmpdir/.shtool.$$" + ( umask 077 + rm -rf "$tmpdir" >/dev/null 2>&1 || true + mkdir "$tmpdir" >/dev/null 2>&1 + if [ $? -ne 0 ]; then + echo "$msgprefix:Error: failed to create temporary directory \`$tmpdir'" 1>&2 + exit 1 + fi + ) + + # create (implicitly) secure temporary file + tmpfile="$tmpdir/shtool.tmp" + touch "$tmpfile" fi # utility function: map string to lower case @@ -431,7 +441,7 @@ util_upper () { shtool_exit () { rc="$1" if [ ".$gen_tmpfile" = .yes ]; then - rm -f $tmpfile >/dev/null 2>&1 || true + rm -rf "$tmpdir" >/dev/null 2>&1 || true fi exit $rc } @@ -445,7 +455,7 @@ case $tool in echo ) ## ## echo -- Print string with optional construct expansion - ## Copyright (c) 1998-2004 Ralf S. Engelschall + ## Copyright (c) 1998-2005 Ralf S. Engelschall ## text="$*" @@ -743,7 +753,7 @@ echo ) move ) ## ## move -- Move files with simultaneous substitution - ## Copyright (c) 1999-2004 Ralf S. Engelschall + ## Copyright (c) 1999-2005 Ralf S. Engelschall ## src="$1" 
@@ -835,7 +845,7 @@ move ) install ) ## ## install -- Install a program, script or datafile - ## Copyright (c) 1997-2004 Ralf S. Engelschall + ## Copyright (c) 1997-2005 Ralf S. Engelschall ## # special case: "shtool install -d [...]" internally @@ -998,7 +1008,7 @@ install ) mkdir ) ## ## mkdir -- Make one or more directories - ## Copyright (c) 1996-2004 Ralf S. Engelschall + ## Copyright (c) 1996-2005 Ralf S. Engelschall ## errstatus=0 @@ -1086,7 +1096,7 @@ mkdir ) mkln ) ## ## mkln -- Make link with calculation of relative paths - ## Copyright (c) 1998-2004 Ralf S. Engelschall + ## Copyright (c) 1998-2005 Ralf S. Engelschall ## # determine source(s) and destination @@ -1237,7 +1247,7 @@ mkln ) subst ) ## ## subst -- Apply sed(1) substitution operations - ## Copyright (c) 2001-2004 Ralf S. Engelschall + ## Copyright (c) 2001-2005 Ralf S. Engelschall ## # remember optional list of file(s) diff --git a/configure.in b/configure.in index 1755722d87..eb1f52fb7c 100644 --- a/configure.in +++ b/configure.in @@ -243,7 +243,7 @@ OL_ARG_ENABLE(sql,[ --enable-sql enable sql backend no|yes|mod], dnl ---------------------------------------------------------------- dnl SLAPD Overlay Options Overlays="accesslog denyop dyngroup dynlist glue lastmod ppolicy proxycache \ - refint rwm syncprov translucent unique" + refint retcode rwm syncprov translucent unique" AC_ARG_WITH(xxslapoverlays,[ SLAPD Overlay Options:]) @@ -268,6 +268,8 @@ OL_ARG_ENABLE(proxycache,[ --enable-proxycache Proxy Cache overlay no|yes|m no, [no yes mod]) OL_ARG_ENABLE(refint,[ --enable-refint Referential Integrity overlay no|yes|mod], no, [no yes mod]) +OL_ARG_ENABLE(retcode,[ --enable-retcode Return Code testing overlay no|yes|mod], + no, [no yes mod]) OL_ARG_ENABLE(rwm,[ --enable-rwm Rewrite/Remap overlay no|yes|mod], no, [no yes mod]) OL_ARG_ENABLE(syncprov,[ --enable-syncprov Syncrepl Provider overlay no|yes|mod], 
@@ -533,6 +535,7 @@ BUILD_LASTMOD=no BUILD_PPOLICY=no BUILD_PROXYCACHE=no BUILD_REFINT=no +BUILD_RETCODE=no BUILD_RWM=no BUILD_SYNCPROV=no BUILD_TRANSLUCENT=no @@ -2877,6 +2880,18 @@ if test "$ol_enable_refint" != no ; then AC_DEFINE_UNQUOTED(SLAPD_OVER_REFINT,$MFLAG,[define for Referential Integrity overlay]) fi +if test "$ol_enable_retcode" != no ; then + BUILD_RETCODE=$ol_enable_retcode + if test "$ol_enable_retcode" = mod ; then + MFLAG=SLAPD_MOD_DYNAMIC + SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS retcode.la" + else + MFLAG=SLAPD_MOD_STATIC + SLAPD_STATIC_OVERLAYS="$SLAPD_STATIC_OVERLAYS retcode.o" + fi + AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Referential Integrity overlay]) +fi + if test "$ol_enable_rwm" != no ; then BUILD_REWRITE=yes BUILD_RWM=$ol_enable_rwm @@ -2991,6 +3006,7 @@ dnl overlays AC_SUBST(BUILD_PPOLICY) AC_SUBST(BUILD_PROXYCACHE) AC_SUBST(BUILD_REFINT) + AC_SUBST(BUILD_RETCODE) AC_SUBST(BUILD_RWM) AC_SUBST(BUILD_SYNCPROV) AC_SUBST(BUILD_TRANSLUCENT) diff --git a/contrib/slapd-modules/smbk5pwd/README b/contrib/slapd-modules/smbk5pwd/README index ec599bedbf..8ccad2f05a 100644 --- a/contrib/slapd-modules/smbk5pwd/README +++ b/contrib/slapd-modules/smbk5pwd/README @@ -16,7 +16,7 @@ The Kerberos support is written for Heimdal using its hdb-ldap backend. If a PasswordModify is performed on an entry that has the krb5KDCEntry objectclass, then the krb5Key and krb5KeyVersionNumber will be updated using the new password in the PasswordModify request. Additionally, a -new "{K5KEY}" password hash mechanism is provided. krb5KDCEntries that +new "{K5KEY}" password hash mechanism is provided. For krb5KDCEntries that have this hash specifier in their userPassword attribute, Simple Binds will be checked against the Kerberos keys of the Entry. No data is needed after the "{K5KEY}" hash specifier in the userPassword, it is 
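Review bot: The new retcode block's `AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Referential Integrity overlay])` carries the description copied from the refint block directly above it, so the generated configuration header will describe SLAPD_OVER_RETCODE as the Referential Integrity overlay. It should read `AC_DEFINE_UNQUOTED(SLAPD_OVER_RETCODE,$MFLAG,[define for Return Code testing overlay])`, matching the `--enable-retcode` help text this patch adds in the OL_ARG_ENABLE hunk at the start of the configure.in section. The remainder of the block (BUILD_RETCODE, the MFLAG choice, the retcode.la/retcode.o list additions and the AC_SUBST) mirrors the refint block and looks consistent.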
@@ -50,7 +50,10 @@ paths are used. You can change the DEFS macro if you only want one or the other of Kerberos or Samba support. This overlay is only set up to be built as a dynamically loaded module. -If you need to build it statically, you will have to move it into the +On most platforms, in order for the module to be usable, all of the +library dependencies must also be available as shared libraries. + +If you need to build the overlay statically, you will have to move it into the slapd/overlays directory and edit the Makefile and overlays.c to reference it. You will also have to define SLAPD_OVER_SMBK5PWD to SLAPD_MOD_STATIC, and add the relevant libraries to the main slapd link command. diff --git a/doc/guide/COPYRIGHT b/doc/guide/COPYRIGHT index ea66006b56..bb20ca0362 100644 --- a/doc/guide/COPYRIGHT +++ b/doc/guide/COPYRIGHT @@ -1,13 +1,13 @@ -Copyright 1998-2001 The OpenLDAP Foundation +Copyright 1998-2005 The OpenLDAP Foundation All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License. -A copy of this license is available in file LICENSE in the +A copy of this license is available in the file LICENSE in the top-level directory of the distribution or, alternatively, at - +. OpenLDAP is a registered trademark of the OpenLDAP Foundation. @@ -20,14 +20,14 @@ at . This work also contains materials derived from public sources. -Additional information about OpenLDAP software can be obtained at +Additional information about OpenLDAP can be obtained at . --- -Portions Copyright 1998-2003 Kurt D. Zeilenga. -Portions Copyright 1998-2003 Net Boolean Incorporated. -Portions Copyright 2001-2003 IBM Corporation. +Portions Copyright 1998-2005 Kurt D. Zeilenga. +Portions Copyright 1998-2005 Net Boolean Incorporated. +Portions Copyright 2001-2005 IBM Corporation. All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -36,8 +36,8 @@ Public License. --- -Portions Copyright 1999-2003 Howard Y.H. Chu. -Portions Copyright 1999-2003 Symas Corporation. +Portions Copyright 1999-2005 Howard Y.H. Chu. +Portions Copyright 1999-2005 Symas Corporation. Portions Copyright 1998-2003 Hallvard B. Furuseth. All rights reserved. @@ -55,7 +55,8 @@ All rights reserved. Redistribution and use in source and binary forms are permitted provided that this notice is preserved and that due credit is given -to the University of Michigan at Ann Arbor. The name of the University -may not be used to endorse or promote products derived from this -software without specific prior written permission. This software -is provided ``as is'' without express or implied warranty. +to the University of Michigan at Ann Arbor. The name of the +University may not be used to endorse or promote products derived +from this software without specific prior written permission. This +software is provided ``as is'' without express or implied warranty. + diff --git a/doc/guide/admin/slapdconf2.sdf b/doc/guide/admin/slapdconf2.sdf index 9c0d49bb0e..dde88e0584 100644 --- a/doc/guide/admin/slapdconf2.sdf +++ b/doc/guide/admin/slapdconf2.sdf @@ -774,9 +774,10 @@ Directives in this category apply to both the {{TERM:BDB}} and the {{TERM:HDB}} database. They are used in an olcDatabase entry in addition to the generic database directives defined above. For a complete reference -of BDB/HDB configuration directives, see {{slapd-bdb}}(5). BDB and -HDB database entries must have the {{EX:olcBdbConfig}} objectClass in -addition to the {{EX:olcDatabaseConfig}} class. +of BDB/HDB configuration directives, see {{slapd-bdb}}(5). In +addition to the {{EX:olcDatabaseConfig}} objectClass, BDB and HDB +database entries must have the {{EX:olcBdbConfig}} and +{{EX:olcHdbConfig}} objectClass, respectively. H4: olcDbDirectory: 
@@ -970,7 +971,7 @@ H4: Sample Entry >dn: olcDatabase=hdb,cn=config >objectClass: olcDatabaseConfig ->objectClass: olcBdbConfig +>objectClass: olcHdbConfig >olcDatabase: hdb >olcSuffix: "dc=example,dc=com" >olcDbDirectory: /usr/local/var/openldap-data diff --git a/doc/guide/preamble.sdf b/doc/guide/preamble.sdf index 63f503ac78..f11257249d 100644 --- a/doc/guide/preamble.sdf +++ b/doc/guide/preamble.sdf @@ -91,7 +91,7 @@ ________________

________________
-© Copyright 2003, OpenLDAP Foundation, info@OpenLDAP.org
+© Copyright 2005, OpenLDAP Foundation, info@OpenLDAP.org !endblock !endmacro diff --git a/doc/man/man1/ldapsearch.1 b/doc/man/man1/ldapsearch.1 index df4cf7227d..628712b01e 100644 --- a/doc/man/man1/ldapsearch.1 +++ b/doc/man/man1/ldapsearch.1 @@ -128,7 +128,7 @@ makes control critical. .BI \-S \ attribute Sort the entries returned based on \fIattribute\fP. The default is not to sort entries returned. If \fIattribute\fP is a zero-length string (""), -the entries are sorted by the components of their Distingished Name. See +the entries are sorted by the components of their Distinguished Name. See .BR ldap_sort (3) for more details. Note that .B ldapsearch diff --git a/doc/man/man3/lber-types.3 b/doc/man/man3/lber-types.3 index 7ea74dd9c7..be43c963b5 100644 --- a/doc/man/man3/lber-types.3 +++ b/doc/man/man3/lber-types.3 @@ -88,7 +88,7 @@ points to .B bv_len octets. .B bv_val -is not necessarly terminated by a NUL (zero) octet. +is not necessarily terminated by a NUL (zero) octet. .BR ber_bvfree () frees a BerValue, pointed to by \fIbv\fP, returned from this API. If \fIbv\fP is NULL, the routine does nothing. diff --git a/doc/man/man3/ldap.3 b/doc/man/man3/ldap.3 index fae4ee2bf7..f75c3b9912 100644 --- a/doc/man/man3/ldap.3 +++ b/doc/man/man3/ldap.3 @@ -60,9 +60,9 @@ Errors can be interpreted by calling .BR ldap_err2string (3). .SH LDAP versions This library supports version 3 of the Lightweight Directory Access -Protocol (LDAPv3) as defined in RFC 3377. It also supports a varient +Protocol (LDAPv3) as defined in RFC 3377. It also supports a variant of version 2 of LDAP as defined by U-Mich LDAP and, to some degree, -RFC 1777. Version 2 (all varients) should be viewed as obsolete. +RFC 1777. Version 2 (all variants) should be viewed as obsolete. Version 3 should be used instead. .LP For backwards compatibility reasons, the library defaults to version 2. diff --git a/doc/man/man3/ldap_get_dn.3 b/doc/man/man3/ldap_get_dn.3 index c1757770de..59d8b4c469 100644 
--- a/doc/man/man3/ldap_get_dn.3 +++ b/doc/man/man3/ldap_get_dn.3 @@ -184,7 +184,7 @@ is used to turn a DN as returned by .BR ldap_get_dn (3) into a more user-friendly form, stripping off all type names. See "Using the Directory to Achieve User Friendly Naming" (RFC 1781) -for more details on the UFN format. Due to the ambigious nature +for more details on the UFN format. Due to the ambiguous nature of the format, it is generally only used for display purposes. The space for the UFN returned is obtained dynamically and the user is responsible for freeing it via a call to diff --git a/doc/man/man3/ldap_result.3 b/doc/man/man3/ldap_result.3 index 64552a55af..34756156d3 100644 --- a/doc/man/man3/ldap_result.3 +++ b/doc/man/man3/ldap_result.3 @@ -62,13 +62,13 @@ the responses of a search operation. .LP A search response is made up of zero or more search entries, zero or more search references, and zero or -more extended parital responses followed by a search result. If +more extended partial responses followed by a search result. If \fIall\fP is set to 0, search entries will be returned one at a time as they come in, via separate calls to .BR ldap_result() . If it's set to 1, the search response will only be returned in its entirety, i.e., after all entries, -all references, all extended parital responses, and the final search +all references, all extended partial responses, and the final search result have been received. .LP Upon success, the type of the result received is returned and the diff --git a/doc/man/man3/ldap_schema.3 b/doc/man/man3/ldap_schema.3 index d72e308928..93b007a01c 100644 --- a/doc/man/man3/ldap_schema.3 +++ b/doc/man/man3/ldap_schema.3 
@@ -119,7 +119,7 @@ int code; These routines are used to parse schema definitions in the syntax defined in RFC 2252 into structs and handle these structs. These routines handle four kinds of definitions: syntaxes, matching rules, -attribute types and objectclasses. For each definition kind, four +attribute types and object classes. For each definition kind, four routines are provided. .LP .B ldap_str2xxx() diff --git a/doc/man/man3/ldap_search.3 b/doc/man/man3/ldap_search.3 index 18d678c368..5beb48636b 100644 --- a/doc/man/man3/ldap_search.3 +++ b/doc/man/man3/ldap_search.3 @@ -56,7 +56,7 @@ the message id of the operation it initiated. \fIScope\fP is the scope of the search and should be one of LDAP_SCOPE_BASE, to search the object itself, LDAP_SCOPE_ONELEVEL, to search the object's immediate children, -or LDAP_SCOPE_SUBTREE, to search the object and all its descendents. +or LDAP_SCOPE_SUBTREE, to search the object and all its descendants. .LP \fIFilter\fP is a string representation of the filter to apply in the search. Simple filters diff --git a/doc/man/man5/ldap.conf.5 b/doc/man/man5/ldap.conf.5 index a2a3141494..af22fc7ff7 100644 --- a/doc/man/man5/ldap.conf.5 +++ b/doc/man/man5/ldap.conf.5 @@ -55,7 +55,8 @@ The different configuration options are: Specifies the URI(s) of an LDAP server(s) to which the .I LDAP library should connect. The URI scheme may be either -.BR ldap or +.B ldap +or .B ldaps which refer to LDAP over TCP and LDAP over SSL (TLS) respectively. Each server's name can be specified as a @@ -92,6 +93,14 @@ The port may be specified as a number. is deprecated in favor of .BR URI. .TP +.B REFERRALS +Specifies if the client should automatically follow referrals returned +by LDAP servers. +The default is on. +Note that the command line tools +.BR ldapsearch (1) +&co always override this option. +.TP .B SIZELIMIT Specifies a size limit to use when performing searches. The number should be a non-negative integer. \fISIZELIMIT\fP of zero (0) 
@@ -260,7 +269,7 @@ is immediately terminated. This is the default setting. .TP .B TLS_CRLCHECK Specifies if the Certificate Revocation List (CRL) of the CA should be -used to verify if the server certicates have not been revoked. This +used to verify if the server certificates have not been revoked. This requires .B TLS_CACERTDIR parameter to be set. @@ -301,7 +310,9 @@ user ldap configuration file .I $CWD/ldaprc local ldap configuration file .SH "SEE ALSO" -.BR ldap (3) +.BR ldap (3), +.BR openssl (1), +.BR sasl (3) .SH AUTHOR Kurt Zeilenga, The OpenLDAP Project .SH ACKNOWLEDGEMENTS diff --git a/doc/man/man5/ldif.5 b/doc/man/man5/ldif.5 index d5abe38c83..5d2e17376a 100644 --- a/doc/man/man5/ldif.5 +++ b/doc/man/man5/ldif.5 @@ -38,7 +38,7 @@ or tab, e.g., .ft .fi .LP -Lines beginning with a sharpe sign ('#') are ignored. +Lines beginning with a sharp sign ('#') are ignored. .LP Multiple attribute values are specified on separate lines, e.g., .LP diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 1df057ef8b..80e408ffb6 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -231,6 +231,10 @@ permissions, or the asserted identities must have appropriate permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server. +Flags can be + +\fBoverride,{prescriptive|non-prescriptive}\fP + When the .B override flag is used, identity assertion takes place even when the database 
@@ -239,6 +243,20 @@ with the provided identity, and thus authenticating it, the proxy performs the identity assertion using the configured identity and authentication method. +When the +.B prescriptive +flag is used (the default), operations fail with +\fIinappropriateAuthentication\fP +for those identities whose assertion is not allowed by the +.B idassert-authzFrom +patterns. +If the +.B non-prescriptive +flag is used, operations are performed anonymously for those identities +whose assertion is not allowed by the +.B idassert-authzFrom +patterns. + This directive obsoletes .BR idassert-authcDN , .BR idassert-passwd , @@ -276,7 +294,7 @@ in conjunction with Proxy Authorization. .B rebind-as-user {NO|yes} If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals. Useful when -\fBchase-referrals\fP is set to \fByes\P, useless otherwise. +\fBchase-referrals\fP is set to \fByes\fP, useless otherwise. .TP .B chase-referrals {YES|no} @@ -299,7 +317,7 @@ enable if the remote server supports absolute filters (see \fIdraft-zeilenga-ldap-t-f\fP for details). If set to .BR discover , -support is detected by reading the remote server's rootDSE. +support is detected by reading the remote server's root DSE. .SH BACKWARD COMPATIBILITY The LDAP backend has been heavily reworked between releases 2.2 and 2.3; @@ -342,7 +360,7 @@ and may be dismissed in the future. .B idassert-authcDN "" DN which is used to propagate the client's identity to the target by means of the proxyAuthz control when the client does not -belong to the DIT fragment that is being proxyied by back-ldap. +belong to the DIT fragment that is being proxied by back-ldap. This directive is obsoleted by .BR idassert-bind , and may be dismissed in the future. diff --git a/doc/man/man5/slapd-ldbm.5 b/doc/man/man5/slapd-ldbm.5 index 3bff2270e2..3aea63bb6c 100644 --- a/doc/man/man5/slapd-ldbm.5 +++ b/doc/man/man5/slapd-ldbm.5 
@@ -53,7 +53,7 @@ Flush dirty database buffers to disk every seconds. Implies .B dbnosync -(ie. indvidual updates are no longer written to disk). +(ie. individual updates are no longer written to disk). It attempts to avoid syncs during periods of peak activity by waiting .B seconds if the server is busy, repeating this delay up to diff --git a/doc/man/man5/slapd-ldif.5 b/doc/man/man5/slapd-ldif.5 index 8360fd9861..4f28cefc04 100644 --- a/doc/man/man5/slapd-ldif.5 +++ b/doc/man/man5/slapd-ldif.5 @@ -48,6 +48,6 @@ default slapd configuration file .SH SEE ALSO .BR slapd.conf (5), .BR slapd (8), -.BR LDIF (5). +.BR ldif (5). .SH AUTHOR Eric Stokes diff --git a/doc/man/man5/slapd-meta.5 b/doc/man/man5/slapd-meta.5 index 316c49ac48..e686aaf9a7 100644 --- a/doc/man/man5/slapd-meta.5 +++ b/doc/man/man5/slapd-meta.5 
@@ -50,31 +50,33 @@ Other database options are described in the .BR slapd.conf (5) manual page. .LP -Note: as with the -.B ldap -backend, operational attributes related to entry creation/modification -should not be used, as they would be passed to the target servers, -generating an error. -Moreover, it makes little sense to use such attributes in proxying, as -the proxy server doesn't actually store data, so it should have no -knowledge of such attributes. -While code to strip the modification attributes has been put in place -(and #ifdef'd), it implies unmotivated overhead. -So it is strongly recommended to set +Note: In early versions of back-ldap and back-meta it was recommended to always set +.LP .RS +.nf lastmod off +.fi .RE +.LP for every .B ldap and .B meta -backend. +database. +This is because operational attributes related to entry creation and +modification should not be proxied, as they could be mistakenly written +to the target server(s), generating an error. +The current implementation automatically sets lastmod to off, so its use +is redundant and should be omitted, because the lastmod directive will +be deprecated in the future. + .SH SPECIAL CONFIGURATION DIRECTIVES Target configuration starts with the "uri" directive. All the configuration directives that are not specific to targets should be defined first for clarity, including those that are common to all backends. They are: + .TP .B default-target none This directive forces the backend to reject all those operations @@ -86,6 +88,7 @@ matches an attempt is made to perform the operation on any candidate target, with the constraint that at most one must succeed. This directive can also be used when processing targets to mark a specific target as default. + .TP .B dncache-ttl {forever|disabled|} This directive sets the time-to-live of the DN cache. 
@@ -93,6 +96,7 @@ This caches the target that holds a given DN to speed up target selection in case multiple targets would result from an uncached search; forever means cache never expires; disabled means no DN caching; otherwise a valid ( > 0 ) ttl in seconds is required. + .TP .B nretries {forever|never|} This directive defines how many times a bind should be retried @@ -103,6 +107,7 @@ the global value can be overridden by redefinitions inside each target specification. .SH TARGET SPECIFICATION Target specification starts with a "uri" directive: + .TP .B uri ://[[:]]/ The "server" directive that was allowed in the LDAP backend (although @@ -130,10 +135,11 @@ Multiple URIs may be defined in a single argument. The URIs must be separated by TABs (e.g. '\\t'; commas or spaces, unlike back-ldap, will not work, because they are legal in the , and we don't want to use -URL-encoded s), and the additional URIs must have +URL-encoded s), and the additional URIs must have no part. This causes the underlying library to contact the first server of the list that responds. .RE + .TP .B default-target [] The "default-target" directive can also be used during target specification. @@ -141,6 +147,7 @@ With no arguments it marks the current target as the default. The optional number marks target as the default one, starting from 1. Target must be defined. + .TP .B acl-authcDN "" DN which is used to query the target server for acl checking, 
@@ -150,33 +157,72 @@ There is no risk of giving away such values; they are only used to check permissions. .B The acl-authcDN identity is by no means implicitly used by the proxy .B when the client connects anonymously. + .TP .B acl-passwd Password used with the .B acl-authcDN above. + .TP -.B rebind-as-user +.B rebind-as-user {NO|yes} If this option is given, the client's bind credentials are remembered for rebinds when chasing referrals. + +.TP +.B chase-referrals {YES|no} +enable/disable automatic referral chasing, which is delegated to the +underlying libldap, with rebinding eventually performed if the +\fBrebind-as-user\fP directive is used. The default is to chase referrals. + +.TP +.B tls {[try-]start|[try-]propagate} +execute the start TLS extended operation when the connection is initialized; +only works if the URI directive protocol scheme is not \fBldaps://\fP. +\fBpropagate\fP issues the Start TLS exop only if the original +connection did. +The \fBtry-\fP prefix instructs the proxy to continue operations +if start TLS failed; its use is highly deprecated. + +.TP +.B t-f-support {NO|yes|discover} +enable if the remote server supports absolute filters +(see \fIdraft-zeilenga-ldap-t-f\fP for details). +If set to +.BR discover , +support is detected by reading the remote server's root DSE. + +.TP +.B onerr {CONTINUE|stop} +This directive allows to select the behavior in case an error is returned +by one target during a search. +The default, \fBcontinue\fP, consists in continuing the operation, +trying to return as much data as possible. +If this statement is set to \fBstop\fP, the search is terminated as soon +as an error is returned by one target, and the error is immediately +propagated to the client. + .TP .B pseudorootdn "" This directive, if present, sets the DN that will be substituted to the bind DN if a bind with the backend's "rootdn" succeeds. 
The true "rootdn" of the target server ought not be used; an arbitrary administrative DN should used instead. + .TP .B pseudorootpw "" This directive sets the credential that will be used in case a bind with the backend's "rootdn" succeeds, and the bind is propagated to the target using the "pseudorootdn" DN. -.LP + Note: cleartext credentials must be supplied here; as a consequence, using the pseudorootdn/pseudorootpw directives is inherently unsafe. + .TP .B rewrite* ... The rewrite options are described in the "REWRITING" section. + .TP .B suffixmassage "" "" All the directives starting with "rewrite" refer to the rewrite engine @@ -195,6 +241,7 @@ on (case insensitive) DNs instead of normalized DNs, so "dc=foo, dc=com" would not match "dc=foo,dc=com". .LP See the "REWRITING" section. + .TP .B map "{attribute|objectclass} [|*] {|*}" This maps object classes and attributes as in the LDAP backend. @@ -358,7 +405,7 @@ of flags. The underlying concept is to build a lightweight rewrite module for the slapd server (initially dedicated to the LDAP backend). .SH Passes -An incoming string is matched agains a set of rules. +An incoming string is matched against a set of rules. Rules are made of a regex match pattern, a substitution pattern and a set of actions, described by a set of flags. In case of match a string rewriting is performed according to the @@ -368,7 +415,7 @@ The actions, if any, are finally performed. The substitution pattern allows map resolution of substrings. A map is a generic object that maps a substitution pattern to a value. The flags are divided in "Pattern matching Flags" and "Action Flags"; -the former alter the regex match pattern behaviorm while the latter +the former alter the regex match pattern behavior while the latter alter the action that is taken after substitution. .SH "Pattern Matching Flags" .TP 
@@ -480,7 +527,7 @@ operation structure which can be dereferenced later; operator assigns a variable in the rewrite context scope; operator .B && assigns a variable that scopes the entire session, e.g. its value -can be derefenced later by other rewrite contexts +can be dereferenced later by other rewrite contexts .TP .B * variable dereferencing; must refer to a variable that is @@ -572,7 +619,7 @@ altering too much the configuration file). is the name that identifies the context, i.e. the name used by the application to refer to the set of rules it contains. It is used also to reference sub contexts in string rewriting. -A context may aliase another one. +A context may alias another one. In this case the alias context contains no rule, and any reference to it will result in accessing the aliased one. .TP diff --git a/doc/man/man5/slapd-monitor.5 b/doc/man/man5/slapd-monitor.5 index a677426a78..542032b559 100644 --- a/doc/man/man5/slapd-monitor.5 +++ b/doc/man/man5/slapd-monitor.5 @@ -12,13 +12,20 @@ The monitor backend to is not an actual database; if enabled, it is automatically generated and dynamically maintained by slapd with information about the running status of the daemon. - +.LP +To inspect all monitor information, issue a subtree search with base +cn=Monitor, requesting that attributes "+" and "*" are returned. +The monitor backend produces mostly operational attributes, and LDAP +only returns operational attributes that are explicitly requested. +Requesting attribute "+" is an extension which requests all operational +attributes. .SH CONFIGURATION These .B slapd.conf options apply to the monitor backend database. That is, they must follow a "database monitor" line and come before any subsequent "backend" or "database" lines. +.LP As opposed to most databases, the monitor database can be instantiated only once, i.e. only one occurrence of "database monitor" can occur in the 
diff --git a/doc/man/man5/slapd-null.5 b/doc/man/man5/slapd-null.5 index 5164a7c459..02ef95283e 100644 --- a/doc/man/man5/slapd-null.5 +++ b/doc/man/man5/slapd-null.5 @@ -1,4 +1,6 @@ .TH SLAPD-NULL 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2002-2005 The OpenLDAP Foundation. All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. .\" $OpenLDAP$ .SH NAME slapd-null \- Null backend to slapd diff --git a/doc/man/man5/slapd-perl.5 b/doc/man/man5/slapd-perl.5 index 91d00776ef..0e3afc1f1a 100644 --- a/doc/man/man5/slapd-perl.5 +++ b/doc/man/man5/slapd-perl.5 @@ -58,7 +58,7 @@ It arguments are as follows: * object reference * base DN * scope - * alias deferencing policy + * alias dereferencing policy * size limit * time limit * filter string @@ -161,7 +161,7 @@ filter in the search request), rather than search results to be returned directly to the client. .SH EXAMPLE There is an example Perl module `SampleLDAP' in the slapd/back-perl/ -direcetory in the OpenLDAP source tree. +directory in the OpenLDAP source tree. .SH ACCESS CONTROL The .B passwd diff --git a/doc/man/man5/slapd-sql.5 b/doc/man/man5/slapd-sql.5 index 924acae12a..fd2c9f6003 100644 --- a/doc/man/man5/slapd-sql.5 +++ b/doc/man/man5/slapd-sql.5 @@ -105,7 +105,7 @@ Do not use the subtree condition when the searchBase is the database suffix, and the scope is subtree; rather collect all entries. .RE -.SH STAMEMENT CONFIGURATION +.SH STATEMENT CONFIGURATION These options specify SQL query templates for loading schema mapping metainformation, adding and deleting entries to ldap_entries, etc. All these and subtree_cond should have the given default values. 
@@ -250,7 +250,7 @@ or double quotes. .B has_ldapinfo_dn_ru { NO | yes } Explicitly inform the backend whether the dn_ru column (DN in reverse uppercased form) is present in table \fIldap_entries\fP. -Overrides automatic check (this is required, ofr instance, +Overrides automatic check (this is required, for instance, by PostgreSQL/unixODBC). This is \fIexperimental\fP and may change in future releases. @@ -642,7 +642,7 @@ to existing RDBMS storages that need to be published in LDAP form. .LP The \fBhasSubordintes\fP operational attribute is honored by back-sql in search results and in compare operations; it is partially honored -also in filtering. Owing to design limitations, a (braindead?) filter +also in filtering. Owing to design limitations, a (brain-dead?) filter of the form \fB(!(hasSubordinates=TRUE))\fP will give no results instead of returning all the leaf entries, because diff --git a/doc/man/man5/slapd.access.5 b/doc/man/man5/slapd.access.5 index c4189526b5..8eea8a1b8d 100644 --- a/doc/man/man5/slapd.access.5 +++ b/doc/man/man5/slapd.access.5 @@ -82,7 +82,7 @@ It can have the forms .nf [dn[.]=] filter= - attrs=[ val[.]=] + attrs=[ val[/matchingRule][.]=] .fi .LP with @@ -190,13 +190,13 @@ form is given, is implied, i.e. all attributes are addressed. .LP Using the form -.B attrs= val[.]= +.B attrs= val[/matchingRule][.]= specifies access to a particular value of a single attribute. In this case, only a single attribute type may be given. The .B .B exact (the default) uses the attribute's equality matching rule to compare the -value. If the +value, unless a different (and compatible) matching rule is specified. If the .B is .BR regex , @@ -853,7 +853,7 @@ The .B modify operation requires .B write (=w) -privileges on the attibutes being modified. +privileges on the attributes being modified. .LP The .B modrdn 
@@ -950,7 +950,7 @@ in and .B clauses, to avoid possible incorrect specifications of the access rules -as well as for performance (avoid unrequired regex matching when an exact +as well as for performance (avoid unnecessary regex matching when an exact match suffices) reasons. .LP An administrator might create a rule of the form: diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5 index f19dd7018d..fcd80166e3 100644 --- a/doc/man/man5/slapd.conf.5 +++ b/doc/man/man5/slapd.conf.5 @@ -944,7 +944,7 @@ setting must be chosen to enable SASL EXTERNAL authentication. .TP .B TLSCRLCheck Specifies if the Certificate Revocation List (CRL) of the CA should be -used to verify if the client certicates have not been revoked. This +used to verify if the client certificates have not been revoked. This requires .B TLSCACertificatePath parameter to be set. @@ -1155,13 +1155,13 @@ The .BR unchecked specifier sets a limit on the number of candidates a search request is allowed to examine. -The rationale behind it is that searches for non-properly indicized +The rationale behind it is that searches for non-properly indexed attributes may result in large sets of candidates, which must be examined by .BR slapd (8) to determine whether they match the search filter or not. The -.B unckeched +.B unchecked limit provides a means to drop such operations before they are even started. If the selected candidates exceed the diff --git a/doc/man/man5/slapd.plugin.5 b/doc/man/man5/slapd.plugin.5 index 85f12d4519..bc7cdc9f67 100644 --- a/doc/man/man5/slapd.plugin.5 +++ b/doc/man/man5/slapd.plugin.5 
@@ -106,7 +106,7 @@ its value also affects the plugin search path. In general the search path is made of colon-separated paths; usually the user-defined path is searched first; then the value of the \fILTDL_LIBRARY_PATH\fP environment variable, if defined, is used; -finally, the systemi-specific dynamic load path is attempted (e.g. on +finally, the system-specific dynamic load path is attempted (e.g. on Linux the value of the environment variable \fILD_LIBRARY_PATH\fP). Please carefully read the documentation of ltdl because its behavior is very platform dependent. diff --git a/doc/man/man5/slapo-accesslog.5 b/doc/man/man5/slapo-accesslog.5 index 4d195152a8..0b1cf78c28 100644 --- a/doc/man/man5/slapo-accesslog.5 +++ b/doc/man/man5/slapo-accesslog.5 @@ -120,7 +120,7 @@ class is as follows: .RE .P Note that all of the OIDs used in the logging schema currently reside -under the OpenLDAP Experimental branch. It is anticipated that thay +under the OpenLDAP Experimental branch. It is anticipated that they will migrate to a Standard branch in the future. An overview of the attributes follows: @@ -164,7 +164,8 @@ session by a Bind request (if any) but may be altered in various circumstances. The -.BR reqControls and +.B reqControls +and .B reqRespControls attributes carry any controls sent by the client on the request and returned by the server in the response, respectively. The attribute values are just diff --git a/doc/man/man5/slapo-auditlog.5 b/doc/man/man5/slapo-auditlog.5 new file mode 100644 index 0000000000..2ab9b29611 --- /dev/null +++ b/doc/man/man5/slapo-auditlog.5 
@@ -0,0 +1,37 @@ +.TH SLAPO-AUDITLOG 5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 2005 The OpenLDAP Foundation All Rights Reserved. +.\" Copying restrictions apply. See COPYRIGHT/LICENSE. +.\" $OpenLDAP$ +.SH NAME +slapo-auditlog \- Audit Logging overlay +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The Audit Logging overlay can be used to record all changes on a given +backend database to a specified log file. Changes are logged as standard +LDIF, with an additional comment header giving the timestamp of the change +and the identity of the user making the change. +.LP +For Add and Modify operations the identity comes from the modifiersName +associated with the operation. This is usually the same as the requestor's +identity, but may be set by other overlays to reflect other values. +.SH CONFIGURATION +This +.B slapd.conf +option applies to the Audit Logging overlay. +It should appear after the +.B overlay +directive and before any subsequent +.B database +directive. +.TP +.B auditlog +Specify the fully qualified path for the log file. +.TP +.B +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5). diff --git a/doc/man/man5/slapo-chain.5 b/doc/man/man5/slapo-chain.5 index f3ab4c4718..27f9b5a2ba 100644 --- a/doc/man/man5/slapo-chain.5 +++ b/doc/man/man5/slapo-chain.5 @@ -34,7 +34,7 @@ database or to other stacked overlays. .LP There are no chain overlay specific directives; however, directives related to the \fIldap\fP database that is implicitly instantiated -by the overlay may assume a special meaning when used in conjuction +by the overlay may assume a special meaning when used in conjunction with this overlay. They are described in .BR slapd-ldap (5). .TP diff --git a/doc/man/man5/slapo-dynlist.5 b/doc/man/man5/slapo-dynlist.5 index f967d9617d..c5eb9f0e38 100644 --- a/doc/man/man5/slapo-dynlist.5 +++ b/doc/man/man5/slapo-dynlist.5 
@@ -3,7 +3,7 @@ .\" Copying restrictions apply. See the COPYRIGHT file. .\" $OpenLDAP$ .SH NAME -slapo-dynlist \- dynnamic list overlay +slapo-dynlist \- Dynamic List overlay .SH SYNOPSIS ETCDIR/slapd.conf .SH DESCRIPTION @@ -56,7 +56,7 @@ occurs for that specific URI. This statement is required. .B dynlist-member-ad The name of the attributeDescription that will list the DN of the entries resulting from the internal search. This statement is optional and, if -present, changes the behvior of the overlay into that of a dynamic group. +present, changes the behavior of the overlay into that of a dynamic group. The portion of the URI is ignored, and the DNs of all the entries resulting from the expansion of the URI are listed as values of this attribute. diff --git a/doc/man/man5/slapo-glue.5 b/doc/man/man5/slapo-glue.5 index 6591acf11d..f9195bffcf 100644 --- a/doc/man/man5/slapo-glue.5 +++ b/doc/man/man5/slapo-glue.5 @@ -36,7 +36,7 @@ database. The specified database must have already been configured. If the optional \fBasync\fP keyword is supplied, searches against this database may be spawned in a separate thread to run concurrently with other operations (currently not implemented). If the optional \fBadvertise\fP flag -is supplied, the naming context is advertised in the rootDSE. +is supplied, the naming context is advertised in the root DSE. .SH FILES .TP ETCDIR/slapd.conf diff --git a/doc/man/man5/slapo-lastmod.5 b/doc/man/man5/slapo-lastmod.5 index ea9e7462ea..99537163ee 100644 --- a/doc/man/man5/slapo-lastmod.5 +++ b/doc/man/man5/slapo-lastmod.5 @@ -9,7 +9,7 @@ ETCDIR/slapd.conf .LP The .B lastmod -overlay creates aa service entry rooted at the suffix of the database +overlay creates a service entry rooted at the suffix of the database it's stacked onto, which holds the DN, the modification type, the modifiersName and the modifyTimestamp of the last write operation performed on that database. 
@@ -80,7 +80,7 @@ of the overlay. .B lastmodEnabled .P This attribute contains a boolean flag that determines the status -of the overlay. It can be latered via protocol by issuing a modify +of the overlay. It can be altered via protocol by issuing a modify operation that replaces the value of the attribute. .LP .RS 4 @@ -104,7 +104,7 @@ operational, since they can logically be altered only by the DSA. .B lastmodDN .P -This attribute contains the distingyished name of the entry +This attribute contains the distinguished name of the entry that was last modified within the naming context of a database. .LP .RS 4 @@ -172,7 +172,7 @@ So far, the OIDs for the schema haven't been assigned yet. .SH ACKNOWLEDGEMENTS .P -This module was written in 2004 by Pierangelo Masarati in fulfilment +This module was written in 2004 by Pierangelo Masarati in fulfillment of requirements from SysNet s.n.c.; this man page has been copied from .BR slapo-ppolicy (5), diff --git a/doc/man/man5/slapo-ppolicy.5 b/doc/man/man5/slapo-ppolicy.5 index 929a6e4ce2..cc95469adb 100644 --- a/doc/man/man5/slapo-ppolicy.5 +++ b/doc/man/man5/slapo-ppolicy.5 @@ -41,7 +41,7 @@ and no default is given, then no policies will be enforced. Specify that cleartext passwords present in Add and Modify requests should be hashed before being stored in the database. This violates the X.500 information model, but may be needed to compensate for LDAP clients that -don't use the PasswordModify exop to manage passwords. +don't use the Password Modify exop to manage passwords. .TP .B ppolicy_use_lockout A client will always receive an LDAP @@ -507,7 +507,7 @@ object. If it does not exist, the module will enforce the default password policy rules on the user associated with this authenticating DN. If there is no default, or the referenced subentry does not exist, then no -policy rules wil be enforced. +policy rules will be enforced. .LP .RS 4 ( 1.3.6.1.4.1.42.2.27.8.1.23 
diff --git a/doc/man/man5/slapo-retcode.5 b/doc/man/man5/slapo-retcode.5 new file mode 100644 index 0000000000..13c006ad6f --- /dev/null +++ b/doc/man/man5/slapo-retcode.5 
@@ -0,0 +1,153 @@ +.TH SLAPO-RETCODE5 "RELEASEDATE" "OpenLDAP LDVERSION" +.\" Copyright 1998-2004 The OpenLDAP Foundation, All Rights Reserved. +.\" Copying restrictions apply. See the COPYRIGHT file. +.\" Copyright 2001, Pierangelo Masarati, All rights reserved. +.\" $OpenLDAP$ +.SH NAME +slapo-retcode \- return code overlay +.SH SYNOPSIS +ETCDIR/slapd.conf +.SH DESCRIPTION +The +.B retcode +overlay to +.BR slapd (8) +is useful to test the behavior of clients when server-generated erroneous +and/or unusual responses occur, e.g. error codes, referrals, +excessive response times and so on. + +The error responses are generated according to different strategies. +.LP +In the first case, all operations targeted at a specific configurable +subtree cause the object related to the request DN to be looked up +and checked for return code data: a response code, plus an optional +textual message, an optional configurable delay, and, when the response code +is referral, a (list of) referral(s). +.LP +Well-known response codes from standard track documents are provided +in \fBretcode.conf\fP, which can be included after instantiating +the overlay. +.LP +In the second case, objects of the \fBerrObject\fP class, when returned +as intermediate responses of a search request, are changed into +the response dictated by their content. +.LP +A third mode causes objects to be looked up from the underlying database +to discover if their class is \fBerrObject\fP; in that case, their content +is used to compute the corresponding response. +.LP +The behavior is disabled by using the \fBmanageDSAit\fP control (RFC 3296); +in that case, the resulting object, either present in the directory +or dynamically generated by the overlay, or contained in the request, +is handled as usual. +.LP +The config directives that are specific to the +.B retcode +overlay must be prefixed by +.BR retcode\- , +to avoid conflicts with directives specific to the underlying database +or to other stacked overlays. 
The following specific directives +can be used to configure the retcode overlay: +.TP +.B retcode\-parent +This directive defines the parent DN where dynamically generated +entries reside. +If not defined, the suffix of the database is used. +.HP +.hy 0 +.B retcode\-item [op=] [text=] +.B [ref=] [sleeptime=] +.RS +A dynamically generated entry, located below \fBretcode\-parent\fP. +The \fB\fP is the number of the response code; +it can be in any format supported by strtol. +The optional \fB\fP is a list of operations that cause +response code generation; if absent, all operations are affected. +The \fBref\fP field is only allowed for the \fBreferral\fP +response code. +.RE +.TP +.B retcode\-indir +Enables exploitation of in-directory stored errObjects. May result +in lots of unnecessary overhead. + +.SH SCHEMA +The following schema items are created and used by the overlay: +.LP +The error code: +.RS 4 +( 1.3.6.1.4.1.4203.666.11.4.1.1 + NAME ( 'errCode' ) + DESC 'LDAP error code' + EQUALITY integerMatch + ORDERING integerOrderingMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +.RE +.LP +The operations that trigger the response code: +.RS 4 +( 1.3.6.1.4.1.4203.666.11.4.1.2 + NAME ( 'errOp' ) + DESC 'Operations the errObject applies to' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +.RE +.LP +The text message: +.RS 4 +( 1.3.6.1.4.1.4203.666.11.4.1.3 + NAME ( 'errText' ) + DESC 'LDAP error textual description' + EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreSubstringsMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 + SINGLE-VALUE ) +.RE +.LP +The sleep time before the response is actually returned to the client: +.RS 4 +( 1.3.6.1.4.1.4203.666.11.4.1.4 + NAME ( 'errSleepTime' ) + DESC 'Time to wait before returning the error' + EQUALITY integerMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 + SINGLE-VALUE ) +.RE +.LP +The objectclass: +.RS 4 +( 1.3.6.1.4.1.4203.666.11.4.3.1 + NAME ( 'errObject' ) + SUP top 
STRUCTURAL + MUST ( errCode ) + MAY ( cn $ description $ errOp $ errText $ errSleepTime ) ) +.RE + +.SH EXAMPLE +.LP +.RS +.nf +overlay retcode +retcode-parent "ou=RetCodes,dc=example,dc=com" +include ./retcode.conf + +# Wait 10 seconds, then return success (0x00) +retcode-item "cn=Success after 10 seconds" 0x00 sleeptime=10 +# Wait 10 seconds, then return timelimitExceeded (0x03) +retcode-item "cn=Timelimit after 10 seconds" 0x03 sleeptime=10 +.fi +.RE +.LP +.LP + +.SH FILES +.TP +ETCDIR/slapd.conf +default slapd configuration file +.SH SEE ALSO +.BR slapd.conf (5), +.BR slapd (8), +.SH AUTHOR +Pierangelo Masarati diff --git a/doc/man/man5/slapo-rwm.5 b/doc/man/man5/slapo-rwm.5 index a2a19fde55..a95e9276d4 100644 --- a/doc/man/man5/slapo-rwm.5 +++ b/doc/man/man5/slapo-rwm.5 @@ -39,7 +39,7 @@ slapd's schema, some attribute names might be different but serve the same purpose, etc. If local or foreign name is `*', the name is preserved. If local name is omitted, the foreign name is removed. -Unmapped names are preseved if both local and foreign name are `*', +Unmapped names are preserved if both local and foreign name are `*', and removed if local name is omitted and foreign name is `*'. .LP The local @@ -120,7 +120,7 @@ The underlying concept is to build a lightweight rewrite module for the slapd server (initially dedicated to the LDAP backend): .LP .SH Passes -An incoming string is matched agains a set of +An incoming string is matched against a set of .IR rewriteRules . Rules are made of a .IR "regex match pattern" , @@ -256,7 +256,7 @@ operation structure which can be dereferenced later; operator assigns a variable in the rewrite context scope; operator .B && assigns a variable that scopes the entire session, e.g. its value -can be derefenced later by other rewrite contexts +can be dereferenced later by other rewrite contexts .TP .B * variable dereferencing; must refer to a variable that is 
@@ -363,7 +363,7 @@ altering too much the configuration file). is the name that identifies the context, i.e. the name used by the application to refer to the set of rules it contains. It is used also to reference sub contexts in string rewriting. -A context may aliase another one. +A context may alias another one. In this case the alias context contains no rule, and any reference to it will result in accessing the aliased one. .TP diff --git a/doc/man/man5/slapo-syncprov.5 b/doc/man/man5/slapo-syncprov.5 index c0b611d834..6b12b4e7ea 100644 --- a/doc/man/man5/slapo-syncprov.5 +++ b/doc/man/man5/slapo-syncprov.5 @@ -15,7 +15,7 @@ the root entry of the database. The contextCSN is updated for every write operation performed against the database. To reduce database contention, the contextCSN is only updated in -memory. The value is written to the detabase on server shutdown and read into +memory. The value is written to the database on server shutdown and read into memory on startup, and maintained in memory thereafter. Checkpoints may be configured to write the contextCSN into the underlying database to minimize recovery time after an unclean shutdown. diff --git a/doc/man/man8/slaptest.8 b/doc/man/man8/slaptest.8 index 2ba6a75be0..cdedb9479c 100644 --- a/doc/man/man8/slaptest.8 +++ b/doc/man/man8/slaptest.8 @@ -16,7 +16,7 @@ slaptest \- Check the suitability of the slapd.conf file. .B Slaptest is used to check the conformance of the .BR slapd.conf (5) -configurtion file. +configuration file. It opens the .BR slapd.conf (5) configuration file, and parses it according to the general diff --git a/doc/man/man8/slurpd.8 b/doc/man/man8/slurpd.8 index 1c2fe8af26..22cb35c2b5 100644 --- a/doc/man/man8/slurpd.8 +++ b/doc/man/man8/slurpd.8 
@@ -37,7 +37,7 @@ command-line option). If the replication log file does not exist or is empty, .B slurpd goes to sleep. It periodically wakes up and checks to see if there -are any changes to be propoagated. +are any changes to be propagated. .LP When .B slurpd diff --git a/include/ldif.h b/include/ldif.h index 0b2eaed130..a2aade11c5 100644 --- a/include/ldif.h +++ b/include/ldif.h @@ -90,7 +90,7 @@ typedef struct LDIFFP { } LDIFFP; LDAP_LDIF_F( LDIFFP * ) -ldif_open LDAP_P(( char *file, char *mode )); +ldif_open LDAP_P(( LDAP_CONST char *file, LDAP_CONST char *mode )); LDAP_LDIF_F( void ) ldif_close LDAP_P(( LDIFFP * )); diff --git a/libraries/libldap/abandon.c b/libraries/libldap/abandon.c index 27b47b5f57..1b2964961e 100644 --- a/libraries/libldap/abandon.c +++ b/libraries/libldap/abandon.c @@ -130,7 +130,7 @@ do_abandon( } if ( lr->lr_origid == msgid ) {/* child: abandon it */ (void) do_abandon( ld, - msgid, lr->lr_msgid, sctrls, cctrls ); + lr->lr_origid, lr->lr_msgid, sctrls, cctrls ); } } @@ -161,6 +161,15 @@ do_abandon( return LDAP_SUCCESS; } + /* fetch again the request that we are abandoning */ + if ( lr != NULL ) { + for ( lr = ld->ld_requests; lr != NULL; lr = lr->lr_next ) { + if ( lr->lr_msgid == msgid ) { /* this message */ + break; + } + } + } + err = 0; if ( sendabandon ) { if( ber_sockbuf_ctrl( ld->ld_sb, LBER_SB_OPT_GET_FD, NULL ) == -1 ) { @@ -253,6 +262,12 @@ do_abandon( } } +#ifdef LDAP_R_COMPILE + /* ld_abandoned is actually protected by the ld_res_mutex; + * give up the ld_req_mutex and get the other */ + ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex ); + ldap_pvt_thread_mutex_lock( &ld->ld_res_mutex ); +#endif i = 0; if ( ld->ld_abandoned != NULL ) { for ( ; ld->ld_abandoned[i] != -1; i++ ) @@ -267,7 +282,7 @@ do_abandon( if ( ld->ld_abandoned == NULL ) { ld->ld_abandoned = old_abandon; ld->ld_errno = LDAP_NO_MEMORY; - return( ld->ld_errno ); + goto done; } ld->ld_abandoned[i] = msgid; 
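Review bot: After the lock swap added in the `@@ -253,6 +262,12 @@` hunk of abandon.c, `lr` (located under `ld_req_mutex` by the refetch loop in the `@@ -161,6 +161,15 @@` hunk) and `ld->ld_requests` are no longer protected until `done:` swaps the mutexes back, so nothing between the swap and the label may touch them; the visible code only touches `ld->ld_abandoned`, but that invariant is worth stating next to the swap, e.g. `/* from here to done: only ld_abandoned may be accessed; lr and ld_requests are unprotected */`. The `@@ -267,7 +282,7 @@` hunk correctly turns one early `return` into `goto done`; any other `return` between the swap and `done:` that is outside this view would need the same treatment, or the caller is left holding `ld_res_mutex` instead of `ld_req_mutex`. do_abandon starts before the first hunk and its `done:` label is in the following hunk.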
@@ -277,5 +292,10 @@ do_abandon( ld->ld_errno = LDAP_SUCCESS; } +done:; +#ifdef LDAP_R_COMPILE + ldap_pvt_thread_mutex_unlock( &ld->ld_res_mutex ); + ldap_pvt_thread_mutex_lock( &ld->ld_req_mutex ); +#endif return( ld->ld_errno ); } diff --git a/libraries/libldap/os-ip.c b/libraries/libldap/os-ip.c index 407f5ebad2..7715044f14 100644 --- a/libraries/libldap/os-ip.c +++ b/libraries/libldap/os-ip.c @@ -903,6 +903,7 @@ ldap_int_select( LDAP *ld, struct timeval *timeout ) #endif sip = (struct selectinfo *)ld->ld_selectinfo; + assert( sip != NULL ); #ifdef HAVE_POLL { diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c index b8ed64d48f..5eaa9ab31b 100644 --- a/libraries/libldap/result.c +++ b/libraries/libldap/result.c @@ -251,7 +251,7 @@ wait4msg( LDAPMessage **result ) { int rc; - struct timeval tv, *tvp; + struct timeval tv, tv0, *tvp; time_t start_time = 0; time_t tmp_time; LDAPConn *lc, *nextlc; @@ -272,6 +272,7 @@ wait4msg( if ( timeout == NULL ) { tvp = NULL; } else { + tv0 = *timeout; tv = *timeout; tvp = &tv; start_time = time( NULL ); @@ -358,11 +359,12 @@ wait4msg( if ( rc == -2 && tvp != NULL ) { tmp_time = time( NULL ); - if (( tv.tv_sec -= ( tmp_time - start_time )) <= 0 ) { + if (( tv0.tv_sec -= ( tmp_time - start_time )) <= 0 ) { rc = 0; /* timed out */ ld->ld_errno = LDAP_TIMEOUT; break; } + tv.tv_sec = tv0.tv_sec; Debug( LDAP_DEBUG_TRACE, "wait4msg: %ld secs to go\n", (long) tv.tv_sec, 0, 0 ); diff --git a/libraries/libldap/test.c b/libraries/libldap/test.c index 8cc5eb480f..2dfd8edf59 100644 --- a/libraries/libldap/test.c +++ b/libraries/libldap/test.c @@ -59,7 +59,7 @@ static char *dnsuffix; static char * get_line( char *line, int len, FILE *fp, const char *prompt ) { - printf(prompt); + fputs(prompt, stdout); if ( fgets( line, len, fp ) == NULL ) return( NULL ); diff --git a/libraries/libldap_r/tpool.c b/libraries/libldap_r/tpool.c index 50bac8d2c1..0148df89fc 100644 --- a/libraries/libldap_r/tpool.c 
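Review bot: `tv.tv_sec = tv0.tv_sec;` in the `@@ -358,11 +359,12 @@` hunk of result.c restores only the seconds field, while a select() implementation may also have modified `tv.tv_usec` on return; `tv = tv0;` would restore both fields from the untouched copy. The decrement `tv0.tv_sec -= ( tmp_time - start_time )` is cumulative across loop iterations, so it is only correct if `start_time` is reset to `tmp_time` later in the loop body, which is outside the hunk and should be confirmed. wait4msg starts before the hunk and continues after it.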
+++ b/libraries/libldap_r/tpool.c @@ -33,7 +33,7 @@ enum ldap_int_thread_pool_state { LDAP_INT_THREAD_POOL_RUNNING, LDAP_INT_THREAD_POOL_FINISHING, LDAP_INT_THREAD_POOL_STOPPING, - LDAP_INT_THREAD_POOL_PAUSING, + LDAP_INT_THREAD_POOL_PAUSING }; typedef struct ldap_int_thread_key_s { diff --git a/libraries/liblutil/fetch.c b/libraries/liblutil/fetch.c index 904966619d..a182b3591a 100644 --- a/libraries/liblutil/fetch.c +++ b/libraries/liblutil/fetch.c @@ -40,8 +40,7 @@ FILE * ldif_open_url( - LDAP_CONST char *urlstr -) + LDAP_CONST char *urlstr ) { FILE *url; char *p = NULL; @@ -76,8 +75,7 @@ int ldif_fetch_url( LDAP_CONST char *urlstr, char **valuep, - ber_len_t *vlenp -) + ber_len_t *vlenp ) { FILE *url; char buffer[1024]; diff --git a/libraries/liblutil/ldif.c b/libraries/liblutil/ldif.c index 01ac9dbf5b..f29d4c3084 100644 --- a/libraries/liblutil/ldif.c +++ b/libraries/liblutil/ldif.c @@ -747,8 +747,8 @@ int ldif_is_not_printable( LDIFFP * ldif_open( - char *file, - char *mode + LDAP_CONST char *file, + LDAP_CONST char *mode ) { FILE *fp = fopen( file, mode ); diff --git a/libraries/liblutil/passwd.c b/libraries/liblutil/passwd.c index 5460b0376a..db5e865003 100644 --- a/libraries/liblutil/passwd.c +++ b/libraries/liblutil/passwd.c @@ -197,16 +197,26 @@ static const struct pw_scheme *get_scheme( const char* scheme ) { struct pw_slist *pws; + struct berval bv; if (!pw_inited) lutil_passwd_init(); + bv.bv_val = strchr( scheme, '}' ); + if ( !bv.bv_val ) + return NULL; + + bv.bv_len = bv.bv_val - scheme + 1; + bv.bv_val = (char *) scheme; + for( pws=pw_schemes; pws; pws=pws->next ) { - if( strcasecmp(scheme, pws->s.name.bv_val ) == 0 ) { + if( bv.bv_len != pws->s.name.bv_len ) + continue; + if( strncasecmp(bv.bv_val, pws->s.name.bv_val, bv.bv_len ) == 0 ) { return &(pws->s); } } - return NULL; + return (const struct pw_scheme *) NULL; } int lutil_passwd_scheme(
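Review bot: get_scheme in passwd.c now compares only the text up to and including the first `}` and therefore accepts a scheme name followed by the hash value, but this new contract is not documented anywhere in the hunk; a comment above the function such as `/* scheme may be followed by the hashed value: only the "{name}" prefix up to the first '}' is compared, case-insensitively and for its full length */` would record it for callers. The `bv.bv_len != pws->s.name.bv_len` check before `strncasecmp` is what keeps a shorter registered name from matching as a prefix of a longer one, so that pairing should stay together if the loop is later reworked. The cast in `return (const struct pw_scheme *) NULL;` is unnecessary in C and inconsistent with the plain `return NULL;` added earlier in the same function.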