Revision 1.37 (21-May-2024, jsg)
remove prototypes with no matching function and externs with no var partly checked by millert@
Revision tags: OPENBSD_7_1_BASE OPENBSD_7_2_BASE OPENBSD_7_3_BASE OPENBSD_7_4_BASE OPENBSD_7_5_BASE

Revision 1.36 (15-Dec-2021, deraadt)
PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg. ok jmatthew millert
Revision tags: OPENBSD_7_0_BASE

Revision 1.35 (20-Apr-2021, dv)
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separately from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
Revision tags: OPENBSD_6_9_BASE

Revision 1.34 (27-Jan-2021, deraadt)
these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer

Revision 1.33 (09-Jan-2021, rob)
Remove locally imposed limit on sockets.
Suggested by martijn@, ok claudio@
Revision tags: OPENBSD_6_8_BASE

Revision 1.32 (24-Jun-2020, tb)
Using the "ldaps" or "tls" keywords in ldapd.conf currently enables all protocols and ciphers. So you get a TLS server speaking TLSv1.0 and supporting cipher suites with RC4 and 3DES encryption, all of which should be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both protocols and ciphers. If compatibility with the insecure legacy protocols and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in ldapd.conf.
tested by abieber. inoguchi agrees with the direction.
ok beck
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE

Revision 1.31 (31-Jul-2018, claudio)
Make ber type and encoding an unsigned int instead of unsigned long. This way the size is the same on all archs and 32bit should be good enough. OK rob@

Revision 1.30 (15-May-2018, reyk)
Fix format string errors in log messages and update ldapd to use relayd's log.c
OK benno@ jmatthew@

Revision 1.29 (14-May-2018, reyk)
Add support to filter on attributes.
This can be used to allow users to change their password (and a few other things) but not their entire dn. For example:
    allow read access to any by self
    allow write access to any attribute userPassword by self
This is currently only supported for "write" (modify, add, delete) and not "read" (search) filter rules.
OK jmatthew@
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE

Revision 1.28 (24-Feb-2017, gsoares)
Implement fork+exec model
OK jmatthew@

Revision 1.27 (20-Jan-2017, benno)
work on making log.c similar in all daemons:
move daemon-local functions into new logmsg.c, and reduce the (mostly whitespace) differences so that log.c's can be diffed easily.
ok krw@ jmatthew@
Revision tags: OPENBSD_6_0_BASE

Revision 1.26 (01-May-2016, jmatthew)
convert ldapd to use the libtls api, bringing in a copy of the evbuffer_tls code from syslogd.
ok beck@ benno@
Revision tags: OPENBSD_5_9_BASE

Revision 1.25 (02-Nov-2015, jmatthew)
use SOCK_NONBLOCK instead of fcntl
ok dlg@
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE

Revision 1.24 (16-Jan-2015, deraadt)
change to <limits.h> universe. The only changes in the binary are due to the heavy use of assert. ok millert
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE

Revision 1.23 (16-Jun-2012, jmatthew)
Protect against fd exhaustion when reopening database files. Only accept client or control connections when there are at least 8 fds available, and close a connection before calling imsg_read if it would be unable to accept an fd from the parent process.
ok gilles@

Revision 1.22 (11-Apr-2012, deraadt)
rate limiting of accept() in various cases. Testing by jmatthew. there may still be a corner case where it needs one more file descriptor beyond the limit.
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE

Revision 1.21 (10-Nov-2010, martinh)
Make -dvv flags produce debug traces of decoded BER messages on stderr. Also shows a hexdump of the input buffer if BER decoding fails. Useful when debugging protocol issues.

Revision 1.20 (03-Nov-2010, martinh)
Evaluate filters according to the three-valued logic of X.511, as required by RFC 4511. A filter term can now be evaluated as undefined if the attribute description is not recognized, the attribute type doesn't define the appropriate matching rule, or the filtering is not implemented.
This also implements the NOT filter in the query planner.

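The three-valued evaluation this commit describes, as an added example in Python (it is not ldapd's C code): a term on an unrecognized attribute, on a type without the needed matching rule, or of an unimplemented kind evaluates to Undefined, and AND, OR and NOT combine TRUE, FALSE and Undefined as RFC 4511 section 4.5.1.7 specifies, so that an entry is returned only when the whole filter is TRUE. The SCHEMA table, the tuple filter syntax and the sample entries are constructed for this example and are not part of the commit.

```python
"""Three-valued LDAP filter evaluation (RFC 4511 section 4.5.1.7).

Added example, not ldapd code. Entries are dicts mapping attribute names
to lists of string values; SCHEMA is a constructed toy table of which
attribute types exist and which matching rules each one defines.
"""
from enum import Enum


class Tri(Enum):
    """Result of evaluating a filter: the three values of X.511 logic."""
    FALSE = 0
    TRUE = 1
    UNDEFINED = 2


# Constructed toy schema: attribute type -> matching rules it defines.
# userCertificate defines no matching rule, so an equality or substring
# filter on it is Undefined rather than False.
SCHEMA = {
    "cn": {"equality", "substr"},
    "mail": {"equality"},
    "userCertificate": set(),
}


def _values(entry, attr):
    """Case-insensitive attribute lookup, as attribute descriptions are."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def eval_filter(flt, entry):
    """Evaluate a filter (nested tuples, constructed syntax) to a Tri.

    Forms: ("and", f...), ("or", f...), ("not", f), ("present", attr),
           ("eq", attr, value), ("substr", attr, prefix); any other kind
           is treated as a filter the server does not implement.
    """
    op = flt[0]
    if op == "and":
        rs = [eval_filter(f, entry) for f in flt[1:]]
        if Tri.FALSE in rs:
            return Tri.FALSE           # a single FALSE term decides
        return Tri.TRUE if all(r is Tri.TRUE for r in rs) else Tri.UNDEFINED
    if op == "or":
        rs = [eval_filter(f, entry) for f in flt[1:]]
        if Tri.TRUE in rs:
            return Tri.TRUE            # a single TRUE term decides
        return Tri.FALSE if all(r is Tri.FALSE for r in rs) else Tri.UNDEFINED
    if op == "not":
        r = eval_filter(flt[1], entry)
        if r is Tri.UNDEFINED:
            return Tri.UNDEFINED       # NOT never turns Undefined into a match
        return Tri.FALSE if r is Tri.TRUE else Tri.TRUE
    if op == "present":
        return Tri.TRUE if _values(entry, flt[1]) else Tri.FALSE
    if op in ("eq", "substr"):
        attr, assertion = flt[1], flt[2]
        rule = "equality" if op == "eq" else "substr"
        rules = next((v for k, v in SCHEMA.items() if k.lower() == attr.lower()), None)
        if rules is None:
            return Tri.UNDEFINED       # attribute description not recognized
        if rule not in rules:
            return Tri.UNDEFINED       # type defines no such matching rule
        vals = [v.lower() for v in _values(entry, attr)]
        a = assertion.lower()
        hit = any(v == a for v in vals) if op == "eq" else any(v.startswith(a) for v in vals)
        return Tri.TRUE if hit else Tri.FALSE
    return Tri.UNDEFINED               # filter kind not implemented


def search(entries, flt):
    """Names of the entries the filter evaluates to TRUE for; Undefined never matches."""
    return [name for name, e in entries if eval_filter(flt, e) is Tri.TRUE]


# Constructed sample entries.
ENTRIES = [
    ("alice", {"cn": ["Alice"], "mail": ["alice@example.com"]}),
    ("bob", {"cn": ["Bob"], "userCertificate": ["<DER bytes>"]}),
]

if __name__ == "__main__":
    for label, flt in [
        ("(cn=alice)", ("eq", "cn", "alice")),
        ("(!(cn=alice))", ("not", ("eq", "cn", "alice"))),
        ("(userCertificate=x)", ("eq", "userCertificate", "x")),
        ("(!(userCertificate=x))", ("not", ("eq", "userCertificate", "x"))),
        ("(|(cn=alice)(userCertificate=x))",
         ("or", ("eq", "cn", "alice"), ("eq", "userCertificate", "x"))),
        ("(&(cn=*)(userCertificate=x))",
         ("and", ("present", "cn"), ("eq", "userCertificate", "x"))),
    ]:
        print(f"{label:36} -> {search(ENTRIES, flt)}")
```

The case worth noticing is `(!(userCertificate=x))`: with two-valued logic the inner term would be False and the NOT would match every entry in the directory, whereas under RFC 4511 the term is Undefined, the NOT stays Undefined, and nothing is returned. The same reasoning keeps `(&(cn=*)(userCertificate=x))` from matching while still letting `(|(cn=alice)(userCertificate=x))` return alice.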
Revision 1.19 (19-Oct-2010, martinh)
Remember the bind DN after BSD authentication. This makes access control work for SASL and BSDAUTH binds as it does for simple binds.

Revision 1.18 (01-Sep-2010, martinh)
Move generic imsg/libevent glue to a separate file.
with eric@ at c2k10
Revision tags: OPENBSD_4_8_BASE

Revision 1.17 (10-Jul-2010, martinh)
Retry requests when the btree is busy. Without this, clients will just hang waiting for a response if the btree was being reopened when the request was received.

Revision 1.16 (01-Jul-2010, martinh)
Implement the LDAP compare operation.

Revision 1.15 (30-Jun-2010, martinh)
Add a global root user that is allowed to read/write entries in all local namespaces. Useful for dump/restore of all namespaces.

Revision 1.14 (29-Jun-2010, martinh)
Add support for referrals. Referrals are configured in the config file, either in the global context or in a namespace. The latter can be used to delegate requests to different servers for specific parts of the DIT. The former is a global catch-all referral.

Revision 1.13 (29-Jun-2010, martinh)
Remember which listener a connection came from, and return a protocol error if trying to use starttls without a configured certificate, instead of just blocking the client.

Revision 1.12 (29-Jun-2010, martinh)
Rewrite the schema parser, as it's not a context-free grammar. This also brings the config parser more in line with other parse.y in the tree. The new schema parser also supports symbolic OID names.
You need to update your /etc/ldapd.conf. Schema files are no longer included with the 'include' keyword, you have to use 'schema' for that.
Moves schema-related structures to a separate include file to ease reuse.

Revision 1.11 (27-Jun-2010, martinh)
return value unused, found by lint

Revision 1.10 (27-Jun-2010, martinh)
Remove unused code.

Revision 1.9 (27-Jun-2010, martinh)
remove an unused typedef

Revision 1.8 (23-Jun-2010, martinh)
remove leftovers from old compaction code

Revision 1.7 (23-Jun-2010, martinh)
Remove compaction and indexing from ldapd. It is better done by a separate process now that the btree can pick up the changes automatically.

Revision 1.6 (15-Jun-2010, martinh)
Move around some functions to ease re-use from ldapctl.

Revision 1.5 (15-Jun-2010, martinh)
Make modify and simple auth requests open their own transactions, as search already does. Trigger a reopen imsg request if either the data or index databases are compacted. Queue the failed request and try again when the file is reopened.
Compaction can now be done by a separate process, and ldapd will pick up the change and reopen the file.

Revision 1.4 (15-Jun-2010, martinh)
Implement support in the parent to (re-)open database files on behalf of the unprivileged child over imsg. Part of a larger change that will fix database compaction.

Revision 1.3 (11-Jun-2010, martinh)
Wrap searches in a read-only transaction so it is guaranteed to see a consistent snapshot of the database.
Also fixes a couple of format string errors for long long ints.

Revision 1.2 (03-Jun-2010, martinh)
Open database files before chrooting, and use an absolute path to the database files, instead of relying on the chrooted-to path.
This breaks compaction as the ldape process can't re-open the database files. This is being worked on.
ok gilles@

Revision 1.1 (31-May-2010, martinh)
Initial import of ldapd, a small LDAP daemon. Work in progress.
ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

#
1.36 |
|
15-Dec-2021 |
deraadt |
PATH_MAX+1 rarely makes sense, and abort if this happens in the imsg. ok jmatthew millert
|
Revision tags: OPENBSD_7_0_BASE
|
#
1.35 |
|
20-Apr-2021 |
dv |
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.34 |
|
27-Jan-2021 |
deraadt |
these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer
|
#
1.33 |
|
09-Jan-2021 |
rob |
Remove locally imposed limit on sockets.
Suggested by martijn@, ok claudio@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
24-Jun-2020 |
tb |
Using the "ldaps" or "tls" keywords in ldapd.conf currently enables all protocols and ciphers. So you get a TLS server speaking TLSv1.0 and supporting cipher suites with RC4 and 3DES encryption, all of which should be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both protocols and ciphers. If compatibility with the insecure legacy protocols and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in ldapd.conf.
tested by abieber. inoguchi agrees with the direction.
ok beck
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.31 |
|
31-Jul-2018 |
claudio |
Make ber type and encoding a unsigned int instead of unsigned long. This way the size is the same on all archs and 32bit should be good enough. OK rob@
|
#
1.30 |
|
15-May-2018 |
reyk |
Fix format string errors in log messages and update ldapd to use relayd's log.c
OK benno@ jmatthew@
|
#
1.29 |
|
14-May-2018 |
reyk |
Add support to filter on attributes.
This can be used to allow users to change their password (and a few other things) but not their entire dn. For example:
allow read access to any by self allow write access to any attribute userPassword by self
This is currently only supported for "write" (modify, add, delete) and not "read" (search) filter rules.
OK jmatthew@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.28 |
|
24-Feb-2017 |
gsoares |
Implement fork+exec model
OK jmatthew@
|
#
1.27 |
|
20-Jan-2017 |
benno |
work on making log.c similar in all daemons:
move daemon-local functions into new logmsg.c, and reduce the (mostly whitespace) differences so that log.c's can be diffed easily.
ok krw@ jmatthew@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.26 |
|
01-May-2016 |
jmatthew |
convert ldapd to use the libtls api, bringing in a copy of the evbuffer_tls code from syslogd.
ok beck@ benno@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.25 |
|
02-Nov-2015 |
jmatthew |
use SOCK_NONBLOCK instead of fcntl
ok dlg@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.24 |
|
16-Jan-2015 |
deraadt |
change to <limits.h> universe. The only changes in the binary are due to the heavy use of assert. ok millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.23 |
|
16-Jun-2012 |
jmatthew |
Protect against fd exhaustion when reopening database files. Only accept client or control connections when there are at least 8 fds available, and close a connection before calling imsg_read if it would be unable to accept an fd from the parent process.
ok gilles@
|
#
1.22 |
|
11-Apr-2012 |
deraadt |
rate limiting of accept() in various cases. Testing by jmatthew. there maybe still be a corner case where it needs one more file descriptor beyond the limit..
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.21 |
|
10-Nov-2010 |
martinh |
Make -dvv flags produce debug traces of decoded BER messages on stderr. Also shows a hexdump of the input buffer if BER decoding fails. Useful when debugging protocol issues.
|
#
1.20 |
|
03-Nov-2010 |
martinh |
Evaluate filters according to the three-valued logic of X.511, as required by RFC 4511. A filter term can now be evaluated as undefined if the attribute description is not recognized, the attribute type doesn't define the appropriate matching rule, or the filtering is not implemented.
This also implements the NOT filter in the query planner.
|
#
1.19 |
|
19-Oct-2010 |
martinh |
Remember the bind DN after BSD authentication. This makes access control work for SASL and BSDAUTH binds as it does for simple binds.
|
#
1.18 |
|
01-Sep-2010 |
martinh |
Move generic imsg/libevent glue to a separate file.
with eric@ at c2k10
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.17 |
|
10-Jul-2010 |
martinh |
Retry requests when the btree is busy. Without this, clients will just hang waiting for a response if the btree was being reopened when the request was received.
|
#
1.16 |
|
01-Jul-2010 |
martinh |
Implement the LDAP compare operation.
|
#
1.15 |
|
30-Jun-2010 |
martinh |
Add a global root user that is allowed to read/write entries in all local namespaces. Useful for dump/restore of all namespaces.
|
#
1.14 |
|
29-Jun-2010 |
martinh |
Add support for referrals. Referrals are configured in the config file, either in the global context or in a namespace. The latter can be used to delegate requests to different servers for specific parts of the DIT. The former is a global catch-all referral.
|
#
1.13 |
|
29-Jun-2010 |
martinh |
Remember on what listener a connection got from, and return protocol error if trying to use starttls without a configured certificate, instead of just blocking the client.
|
#
1.12 |
|
29-Jun-2010 |
martinh |
Rewrite the schema parser, as it's not a context-free grammar. This also brings the config parser more in line with other parse.y in the tree. The new schema parser also supports symbolic OID names.
You need to update your /etc/ldapd.conf. Schema files are no longer included with the 'include' keyword, you have to use 'schema' for that.
Moves schema-related structures to a separate include file to ease reuse.
|
#
1.11 |
|
27-Jun-2010 |
martinh |
return value unused, found by lint
|
#
1.10 |
|
27-Jun-2010 |
martinh |
Remove unused code.
|
#
1.9 |
|
27-Jun-2010 |
martinh |
remove an unused typedef
|
#
1.8 |
|
23-Jun-2010 |
martinh |
remove leftovers from old compaction code
|
#
1.7 |
|
23-Jun-2010 |
martinh |
Remove compaction and indexing from ldapd. It is better done by a separate process now that the btree can pick up the changes automatically.
|
#
1.6 |
|
15-Jun-2010 |
martinh |
Move around some functions to ease re-use from ldapctl.
|
#
1.5 |
|
15-Jun-2010 |
martinh |
Make modify and simple auth requests open their own transactions, as search already does. Trigger a reopen imsg request if either the data or index databases are compacted. Queue the failed request and try again when the file is reopened.
Compaction can now be done by a separate process, and ldapd will pick up the change and reopen the file.
|
#
1.4 |
|
15-Jun-2010 |
martinh |
Implement support in the parent to (re-)open database files on behalf of the unprivileged child over imsg. Part of a larger change that will fix database compaction.
|
#
1.3 |
|
11-Jun-2010 |
martinh |
Wrap searches in a read-only transaction so it is guaranteed to see a consistent snapshot of the database.
Also fixes a couple of format string errors for long long ints.
|
#
1.2 |
|
03-Jun-2010 |
martinh |
Open database files before chrooting, and use an absolute path to the database files, instead of relying on the chrooted-to path.
This breaks compaction as the ldape process can't re-open the database files. This is being worked on.
ok gilles@
|
#
1.1 |
|
31-May-2010 |
martinh |
Initial import of ldapd, a small LDAP daemon. Work in progress.
ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@
|
#
1.35 |
|
20-Apr-2021 |
dv |
Move TAILQ initialization to files where they are used.
These priv-sep daemons all follow a similar design and use TAILQs for tracking control process connections. In most cases, the TAILQs are initialized separate from where they are used. Since the scope of use is generally confined to a specific control process file, this commit also removes any extern definitions and exposing the TAILQ structures to other compilation units.
ok bluhm@, tb@
|
Revision tags: OPENBSD_6_9_BASE
|
#
1.34 |
|
27-Jan-2021 |
deraadt |
these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer
|
#
1.33 |
|
09-Jan-2021 |
rob |
Remove locally imposed limit on sockets.
Suggested by martijn@, ok claudio@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
24-Jun-2020 |
tb |
Using the "ldaps" or "tls" keywords in ldapd.conf currently enables all protocols and ciphers. So you get a TLS server speaking TLSv1.0 and supporting cipher suites with RC4 and 3DES encryption, all of which should be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both protocols and ciphers. If compatibility with the insecure legacy protocols and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in ldapd.conf.
tested by abieber. inoguchi agrees with the direction.
ok beck
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.31 |
|
31-Jul-2018 |
claudio |
Make ber type and encoding a unsigned int instead of unsigned long. This way the size is the same on all archs and 32bit should be good enough. OK rob@
|
#
1.30 |
|
15-May-2018 |
reyk |
Fix format string errors in log messages and update ldapd to use relayd's log.c
OK benno@ jmatthew@
|
#
1.29 |
|
14-May-2018 |
reyk |
Add support to filter on attributes.
This can be used to allow users to change their password (and a few other things) but not their entire dn. For example:
allow read access to any by self allow write access to any attribute userPassword by self
This is currently only supported for "write" (modify, add, delete) and not "read" (search) filter rules.
OK jmatthew@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.28 |
|
24-Feb-2017 |
gsoares |
Implement fork+exec model
OK jmatthew@
|
#
1.27 |
|
20-Jan-2017 |
benno |
work on making log.c similar in all daemons:
move daemon-local functions into new logmsg.c, and reduce the (mostly whitespace) differences so that log.c's can be diffed easily.
ok krw@ jmatthew@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.26 |
|
01-May-2016 |
jmatthew |
convert ldapd to use the libtls api, bringing in a copy of the evbuffer_tls code from syslogd.
ok beck@ benno@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.25 |
|
02-Nov-2015 |
jmatthew |
use SOCK_NONBLOCK instead of fcntl
ok dlg@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.24 |
|
16-Jan-2015 |
deraadt |
change to <limits.h> universe. The only changes in the binary are due to the heavy use of assert. ok millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.23 |
|
16-Jun-2012 |
jmatthew |
Protect against fd exhaustion when reopening database files. Only accept client or control connections when there are at least 8 fds available, and close a connection before calling imsg_read if it would be unable to accept an fd from the parent process.
ok gilles@
|
#
1.22 |
|
11-Apr-2012 |
deraadt |
rate limiting of accept() in various cases. Testing by jmatthew. there maybe still be a corner case where it needs one more file descriptor beyond the limit..
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.21 |
|
10-Nov-2010 |
martinh |
Make -dvv flags produce debug traces of decoded BER messages on stderr. Also shows a hexdump of the input buffer if BER decoding fails. Useful when debugging protocol issues.
|
#
1.20 |
|
03-Nov-2010 |
martinh |
Evaluate filters according to the three-valued logic of X.511, as required by RFC 4511. A filter term can now be evaluated as undefined if the attribute description is not recognized, the attribute type doesn't define the appropriate matching rule, or the filtering is not implemented.
This also implements the NOT filter in the query planner.
|
#
1.19 |
|
19-Oct-2010 |
martinh |
Remember the bind DN after BSD authentication. This makes access control work for SASL and BSDAUTH binds as it does for simple binds.
|
#
1.18 |
|
01-Sep-2010 |
martinh |
Move generic imsg/libevent glue to a separate file.
with eric@ at c2k10
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.17 |
|
10-Jul-2010 |
martinh |
Retry requests when the btree is busy. Without this, clients will just hang waiting for a response if the btree was being reopened when the request was received.
|
#
1.16 |
|
01-Jul-2010 |
martinh |
Implement the LDAP compare operation.
|
#
1.15 |
|
30-Jun-2010 |
martinh |
Add a global root user that is allowed to read/write entries in all local namespaces. Useful for dump/restore of all namespaces.
|
#
1.14 |
|
29-Jun-2010 |
martinh |
Add support for referrals. Referrals are configured in the config file, either in the global context or in a namespace. The latter can be used to delegate requests to different servers for specific parts of the DIT. The former is a global catch-all referral.
|
#
1.13 |
|
29-Jun-2010 |
martinh |
Remember on what listener a connection got from, and return protocol error if trying to use starttls without a configured certificate, instead of just blocking the client.
|
#
1.12 |
|
29-Jun-2010 |
martinh |
Rewrite the schema parser, as it's not a context-free grammar. This also brings the config parser more in line with other parse.y in the tree. The new schema parser also supports symbolic OID names.
You need to update your /etc/ldapd.conf. Schema files are no longer included with the 'include' keyword, you have to use 'schema' for that.
Moves schema-related structures to a separate include file to ease reuse.
|
#
1.11 |
|
27-Jun-2010 |
martinh |
return value unused, found by lint
|
#
1.10 |
|
27-Jun-2010 |
martinh |
Remove unused code.
|
#
1.9 |
|
27-Jun-2010 |
martinh |
remove an unused typedef
|
#
1.8 |
|
23-Jun-2010 |
martinh |
remove leftovers from old compaction code
|
#
1.7 |
|
23-Jun-2010 |
martinh |
Remove compaction and indexing from ldapd. It is better done by a separate process now that the btree can pick up the changes automatically.
|
#
1.6 |
|
15-Jun-2010 |
martinh |
Move around some functions to ease re-use from ldapctl.
|
#
1.5 |
|
15-Jun-2010 |
martinh |
Make modify and simple auth requests open their own transactions, as search already does. Trigger a reopen imsg request if either the data or index databases are compacted. Queue the failed request and try again when the file is reopened.
Compaction can now be done by a separate process, and ldapd will pick up the change and reopen the file.
|
#
1.4 |
|
15-Jun-2010 |
martinh |
Implement support in the parent to (re-)open database files on behalf of the unprivileged child over imsg. Part of a larger change that will fix database compaction.
|
#
1.3 |
|
11-Jun-2010 |
martinh |
Wrap searches in a read-only transaction so it is guaranteed to see a consistent snapshot of the database.
Also fixes a couple of format string errors for long long ints.
|
#
1.2 |
|
03-Jun-2010 |
martinh |
Open database files before chrooting, and use an absolute path to the database files, instead of relying on the chrooted-to path.
This breaks compaction as the ldape process can't re-open the database files. This is being worked on.
ok gilles@
|
#
1.1 |
|
31-May-2010 |
martinh |
Initial import of ldapd, a small LDAP daemon. Work in progress.
ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@
|
#
1.34 |
|
27-Jan-2021 |
deraadt |
these programs (with common ancestry) had a -fno-common problem related to privsep_procid. ok mortimer
|
#
1.33 |
|
09-Jan-2021 |
rob |
Remove locally imposed limit on sockets.
Suggested by martijn@, ok claudio@
|
Revision tags: OPENBSD_6_8_BASE
|
#
1.32 |
|
24-Jun-2020 |
tb |
Using the "ldaps" or "tls" keywords in ldapd.conf currently enables all protocols and ciphers. So you get a TLS server speaking TLSv1.0 and supporting cipher suites with RC4 and 3DES encryption, all of which should be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both protocols and ciphers. If compatibility with the insecure legacy protocols and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in ldapd.conf.
tested by abieber. inoguchi agrees with the direction.
ok beck
|
Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE OPENBSD_6_6_BASE OPENBSD_6_7_BASE
|
#
1.31 |
|
31-Jul-2018 |
claudio |
Make ber type and encoding a unsigned int instead of unsigned long. This way the size is the same on all archs and 32bit should be good enough. OK rob@
|
#
1.30 |
|
15-May-2018 |
reyk |
Fix format string errors in log messages and update ldapd to use relayd's log.c
OK benno@ jmatthew@
|
#
1.29 |
|
14-May-2018 |
reyk |
Add support to filter on attributes.
This can be used to allow users to change their password (and a few other things) but not their entire dn. For example:
allow read access to any by self allow write access to any attribute userPassword by self
This is currently only supported for "write" (modify, add, delete) and not "read" (search) filter rules.
OK jmatthew@
|
Revision tags: OPENBSD_6_1_BASE OPENBSD_6_2_BASE OPENBSD_6_3_BASE
|
#
1.28 |
|
24-Feb-2017 |
gsoares |
Implement fork+exec model
OK jmatthew@
|
#
1.27 |
|
20-Jan-2017 |
benno |
work on making log.c similar in all daemons:
move daemon-local functions into new logmsg.c, and reduce the (mostly whitespace) differences so that log.c's can be diffed easily.
ok krw@ jmatthew@
|
Revision tags: OPENBSD_6_0_BASE
|
#
1.26 |
|
01-May-2016 |
jmatthew |
convert ldapd to use the libtls api, bringing in a copy of the evbuffer_tls code from syslogd.
ok beck@ benno@
|
Revision tags: OPENBSD_5_9_BASE
|
#
1.25 |
|
02-Nov-2015 |
jmatthew |
use SOCK_NONBLOCK instead of fcntl
ok dlg@
|
Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
|
#
1.24 |
|
16-Jan-2015 |
deraadt |
change to <limits.h> universe. The only changes in the binary are due to the heavy use of assert. ok millert
|
Revision tags: OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
|
#
1.23 |
|
16-Jun-2012 |
jmatthew |
Protect against fd exhaustion when reopening database files. Only accept client or control connections when there are at least 8 fds available, and close a connection before calling imsg_read if it would be unable to accept an fd from the parent process.
ok gilles@
|
#
1.22 |
|
11-Apr-2012 |
deraadt |
rate limiting of accept() in various cases. Testing by jmatthew. there maybe still be a corner case where it needs one more file descriptor beyond the limit..
|
Revision tags: OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE
|
#
1.21 |
|
10-Nov-2010 |
martinh |
Make -dvv flags produce debug traces of decoded BER messages on stderr. Also shows a hexdump of the input buffer if BER decoding fails. Useful when debugging protocol issues.
|
#
1.20 |
|
03-Nov-2010 |
martinh |
Evaluate filters according to the three-valued logic of X.511, as required by RFC 4511. A filter term can now be evaluated as undefined if the attribute description is not recognized, the attribute type doesn't define the appropriate matching rule, or the filtering is not implemented.
This also implements the NOT filter in the query planner.
|
#
1.19 |
|
19-Oct-2010 |
martinh |
Remember the bind DN after BSD authentication. This makes access control work for SASL and BSDAUTH binds as it does for simple binds.
|
#
1.18 |
|
01-Sep-2010 |
martinh |
Move generic imsg/libevent glue to a separate file.
with eric@ at c2k10
|
Revision tags: OPENBSD_4_8_BASE
|
#
1.17 |
|
10-Jul-2010 |
martinh |
Retry requests when the btree is busy. Without this, clients will just hang waiting for a response if the btree was being reopened when the request was received.
|
#
1.16 |
|
01-Jul-2010 |
martinh |
Implement the LDAP compare operation.
|
#
1.15 |
|
30-Jun-2010 |
martinh |
Add a global root user that is allowed to read/write entries in all local namespaces. Useful for dump/restore of all namespaces.
|
#
1.14 |
|
29-Jun-2010 |
martinh |
Add support for referrals. Referrals are configured in the config file, either in the global context or in a namespace. The latter can be used to delegate requests to different servers for specific parts of the DIT. The former is a global catch-all referral.
|
#
1.13 |
|
29-Jun-2010 |
martinh |
Remember on what listener a connection got from, and return protocol error if trying to use starttls without a configured certificate, instead of just blocking the client.
|
#
1.12 |
|
29-Jun-2010 |
martinh |
Rewrite the schema parser, as it's not a context-free grammar. This also brings the config parser more in line with other parse.y in the tree. The new schema parser also supports symbolic OID names.
You need to update your /etc/ldapd.conf. Schema files are no longer included with the 'include' keyword, you have to use 'schema' for that.
Moves schema-related structures to a separate include file to ease reuse.
|
#
1.11 |
|
27-Jun-2010 |
martinh |
return value unused, found by lint
|
#
1.10 |
|
27-Jun-2010 |
martinh |
Remove unused code.
|
#
1.9 |
|
27-Jun-2010 |
martinh |
remove an unused typedef
|
#
1.8 |
|
23-Jun-2010 |
martinh |
remove leftovers from old compaction code
|
#
1.7 |
|
23-Jun-2010 |
martinh |
Remove compaction and indexing from ldapd. It is better done by a separate process now that the btree can pick up the changes automatically.
|
#
1.6 |
|
15-Jun-2010 |
martinh |
Move around some functions to ease re-use from ldapctl.
|
#
1.5 |
|
15-Jun-2010 |
martinh |
Make modify and simple auth requests open their own transactions, as search already does. Trigger a reopen imsg request if either the data or index databases are compacted. Queue the failed request and try again when the file is reopened.
Compaction can now be done by a separate process, and ldapd will pick up the change and reopen the file.
|
#
1.4 |
|
15-Jun-2010 |
martinh |
Implement support in the parent to (re-)open database files on behalf of the unprivileged child over imsg. Part of a larger change that will fix database compaction.
|
#
1.3 |
|
11-Jun-2010 |
martinh |
Wrap searches in a read-only transaction so it is guaranteed to see a consistent snapshot of the database.
Also fixes a couple of format string errors for long long ints.
|
#
1.2 |
|
03-Jun-2010 |
martinh |
Open database files before chrooting, and use an absolute path to the database files, instead of relying on the chrooted-to path.
This breaks compaction as the ldape process can't re-open the database files. This is being worked on.
ok gilles@
|
#
1.1 |
|
31-May-2010 |
martinh |
Initial import of ldapd, a small LDAP daemon. Work in progress.
ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@
|