# This patch file is derived from OpenLDAP Software. All of the
# modifications to OpenLDAP Software represented in the following
# patch(es) were developed by Apple. I, Bryan Duncan, am authorized by
# Apple, my employer, to release this work under the following terms.
#
# Copyright 2009 Apple Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP
# Public License.
#
# A copy of this license is available in file LICENSE in the
# top-level directory of the distribution or, alternatively, at
# http://www.OpenLDAP.org/license.html.
#
Howard Chu [Fri, 13 Oct 2017 16:25:29 +0000 (17:25 +0100)]
ITS#8752 fix syncrepl deadlock from updateCookie
Must release cookieState->cs_mutex before invoking backend.
Add a condvar to serialize calls of updateCookie, so we can
release the mutex and still update sequentially.
Howard Chu [Fri, 13 Oct 2017 16:16:25 +0000 (17:16 +0100)]
fix syncprov_qtask race, test062 crashes
Keep s_mutex locked until we know we're removed from queue.
Remember qtask cookie so we can retract if ineeded when deleting
the overlay from running slapd.
config_delete is still unsafe, overlay_remove is running with active
threadpool instead of paused pool.
Zebediah Figura [Sat, 1 Oct 2016 02:26:59 +0000 (21:26 -0500)]
ITS#8508 - Allow ucgendat.c to recognize title-case characters even if they do not have lower-case equivalents
I, Zebediah Figura, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
This function is used to manually establish a connection after
a call to ldap_initialize(). This is primarily so that a file
descriptor can be obtained before any requests are sent for the
purposes of polling for writability.
ITS#6475 - Man page updates to slapd.conf/slapd-config for the new olcSaslAuxpropsDontUseCopy and olcSaslAuxpropsDontUseCopyIgnore parameters for use with SASL/OTP
Jan Vcelak [Fri, 14 Sep 2012 12:24:29 +0000 (14:24 +0200)]
ITS#7389 - MozNSS: load certificates from certdb, fallback to PEM
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.
This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
Jan Vcelak [Wed, 29 Aug 2012 14:23:52 +0000 (16:23 +0200)]
ITS#7374 - MozNSS: better file name matching for hashed CA certificate directory
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.
Wit this patch, certificate file names are matched correctly (using
regular expressions).
Jan Vcelak [Tue, 28 Aug 2012 14:57:54 +0000 (16:57 +0200)]
ITS#7373 - TLS: do not reuse tls_session if hostname check fails
If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.
This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.
ITS#6817 - back-meta work for SLAP_AUTH_DN was never finished according
to the ITS notes. In addition, this would need man page updates for the
feature
The support for unindexed attributes being tracked in back-monitor needs
to remain behind LDAP_DEVEL for now. Right now, the mutex in
back-monitor cannot properly handle the load if the server had a lot
of unindexed attributes that were being accessed in search filters.
Howard Chu [Tue, 17 Jan 2017 09:44:03 +0000 (09:44 +0000)]
ITS#8725 backover fixes for async
Fix some valgrind race conditions - wait for frontend to finish up
Don't set callbacks for abandon or unbind - since they have no response
Use tmpalloc for backover callback
Ondřej Kuzník [Fri, 25 Aug 2017 15:25:23 +0000 (16:25 +0100)]
ITS#8444 Do not clear the pending operation when checkpointing
When a checkpoint happens, if we remove the CSN from the pending list,
accesslog won't pass it onto the accesslog DB. But in a delta-mmr
scenario, an accesslog entry without a CSN faces a race where it might
be applied twice - that usually fails and causes a full refresh, other
times it can cause a silent desync - both are undesirable.