ITS#8840 Fix domainScope control to ensure the control value is absent as per Microsoft specification (https://msdn.microsoft.com/en-us/library/aa366979%28v=vs.85%29.aspx).
Howard Chu [Wed, 31 Jan 2018 15:19:58 +0000 (15:19 +0000)]
ITS#8789 avoid unnecessary writes of context entry
If syncprov is present, only write contextCSN attribute on
actual state changes, not on per-entry modifications.
Continue to update in-memory cookieState. Saves overhead,
syncprov will eventually checkpoint it into the DB anyway.
* Check NUMKEYS(), similar to f34b61f9471d1c03fe0517b9d817c50c920e378a
"ITS#8722 fix FIRST_DUP/LAST_DUP cursor bounds check".
* Move XCURSOR_INITED() into XCURSOR_REFRESH(). This adds a check in
mdb_cursor_put, below /* converted, write the original data first */.
* Factor mc_ki[] out to XCURSOR_REFRESH().
* Replace an mc_pg[] with mp which is equal (mdb_cursor_del0).
# This patch file is derived from OpenLDAP Software. All of the
# modifications to OpenLDAP Software represented in the following
# patch(es) were developed by Apple. I, Bryan Duncan, am authorized by
# Apple, my employer, to release this work under the following terms.
#
# Copyright 2009 Apple Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP
# Public License.
#
# A copy of this license is available in file LICENSE in the
# top-level directory of the distribution or, alternatively, at
# http://www.OpenLDAP.org/license.html.
#
Howard Chu [Fri, 13 Oct 2017 16:25:29 +0000 (17:25 +0100)]
ITS#8752 fix syncrepl deadlock from updateCookie
Must release cookieState->cs_mutex before invoking backend.
Add a condvar to serialize calls of updateCookie, so we can
release the mutex and still update sequentially.
Howard Chu [Fri, 13 Oct 2017 16:16:25 +0000 (17:16 +0100)]
fix syncprov_qtask race, test062 crashes
Keep s_mutex locked until we know we're removed from queue.
Remember qtask cookie so we can retract if ineeded when deleting
the overlay from running slapd.
config_delete is still unsafe, overlay_remove is running with active
threadpool instead of paused pool.
Zebediah Figura [Sat, 1 Oct 2016 02:26:59 +0000 (21:26 -0500)]
ITS#8508 - Allow ucgendat.c to recognize title-case characters even if they do not have lower-case equivalents
I, Zebediah Figura, hereby place the following modifications to OpenLDAP Software (and only these modifications) into the public domain. Hence, these modifications may be freely used and/or redistributed for any purpose with or without attribution and/or other notice.
This function is used to manually establish a connection after
a call to ldap_initialize(). This is primarily so that a file
descriptor can be obtained before any requests are sent for the
purposes of polling for writability.
ITS#6475 - Man page updates to slapd.conf/slapd-config for the new olcSaslAuxpropsDontUseCopy and olcSaslAuxpropsDontUseCopyIgnore parameters for use with SASL/OTP
Jan Vcelak [Fri, 14 Sep 2012 12:24:29 +0000 (14:24 +0200)]
ITS#7389 - MozNSS: load certificates from certdb, fallback to PEM
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to NSS
certificate database, the backend assumed that the certificate is always
located in the certificate database. This assumption might be wrong.
This patch makes the library to try to load the certificate from NSS
database and fallback to PEM file if unsuccessfull.
Jan Vcelak [Wed, 29 Aug 2012 14:23:52 +0000 (16:23 +0200)]
ITS#7374 - MozNSS: better file name matching for hashed CA certificate directory
CA certificate files in OpenSSL compatible CACERTDIR were loaded if the
file extension was '.0'. However the file name should be 8 letters long
certificate hash of the certificate subject name, followed by a numeric
suffix which is used to differentiate between two certificates with the
same subject name.
Wit this patch, certificate file names are matched correctly (using
regular expressions).
Jan Vcelak [Tue, 28 Aug 2012 14:57:54 +0000 (16:57 +0200)]
ITS#7373 - TLS: do not reuse tls_session if hostname check fails
If multiple servers are specified, the connection to the first one
succeeds, and the hostname verification fails, *tls_session is not
dropped, but reused when connecting to the second server.
This is a problem with Mozilla NSS backend because another handshake
cannot be performed on the same file descriptor. From this reason,
hostname checking was moved into ldap_int_tls_connect() before
connection error handling.