Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

This commit is contained in:
Quanah Gibson-Mount 2021-02-24 23:26:07 +00:00
commit 49b2b22cfd
148 changed files with 1775 additions and 778 deletions


@ -25,7 +25,7 @@ build-openssl-heimdal-lloadd:
- apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential pkg-config automake libsasl2-dev heimdal-multidev libssl-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev heimdal-kdc libsasl2-modules-gssapi-heimdal sasl2-bin libevent-dev
- autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --disable-asyncmeta --enable-balancer=mod
- ./configure --enable-backends=mod --enable-overlays=mod --enable-modules --enable-dynamic --disable-ndb --enable-balancer=mod
- make depend
- make
- ulimit -n 4096 # back-monitor takes a while scanning a long connections array
@ -43,7 +43,7 @@ build-gnutls-mit-standalone-lloadd:
- apt update
- DEBIAN_FRONTEND=noninteractive apt install -y build-essential pkg-config automake libsasl2-dev libltdl-dev groff-base unixodbc-dev libwiredtiger-dev libperl-dev krb5-user krb5-kdc krb5-admin-server libsasl2-modules-gssapi-mit sasl2-bin libgnutls28-dev libevent-dev
- autoreconf
- ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --disable-asyncmeta --enable-balancer=yes
- ./configure --enable-backends=mod --enable-overlays=mod --disable-autoca --enable-modules --enable-dynamic --disable-ndb --enable-balancer=yes
- make depend
- make
- ulimit -n 4096 # back-monitor takes a while scanning a long connections array


@ -317,7 +317,7 @@ eval `echo h.$opt_spec |\
eval `echo h:help,$opt_alias |\
sed -e 's/-/_/g' -e 's/\([a-zA-Z0-9]\):\([^,]*\),*/opt_ALIAS_\2=\1;/g'`
# interate over argument line
# iterate over argument line
opt_PREV=''
while [ $# -gt 0 ]; do
# special option stops processing
@ -383,11 +383,11 @@ while [ $# -gt 0 ]; do
eval "opt_${opt_OPT}=yes"
;;
':' )
# option with argument (multiple occurances override)
# option with argument (multiple occurrences override)
eval "opt_${opt_OPT}=\"\$opt_ARG\""
;;
'+' )
# option with argument (multiple occurances append)
# option with argument (multiple occurrences append)
eval "opt_${opt_OPT}=\"\$opt_${opt_OPT}\${ASC_NL}\$opt_ARG\""
;;
* )


@ -68,7 +68,7 @@ usage( void )
{
fprintf( stderr, _("Delete entries from an LDAP server\n\n"));
fprintf( stderr, _("usage: %s [options] [dn]...\n"), prog);
fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be readed from stdin\n"));
fprintf( stderr, _(" dn: list of DNs to delete. If not given, it will be read from stdin\n"));
fprintf( stderr, _(" or from the file specified with \"-f file\".\n"));
fprintf( stderr, _("Delete Options:\n"));
fprintf( stderr, _(" -c continuous operation mode (do not stop on errors)\n"));


@ -132,7 +132,7 @@ usage( void )
fprintf( stderr, _(" !dontUseCopy (Don't Use Copy)\n"));
fprintf( stderr, _(" [!]mv=<filter> (RFC 3876 matched values filter)\n"));
fprintf( stderr, _(" [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)\n"));
fprintf( stderr, _(" [!]ps=<changetypes>/<changesonly>/<echg> (draft persisten search)\n"));
fprintf( stderr, _(" [!]ps=<changetypes>/<changesonly>/<echg> (draft persistent search)\n"));
fprintf( stderr, _(" [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]\n"));
fprintf( stderr, _(" (RFC 2891 server side sorting)\n"));
fprintf( stderr, _(" [!]subentries[=true|false] (RFC 3672 subentries)\n"));


@ -17208,7 +17208,7 @@ done
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x1000200fL
#if OPENSSL_VERSION_NUMBER < 0x1010100fL
#error "OpenSSL is too old"
#endif
_ACEOF
@ -17217,14 +17217,14 @@ if ac_fn_c_try_cpp "$LINENO"; then :
else
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
as_fn_error $? "OpenSSL 1.0.2a or newer required
as_fn_error $? "OpenSSL 1.1.1 or newer required
See \`config.log' for more details" "$LINENO" 5; }
fi
rm -f conftest.err conftest.i conftest.$ac_ext
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_set_msg_callback in -lssl" >&5
$as_echo_n "checking for SSL_CTX_set_msg_callback in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_CTX_set_msg_callback+:} false; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_export_keying_material_early in -lssl" >&5
$as_echo_n "checking for SSL_export_keying_material_early in -lssl... " >&6; }
if ${ac_cv_lib_ssl_SSL_export_keying_material_early+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
@ -17238,80 +17238,33 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
#ifdef __cplusplus
extern "C"
#endif
char SSL_CTX_set_msg_callback ();
char SSL_export_keying_material_early ();
int
main ()
{
return SSL_CTX_set_msg_callback ();
return SSL_export_keying_material_early ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_SSL_CTX_set_msg_callback=yes
ac_cv_lib_ssl_SSL_export_keying_material_early=yes
else
ac_cv_lib_ssl_SSL_CTX_set_msg_callback=no
ac_cv_lib_ssl_SSL_export_keying_material_early=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_set_msg_callback" >&5
$as_echo "$ac_cv_lib_ssl_SSL_CTX_set_msg_callback" >&6; }
if test "x$ac_cv_lib_ssl_SSL_CTX_set_msg_callback" = xyes; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_export_keying_material_early" >&5
$as_echo "$ac_cv_lib_ssl_SSL_export_keying_material_early" >&6; }
if test "x$ac_cv_lib_ssl_SSL_export_keying_material_early" = xyes; then :
have_openssl=yes
need_rsaref=no
else
have_openssl=no
fi
if test $have_openssl = no ; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ssl3_accept in -lssl" >&5
$as_echo_n "checking for ssl3_accept in -lssl... " >&6; }
if ${ac_cv_lib_ssl_ssl3_accept+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-lssl -lcrypto -lRSAglue -lrsaref $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char ssl3_accept ();
int
main ()
{
return ssl3_accept ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_ssl_ssl3_accept=yes
else
ac_cv_lib_ssl_ssl3_accept=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_ssl3_accept" >&5
$as_echo "$ac_cv_lib_ssl_ssl3_accept" >&6; }
if test "x$ac_cv_lib_ssl_ssl3_accept" = xyes; then :
have_openssl=yes
need_rsaref=yes
else
have_openssl=no
fi
fi
if test $have_openssl = yes ; then
ol_with_tls=openssl
ol_link_tls=yes
@ -17321,15 +17274,7 @@ fi
$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
if test $need_rsaref = yes; then
$as_echo "#define HAVE_RSAREF 1" >>confdefs.h
TLS_LIBS="-lssl -lcrypto -lRSAglue -lrsaref"
else
TLS_LIBS="-lssl -lcrypto"
fi
TLS_LIBS="-lssl -lcrypto"
fi
fi
fi
@ -22929,6 +22874,53 @@ else
have_libevent=no
fi
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libevent_global_shutdown in -levent" >&5
$as_echo_n "checking for libevent_global_shutdown in -levent... " >&6; }
if ${ac_cv_lib_event_libevent_global_shutdown+:} false; then :
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
LIBS="-levent $LIBS"
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
/* Override any GCC internal prototype to avoid an error.
Use char because int might match the return type of a GCC
builtin and then its argument prototype would still apply. */
#ifdef __cplusplus
extern "C"
#endif
char libevent_global_shutdown ();
int
main ()
{
return libevent_global_shutdown ();
;
return 0;
}
_ACEOF
if ac_fn_c_try_link "$LINENO"; then :
ac_cv_lib_event_libevent_global_shutdown=yes
else
ac_cv_lib_event_libevent_global_shutdown=no
fi
rm -f core conftest.err conftest.$ac_objext \
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_event_libevent_global_shutdown" >&5
$as_echo "$ac_cv_lib_event_libevent_global_shutdown" >&6; }
if test "x$ac_cv_lib_event_libevent_global_shutdown" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBEVENT 1
_ACEOF
LIBS="-levent $LIBS"
else
have_libevent=no
fi
@ -22937,7 +22929,7 @@ fi
$as_echo "#define HAVE_LIBEVENT 1" >>confdefs.h
else
as_fn_error $? "You need libevent 2.0 or later with DNS support to build the load balancer" "$LINENO" 5
as_fn_error $? "You need libevent 2.1 or later with DNS support to build the load balancer" "$LINENO" 5
fi
fi


@ -1181,23 +1181,15 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
if test $ac_cv_header_openssl_ssl_h = yes ; then
AC_PREPROC_IFELSE([AC_LANG_SOURCE(
[[#include <openssl/opensslv.h>]
[#if OPENSSL_VERSION_NUMBER < 0x1000200fL]
[#if OPENSSL_VERSION_NUMBER < 0x1010100fL]
[#error "OpenSSL is too old"]
[#endif]])],
, [AC_MSG_FAILURE([OpenSSL 1.0.2a or newer required])])
, [AC_MSG_FAILURE([OpenSSL 1.1.1 or newer required])])
AC_CHECK_LIB(ssl, SSL_CTX_set_msg_callback,
[have_openssl=yes
need_rsaref=no], [have_openssl=no],
AC_CHECK_LIB(ssl, SSL_export_keying_material_early,
[have_openssl=yes], [have_openssl=no],
[-lcrypto])
if test $have_openssl = no ; then
AC_CHECK_LIB(ssl, ssl3_accept,
[have_openssl=yes
need_rsaref=yes], [have_openssl=no],
[-lcrypto -lRSAglue -lrsaref])
fi
if test $have_openssl = yes ; then
ol_with_tls=openssl
ol_link_tls=yes
@ -1206,14 +1198,7 @@ if test $ol_with_tls = openssl || test $ol_with_tls = auto ; then
AC_DEFINE(HAVE_OPENSSL, 1,
[define if you have OpenSSL])
if test $need_rsaref = yes; then
AC_DEFINE(HAVE_RSAREF, 1,
[define if OpenSSL needs RSAref])
TLS_LIBS="-lssl -lcrypto -lRSAglue -lrsaref"
else
TLS_LIBS="-lssl -lcrypto"
fi
TLS_LIBS="-lssl -lcrypto"
fi
fi
fi
@ -2158,11 +2143,12 @@ if test $ol_enable_balancer != no ; then
[have_libevent=yes
LEVENT_LIBS="$LEVENT_LIBS -levent"],
[have_libevent=no])])
AC_CHECK_LIB(event, libevent_global_shutdown, [], [have_libevent=no])
if test $have_libevent = yes ; then
AC_DEFINE(HAVE_LIBEVENT, 1, [define if you have -levent])
else
AC_MSG_ERROR([You need libevent 2.0 or later with DNS support to build the load balancer])
AC_MSG_ERROR([You need libevent 2.1 or later with DNS support to build the load balancer])
fi
fi
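Review bot: The new `AC_CHECK_LIB(event, libevent_global_shutdown, [], [have_libevent=no])` leaves action-if-found empty, so Autoconf's default action runs: it defines HAVE_LIBEVENT and prepends `-levent` to LIBS, which the generated configure shows (`#define HAVE_LIBEVENT 1` followed by `LIBS="-levent $LIBS"`), whereas the check just above deliberately keeps the library in LEVENT_LIBS and leaves LIBS alone. That makes every later link test and every program link pull in -levent, and the explicit `AC_DEFINE(HAVE_LIBEVENT, ...)` two lines below becomes redundant. Using `AC_CHECK_LIB(event, libevent_global_shutdown, [:], [have_libevent=no])` keeps the existing have_libevent/LEVENT_LIBS scheme intact, and wrapping it in `if test $have_libevent = yes ; then ... fi` avoids probing when the first check already failed. The enclosing `if test $ol_enable_balancer != no` block starts outside the hunk.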


@ -20,7 +20,7 @@ Please read:
- Add SASL Authentication
- Add methods to the Data Classes (LDAPAttribute, LDAPEntry) for higher
usability. (e.g. LDAPAttributeList::getAttribute(name), ... )
- implement some Controls/Extented Operations
- implement some Controls/Extended Operations
- LDIF im/export library
- Rework the logging and debugging facilities
- write some more documentation about the design and structure of the


@ -108,7 +108,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* This method does a simple (username, password) bind to the server.
* Other, saver, authentcation methods are provided later
* @param dn the distinguished name to bind as
@ -132,7 +132,7 @@ class LDAPAsynConnection{
* Use the search method to perform a search on the LDAP-Directory
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param base The distinguished name of the starting point for the
* search operation
* @param scope The scope of the search. Possible values: <BR>
@ -157,7 +157,7 @@ class LDAPAsynConnection{
* This method sends a delete request to the server
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param dn Distinguished name of the entry that should be deleted
* @param cons A set of constraints that should be used with this
* request
@ -169,7 +169,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param dn Distinguished name of the entry for which the compare
* should be performed
* @param attr An Attribute (one (!) value) to use for the
@ -185,7 +185,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param le The entry that will be added to the directory
*/
LDAPMessageQueue* add( const LDAPEntry* le,
@ -195,7 +195,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param dn Distinguished Name of the Entry to modify
* @param modlist A set of modification that should be applied
* to the Entry
@ -210,7 +210,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param dn DN to modify
* @param newRDN The new relative DN for the entry
* @param delOldRDN true=The old RDN will be removed from the
@ -229,7 +229,7 @@ class LDAPAsynConnection{
*
* @throws LDAPException If the Request could not be sent to the
* destination server, a LDAPException-object contains the
* error that occured.
* error that occurred.
* @param oid The dotted decimal representation of the extended
* Operation that should be performed
* @param value The data associated with this operation


@ -14,7 +14,7 @@
/** Main class for synchronous LDAP-Communication
*
* The class represent a LDAP-Connection to perform synchronous
* LDAP-Operations. This provides methodes for the different
* LDAP-Operations. This provides methods for the different
* LDAP-Operations. All the methods for the LDAP-operations block until
* all results for the operation are received or until an error occurs
*/


@ -18,7 +18,7 @@
// * the Restart-Option ???
// * default Server(s)
//* Class for representating the various protocol options
//* Class for representing the various protocol options
/** This class represents some options that can be set for a LDAPConnection
* operation. Namely these are time and size limits. Options for referral
* chasing and a default set of client of server controls to be used with


@ -61,7 +61,7 @@ class LDAPRequest{
void unbind() const;
/**
* This method encodes the request an calls the apprpriate
* This method encodes the request an calls the appropriate
* functions of the C-API to send the Request to a LDAP-Server
*/
virtual LDAPMessageQueue* sendRequest()=0;


@ -48,7 +48,7 @@ Shared libraries and Tcl packages.
If Tcl is built with --enable-shared, AND OpenLDAP (or another version
for that matter) has been build to create -llber and -lldap as shared
libaries, AND you build ldaptcl with --enable-shared, it should be
libraries, AND you build ldaptcl with --enable-shared, it should be
possible to run a plain Tcl interpreter (eg. tclsh8.0) and do
package require Ldaptcl


@ -178,7 +178,7 @@ LDAP_ErrorStringToCode(Tcl_Interp *interp, char *s)
* o evalCodeObj - Tcl_Obj pointer to code to eval against this result.
* Returns:
* o TCL_OK if processing succeeded..
* o TCL_ERROR if an error occured, with error message in interp.
* o TCL_ERROR if an error occurred, with error message in interp.
*-----------------------------------------------------------------------------
*/
int
@ -282,7 +282,7 @@ LDAP_ProcessOneSearchResult (interp, ldap, entry, destArrayNameObj, evalCodeObj)
* o evalCodeObj - Tcl_Obj pointer to code to eval against this result.
* Returns:
* o TCL_OK if processing succeeded..
* o TCL_ERROR if an error occured, with error message in interp.
* o TCL_ERROR if an error occurred, with error message in interp.
*-----------------------------------------------------------------------------
*/
int


@ -32,7 +32,7 @@
#include <ac/time.h>
#include <ac/string.h>
#include <ac/ctype.h>
#include "config.h"
#include "slap-config.h"
typedef struct adremap_dnv {
struct adremap_dnv *ad_next;


@ -39,7 +39,7 @@ allop-URI <ldapURI>
#include <ac/string.h>
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#define SLAP_OVER_VERSION_REQUIRE(major,minor,patch) \
( \


@ -27,7 +27,7 @@
#include "portable.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#include "lutil.h"
#include "ac/string.h"


@ -31,7 +31,7 @@
#include <ac/string.h>
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#include "lutil.h"
#ifndef SLAPD_MEMBEROF_ATTR
@ -849,7 +849,7 @@ done:
/*
** When adding a group, we first strip any existing members,
** and add all which match the filters ourselfs.
** and add all which match the filters ourselves.
*/
static int
autogroup_add_entry( Operation *op, SlapReply *rs)
@ -1385,7 +1385,7 @@ autogroup_response( Operation *op, SlapReply *rs )
/* When modifying any of the attributes of an entry, we must
check if the entry is in any of our groups, and if
the modified entry maches any of the filters of that group.
the modified entry matches any of the filters of that group.
If the entry exists in a group, but the modified attributes do
not match any of the group's filters, we delete the entry from that group.


@ -30,7 +30,7 @@
#include "lutil.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
enum { CLOAK_ATTR = 1 };


@ -123,7 +123,7 @@ AsnTypetoCompMatchingRule asntype_to_compMR_mapping_tbl[] = {
};
/*
* This table mapps an ASN type to a corresponding ComponentType which has
* This table maps an ASN type to a corresponding ComponentType which has
* equivalent contents of an existing AttributeType
*/
AsnTypetoCompType asntype_to_compType_mapping_tbl[] = {


@ -558,7 +558,7 @@ retrieve_matching_rule( char* mr_oid, AsnTypeId type );
#define INITIAL_ATTR_SIZE 256
#define INCREMENT_SIZE 32
/*
* Followings are for conversion from ASN.1 RDN and DN to
* The following are for conversion from ASN.1 RDN and DN to
* LDAP encodings
*/
#define MAX_ALIASING_ENTRY 128


@ -687,7 +687,7 @@ comp_test_components( void* attr_nm, void* assert_nm, ComponentSyntaxInfo* csi_a
rc = comp_test_components( attr_nm, assert_nm, contained_comp, ca );
}
else {
/* Ivalid Component reference */
/* Invalid Component reference */
rc = LDAP_PROTOCOL_ERROR;
}
break;


@ -17,7 +17,7 @@ default to).
Use Makefile or the following commands should work to
build it from inside the unpacked slapd sources, provided the required KRB5
header files and libaries are installed on your system:
header files and libraries are installed on your system:
gcc -fPIC -c -I ../../../include/ -I ../../../servers/slapd kinit.c
gcc -shared -o kinit.so kinit.o -lkrb5


@ -36,7 +36,7 @@
#include <ac/time.h>
#include <ac/string.h>
#include <ac/ctype.h>
#include "config.h"
#include "slap-config.h"
/* Per-instance configuration information */
typedef struct lastbind_info {


@ -29,7 +29,7 @@
#include "lutil.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
static ConfigDriver nops_cf_gen;


@ -228,10 +228,10 @@ static void debug_dump(const void *ptr, size_t size)
#define BUF_SKIP(sz) \
bufptr += (size_t)(sz);
/* move BUF_CUR foreward so that it is aligned to the specified
/* move BUF_CUR forward so that it is aligned to the specified
type width */
#define BUF_ALIGN(fp, type) \
/* figure out number of bytes to skip foreward */ \
/* figure out number of bytes to skip forward */ \
tmp2int32 = (sizeof(type) - ((BUF_CUR - (char *)NULL) % sizeof(type))) \
% sizeof(type); \
/* check and skip */ \
@ -279,7 +279,7 @@ static void debug_dump(const void *ptr, size_t size)
(field) = BUF_CUR; \
BUF_SKIP(tmpint32 + 1);
/* read an array from a stram and store it as a null-terminated
/* read an array from a stream and store it as a null-terminated
array list (size for the array is allocated) */
#define READ_BUF_STRINGLIST(fp, arr) \
/* read the number of entries */ \
@ -299,7 +299,7 @@ static void debug_dump(const void *ptr, size_t size)
/* SKIP macros for skipping over certain parts of the protocol stream. */
/* skip a number of bytes foreward */
/* skip a number of bytes forward */
#define SKIP(fp, sz) \
DEBUG_PRINT("READ : skip %d bytes", (int)(sz)); \
/* read (skip) the specified number of bytes */ \


@ -184,7 +184,7 @@ static int tio_wait(int fd, short events, int timeout,
return -1;
}
else if ((errno != EINTR) && (errno != EAGAIN))
/* some error ocurred */
/* some error occurred */
return -1;
/* we just try again on EINTR or EAGAIN */
}


@ -27,7 +27,7 @@
#define SLAPD_OVER_NSSOV SLAPD_MOD_DYNAMIC
#endif
#include "../slapd/config.h" /* not nss-ldapd config.h */
#include "slap-config.h"
#include "lutil.h"
@ -158,7 +158,7 @@ int write_address(TFILE *fp,struct berval *addr)
/* failure, log but write simple invalid address
(otherwise the address list is messed up) */
/* TODO: have error message in correct format */
Debug(LDAP_DEBUG_ANY,"nssov: unparseable address: %s\n",addr->bv_val );
Debug(LDAP_DEBUG_ANY,"nssov: unparsable address: %s\n",addr->bv_val );
/* write an illegal address type */
WRITE_INT32(fp,-1);
/* write an empty address */
@ -928,7 +928,7 @@ nssov_db_open(
Debug( LDAP_DEBUG_ANY,"nssov: bind() to "NSLCD_SOCKET" failed: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
if (close(sock)) {
saved_errno = errno
saved_errno = errno;
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
}
@ -941,7 +941,7 @@ nssov_db_open(
Debug( LDAP_DEBUG_ANY,"nssov: fcntl(F_SETFL,O_NONBLOCK) failed: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
if (close(sock)) {
saved_errno = errno
saved_errno = errno;
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
}
@ -958,7 +958,7 @@ nssov_db_open(
Debug( LDAP_DEBUG_ANY,"nssov: chmod(0666) failed: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
if (close(sock)) {
saved_errno = errno
saved_errno = errno;
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
}
@ -971,7 +971,7 @@ nssov_db_open(
Debug( LDAP_DEBUG_ANY,"nssov: listen() failed: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
if (close(sock)) {
saved_errno = errno
saved_errno = errno;
Debug( LDAP_DEBUG_ANY,"nssov: problem closing socket: %s",
AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
}
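Review bot: The four `if (close(sock)) { saved_errno = errno; Debug(...) }` blocks that this hunk and the three preceding ones repair are byte-identical, and the message they log (`"nssov: problem closing socket: %s"`) has no trailing newline, unlike the other Debug message in this file (`"nssov: unparsable address: %s\n"`); unless Debug() appends one itself, these lines run together in the log. Since the semicolon was missed in all four copies, the duplication is the underlying problem; a small static helper that closes the socket and logs any failure, called from each error path as `nssov_close_sock( sock );`, removes it and gives the newline one place to live. The buffer size in the sketch below is a constructed value; use whatever size the caller's `ebuf` has. nssov_db_open starts and ends outside the hunk.
```c
/* Close a listening socket whose setup failed; log (but do not
 * propagate) a close() error, since the caller is already failing. */
static void
nssov_close_sock( int sock )
{
	char ebuf[128]; /* constructed size: match the ebuf in nssov_db_open */

	if ( close( sock ) ) {
		int saved_errno = errno;
		Debug( LDAP_DEBUG_ANY, "nssov: problem closing socket: %s\n",
			AC_STRERROR_R( saved_errno, ebuf, sizeof(ebuf) ) );
	}
}

/* … unchanged: nssov_db_open up to the listen() failure path … */
		Debug( LDAP_DEBUG_ANY,"nssov: listen() failed: %s",
			AC_STRERROR_R(saved_errno, ebuf, sizeof(ebuf)) );
		nssov_close_sock( sock );
```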


@ -28,6 +28,7 @@
#endif
#include <stdio.h>
#include <errno.h>
#include "nslcd.h"
#include "nslcd-prot.h"


@ -83,7 +83,7 @@ static long to_date(struct berval *date,AttributeDescription *attr)
/* we expect an AD 64-bit datetime value;
we should do date=date/864000000000-134774
but that causes problems on 32-bit platforms,
first we devide by 1000000000 by stripping the
first we divide by 1000000000 by stripping the
last 9 digits from the string and going from there */
l=date->bv_len-9;
if (l<1 || l>(sizeof(buffer)-1))


@ -242,7 +242,7 @@ Specify a PAM service name whose sessions will be recorded. For the
configured services, logins will be recorded in the
.TP
.B nssov-pam-password-prohibit-message <message>
Diable password change service and return the specified message to
Disable password change service and return the specified message to
users.
.TP
.B nssov-pam-pwdmgr-dn <dn>


@ -24,7 +24,7 @@ First, You need to configure and build OpenLDAP.
$ make
# make install
# Configration
# Configuration
In slapd.conf:


@ -52,7 +52,7 @@ const struct berval pbkdf2_sha512_scheme = BER_BVC("{PBKDF2-SHA512}");
* Converting base64 string to adapted base64 string.
* Adapted base64 encode is identical to general base64 encode except
* that it uses '.' instead of '+', and omits trailing padding '=' and
* whitepsace.
* whitespace.
* see http://pythonhosted.org/passlib/lib/passlib.utils.html
* This is destructive function.
*/


@ -65,7 +65,7 @@
* Please make sure that your system defines BYTE_ORDER. If your
* architecture is little-endian, make sure it also defines
* LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
* equivilent.
* equivalent.
*
* If your system does not define the above, then you can do so by
* hand like this:


@ -92,7 +92,7 @@ static void HMAC_CTX_free(HMAC_CTX *ctx)
#endif
#include "slap.h"
#include "config.h"
#include "slap-config.h"
static LUTIL_PASSWD_CHK_FUNC chk_totp1, chk_totp256, chk_totp512,
chk_totp1andpw, chk_totp256andpw, chk_totp512andpw;


@ -29,7 +29,7 @@
#include "ac/socket.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#include "lutil.h"


@ -29,7 +29,7 @@
#include "ac/socket.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#include "lutil.h"


@ -29,7 +29,7 @@
#include "ac/socket.h"
#include "slap.h"
#include "config.h"
#include "slap-config.h"
#include "lutil.h"


@ -32,7 +32,7 @@
#include <ac/errno.h>
#include <ac/string.h>
#include "config.h"
#include "slap-config.h"
#ifdef DO_KRB5
#include <lber.h>


@ -28,7 +28,7 @@
#include <ac/socket.h>
#include "slap.h"
#include "config.h"
#include "slap-config.h"
/* This overlay intercepts write operations and adds a Microsoft-style
* USN to the target entry.


@ -160,7 +160,7 @@ initializer I;
)
}
// the rest identifies and removes a (newly-)reduntant LogTest check
// the rest identifies and removes a (newly-)redundant LogTest check
@if_guard@
position p;
statement s;


@ -86,7 +86,10 @@ index.html: index.sdf sdf-src sdf-img
admin.html: admin.sdf sdf-src sdf-img
sdf -DPDF -2html admin.sdf
guide.pdf: admin.html guide.book
booktitle.html: booktitle.sdf
sdf -2html booktitle.sdf
guide.pdf: admin.html booktitle.html guide.book
htmldoc --batch guide.book -f guide.pdf
OpenLDAP-Admin-Guide.pdf: admin.html guide.book


@ -1112,8 +1112,9 @@ You can restrict access based on the security strength factor (SSF)
0 (zero) implies no protection,
1 implies integrity protection only,
56 DES or other weak ciphers,
112 triple DES and other strong ciphers,
128 RC4, Blowfish and other modern strong ciphers.
112 triple DES and similar ciphers,
128 RC4, Blowfish and other similar ciphers,
256 modern ciphers.
Other possibilities:


@ -68,7 +68,7 @@ These features were strongly deprecated in 2.4 and removed in 2.5.
H3: back-bdb and back-hdb
back-bdb and back-hdb were signficantly slower than back-mdb and
back-bdb and back-hdb were significantly slower than back-mdb and
required significant tuning of multiple parameters to maximize
performance. back-mdb requires no tuning and provides all the
functionality previously provided via back-bdb and back-hdb.


@ -944,7 +944,6 @@ RetCodes
userApplications
NDBM
newSuperiorDN
browseable
auditBind
setstyle
newSuperior


@ -0,0 +1,34 @@
# $OpenLDAP$
# Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
#
# Document: OpenLDAP Administrator's Guide
# Master: master.sdf
#
!include "../preamble.sdf"
!define DOC_TOC 3
!define DOC_TYPE "Administrator's Guide"
!macro build_html_cover
!block inline
<DIV align="Center">
!endblock
!default DOC_HTML_LOGO_BASE $var{'DOC_LOGO_BASE'}
!import "../images/LDAPwww.gif"; base=$var{'DOC_HTML_LOGO_BASE'}
P1[notoc; class='doc-title'] [[DOC_TITLE]]
Sign[class='doc-modified'] [[DATE:DOC_MODIFIED]]
!block inline
</DIV>
!endblock
!endmacro
!macro HTML_HEADER
!endmacro
!macro HTML_FOOTER
!endmacro
!build_title


@ -126,8 +126,16 @@ unacceptably long time to add using the LDAP method described above.
These tools read the slapd configuration file and an input file
containing a text representation of the entries to add. For database
types which support the tools, they produce the database files
directly (otherwise you must use the on-line method above). There
are several important configuration options you will want to be
directly (otherwise you must use the on-line method above). Also,
the input file must be completely valid, as these tools do fewer
consistency checks than the on-line method.
Note: this Guide is not meant to provide exhaustive documentation
on the software. The tool descriptions here only list a few of the
available options for each command. Read the associated manpages for
complete documentation on all of the available options.
There are several important configuration options you will want to be
sure and set in the config file database definition first:
> suffix <dn>
@ -225,11 +233,12 @@ modifying {{slapd.conf}}(5)). This is possible using the {{slapindex}}(8)
program. {{slapindex}} is invoked like this
> slapindex -f <slapdconfigfile>
> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>]
> [-d <debuglevel>] [-n <databasenumber>|-b <suffix>] [attr...]
Where the {{EX:-f}}, {{EX:-d}}, {{EX:-n}} and {{EX:-b}} options
are the same as for the {{slapadd}}(1) program. {{slapindex}}
rebuilds all indices based upon the current database contents.
are the same as for the {{slapadd}}(1) program. If no specific
attributes are listed, {{slapindex}} rebuilds all indices based
upon the current database contents.
H3: The {{EX:slapcat}} program


@ -1,3 +1,3 @@
#HTMLDOC 1.8.27
-t pdf14 --book --toclevels 3 --no-numbered --toctitle "Table of Contents" --title --titleimage "../images/LDAPwww.gif" --linkstyle plain --size Universal --left 1.00in --right 0.50in --top 0.50in --bottom 0.50in --header .t. --header1 ... --footer ..1 --nup 1 --tocheader .t. --tocfooter ..i --duplex --portrait --color --no-pscommands --no-xrxcomments --compression=1 --jpeg=0 --fontsize 11.0 --fontspacing 1.2 --headingfont Helvetica --bodyfont Times --headfootsize 11.0 --headfootfont Helvetica --charset iso-8859-1 --links --embedfonts --pagemode outline --pagelayout single --firstpage p1 --pageeffect none --pageduration 10 --effectduration 1.0 --no-encryption --permissions all --owner-password "" --user-password "" --browserwidth 680 --no-strict --no-overflow
-t pdf14 --book --toclevels 3 --no-numbered --toctitle "Table of Contents" --title --titlefile "booktitle.html" --linkstyle plain --size Universal --left 1.00in --right 0.50in --top 0.50in --bottom 0.50in --header .t. --header1 ... --footer ..1 --nup 1 --tocheader .t. --tocfooter ..i --duplex --portrait --color --no-pscommands --no-xrxcomments --compression=1 --jpeg=0 --fontsize 11.0 --fontspacing 1.2 --headingfont Helvetica --bodyfont Times --headfootsize 11.0 --headfootfont Helvetica --charset iso-8859-1 --links --embedfonts --pagemode outline --pagelayout single --firstpage p1 --pageeffect none --pageduration 10 --effectduration 1.0 --no-encryption --permissions all --owner-password "" --user-password "" --browserwidth 680 --no-strict --no-overflow
admin.html


@ -57,7 +57,7 @@ support browsing and searching.
While some consider the Internet {{TERM[expand]DNS}} (DNS) is an
example of a globally distributed directory service, DNS is not
browseable nor searchable. It is more properly described as a
browsable nor searchable. It is more properly described as a
globally distributed {{lookup}} service.


@ -70,19 +70,63 @@ The default sizelimit is 500 entries and the default timelimit is
An extended form allows soft and hard limits to be set separately:
> sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
> sizelimit size[.{soft|hard}]=<integer> [...]
> timelimit time[.{soft|hard}]=<integer> [...]
Thus, to set a soft sizelimit of 10 entries and a hard limit of 75 entries:
E: sizelimit size.soft=10 size.hard=75
H3: Special Size Limits
There are other forms of size limits in addition to the soft and hard limits.
Note that when using the simple {{sizelimit}} form, none of these special
limits are changed.
H4: Unchecked Limits
The {{unchecked}} keyword sets a limit on how many entries the server
will examine once it has created an initial set of candidate results by
using indices. This can be very important in a large directory, as a
search that cannot be satisfied from an index might cause the server to
examine millions of entries, therefore always make sure the correct indexes
are configured.
will examine after doing index lookups but before evaluating filter
matches. If the set of candidates exceeds this limit, the search is aborted.
The purpose is to avoid causing excessive workload on {{slapd}}
if a filter uses attributes that are not properly indexed, and can
be critical for very large directories.
> sizelimit size.unchecked={<integer>|unlimited|disabled}
The default is unlimited. The {{disabled}} setting prevents a search
from being performed at all. This may be useful in the per-database
limits described below, to disallow searches for a specific set of users.
H4: Paged Results Limits
If the LDAP client adds the {{pagedResultsControl}} to the search operation,
the hard size limit is used by default, because the request for a specific
page size is considered an explicit request for a limitation on the number
of entries to be returned. However, the size limit applies to the total
count of entries returned within the search, and not to a single page.
Additional size limits may be enforced for paged searches.
The {{EX:size.pr}} limit controls the maximum page size:
> sizelimit size.pr={<integer>|noEstimate|unlimited}
{{EX:<integer>}} is the maximum page size if no explicit size is set.
{{EX:noEstimate}} has no effect in the current implementation as the
server does not return an estimate of the result size anyway.
{{EX:unlimited}} indicates that no limit is applied to the maximum
page size.
The {{EX:size.prtotal}} limit controls the total number of entries
that can be returned by a paged search. By default the limit is the
same as the normal {{EX:size.hard}} limit.
> size.prtotal={<integer>|unlimited|disabled}
{{EX:unlimited}} removes the limit on the number of entries that can be
returned by a paged search.
{{EX:disabled}} can be used to selectively disable paged result searches.
H2: Per-Database Limits
@ -150,43 +194,14 @@ H3: Specifying size limits
The syntax for size limit is
E: size[.{soft|hard|unchecked}]=<integer>
E: size[.{soft|hard}]=<integer>
where {{EX:<integer>}} is the maximum number of entries slapd will return
when answering a search request.
Soft, hard, and "unchecked" limits are available, with the same meanings
described for the global limits configuration above.
In addition to soft and hard limits, other limits are also available,
with the same meanings described for the global limits configuration above.
H3: Size limits and Paged Results
If the LDAP client adds the {{pagedResultsControl}} to the search operation,
the hard size limit is used by default, because the request for a specific
page size is considered an explicit request for a limitation on the number
of entries to be returned. However, the size limit applies to the total
count of entries returned within the search, and not to a single page.
Additional size limits may be enforced for paged searches.
The {{EX:size.pr}} limit controls the maximum page size:
> size.pr={<integer>|noEstimate|unlimited}
{{EX:<integer>}} is the maximum page size if no explicit size is set.
{{EX:noEstimate}} has no effect in the current implementation as the
server does not return an estimate of the result size anyway.
{{EX:unlimited}} indicates that no limit is applied to the maximum
page size.
The {{EX:size.prtotal}} limit controls the total number of entries
that can be returned by a paged search. By default the limit is the
same as the normal {{EX:size.hard}} limit.
> size.prtotal={<integer>|unlimited|disabled}
{{EX:unlimited}} removes the limit on the number of entries that can be
returned by a paged search.
{{EX:disabled}} can be used to selectively disable paged result searches.
H2: Example Limit Configurations

@ -365,7 +365,7 @@ Configuration via {{slapd.conf}}(5) would look like:
> ldap:///dc=catalog,dc=example,dc=com?title?sub?(objectClass=titleCatalog)
A specification like the above would reject any {{mail}} attribute which did not
look like {{<alpha-numeric string>@mydomain.com}}.
look like {{<alphanumeric string>@mydomain.com}}.
It would also reject any title attribute whose values were not listed in the
title attribute of any {{titleCatalog}} entries in the given scope.

@ -742,7 +742,8 @@ This sets up the config database:
> olcDatabase: {0}config
> olcRootPW: secret
second and third servers will have a different olcServerID obviously:
Each server must have a unique server ID ({{EX:SID}}), so
second and third servers will have a different {{EX:olcServerID}} obviously:
> dn: cn=config
> objectClass: olcGlobal
@ -805,7 +806,8 @@ We still have to replicate the actual data, not just the config, so add to the p
> olcDbDirectory: ./db
> olcRootDN: $MANAGERDN
> olcRootPW: $PASSWD
> olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
> olcLimits: dn.exact="$MANAGERDN" time.soft=unlimited time.hard=unlimited
> size.soft=unlimited size.hard=unlimited
> olcSyncRepl: rid=004 provider=$URI1 binddn="$MANAGERDN" bindmethod=simple
> credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
> interval=00:00:00:10 retry="5 5 300 5" timeout=1
@ -832,6 +834,17 @@ directives are the URLs of the servers from which to replicate. These
must exactly match the URLs {{slapd}} listens on ({{-h}} in {{SECT:Command-Line Options}}).
Otherwise slapd may attempt to replicate from itself, causing a loop.
Note: The {{entryCSN}} and {{contextCSN}} attributes are used
to track changes to an entry and naming context, respectively. The
{{EX:SID}} which must be unique for each replication provider is a
component of these CSNs. If you're using {{slapadd}} to load a
database and there are no entryCSNs already present in the input
LDIF, {{slapadd}} will generate them with a {{SID}} of {{EX:000}}. This
is not a valid {{SID}} for multi-provider replication, and you
should use the {{EX:-S}} option of {{slapadd}} (8) to specify
a valid {{SID}} for these generated CSNs. If there are existing
entryCSNs in the input LDIF, {{slapadd}} will not change them.
H3: Mirror mode
Mirror mode configuration is actually very easy. If you have ever setup a normal

@ -36,13 +36,23 @@ This option specifies alternative listener configurations. The
default is {{EX:ldap:///}} which implies {{TERM:LDAP}} over
{{TERM:TCP}} on all interfaces on the default LDAP port 389. You
can specify specific host-port pairs or other protocol schemes (such
as {{EX:ldaps://}} or {{EX:ldapi://}}).
as {{EX:ldaps://}} or {{EX:ldapi://}}). slapd supports the HAProxy
proxy protocol version 2, which allows a load balancer or proxy
server to provide the remote client IP address to slapd to be used
for access control or logging. Listeners configured using either
{{EX:pldap:///}} or {{EX:pldaps:///}} URLS will only accept
connections that include the necessary proxy protocol header.
Connections to the ports used by these listeners should be restricted
at the network level to only trusted load balancers or proxies to
avoid spoofing of client IP addresses by third parties.
!block table
URL Protocol Transport
ldap:/// LDAP TCP port 389
ldaps:/// LDAP over SSL TCP port 636
ldapi:/// LDAP IPC (Unix-domain socket)
URL Protocol Transport
ldap:/// LDAP TCP port 389
pldap:/// proxied LDAP TCP port 389
ldaps:/// LDAP over SSL TCP port 636
pldaps:/// proxied LDAP over SSL TCP port 636
ldapi:/// LDAP IPC (Unix-domain socket)
!endblock
For example, {{EX:-h

@ -138,25 +138,35 @@ command option.
For the purposes of authentication and authorization, {{slapd}}(8)
associates an authentication request DN of the form:
> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth
The realm is omitted by Cyrus SASL if it's equal to the default realm of the
server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal
{{EX:kurt@EXAMPLE.COM}} would have the associated DN:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth
> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the
associated DN:
> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth
> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
The authentication request DN can be used directly ACLs and
The authentication request DN can be used directly in ACLs and
{{EX:groupOfNames}} "member" attributes, since it is of legitimate
LDAP DN format. Or alternatively, the authentication DN could be
mapped before use. See the section {{SECT:Mapping Authentication
Identities}} for details.
If you configure the {{olcSaslRealm}} then it will be inserted as
an extra component in the authorization DN, regardless of any
Kerberos realms in use. For example, if you set olcSaslRealm to
{{EX:example.com}} then you will get:
> uid=kurt,cn=example.com,cn=gssapi,cn=auth
> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4

@ -81,10 +81,10 @@ H4: TLSCACertificatePath <path>
This directive specifies the path of a directory that contains
individual {{TERM:CA}} certificates in separate files. In addition,
this directory must be specially managed using the OpenSSL {{c_rehash}}
utility. When using this feature, the OpenSSL library will attempt to
this directory must be specially managed using the OpenSSL {{rehash}}
command. When using this feature, the OpenSSL library will attempt to
locate certificate files based on a hash of their name and serial number.
The {{c_rehash}} utility is used to generate symbolic links with the
The OpenSSL {{rehash}} command is used to generate symbolic links with the
hashed names that point to the actual certificate files. As such,
this option can only be used with a filesystem that actually supports
symbolic links. In general, it is simpler to use the
@ -226,8 +226,8 @@ same considerations apply.
H4: TLS_CACERTDIR <path>
This is equivalent to the server's {{EX:TLSCACertificatePath}} option. The
specified directory must be managed with the OpenSSL {{c_rehash}}
utility as well.
specified directory must be managed with the OpenSSL {{rehash}}
command as well.
H4: TLS_CERT <filename>

@ -282,7 +282,7 @@ lloadd|LDAP Load Balancer
!block references; data; sort=Reference; style=grid
Reference|Status|Document|Jump
UM-GUIDE|O|The SLAPD and SLURPD Administrators Guide|https://web.archive.org/web/20170809071245/http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/guide.pdf
RFC2079|PS|Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifers|https://www.rfc-editor.org/rfc/rfc2079.txt
RFC2079|PS|Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers|https://www.rfc-editor.org/rfc/rfc2079.txt
RFC2296|PS|Use of Language Codes in LDAP|https://www.rfc-editor.org/rfc/rfc2296.txt
RFC2307|X|An Approach for Using LDAP as a Network Information Service|https://www.rfc-editor.org/rfc/rfc2307.txt
RFC2589|PS|Lightweight Directory Access Protocol (v3): Extensions for Dynamic Directory Services|https://www.rfc-editor.org/rfc/rfc2589.txt

@ -2,7 +2,7 @@
# Copyright 1999-2021 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.
# This file should match ../../../COPYRIGHT (except in formating)
# This file should match ../../../COPYRIGHT (except in formatting)
!if OPT_PP_HTML
!define copyright '[[c]] Copyright'

@ -250,7 +250,9 @@ returns in case of no activity.
must be a
.BR "struct timeval **"
(the caller has to free
.BR *outvalue ) ,
.BR *outvalue
using
.BR ldap_memfree (3)),
and
.B invalue
must be a
@ -392,7 +394,9 @@ Sets/gets a timeout value for the synchronous API calls.
must be a
.BR "struct timeval **"
(the caller has to free
.BR *outvalue ) ,
.BR *outvalue
using
.BR ldap_memfree (3)),
and
.B invalue
must be a

@ -265,11 +265,10 @@ mechanisms which can pass credentials to do so).
.B minssf=<factor>
specifies the minimum acceptable
.I security strength factor
as an integer approximating the effective key length used for
as an integer approximate to effective key length used for
encryption. 0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers. The default is 0.
protection only, 128 allows RC4, Blowfish and other similar ciphers,
256 will require modern ciphers. The default is 0.
.TP
.B maxssf=<factor>
specifies the maximum acceptable
@ -400,8 +399,8 @@ The environment variable RANDFILE can also be used to specify the filename.
This parameter is ignored with GnuTLS.
.TP
.B TLS_REQCERT <level>
Specifies what checks to perform on server certificates in a TLS session,
if any. The
Specifies what checks to perform on server certificates in a TLS session.
The
.B <level>
can be specified as one of the following keywords:
.RS
@ -410,19 +409,17 @@ can be specified as one of the following keywords:
The client will not request or check any server certificate.
.TP
.B allow
The server certificate is requested. If no certificate is provided,
the session proceeds normally. If a bad certificate is provided, it will
The server certificate is requested. If a bad certificate is provided, it will
be ignored and the session proceeds normally.
.TP
.B try
The server certificate is requested. If no certificate is provided,
the session proceeds normally. If a bad certificate is provided,
The server certificate is requested. If a bad certificate is provided,
the session is immediately terminated.
.TP
.B demand | hard
These keywords are equivalent. The server certificate is requested. If no
certificate is provided, or a bad certificate is provided, the session
is immediately terminated. This is the default setting.
These keywords are equivalent and the same as
.BR try .
This is the default setting.
.RE
.TP
.B TLS_REQSAN <level>

@ -173,9 +173,12 @@ If modified after server starts up, a change to this option will not take
effect until the server has been restarted.
.TP
.B logfile <filename>
Specify a file for recording debug log messages. By default these messages
only go to stderr and are not recorded anywhere else. Specifying a logfile
copies messages to both stderr and the logfile.
Specify a file for recording lloadd debug messages. By default these messages
only go to stderr, are not recorded anywhere else, and are unrelated to
messages exposed by the
.B loglevel
configuration parameter. Specifying a logfile copies messages to both stderr
and the logfile.
.TP
.B loglevel <integer> [...]
Specify the level at which debugging statements and operation
@ -468,7 +471,7 @@ When using Mozilla NSS, TLSCertificateKeyFile specifies the name of
a file that contains the password for the key for the certificate specified with
TLSCertificateFile. The modutil command can be used to turn off password
protection for the cert/key database. For example, if TLSCACertificatePath
specifes /etc/openldap/certdb as the location of the cert/key database, use
specifies /etc/openldap/certdb as the location of the cert/key database, use
modutil to change the password to the empty string:
.nf
modutil \-dbdir /etc/openldap/certdb \-changepw 'NSS Certificate DB'

@ -443,15 +443,43 @@ See
for details.
.TP
.B tls {[try\-]start|[try\-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
.B tls {none|[try\-]start|[try\-]propagate|ldaps}
B [starttls=no]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify TLS settings regular connections.
If the first parameter is not "none" then this configures the TLS
settings to be used for regular connections.
The StartTLS extended operation will be used when establishing the
connection unless the URI directive protocol scheme is \fBldaps://\fP.
In that case this keyword may only be set to "ldaps" and the StartTLS
operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls
which is overshadowed by the first keyword and thus ignored.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.RE
.SH SCENARIOS
See

@ -539,9 +539,12 @@ see
option description. The default is 71.
.TP
.B olcLogFile: <filename>
Specify a file for recording debug log messages. By default these messages
only go to stderr and are not recorded anywhere else. Specifying a logfile
copies messages to both stderr and the logfile.
Specify a file for recording slapd debug messages. By default these messages
only go to stderr, are not recorded anywhere else, and are unrelated to
messages exposed by the
.B loglevel
configuration parameter. Specifying a logfile copies messages to both stderr
and the logfile.
.TP
.B olcLogLevel: <integer> [...]
Specify the level at which debugging statements and operation
@ -647,6 +650,18 @@ In fact, if no olcLogLevel (or a 0 level) is defined, no logging occurs,
so at least the
.B none
level is required to have high priority messages logged.
Note that the
.BR packets ,
.BR BER ,
and
.B parse
levels are only available as debug output on stderr, and are not
sent to syslog.
This setting defaults to \fBstats\fP.
This level should usually also be included when using other loglevels, to
help analyze the logs.
.RE
.TP
.B olcPasswordCryptSaltFormat: <format>
@ -761,9 +776,8 @@ property specifies the minimum acceptable
.I security strength factor
as an integer approximate to effective key length used for
encryption. 0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers. The default is 0.
protection only, 128 allows RC4, Blowfish and other similar ciphers,
256 will require modern ciphers. The default is 0.
The
.B maxssf=<factor>
property specifies the maximum acceptable
@ -775,13 +789,11 @@ property specifies the maximum security layer receive buffer
size allowed. 0 disables security layers. The default is 65536.
.TP
.B olcServerID: <integer> [<URL>]
Specify an integer ID from 0 to 4095 for this server (limited
to 3 hexadecimal digits). The ID may also be specified as a
hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are
required when using multi-provider replication and each provider must have a
unique non-zero ID. Note that this requirement also applies to separate providers
contributing to a glued set of databases.
Specify an integer ID from 0 to 4095 for this server. The ID may also be
specified as a hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are required when using multi-provider replication and each
provider must have a unique non-zero ID. Note that this requirement also
applies to separate providers contributing to a glued set of databases.
If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
@ -1327,16 +1339,18 @@ e.g. ldapi:// (and eventually IPSEC). It is not normally used.
.TP
.B olcSizeLimit: {<integer>|unlimited}
.TP
.B olcSizeLimit: size[.{soft|hard|unchecked}]=<integer> [...]
.B olcSizeLimit: size[.{soft|hard}]=<integer> [...]
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the size limits.
Extra args can be added in the same value. See
If no special qualifiers are specified, both soft and hard limits are set.
Extra args can be added in the same value.
Additional qualifiers are available. See
.BR olcLimits
for an explanation of the different flags.
for an explanation of all of the different flags.
.TP
.B olcSortVals: <attr> [...]
Specify a list of multi-valued attributes whose values will always

@ -595,8 +595,12 @@ is used.
.RS
Specify TLS settings for regular connections.
The first parameter only applies to \fBldap://\fP connections and so
at the moment, \fBnone\fP and \fBldaps\fP are equivalent.
If the first parameter is not "none" then this configures the TLS
settings to be used for regular connections.
The StartTLS extended operation will be used when establishing the
connection unless the URI directive protocol scheme is \fBldaps://\fP.
In that case this keyword may only be set to "ldaps" and the StartTLS
operation will not be used.
With \fBpropagate\fP, the proxy issues StartTLS operation only if
the original connection has a TLS layer set up.

@ -17,18 +17,6 @@ primary database backend.
The \fBmdb\fP backend uses a hierarchical database layout which
supports subtree renames.
.SH CONFIGURATION
These
.B slapd.conf
options apply to the \fBmdb\fP backend.
That is, they must follow a "backend mdb" line and
come before any subsequent "backend" or "database" lines.
.TP
.BI idlexp \ <exp>
Specify a power of 2 for the maximum size of an index slot.
The default is 16, yielding a maximum slot size of 2^16 or 65536.
Once set, this option applies to every \fBmdb\fP database instance.
The specified value must be in the range of 16-31.
.LP
These
.B slapd.conf

@ -722,15 +722,43 @@ In case the timeout is exceeded during a bind operation, the connection
is destroyed, according to RFC4511.
.TP
.B tls {[try\-]start|[try\-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
.B tls {none|[try\-]start|[try\-]propagate|ldaps}
.B [starttls=no]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_reqsan=never|allow|try|demand]
.B [tls_cipher_suite=<ciphers>]
.B [tls_ecname=<names>]
.B [tls_crlcheck=none|peer|all]
.RS
Specify TLS settings regular connections.
If the first parameter is not "none" then this configures the TLS
settings to be used for regular connections.
The StartTLS extended operation will be used when establishing the
connection unless the URI directive protocol scheme is \fBldaps://\fP.
In that case this keyword may only be set to "ldaps" and the StartTLS
operation will not be used.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry\-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand",
.B tls_reqsan
which defaults to "allow", and
.B starttls
which is overshadowed by the first keyword and thus ignored.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.RE
.SH SCENARIOS
A powerful (and in some sense dangerous) rewrite engine has been added

@ -95,6 +95,8 @@ clause matches the accessor's properties, its
and
.B <control>
clauses are evaluated.
.LP
Access control checking stops at the first match of the
.B <what>
and
@ -110,8 +112,26 @@ clause list is implicitly terminated by a
by * none stop
.fi
.LP
clause that results in stopping the access control with no access
privileges granted.
.B <control>
clause. This implicit
.B <control>
stops access directive evaluation with no more access privileges
granted to anyone else.
To stop access directive evaluation only when both
.B <who>
and
.B <what>
match, add an explicit
.LP
.nf
by * break
.fi
.LP
to the end of the
.B <who>
clause list.
.LP
Each
.B <what>
clause list is implicitly terminated by a
@ -776,7 +796,11 @@ and
.BR manage .
Each access level implies all the preceding ones, thus
.B manage
grants all access including administrative access.
grants all access including administrative access. This access
allows some modifications which would otherwise be prohibited by the
LDAP data model or the directory schema, e.g. changing the
structural objectclass of an entry, or modifying an operational
attribute that is defined as not user modifiable.
The
.BR write
access is actually the combination of

@ -265,19 +265,26 @@ portions must be absent, so that the search occurs locally on either
.I authzFrom
or
.IR authzTo .
.LP
The second form is a
.BR DN ,
with the optional style modifiers
.BR DN .
The optional
.B dnstyle
modifiers
.IR exact ,
.IR onelevel ,
.IR children ,
and
.I subtree
for exact, onelevel, children and subtree matches, which cause
provide exact, onelevel, children and subtree matches, which cause
.I <pattern>
to be normalized according to the DN normalization rules, or the special
to be normalized according to the DN normalization rules.
The special
.B dnstyle
modifier
.I regex
style, which causes the
causes the
.I <pattern>
to be treated as a POSIX (''extended'') regular expression, as
discussed in
@ -287,38 +294,57 @@ and/or
A pattern of
.I *
means any non-anonymous DN.
.LP
The third form is a SASL
.BR id ,
with the optional fields
.BR id .
The optional fields
.I <mech>
and
.I <realm>
that allow to specify a SASL
allow specification of a SASL
.BR mechanism ,
and eventually a SASL
.BR realm ,
for those mechanisms that support one.
The need to allow the specification of a mechanism is still debated,
and users are strongly discouraged to rely on this possibility.
The fourth form is a group specification, consisting of the keyword
.LP
The fourth form is a group specification.
It consists of the keyword
.BR group ,
optionally followed by the specification of the group
optionally followed by the specification of
.B objectClass
and member
and
.BR attributeType .
The
.B objectClass
defaults to
.IR memberOf .
The
.B attributeType
defaults to
.IR member .
The group with DN
.B <pattern>
is searched with base scope, and in case of match, the values of the
member
is searched with base scope, filtered on the specified
.BR objectClass .
The values of the resulting
.B attributeType
are searched for the asserted DN.
For backwards compatibility, if no identity type is provided, i.e. only
.LP
The fifth form is provided for backwards compatibility. If no identity
type is provided, i.e. only
.B <pattern>
is present, an
.I exact DN
is assumed; as a consequence,
.B <pattern>
is subjected to DN normalization.
.LP
Since the interpretation of
.I authzFrom
and
@ -589,9 +615,12 @@ see
option description. The default is 71.
.TP
.B logfile <filename>
Specify a file for recording debug log messages. By default these messages
only go to stderr and are not recorded anywhere else. Specifying a logfile
copies messages to both stderr and the logfile.
Specify a file for recording slapd debug messages. By default these messages
only go to stderr, are not recorded anywhere else, and are unrelated to
messages exposed by the
.B loglevel
configuration parameter. Specifying a logfile copies messages to both stderr
and the logfile.
.TP
.B loglevel <integer> [...]
Specify the level at which debugging statements and operation
@ -698,6 +727,14 @@ so at least the
.B none
level is required to have high priority messages logged.
Note that the
.BR packets ,
.BR BER ,
and
.B parse
levels are only available as debug output on stderr, and are not
sent to syslog.
The loglevel defaults to \fBstats\fP.
This level should usually also be included when using other loglevels, to
help analyze the logs.
@ -901,9 +938,8 @@ property specifies the minimum acceptable
.I security strength factor
as an integer approximate to effective key length used for
encryption. 0 (zero) implies no protection, 1 implies integrity
protection only, 56 allows DES or other weak ciphers, 112
allows triple DES and other strong ciphers, 128 allows RC4,
Blowfish and other modern strong ciphers. The default is 0.
protection only, 128 allows RC4, Blowfish and other similar ciphers,
256 will require modern ciphers. The default is 0.
The
.B maxssf=<factor>
property specifies the maximum acceptable
@ -958,13 +994,11 @@ factor is measure of security provided by the underlying transport,
e.g. ldapi:// (and eventually IPSEC). It is not normally used.
.TP
.B serverID <integer> [<URL>]
Specify an integer ID from 0 to 4095 for this server (limited
to 3 hexadecimal digits). The ID may also be specified as a
hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are
required when using multi-provider replication and each provider must have a
unique non-zero ID. Note that this requirement also applies to separate providers
contributing to a glued set of databases.
Specify an integer ID from 0 to 4095 for this server. The ID may also be
specified as a hexadecimal ID by prefixing the value with "0x".
Non-zero IDs are required when using multi-provider replication and each
provider must have a unique non-zero ID. Note that this requirement also
applies to separate providers contributing to a glued set of databases.
If the URL is provided, this directive may be specified
multiple times, providing a complete list of participating servers
and their IDs. The fully qualified hostname of each server should be
@ -979,17 +1013,18 @@ Example:
.TP
.B sizelimit {<integer>|unlimited}
.TP
.B sizelimit size[.{soft|hard|unchecked}]=<integer> [...]
.B sizelimit size[.{soft|hard}]=<integer> [...]
Specify the maximum number of entries to return from a search operation.
The default size limit is 500.
Use
.B unlimited
to specify no limits.
The second format allows a fine grain setting of the size limits.
If no special qualifiers are specified, both soft and hard limits are set.
Extra args can be added on the same line.
See
Additional qualifiers are available; see
.BR limits
for an explanation of the different flags.
for an explanation of all of the different flags.
.TP
.B sockbuf_max_incoming <integer>
Specify the maximum incoming LDAP PDU size for anonymous sessions.
@ -1953,7 +1988,7 @@ fails. Otherwise the syncrepl session continues without TLS. The
.B tls_reqcert
setting defaults to "demand", the
.B tls_reqsan
seting defaults to "allow", and the other TLS settings
setting defaults to "allow", and the other TLS settings
default to the same as the main slapd TLS settings.
The

View file

@ -119,9 +119,9 @@ constraint_attribute cn,sn,givenName set
A specification like the above would reject any
.B mail
attribute which did not look like
.BR "<alpha-numeric string>@mydomain.com"
.BR "<alphanumeric string>@mydomain.com"
or that looks like
.BR "<alpha-numeric string>@notallowed.com" .
.BR "<alphanumeric string>@notallowed.com" .
It would also reject any
.B title
attribute whose values were not listed in the

@ -15,6 +15,11 @@ allows automatic reverse group membership maintenance.
Any time a group entry is modified, its members are modified as appropriate
in order to keep a DN-valued "is member of" attribute updated with the DN
of the group.
.LP
Note that this overlay is deprecated and support will be dropped in future
OpenLDAP releases. Installations should use the \fBdynlist\fP
overlay instead. Using this overlay in a replicated environment is especially
discouraged.
.SH CONFIGURATION
The config directives that are specific to the
@ -119,13 +124,14 @@ to emulate slapo-memberOf behavior.
ETCDIR/slapd.conf
default slapd configuration file
.SH BACKWARD COMPATIBILITY
The dyngroup overlay has been reworked with the 2.5 release to use
The memberof overlay has been reworked with the 2.5 release to use
a consistent namespace as with other overlays. As a side-effect the
following cn=config parameters are deprecated and will be removed in
a future release:
.B olcMemberOf
is replaced with olcMemberOfConfig
.SH SEE ALSO
.BR slapo-dynlist (5),
.BR slapd.conf (5),
.BR slapd\-config (5),
.BR slapd (8).


@ -255,7 +255,7 @@ When syntax checking is enabled
(see also the
.B pwdCheckQuality
attribute), this attribute contains the minimum
number of characters that will be accepted in a password. If this
length in bytes that will be accepted in a password. If this
attribute is not present, minimum password length is not
enforced. If the server is unable to check the length of the password,
whether due to a client-side hashed password or some other reason,
@ -267,7 +267,9 @@ without checking it (if
.B pwdCheckQuality
is zero (0) or one (1)) or refuse it (if
.B pwdCheckQuality
is two (2)).
is two (2)). If the number of characters should be enforced with regards
to a particular encoding, the use of an appropriate pwdCheckModule is
required.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.6
@ -283,7 +285,7 @@ When syntax checking is enabled
(see also the
.B pwdCheckQuality
attribute), this attribute contains the maximum
number of characters that will be accepted in a password. If this
length in bytes that will be accepted in a password. If this
attribute is not present, maximum password length is not
enforced. If the server is unable to check the length of the password,
whether due to a client-side hashed password or some other reason,
@ -295,7 +297,9 @@ without checking it (if
.B pwdCheckQuality
is zero (0) or one (1)) or refuse it (if
.B pwdCheckQuality
is two (2)).
is two (2)). If the number of characters should be enforced with regards
to a particular encoding, the use of an appropriate pwdCheckModule is
required.
.LP
.RS 4
( 1.3.6.1.4.1.42.2.27.8.1.31


@ -142,13 +142,24 @@ For example, if lloadd is given
it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
INADDR_ANY (any interface).
A space separated list of URLs is expected. The URLs should be of
the LDAP, LDAPS, or LDAPI schemes, and generally
without a DN or other optional parameters (excepting as discussed below).
Support for the latter two schemes depends on selected configuration
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
and the default ldaps:// port is \fB636\fP.
A space separated list of URLs is expected. The URLs should be of the LDAP,
PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other
optional parameters (excepting as discussed below). Support for the latter
three schemes depends on selected configuration options. Hosts may be specified
by name or IPv4 and IPv6 address formats. Ports, if specified, must be
numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port
is \fB636\fP, same for the proxy enabled variants.
The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol
version 2, which allows a load balancer or proxy server to provide the remote
client IP address to slapd to be used for access control or logging. Ports
configured for PLDAP or PLDAPS will only accept connections that include the
necessary proxy protocol header. Connections to these ports should be
restricted at the network level to only trusted load balancers or proxies to
avoid spoofing of client IP addresses by third parties.
At the moment, the load balancer does not act on the recorded address in any
way.
For LDAP over IPC,
.B name


@ -58,8 +58,10 @@ from the database, and thus it must exist.
The
.I DN
is also used to determine what rules apply; thus, it must be
in the naming context of a configured database. See also
in the naming context of a configured database. By default, the first
database that supports the requested operation is used. See also
.BR \-u .
.TP
.BI \-d \ debug-level
enable debugging messages as defined by the specified


@ -75,8 +75,8 @@ any are configured. For specific details, please see
.TP
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
add entries to. The \fB\-b\fP cannot be used in conjunction
with the
add entries to. By default, the first database that supports the requested
operation is used. The \fB\-b\fP cannot be used in conjunction with the
.B \-n
option.
.TP


@ -75,8 +75,8 @@ Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead.
.TP
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
generate output for. The \fB\-b\fP cannot be used in conjunction
with the
generate output for. By default, the first database that supports the requested
operation is used. The \fB\-b\fP cannot be used in conjunction with the
.B \-n
option.
.TP


@ -192,13 +192,21 @@ For example, if slapd is given
it will listen on 127.0.0.1:9009 for LDAP, 0.0.0.0:636 for LDAP over TLS,
and LDAP over IPC (Unix domain sockets). Host 0.0.0.0 represents
INADDR_ANY (any interface).
A space separated list of URLs is expected. The URLs should be of
the LDAP, LDAPS, or LDAPI schemes, and generally
without a DN or other optional parameters (excepting as discussed below).
Support for the latter two schemes depends on selected configuration
options. Hosts may be specified by name or IPv4 and IPv6 address formats.
Ports, if specified, must be numeric. The default ldap:// port is \fB389\fP
and the default ldaps:// port is \fB636\fP.
A space separated list of URLs is expected. The URLs should be of the LDAP,
PLDAP, LDAPS, PLDAPS, or LDAPI schemes, and generally without a DN or other
optional parameters (excepting as discussed below). Support for the latter
three schemes depends on selected configuration options. Hosts may be specified
by name or IPv4 and IPv6 address formats. Ports, if specified, must be
numeric. The default ldap:// port is \fB389\fP and the default ldaps:// port
is \fB636\fP, same for the proxy enabled variants.
The PLDAP and PLDAPS URL schemes provide support for the HAProxy proxy protocol
version 2, which allows a load balancer or proxy server to provide the remote
client IP address to slapd to be used for access control or logging. Ports
configured for PLDAP or PLDAPS will only accept connections that include the
necessary proxy protocol header. Connections to these ports should be
restricted at the network level to only trusted load balancers or proxies to
avoid spoofing of client IP addresses by third parties.
For LDAP over IPC,
.B name


@ -65,8 +65,8 @@ or change file ownership before running
.TP
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
generate output for. The \fB\-b\fP cannot be used in conjunction
with the
generate output for. By default, the first database that supports the requested
operation is used. The \fB\-b\fP cannot be used in conjunction with the
.B \-n
option.
.TP


@ -79,8 +79,8 @@ Deprecated; use \fB-H\fP \fIldap:///???(filter)\fP instead.
.TP
.BI \-b \ suffix
Use the specified \fIsuffix\fR to determine which database to
check. The \fB\-b\fP cannot be used in conjunction
with the
check. By default, the first database that supports the requested operation is
used. The \fB\-b\fP cannot be used in conjunction with the
.B \-n
option.
.TP


@ -149,7 +149,7 @@ LBER_F( char * ) ber_pvt_wsa_err2string LDAP_P((int));
#ifdef HAVE_PIPE
/*
* Only use pipe() on systems where file and socket descriptors
* are interchangable
* are interchangeable
*/
# define USE_PIPE HAVE_PIPE
#endif


@ -32,6 +32,9 @@ ldap_pvt_url_scheme2proto LDAP_P((
LDAP_F ( int )
ldap_pvt_url_scheme2tls LDAP_P((
const char * ));
LDAP_F ( int )
ldap_pvt_url_scheme2proxied LDAP_P((
const char * ));
LDAP_F ( int )
ldap_pvt_url_scheme_port LDAP_P((


@ -18,6 +18,14 @@
#include <ldap_cdefs.h>
#include <lber_types.h>
#include <ac/socket.h>
#ifdef HAVE_TCPD
# include <tcpd.h>
# define LUTIL_STRING_UNKNOWN STRING_UNKNOWN
#else /* ! TCP Wrappers */
# define LUTIL_STRING_UNKNOWN "unknown"
#endif /* ! TCP Wrappers */
/*
* Include file for LDAP utility routine
@ -336,6 +344,29 @@ lutil_parse_time( const char *in, unsigned long *tp );
LDAP_LUTIL_F (int)
lutil_unparse_time( char *buf, size_t buflen, unsigned long t );
#ifdef LDAP_PF_LOCAL
#define LUTIL_ADDRLEN (MAXPATHLEN + sizeof("PATH="))
#elif defined(LDAP_PF_INET6)
#define LUTIL_ADDRLEN sizeof("IP=[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]:65535")
#else
#define LUTIL_ADDRLEN sizeof("IP=255.255.255.255:65336")
#endif
typedef union Sockaddr {
struct sockaddr sa_addr;
struct sockaddr_in sa_in_addr;
#ifdef LDAP_PF_INET6
struct sockaddr_storage sa_storage;
struct sockaddr_in6 sa_in6_addr;
#endif
#ifdef LDAP_PF_LOCAL
struct sockaddr_un sa_un_addr;
#endif
} Sockaddr;
LDAP_LUTIL_F (void)
lutil_sockaddrstr(Sockaddr *sa, struct berval *);
#ifdef timerdiv
#define lutil_timerdiv timerdiv
#else /* ! timerdiv */
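Review bot: The new `lutil_sockaddrstr` prototype does not state its buffer contract, which the implementation elsewhere in this commit relies on: `addrbuf->bv_val` must point at writable storage of at least `LUTIL_ADDRLEN` bytes, `bv_len` is read as the capacity on entry and overwritten with the formatted length on return, and an unrecognised address family yields an empty string. A comment above the declaration such as `/* Format sa as "IP=host:port" or "PATH=..." into addrbuf; bv_val must hold LUTIL_ADDRLEN bytes, bv_len is capacity in / string length out */` would let callers size the buffer correctly. The IPv4 fallback for `LUTIL_ADDRLEN` spells the port as `65336`; since only `sizeof` of the literal matters this is harmless, but `65535` reads as intended.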


@ -451,9 +451,6 @@
/* define if you have res_query() */
#undef HAVE_RES_QUERY
/* define if OpenSSL needs RSAref */
#undef HAVE_RSAREF
/* Define to 1 if you have the <sasl.h> header file. */
#undef HAVE_SASL_H


@ -349,7 +349,7 @@ ber_put_boolean(
typedef struct seqorset_header {
char xtagbuf[TAGBUF_SIZE + 1]; /* room for tag + len(tag or len) */
union {
ber_elem_size_t offset; /* enclosing seqence/set */
ber_elem_size_t offset; /* enclosing sequence/set */
char padding[SOS_LENLEN-1]; /* for final length encoding */
} next_sos;
# define SOS_TAG_END(header) ((unsigned char *) &(header).next_sos - 1)


@ -31,7 +31,7 @@
*
* It should only be enabled by an experienced developer as it causes
* the inclusion of numerous assert()'s, many of which may be triggered
* by a prefectly valid program. If LDAP_MEMORY_DEBUG & 2 is true,
* by a perfectly valid program. If LDAP_MEMORY_DEBUG & 2 is true,
* that includes asserts known to break both slapd and current clients.
*
* The code behind this macro is subject to change as needed to


@ -123,8 +123,12 @@ LDAP_BEGIN_DECL
#define LDAP_URL_PREFIX "ldap://"
#define LDAP_URL_PREFIX_LEN STRLENOF(LDAP_URL_PREFIX)
#define PLDAP_URL_PREFIX "pldap://"
#define PLDAP_URL_PREFIX_LEN STRLENOF(PLDAP_URL_PREFIX)
#define LDAPS_URL_PREFIX "ldaps://"
#define LDAPS_URL_PREFIX_LEN STRLENOF(LDAPS_URL_PREFIX)
#define PLDAPS_URL_PREFIX "pldaps://"
#define PLDAPS_URL_PREFIX_LEN STRLENOF(PLDAPS_URL_PREFIX)
#define LDAPI_URL_PREFIX "ldapi://"
#define LDAPI_URL_PREFIX_LEN STRLENOF(LDAPI_URL_PREFIX)
#ifdef LDAP_CONNECTIONLESS


@ -243,7 +243,7 @@ ldif_parse_line2(
* or \0. this routine handles continued lines, bundling them into
* a single big line before returning. if a line begins with a white
* space character, it is a continuation of the previous line. the white
* space character (nb: only one char), and preceeding newline are changed
* space character (nb: only one char), and preceding newline are changed
* into CONTINUED_LINE_MARKER chars, to be deleted later by the
* ldif_parse_line() routine above.
*


@ -110,8 +110,6 @@ ldap_get_option(
}
if(ld != NULL) {
assert( LDAP_VALID( ld ) );
if( !LDAP_VALID( ld ) ) {
return LDAP_OPT_ERROR;
}


@ -240,7 +240,7 @@ ldap_create_persistentsearch_control(
not to return it). If this parameter is NULL, no indication
of whether the change number was present is returned.
chgnump (OUT) This result paramter is filled in with the change number
chgnump (OUT) This result parameter is filled in with the change number
if one was returned in the control. If this parameter
is NULL, the change number is not returned.


@ -25,7 +25,7 @@
*
* Does not support cancellation nor does any status checking.
*/
/* Adapted from publically available examples for:
/* Adapted from publicly available examples for:
* "Programming with Posix Threads"
* by David R Butenhof, Addison-Wesley
* http://cseng.aw.com/bookpage.taf?ISBN=0-201-63392-2


@ -977,7 +977,7 @@ ldap_attributetype2bv( LDAPAttributeType * at, struct berval *bv )
*
* Each of them is written as a recursive-descent parser, except that
* none of them is really recursive. But the idea is kept: there
* is one routine per non-terminal that eithers gobbles lexical tokens
* is one routine per non-terminal that either gobbles lexical tokens
* or calls lower-level routines, etc.
*
* The scanner is implemented in the routine get_token. Actually,


@ -448,7 +448,7 @@ ldap_create_sort_control(
returnCode (OUT) This result parameter is filled in with the sort control
result code. This parameter MUST not be NULL.
attribute (OUT) If an error occured the server may return a string
attribute (OUT) If an error occurred the server may return a string
indicating the first attribute in the sortkey list
that was in error. If a string is returned, the memory
should be freed with ldap_memfree. If this parameter is


@ -1176,7 +1176,7 @@ static Sockbuf_IO tlsg_sbio =
tlsg_sb_close /* sbi_close */
};
/* Certs are not automatically varified during the handshake */
/* Certs are not automatically verified during the handshake */
static int
tlsg_cert_verify( tlsg_session *ssl )
{


@ -20,7 +20,7 @@
/*
* LDAP URLs look like this:
* ldap[is]://host[:port][/[dn[?[attributes][?[scope][?[filter][?exts]]]]]]
* [p]ldap[is]://host[:port][/[dn[?[attributes][?[scope][?[filter][?exts]]]]]]
*
* where:
* attributes is a comma separated list
@ -59,7 +59,7 @@ int ldap_pvt_url_scheme2proto( const char *scheme )
return -1;
}
if( strcmp("ldap", scheme) == 0 ) {
if( strcmp("ldap", scheme) == 0 || strcmp("pldap", scheme) == 0 ) {
return LDAP_PROTO_TCP;
}
@ -67,7 +67,7 @@ int ldap_pvt_url_scheme2proto( const char *scheme )
return LDAP_PROTO_IPC;
}
if( strcmp("ldaps", scheme) == 0 ) {
if( strcmp("ldaps", scheme) == 0 || strcmp("pldaps", scheme) == 0 ) {
return LDAP_PROTO_TCP;
}
#ifdef LDAP_CONNECTIONLESS
@ -86,7 +86,7 @@ int ldap_pvt_url_scheme_port( const char *scheme, int port )
if( port ) return port;
if( scheme == NULL ) return port;
if( strcmp("ldap", scheme) == 0 ) {
if( strcmp("ldap", scheme) == 0 || strcmp("pldap", scheme) == 0 ) {
return LDAP_PORT;
}
@ -94,7 +94,7 @@ int ldap_pvt_url_scheme_port( const char *scheme, int port )
return -1;
}
if( strcmp("ldaps", scheme) == 0 ) {
if( strcmp("ldaps", scheme) == 0 || strcmp("pldaps", scheme) == 0 ) {
return LDAPS_PORT;
}
@ -116,7 +116,19 @@ ldap_pvt_url_scheme2tls( const char *scheme )
return -1;
}
return strcmp("ldaps", scheme) == 0;
return strcmp("ldaps", scheme) == 0 || strcmp("pldaps", scheme) == 0;
}
int
ldap_pvt_url_scheme2proxied( const char *scheme )
{
assert( scheme != NULL );
if( scheme == NULL ) {
return -1;
}
return strcmp("pldap", scheme) == 0 || strcmp("pldaps", scheme) == 0;
}
int
@ -150,7 +162,7 @@ ldap_is_ldaps_url( LDAP_CONST char *url )
return 0;
}
return strcmp(scheme, "ldaps") == 0;
return strcmp(scheme, "ldaps") == 0 || strcmp(scheme, "pldaps");
}
int
@ -228,6 +240,14 @@ skip_url_prefix(
return( p );
}
/* check for "pldap://" prefix */
if ( strncasecmp( p, PLDAP_URL_PREFIX, PLDAP_URL_PREFIX_LEN ) == 0 ) {
/* skip over "pldap://" prefix and return success */
p += PLDAP_URL_PREFIX_LEN;
*scheme = "pldap";
return( p );
}
/* check for "ldaps://" prefix */
if ( strncasecmp( p, LDAPS_URL_PREFIX, LDAPS_URL_PREFIX_LEN ) == 0 ) {
/* skip over "ldaps://" prefix and return success */
@ -236,6 +256,14 @@ skip_url_prefix(
return( p );
}
/* check for "pldaps://" prefix */
if ( strncasecmp( p, PLDAPS_URL_PREFIX, PLDAPS_URL_PREFIX_LEN ) == 0 ) {
/* skip over "pldaps://" prefix and return success */
p += PLDAPS_URL_PREFIX_LEN;
*scheme = "pldaps";
return( p );
}
/* check for "ldapi://" prefix */
if ( strncasecmp( p, LDAPI_URL_PREFIX, LDAPI_URL_PREFIX_LEN ) == 0 ) {
/* skip over "ldapi://" prefix and return success */
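Review bot: `ldap_is_ldaps_url` is inverted for the new scheme: the updated line `return strcmp(scheme, "ldaps") == 0 || strcmp(scheme, "pldaps");` is missing `== 0` on the second comparison, so it returns non-zero for every scheme other than `pldaps` (including plain `ldap`) and zero for `pldaps` itself. A caller relying on it to decide whether a URL implies TLS would get the wrong answer, so the line should read `return strcmp(scheme, "ldaps") == 0 || strcmp(scheme, "pldaps") == 0;`, matching `ldap_pvt_url_scheme2tls` above it. The updated header comment `[p]ldap[is]://` also admits a `pldapi` form that `skip_url_prefix` does not recognise; something like `[p]ldap[s]:// or ldapi://` would describe the accepted prefixes exactly.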


@ -253,7 +253,7 @@ ldap_create_vlv_control(
generated context identifier if one was returned by
the server. If the server did not return a context
identifier, this parameter will be set to NULL, even
if an error occured.
if an error occurred.
The returned context SHOULD be used in the next call
to create a VLV sort control. The struct berval
returned SHOULD be disposed of by calling ber_bvfree()


@ -99,7 +99,7 @@ int uccanondecomp(const unsigned long *in, int inlen, unsigned long **out,
the characters at the same time.
If a -1 is returned, memory allocation was not successful. If a zero is
returned, no decomposition occured. Any other value means the output string
returned, no decomposition occurred. Any other value means the output string
contains the fully decomposed string in canonical order.
If the "outlen" parameter comes back with a value > 0, then the string
@ -146,7 +146,7 @@ int uccomp_hangul(unsigned long *str, int len)
done in-place.
The return value provides the new length of the string. This will be
smaller than "len" if compositions occured.
smaller than "len" if compositions occurred.
int uccanoncomp(unsigned long *str, int len)


@ -490,7 +490,7 @@ _ucstring_visual_cursor_right(ucstring_t *str, int count)
*/
if (cursor->visual_next == 0)
/*
* If movement occured, then report it.
* If movement occurred, then report it.
*/
return (cnt != count);
@ -616,7 +616,7 @@ _ucstring_visual_cursor_left(ucstring_t *str, int count)
*/
if (cursor->visual_prev == 0)
/*
* If movement occured, then report it.
* If movement occurred, then report it.
*/
return (cnt != count);


@ -1700,7 +1700,7 @@ ure_compile(ucs2_t *re, unsigned long relen, int casefold, ure_buffer_t buf)
/*
* Reset the various fields of the compilation buffer. Default the flags
* to indicate the presense of the "^$" pattern. If any other pattern
* to indicate the presence of the "^$" pattern. If any other pattern
* occurs, then this flag will be removed. This is done to catch this
* special pattern and handle it specially when matching.
*/
@ -1720,7 +1720,7 @@ ure_compile(ucs2_t *re, unsigned long relen, int casefold, ure_buffer_t buf)
buf->states.states_used = 0;
/*
* Construct the NFA. If this stage returns a 0, then an error occured or
* Construct the NFA. If this stage returns a 0, then an error occurred or
* an empty expression was passed.
*/
if ((state = _ure_re2nfa(re, relen, buf)) == _URE_NOOP)


@ -15,7 +15,7 @@
* <http://www.OpenLDAP.org/license.html>.
*/
/* This work was initially developed by Kurt D. Zeilenga for
* inclusion in OpenLDAP Software based, in part, on publically
* inclusion in OpenLDAP Software based, in part, on publicly
* available works (as noted below).
*/


@ -241,8 +241,8 @@ static void *start_status_routine( void *ptr )
SetServiceStatus(hlutil_ServiceStatus, &lutil_ServiceStatus);
break;
case WAIT_FAILED:
/* theres been some problem with WaitForSingleObject so tell the Service
* Control Manager to wait 30 seconds before deploying its assasin and
/* there's been some problem with WaitForSingleObject so tell the Service
* Control Manager to wait 30 seconds before deploying its assassin and
* then leave the thread. */
lutil_ServiceStatus.dwCheckPoint++;
lutil_ServiceStatus.dwWaitHint = THIRTY_SECONDS;
@ -283,8 +283,8 @@ static void *stop_status_routine( void *ptr )
SetServiceStatus(hlutil_ServiceStatus, &lutil_ServiceStatus);
break;
case WAIT_FAILED:
/* theres been some problem with WaitForSingleObject so tell the Service
* Control Manager to wait 30 seconds before deploying its assasin and
/* there's been some problem with WaitForSingleObject so tell the Service
* Control Manager to wait 30 seconds before deploying its assassin and
* then leave the thread. */
lutil_ServiceStatus.dwCheckPoint++;
lutil_ServiceStatus.dwWaitHint = THIRTY_SECONDS;
@ -332,7 +332,7 @@ static void WINAPI lutil_ServiceCtrlHandler( IN DWORD Opcode)
/* failed to create the thread that tells the Service Control Manager that the
* service stopping is proceeding.
* tell the Service Control Manager to wait another 30 seconds before deploying its
* assasin. */
* assassin. */
lutil_ServiceStatus.dwCheckPoint++;
lutil_ServiceStatus.dwWaitHint = THIRTY_SECONDS;
SetServiceStatus(hlutil_ServiceStatus, &lutil_ServiceStatus);
@ -444,7 +444,7 @@ void lutil_CommenceStartupProcessing( char *lpszServiceName,
{
/* failed to create the event to determine when the startup process is complete so
* tell the Service Control Manager to wait another 30 seconds before deploying its
* assasin */
* assassin */
lutil_ServiceStatus.dwCheckPoint++;
lutil_ServiceStatus.dwWaitHint = THIRTY_SECONDS;
SetServiceStatus(hlutil_ServiceStatus, &lutil_ServiceStatus);
@ -461,7 +461,7 @@ void lutil_CommenceStartupProcessing( char *lpszServiceName,
/* failed to create the thread that tells the Service Control Manager that the
* service startup is proceeding.
* tell the Service Control Manager to wait another 30 seconds before deploying its
* assasin. */
* assassin. */
lutil_ServiceStatus.dwCheckPoint++;
lutil_ServiceStatus.dwWaitHint = THIRTY_SECONDS;
SetServiceStatus(hlutil_ServiceStatus, &lutil_ServiceStatus);


@ -10,7 +10,7 @@
// source with by creating the appropriate entries in the system registry.
//
//
// Values are 32 bit values layed out as follows:
// Values are 32 bit values laid out as follows:
//
// 3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1
// 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0


@ -1070,3 +1070,74 @@ lutil_snprintf( char *buf, ber_len_t bufsize, char **next, ber_len_t *len, LDAP_
return 0;
}
void
lutil_sockaddrstr( Sockaddr *sa, struct berval *addrbuf )
{
char *addr;
switch( sa->sa_addr.sa_family ) {
#ifdef LDAP_PF_LOCAL
case AF_LOCAL:
addrbuf->bv_len = snprintf( addrbuf->bv_val, addrbuf->bv_len,
"PATH=%s", sa->sa_un_addr.sun_path );
break;
#endif
#ifdef LDAP_PF_INET6
case AF_INET6:
strcpy(addrbuf->bv_val, "IP=");
if ( IN6_IS_ADDR_V4MAPPED(&sa->sa_in6_addr.sin6_addr) ) {
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
addr = (char *)inet_ntop( AF_INET,
((struct in_addr *)&sa->sa_in6_addr.sin6_addr.s6_addr[12]),
addrbuf->bv_val+3, addrbuf->bv_len-3 );
#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
addr = inet_ntoa( *((struct in_addr *)
&sa->sa_in6_addr.sin6_addr.s6_addr[12]) );
#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
if ( !addr ) addr = LUTIL_STRING_UNKNOWN;
if ( addr != addrbuf->bv_val+3 ) {
addrbuf->bv_len = sprintf( addrbuf->bv_val+3, "%s:%d", addr,
(unsigned) ntohs( sa->sa_in6_addr.sin6_port ) ) + 3;
} else {
int len = strlen( addr );
addrbuf->bv_len = sprintf( addr+len, ":%d",
(unsigned) ntohs( sa->sa_in6_addr.sin6_port ) ) + len + 3;
}
} else {
addr = (char *)inet_ntop( AF_INET6,
&sa->sa_in6_addr.sin6_addr,
addrbuf->bv_val+4, addrbuf->bv_len-4 );
if ( !addr ) addr = LUTIL_STRING_UNKNOWN;
if ( addr != addrbuf->bv_val+4 ) {
addrbuf->bv_len = sprintf( addrbuf->bv_val+3, "[%s]:%d", addr,
(unsigned) ntohs( sa->sa_in6_addr.sin6_port ) ) + 3;
} else {
int len = strlen( addr );
addrbuf->bv_val[3] = '[';
addrbuf->bv_len = sprintf( addr+len, "]:%d",
(unsigned) ntohs( sa->sa_in6_addr.sin6_port ) ) + len + 4;
}
}
break;
#endif /* LDAP_PF_INET6 */
case AF_INET:
strcpy(addrbuf->bv_val, "IP=");
#if defined( HAVE_GETADDRINFO ) && defined( HAVE_INET_NTOP )
addr = (char *)inet_ntop( AF_INET, &sa->sa_in_addr.sin_addr,
addrbuf->bv_val+3, addrbuf->bv_len-3 );
#else /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
addr = inet_ntoa( sa->sa_in_addr.sin_addr );
#endif /* ! HAVE_GETADDRINFO || ! HAVE_INET_NTOP */
if ( !addr ) addr = LUTIL_STRING_UNKNOWN;
if ( addr != addrbuf->bv_val+3 ) {
addrbuf->bv_len = sprintf( addrbuf->bv_val+3, "%s:%d", addr,
(unsigned) ntohs( sa->sa_in_addr.sin_port ) ) + 3;
} else {
int len = strlen( addr );
addrbuf->bv_len = sprintf( addr+len, ":%d",
(unsigned) ntohs( sa->sa_in_addr.sin_port ) ) + len + 3;
}
break;
default:
addrbuf->bv_val[0] = '\0';
}
}
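Review bot: The `default:` arm of `lutil_sockaddrstr` writes an empty string but leaves `addrbuf->bv_len` at the capacity the caller passed in, so a caller that trusts the berval length sees a non-empty value for an unknown address family; add `addrbuf->bv_len = 0;` beside `addrbuf->bv_val[0] = '\0';`. The `strcpy` and `sprintf` calls in the AF_INET and AF_INET6 arms are unbounded and stay inside the buffer only if the caller supplied `LUTIL_ADDRLEN` bytes, which the function neither checks nor documents; a header comment stating that precondition, or an early `if ( addrbuf->bv_len < LUTIL_ADDRLEN )` guard that falls back to the empty-string path, would make the contract explicit. The non-mapped IPv6 branch calls `inet_ntop( AF_INET6, ... )` without the `HAVE_GETADDRINFO`/`HAVE_INET_NTOP` guard that every other arm uses, so it presumably assumes `LDAP_PF_INET6` implies `inet_ntop` is available; a comment saying so would help. The port is formatted with `%d` while the argument is cast to `(unsigned)`; `%u` matches the argument.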


@ -22,7 +22,7 @@ NT_SRCS = ../slapd/nt_svc.c
NT_OBJS = ../slapd/nt_svc.o ../../libraries/liblutil/slapdmsg.res
SRCS += main.c value.c \
../slapd/ch_malloc.c ../slapd/sl_malloc.c ../slapd/user.c
../slapd/ch_malloc.c ../slapd/proxyp.c ../slapd/sl_malloc.c ../slapd/user.c
OBJS = $(patsubst %.c,%.o,$(SRCS)) $(@PLAT@_OBJS)
@ -63,7 +63,7 @@ install-local-srv: FORCE
@-$(INSTALL) -m 700 -d $(DESTDIR)$(localstatedir)/openldap-lloadd
@( \
for prg in $(PROGRAMS); do \
$(LTINSTALL) $(INSTALLFLAGS) $(STRIP) -m 755 $$prg$(EXEEXT) \
$(LTINSTALL) $(INSTALLFLAGS) $(STRIP_OPTS) -m 755 $$prg$(EXEEXT) \
$(DESTDIR)$(libexecdir); \
done \
)
