Now related ITSes need be audited and possibly closed.
Enhancements:
- re-styled code for better readability
- upgraded backend API to reflect recent changes
- LDAP schema is checked when loading SQL/LDAP mapping
- AttributeDescription/ObjectClass pointers used for more efficient
mapping lookup
- bervals used where string length is required often
- atomized write operations by committing at the end of each operation
and defaulting connection closure to rollback
- added LDAP access control to write operations
- fully implemented modrdn (with rdn attrs change, deleteoldrdn,
access check, parent/children check and more)
- added parent access control, children control to delete operation
- added structuralObjectClass operational attribute check and
value return on search
- added hasSubordinate operational attribute on demand
- search limits are appropriately enforced
- function backsql_strcat() has been made more efficient
- concat function has been made configurable by means of a pattern
- added config switches:
- fail_if_no_mapping write operations fail if there is no mapping
- has_ldapinfo_dn_ru overrides autodetect
- concat_pattern a string containing two '?' is used
(note that "?||?" should be more portable
than builtin function "CONCAT(?,?)")
- strcast_func cast of string constants in "SELECT DISTINCT statements (needed by PostgreSQL)
- upper_needs_cast cast the argument of upper when required
(basically when building dn substring queries)
Todo:
- add security checks for SQL statements that can be injected (?)
- re-test with previously supported RDBMs
- replace dn_ru and so with normalized dn (no need for upper() and so
in dn match)
- implement a backsql_normalize() function to replace the upper()
conversion routines
- note that subtree deletion, subtree renaming and so could be easily
implemented (rollback and consistency checks are available :)
- implement "lastmod" and other operational stuff (ldap_entries table ?)
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
manpage patch for ITS#1787.
- Let write operations return unwilling-to-perform after
'gentle shutdown' has been initiated.
- Change -1 to 2 in slapd_gentle_shutdown and slapd_shutdown, since
sig_atomic_t can be unsigned (ITS#1736). The 'gentle SIGHUP' patch
is older than ITS#1736 but was applied later, so it reintroduced
the problem.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, June 2002.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
It has just occurred to me - duh - that the process ID of a back-shell
command is a perfectly good unique ID for it, and more useful than
any connection id/message id thingy. Doesn't need extra arguments
to the shell commands either, except a pid: line to abandon.
And msgid: can still be removed in a future version.
Here is a patch.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
Here is a patch which does what I described. Of course, someone has
to decide if that is the right solution:-)
- Add an "opid:" line to the input to back-shell commands.
- Add an "abandonid: <opid> line to back-shell/abandon input.
- Replace message id with opid in back-tcl arguments.
- Add an abandonid = <opid> argument to back-tcl/abandon.
An opid (operation ID) is a "connection ID/message ID" string. I
would have liked to use another name to avoid confusion with struct
slap_op->o_opid, but I could not think of another apt word.
This also fixes ITS#1784 and ITS#1792. Since calling conventions
changed anyway, I fixed back-shell by adding abandonid: and making
opid: always be the ID of the current operation.
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
================
Written by Hallvard B. Furuseth and placed into the public domain.
This software is not subject to any license of the University of Oslo.
================
Small changes:
- Fix typo slapd_meta -> slapd-meta in slapd-meta(5).
- Add slapd-dnssrv(5) to SEE ALSO in slapd.conf(5).
- Add descriptions of the files in FILES sections.
- Add $HOME/.udrc to FILES in ud(1) and ud.conf(5).
- Add ldaprc (without ".") and ENVIRONMENT VARIABLES in ldap.conf(5).
- Change manpage references to proper ".BR name (section)".
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, May 2002.
Backend documentation patch, version 1
================
Most of this text is taken from OpenLDAP. The work of rewriting it
to manual pages is done by by Hallvard B. Furuseth and placed into
the public domain. This software is not subject to any license of
the University of Oslo.
================
Hallvard B. Furuseth <h.b.furuseth@usit.uio.no>, April 2002.
Developed by Julius Enarusai/IBM
Copyright IBM Corp. 2001
Use of this source code is subject to the terms of The OpenLDAP
Public License Version 2.7, 7 September 2001. No trademarks of the
IBM Corporation are to be used to identify, endorse or promote any
products derived from this code without the prior written consent
of IBM.
for LDBM backends called "dbsync", which takes minimum of one argument up
to 3 args which are sync frequency, # of delays, and delay periods. See
man page update for "dbsync" configuration for more details.
r/w locks and thread pools. Hide internal structures (using
pthread'ish technics). Place common code in threads.c. Move
no-thread code to thr_stub.c. Move thread pool code to tpool.c.
Removed setconcurrency call from initializer, added 'concurrency'
directive to slapd. Tested code under pthreads, pth, and no-threads.
privs, additive/substractive rules, and rule continuation. Existing
rules that use 'defaultaccess none' should be 100% compatible. Rules
that rely other defaultaccess settings will require addition of
explicit clauses granting the access.
Needs additional testing and tuning of logs
Old code applied sync flags to store(), however supported DBMs
require such flags to be specified during open(). The new
code now applies flags in ldbm_cache_open (which calls ldbm_open).
ldbm_cache_close() now calls ldbm_sync(). This will force
a updating of on-disk contents after each LDAP operation.
The old code either failed to sync the on-disk contents until
close or synced on every store. Per LDBM operation syncing
*should* be safe enough... real data safety requires transactions.
Removed nosync option from BDB2 as it is not compatible with
txn support.
Also added code to disable DBM level locking as slapd is only
process acessing the databases (dbnolocking).
Includes support for update referral for each replicated backend.
Reworked replication test to use update referral.
Includes major rewrite of response encoding codes (result.c).
Includes reworked alias support and eliminates old suffix alias codes
(can be emulated using named alias).
Includes (untested) support for the Manage DSA IT control.
Works in LDAPv2 world. Still testing in LDAPv3 world.
Added default referral (test009) test.
introduction of pid/agrs parameters to the test-suite slapd.conf files;
creation of sub-directory test/var for storage of pid/args files during test;
update of the slapd and slapd.conf man pages.
(The change reduces dependency on ldapconfig.h, since SLAPD_PIDEXT
and SLAPD_ARGSEXT are deleted from the code.)
default sysconfdir subdirectory is openldap instead of ldap.
This removes conflicts with other ldap subsystems. Should
be configure option.
*.conf files are now preserved. A *.conf.default are always
created with the latest conf.
*.help and ldapfriendly are now placed in $(datadir)/$(ldap_subdir)
updated man pages to reflect changes.
Modified clients to reduce use of ldapconfig.h.edit.
ldap_{get,set}_option support is relatively complete. Needs
to be extended to support other "features" of OpenLDAP.
