Kurt Zeilenga [Tue, 25 Apr 2000 10:38:03 +0000 (10:38 +0000)]
replace ldap_dnssrv_init() with lower level calls
ldap_domain2dn()
ldap_domain2hostlist()
and provide prototype to soon-to-be-implemented
ldap_dn2domain().
ldap_dnssrv_init(), if needed, can easily be implemented
using ldap_create(), ldap_set_option() and the above
commands.
Ben Collins [Mon, 24 Apr 2000 17:03:45 +0000 (17:03 +0000)]
for slurpd's replica directory (slurpd.status, and rej file) use a subdir of what the user specifies (add replica/ to it) to avoid /tmp races. A lot of the files that slurpd uses cannot be opened with O_EXCL, nor can we safely determine if there are any hardlinks from another file to it, so we create our own subdirectory so we can control the perms, even in /tmp
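One way to implement the private-subdirectory approach this commit describes, written here as an added example rather than slurpd's own code: create `replica/` beneath the caller-supplied base with a restrictive mode and then verify, without following symlinks, that what sits at that path is a directory we own and nobody else can write. `make_private_subdir` and `self_check` are hypothetical names; the temp bases are constructed with `mkdtemp` for the self-check.

```c
/* Added example, not from slurpd: create base/replica with 0700 and refuse to use
 * anything at that path that is not a directory owned by us with no group/other
 * access. This is what keeps a pre-planted symlink or foreign directory in a
 * shared /tmp from being used as our status/rejection directory. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 and fills `out` with the subdirectory path on success, -1 on refusal. */
int make_private_subdir(const char *base, char *out, size_t outlen)
{
    struct stat st;
    if (snprintf(out, outlen, "%s/replica", base) >= (int)outlen)
        return -1;                            /* path would be truncated */
    /* Create with a restrictive mode; EEXIST is fine, we inspect what is there. */
    if (mkdir(out, 0700) != 0 && errno != EEXIST)
        return -1;
    /* lstat, not stat: a symlink planted by another /tmp user must not be followed. */
    if (lstat(out, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))                 /* symlink, regular file, fifo, ... */
        return -1;
    if (st.st_uid != geteuid())               /* someone else's directory */
        return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO))     /* others could plant files in it */
        return -1;
    return 0;
}

/* Exercise the check on constructed temp bases: a fresh base is accepted twice
 * (the second call finds our own 0700 directory), a symlink pre-planted at
 * base/replica is refused, and a too-small output buffer is refused.
 * Returns 0 when every expectation holds, otherwise the number of the failed step. */
int self_check(void)
{
    char good[] = "/tmp/privdirXXXXXX", bad[] = "/tmp/privdirXXXXXX", out[256];
    if (mkdtemp(good) == NULL || mkdtemp(bad) == NULL) return 1;
    if (make_private_subdir(good, out, sizeof out) != 0) return 2;
    if (make_private_subdir(good, out, sizeof out) != 0) return 3;  /* idempotent */
    snprintf(out, sizeof out, "%s/replica", bad);
    if (symlink("/", out) != 0) return 4;     /* simulate a pre-planted link */
    if (make_private_subdir(bad, out, sizeof out) != -1) return 5;
    if (make_private_subdir(good, out, 4) != -1) return 6;          /* buffer too small */
    return 0;
}
```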
Added a method to make delivery to the local mailbox conditional on
the presence of a certain value in some other attribute. Used to
implement mailForwardingAddress both in addition to normal delivery
and excluding normal delivery, selectable entry by entry. The model
is mailDeliveryOption in Netscape MS. The implementation aims to
become more general, though. Affects "search-with-filter", any
entry can potentially use a parameter, introduced with "param=".
Optimize the case where we have to copy the message to an address that
is served by the directory. Formerly, we would have the MTA deal with
it and invoke mail500 again later. This has necessitated loading the
list of domains that are solved by us with "domain". A new definition,
"host", takes the role of the old "domain" that was the FQDN of our
host for routing loop avoidance.
The old mail500 had a method to try to translate the local address
part into something to check against the cn of entries. It is
supported again through the selector %s in the search.
Explicitly initialize some pointers in automatic storage.
Added support for doing routing at the MTA, that is the right thing
anyway. A new syntax is defined, "present", that indicates that
values of an attribute type are not used, only presence is
significant. To do routing at the MTA, define both mailHost and
mailRoutingAddress with syntax "present". Otherwise, use "host" and
"rfc822" and mail500 will try to do routing by itself, if possible.
Read the comments in the code for the ugly details.
Added a new configuration line "own-address" that describes the FQDN of
our host to compare with mailHost. The line can be repeated.
Randy Kunkee [Tue, 4 Apr 2000 09:42:44 +0000 (09:42 +0000)]
Using a stale obj from Tcl_GetResultObj() to store error results
caused incorrect data in result array and possibly segmentation
violations when searches terminated due to errors such as timeout,
exceeding search limit, or the remote server going down in the middle
of a search. Also correctly puts error message on top of
traceback stack (instead of randomly in memory per the stale result obj).
A segmentation violation could have manifested later in the program's
life, or perhaps during termination of the interpreter.
The approach used was not powerful enough to deal with things like
nested groups or the laser mail routing draft. Mostly, this is
because a flag saying the attribute type is 'final' is not flexible
enough. The old 'final' flag is gone and replaced by a priority
level.
Change 'forward' to 'route' to be consistent with the laser wording.
Add new 'domain' spec in the configuration file to describe what are
the local domains so that we do not loop when doing the laser thing.
We were escaping asterisks in filters. This seems incorrect. Removed.
Kurt Zeilenga [Wed, 15 Mar 2000 19:47:22 +0000 (19:47 +0000)]
ITS#479 fix: ber_put_seqorset() writes a few bytes beyond an allocated buffer
Commit based upon patch and comments provided by Alan Clark <aclark@novell.com>.
> Kudos to Dave Steck for the find and fix
Kurt Zeilenga [Wed, 15 Mar 2000 19:42:03 +0000 (19:42 +0000)]
Add additional be_isroot() checks to protect against empty
root and client ndns. (the existing backend protections
*should* be good enough, but one cannot be too safe)
Kurt Zeilenga [Tue, 14 Mar 2000 02:54:08 +0000 (02:54 +0000)]
work args of ldap_negotiated_sasl_bind_s() and provide examples
with authentication id and authorization ids. Note: this routine
doesn't actually negotiate anything. It likely should be renamed
ldap_sasl_auth_s() or ldap_sasl_bind_multistep() or something.
Fixed an irritating problem with nss_ldap and pam_ldap. Since these
modules are dynamically loaded, they summon libldap when needed.
However, depending on the security libraries available when the
shared libldap was built, the latter brings up other dependencies.
On some platforms, it seems that no solution is available: no
indirect dynamic dependencies. But for some platforms where this
is supported (in particular, Linux), the shared libldap must
contain info on what other dynamic libraries it needs. We were
failing to put this info into the shared library. This patch
seems to fix it.
Kurt Zeilenga [Fri, 3 Mar 2000 22:37:06 +0000 (22:37 +0000)]
Rework error handling. Add error descriptions.
Don't use LDAP_OPERATIONS_ERROR for internal errors. Use LDAP_OTHER
instead. (more changes needed in this area)
Kurt Zeilenga [Thu, 2 Mar 2000 20:36:53 +0000 (20:36 +0000)]
StartTLS now grabs conn->c_mutex before mucking with connection.
Add comment concerning sequencing issues which need to be resolved
by reworking of connection state machine. Add note that a race
condition exists until this rework is complete.
Rework extended operations to return pointer to static error text.