Commit Graph

19710 Commits

Author SHA1 Message Date
Jan Vcelak
e422c3c919 ITS#7028 man: slapo-unique(5) quoting keywords 2011-08-24 15:42:04 -07:00
Francis Swasey
27ca42b555 ITS#7023 document TLSCACertificateFile in the man page as it is in the Admin Guide 2011-08-24 15:39:31 -07:00
Howard Chu
6546ecd39c ITS#7022 cleanup prev commit 2011-08-24 15:37:52 -07:00
Rich Megginson
a7aac14d2a ITS#7022 NSS_Init* functions are not thread safe
The NSS_InitContext et al. and their corresponding shutdown functions
are not thread safe.  There can only be one thread at a time calling
these functions.  Protect the calls with a mutex.  Create the mutex
using a PR_CallOnce to ensure that the mutex is only created once and
not used before created.  Move the registration of the nss shutdown
callback to also use a PR_CallOnce.  Removed the call to
SSL_ClearSessionCache() because it is always called at shutdown, and we must
not call it more than once.
2011-08-24 15:34:47 -07:00
Jan Vcelak
3dae953fd6 ITS#7014 TLS: don't check hostname if reqcert is 'allow'
If the server certificate hostname does not match the server hostname, the
connection is closed even if the client has set TLS_REQCERT to 'allow'. This
is wrong - the documentation says that bad certificates are being
ignored when TLS_REQCERT is set to 'allow'.
2011-08-24 15:27:29 -07:00
Howard Chu
fdb3443366 More abandon paranoia 2011-08-24 14:57:36 -07:00
Howard Chu
5829eb44a1 ITS#7025 handle Abandon in backglue 2011-08-23 13:48:59 -07:00
Howard Chu
4f5d087b4f Don't replicate refint repair ops 2011-08-22 14:05:58 -07:00
Pierangelo Masarati
415b8ec84b release mutex only *after* backend connection initialization (ITS#6993) 2011-08-22 11:23:54 -06:00
Pierangelo Masarati
58255ab250 further cleanup of ldapsearch response 2011-08-22 11:19:30 -06:00
Pierangelo Masarati
71eda709c6 referral is a legitimate result 2011-08-22 11:19:30 -06:00
Pierangelo Masarati
72e8a15068 make sure size limits are passed to ldapsearch 2011-08-22 11:19:30 -06:00
Pierangelo Masarati
15987caa11 error messages from ldapsearch changed 2011-08-22 08:43:57 -06:00
Pierangelo Masarati
3e504bcbbf add notes about pwdAllowUserChange (more about ITS#7021) 2011-08-20 19:03:15 -06:00
Pierangelo Masarati
bdbdae3e5f according to draft-behera, this attribute only affects password modifies by self (ITS#7021) 2011-08-20 18:52:54 -06:00
Howard Chu
433812db38 For #6982 fix a66fb16 2011-08-18 01:52:52 -07:00
Pierangelo Masarati
17cfffdd29 fix TTL tolerance (ITS#7017, patch by jvcelak@redhat.com) 2011-08-17 12:57:56 -06:00
Pierangelo Masarati
fb83bf08bc make sure frontend gets the {-1} (ITS#7016) 2011-08-16 22:18:23 -06:00
Howard Chu
a66fb1630c hack for #6982 - keep o_abandon set in op_free 2011-08-16 13:51:10 -07:00
Howard Chu
20a8da0b7c Revert "More for ITS#6892"
This reverts commit 3cb2ca8bbd.
Patch has no benefit
2011-08-16 13:49:27 -07:00
Howard Chu
3cb2ca8bbd More for ITS#6892 2011-08-15 15:40:46 -07:00
Pierangelo Masarati
0d0d64518f host part of unique URI must be empty (ITS#7018) 2011-08-13 23:34:31 +02:00
Pierangelo Masarati
8c2fc29786 cleanup slapd.ldif; install it (ITS#7015) 2011-08-11 17:34:29 +02:00
Pierangelo Masarati
f0810d6535 typo in comment 2011-08-11 17:09:36 +02:00
Pierangelo Masarati
d75803ed3f use ldap_search_ext(timelimit) instead of ldap_set_option(LDAP_OPT_TIMELIMIT) (related to ITS#7009) 2011-08-11 12:16:01 +02:00
Pierangelo Masarati
e080ba6e9d honor TIMEOUT when appropriate (ITS#7009); also honor timelimit (was broken) 2011-08-10 22:40:49 +02:00
Pierangelo Masarati
6b74e9002b make sure 2-arg statements have exactly 2 args (related to ITS#7012) 2011-08-10 20:26:59 +02:00
Pierangelo Masarati
55c70629aa TLS config statements always need an argument (related to ITS#7012) 2011-08-10 20:26:59 +02:00
Howard Chu
a31a8ed20e ITS#6999 fix syncrepl timeout in refreshAndPersist 2011-07-29 13:05:45 -07:00
Rich Megginson
210b156ece ITS#7002 MozNSS: fix VerifyCert allow/try behavior
If the olcTLSVerifyClient is set to a value other than "never", the server
should request that the client send a client certificate for possible use
with client cert auth (e.g. SASL/EXTERNAL).
If set to "allow", if the client sends a cert, and there are problems with
it, the server will warn about problems, but will allow the SSL session to
proceed without a client cert.
If set to "try", if the client sends a cert, and there are problems with
it, the server will warn about those problems, and shut down the SSL session.
If set to "demand" or "hard", the client must send a cert, and the server
will shut down the SSL session if there are problems.
I added a new member of the tlsm context structure - tc_warn_only - if this
is set, tlsm_verify_cert will only warn about errors, and only if TRACE
level debug is set.  This allows the server to warn but allow bad certs
if "allow" is set, and warn and fail if "try" is set.
2011-07-28 14:09:55 -07:00
Rich Megginson
fb4b4f7445 ITS#7001 MozNSS: free the return of tlsm_find_and_verify_cert_key
If tlsm_find_and_verify_cert_key finds the cert and/or key, and it fails
to verify them, it will leave them allocated for the caller to dispose of.
There were a couple of places that were not disposing of the cert and key
upon error.
2011-07-28 14:00:15 -07:00
Howard Chu
ff7acea2d2 ITS#7000 fix bad patch in ITS#6472 2011-07-28 13:52:47 -07:00
Howard Chu
890d4c6216 ITS#7003 fix typo 2011-07-28 13:48:08 -07:00
Jan Vcelak
e8ac17e17c ITS#6998 MozNSS: when cert not required, ignore issuer expiration
When the server certificate is not required in a TLS session (e.g.
TLS_REQCERT is set to 'never'), ignore the expired issuer certificate error
and do not terminate the connection.
2011-07-21 11:59:06 -07:00
Howard Chu
8eecc9a017 Only return requested attrs in sssvlv response 2011-07-18 12:53:23 -07:00
Howard Chu
db106f89e6 ITS#6985 fix sssvlv target offset, ordering match 2011-07-18 12:41:51 -07:00
Pierangelo Masarati
c86677ef41 blind fix build on solaris native compilers (ITS#6992) 2011-07-08 08:48:59 +02:00
Pierangelo Masarati
c0b669e14f fix config emit (ITS#6986) 2011-07-07 08:16:23 +02:00
Howard Chu
c02e681121 ITS#6982 fix md5 memset invocation 2011-07-01 22:55:06 -07:00
Pierangelo Masarati
8df4c357be authTimestamp should be manageable (ITS#6873) 2011-06-30 21:55:28 +02:00
Pierangelo Masarati
92f4a3b2a7 response tag is [1] according to RFC 2589 (ITS#6886) 2011-06-30 21:24:12 +02:00
Rich Megginson
d944920fd3 ITS#6980 free the result of SSL_PeerCertificate
In tlsm_auth_cert_handler, we get the peer's cert from the socket using
SSL_PeerCertificate.  This value is allocated and/or cached.  We must
destroy it using CERT_DestroyCertificate.
2011-06-29 16:56:26 -07:00
Howard Chu
7ee3dee647 ITS#6828 set ld_errno on connect failures 2011-06-27 18:43:31 -07:00
Rein Tollevik
ffa8eca405 Merge branch 'master' of ssh://git-master.openldap.org/~git/git/openldap 2011-06-27 14:21:35 +02:00
Rein Tollevik
62861cae0e ITS#6716 Extend test where consumer/provider holds CSNs with differing SIDs. 2011-06-27 14:17:39 +02:00
Howard Chu
230f433ec7 ITS#6872 re-enable test058 2011-06-27 04:48:25 -07:00
Howard Chu
ebf07016ef ITS#6872 fix test058 breakage from prev patch 2011-06-27 04:46:43 -07:00
Howard Chu
052ac2f64a ITS#6828 silence warning in prev commit 2011-06-24 18:03:11 -07:00
Howard Chu
d76be4828c ITS#6977 fix verbose check in client tools 2011-06-23 17:10:37 -07:00
Howard Chu
d0973003f7 ITS#6978 bail out on invalid input 2011-06-23 13:17:08 -07:00