================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
Adapted by Kurt Zeilenga for inclusion in OpenLDAP. My comments are
marked with enclosed with square brackets (e.g. [Kurt's comment] below.
================
If I run ldapmodify & co from a script, I don't want to use '-W password'
because the password shows up in the output of 'ps' for everyone,
and I can't pipe the password to 'ldapmodify -w' because -w uses
getpassphrase() which reads from the tty instead of stdin.
So I added '-y file' which reads the password from file. The programs
exit if the file cannot be read.
[Complete contents of file is used as password. Use:
echo -n "secret" > password
to create a file with "secret" as the password. The -n avoids
adding a newline (which would invalidate the password). Note
that echo is a builtin and hence its arguments are not visible
to 'ps'.]
I changed ldapmodify, ldapmodrdn, ldapdelete, ldapsearch, ldapcompare.
I did not bother to change ldappasswd and ldapwhoami, because they
prompt for many passwords. [I fixed up ldapwhoami.]
Rerun autoconf after applying this patch. [Done.]
Note: I do not know if Windows NT has fstat(), so I set HAVE_FSTAT to
undef in portable.nt. (fstat() is used to warn if the file is publicly
readable or writeable.) [I used fstat() to set the buffer size to
read.]
[Note: using the contents of a file extends the tools to support
passwords which could not normally be provided using getpassphrase()
or via the command line.]
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, Aug 2002.
[Kurt D. Zeilenga <kurt@openldap.org>, Aug 2002.]
Now related ITSes need be audited and possibly closed.
Enhancements:
- re-styled code for better readability
- upgraded backend API to reflect recent changes
- LDAP schema is checked when loading SQL/LDAP mapping
- AttributeDescription/ObjectClass pointers used for more efficient
mapping lookup
- bervals used where string length is required often
- atomized write operations by committing at the end of each operation
and defaulting connection closure to rollback
- added LDAP access control to write operations
- fully implemented modrdn (with rdn attrs change, deleteoldrdn,
access check, parent/children check and more)
- added parent access control, children control to delete operation
- added structuralObjectClass operational attribute check and
value return on search
- added hasSubordinate operational attribute on demand
- search limits are appropriately enforced
- function backsql_strcat() has been made more efficient
- concat function has been made configurable by means of a pattern
- added config switches:
- fail_if_no_mapping write operations fail if there is no mapping
- has_ldapinfo_dn_ru overrides autodetect
- concat_pattern a string containing two '?' is used
(note that "?||?" should be more portable
than builtin function "CONCAT(?,?)")
- strcast_func cast of string constants in "SELECT DISTINCT statements (needed by PostgreSQL)
- upper_needs_cast cast the argument of upper when required
(basically when building dn substring queries)
Todo:
- add security checks for SQL statements that can be injected (?)
- re-test with previously supported RDBMs
- replace dn_ru and so with normalized dn (no need for upper() and so
in dn match)
- implement a backsql_normalize() function to replace the upper()
conversion routines
- note that subtree deletion, subtree renaming and so could be easily
implemented (rollback and consistency checks are available :)
- implement "lastmod" and other operational stuff (ldap_entries table ?)
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
manpage patch for ITS#1787.
- Let write operations return unwilling-to-perform after
'gentle shutdown' has been initiated.
- Change -1 to 2 in slapd_gentle_shutdown and slapd_shutdown, since
sig_atomic_t can be unsigned (ITS#1736). The 'gentle SIGHUP' patch
is older than ITS#1736 but was applied later, so it reintroduced
the problem.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, June 2002.
Version: head
OS: SuSE Linux 7.3
URL: ftp://ftp.openldap.org/incoming/norbert.klasen.rejects.20020605.patch
Submission from: (NULL) (62.104.216.66)
This patch adds an '-S' option to ldapmodify. If a filename is specified with
this option, records which could not successfully be added/modified/deleted from
the LDAP server will be written to the specified file. Most useful in
conjunction with '-c' option.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
It has just occurred to me - duh - that the process ID of a back-shell
command is a perfectly good unique ID for it, and more useful than
any connection id/message id thingy. Doesn't need extra arguments
to the shell commands either, except a pid: line to abandon.
And msgid: can still be removed in a future version.
Here is a patch.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
Here is a patch which does what I described. Of course, someone has
to decide if that is the right solution:-)
- Add an "opid:" line to the input to back-shell commands.
- Add an "abandonid: <opid> line to back-shell/abandon input.
- Replace message id with opid in back-tcl arguments.
- Add an abandonid = <opid> argument to back-tcl/abandon.
An opid (operation ID) is a "connection ID/message ID" string. I
would have liked to use another name to avoid confusion with struct
slap_op->o_opid, but I could not think of another apt word.
This also fixes ITS#1784 and ITS#1792. Since calling conventions
changed anyway, I fixed back-shell by adding abandonid: and making
opid: always be the ID of the current operation.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
Small changes:
- Fix typo slapd_meta -> slapd-meta in slapd-meta(5).
- Add slapd-dnssrv(5) to SEE ALSO in slapd.conf(5).
- Add descriptions of the files in FILES sections.
- Add $HOME/.udrc to FILES in ud(1) and ud.conf(5).
- Add ldaprc (without ".") and ENVIRONMENT VARIABLES in ldap.conf(5).
- Change manpage references to proper ".BR name (section)".
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
Backend documentation patch, version 1
================
Most of this text is taken from OpenLDAP. The work of rewriting it
to manual pages is done by by Hallvard B. Furuseth and placed into
the public domain. This software is not subject to any license of
the University of Oslo.
================
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
submitted by Jeff Costlow <j.costlow@f5.com> (ITS#1560).
Portions:
Copyright 2002, F5 Networks, Inc, All rights reserved.
This software is not subject to any license of F5 Networks.
This is free software; you can redistribute and use it
under the same terms as OpenLDAP itself.
may need optimization;
uncomment #define USE_LDAP_DN_PARSING in libraries/libldap/getdn.c
to enable its use.
The ava/rdn/dn handling routines (append, insert, free and so) must
be made available thru declaration in some header.
Developed by Julius Enarusai/IBM
Copyright IBM Corp. 2001
Use of this source code is subject to the terms of The OpenLDAP
Public License Version 2.7, 7 September 2001. No trademarks of the
IBM Corporation are to be used to identify, endorse or promote any
products derived from this code without the prior written consent
of IBM.
