History log of /openbsd-current/usr.sbin/ldapd/modify.c
# 1.24 20-Dec-2021 claudio

When removing the last value from an attribute in ldap_del_values()
the actual attribute needs to be removed instead of leaving behind an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). Calling ldap_del_attribute() in this case
properly removes the attribute and with that validate_entry() no
longer fails later on.
OK jmatthew@


Revision tags: OPENBSD_6_7_BASE OPENBSD_6_8_BASE OPENBSD_6_9_BASE OPENBSD_7_0_BASE
# 1.23 24-Oct-2019 tb

The ber_* namespace is used by liblber since time immemorial,
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.

Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.

tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt


Revision tags: OPENBSD_6_6_BASE
# 1.22 18-May-2019 rob

branches: 1.22.2;
Fix LDAP RFC reference in comment. Also noticed by martijn.

ok guenther@, claudio@


Revision tags: OPENBSD_6_4_BASE OPENBSD_6_5_BASE
# 1.21 14-May-2018 reyk

Add support to filter on attributes.

This can be used to allow users to change their password (and a few
other things) but not their entire dn. For example:

allow read access to any by self
allow write access to any attribute userPassword by self

This is currently only supported for "write" (modify, add, delete) and
not "read" (search) filter rules.

OK jmatthew@


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE
# 1.20 28-Jul-2017 florian

One negation is enough; pointed out by clang.

OK gsoares who says that he forgot about the same diff for months and
that millert@ had OK'ed it.


Revision tags: OPENBSD_6_1_BASE
# 1.19 11-Feb-2017 guenther

Correct handling of requests to delete individual attribute values.

reported by ZHANG Huangbin (zhb (at) iredmail.org)
fix by Robert Klein (roklein (at) roklein.de)


# 1.18 20-Jan-2017 benno

work on making log.c similar in all daemons:

move daemon-local functions into new logmsg.c, and reduce
the (mostly whitespace) differences so that log.c's can be diffed easily.

ok krw@ jmatthew@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE
# 1.17 24-Dec-2015 mmcc

bzero -> memset. No binary change.


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.16 11-Feb-2015 pelikan

initialize a variable in case "goto done" makes us compare it

found by clang, ok henning


# 1.15 21-Sep-2014 daniel

eliminate the use of a gcc C extension (conditionals with omitted
operands).

ok deraadt@


Revision tags: OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.14 28-Jul-2010 martinh

Revert parts of previous change leading to assertion failure for
certain modify operations. Also fix logic error when replacing an attribute
with the empty set.


# 1.13 13-Jul-2010 martinh

Avoid double free in ldap modify requests. The values received in the
modify request are linked into the stored ber structure, and then both are
freed. Fix this by unlinking the values from the request.


# 1.12 06-Jul-2010 martinh

Plug another memory leak. Forgot to reset key returned from cursor, having
a reference to a cached page.


# 1.11 06-Jul-2010 martinh

Check return code from commit. Incorrectly returned success when commit
failed due to disk full.


# 1.10 05-Jul-2010 martinh

Close cursor on delete. Fixes memory leak introduced by non-leaf delete
check.


# 1.9 02-Jul-2010 martinh

Don't validate modification of immutable attributes if the namespace is
configured with relaxed schema checking.


# 1.8 02-Jul-2010 martinh

Disallow deleting non-leaf nodes.


# 1.7 01-Jul-2010 martinh

Add checks that we're not adding immutable attributes, just as we're
disallowing modifying immutable attributes. Remove the check for modifying
operational attributes, as there's nothing that disallows that (except that
they're also often marked as immutable).

While here, check the return value from ber_add_* and ldap_add_attribute.


# 1.6 29-Jun-2010 martinh

Add support for referrals. Referrals are configured in the config file,
either in the global context or in a namespace. The latter can be used to
delegate requests to different servers for specific parts of the DIT. The
former is a global catch-all referral.


# 1.5 29-Jun-2010 martinh

don't overwrite the return code from validate_entry


# 1.4 29-Jun-2010 martinh

Rewrite the schema parser, as it's not a context-free grammar.
This also brings the config parser more in line with other parse.y in the
tree. The new schema parser also supports symbolic OID names.

You need to update your /etc/ldapd.conf. Schema files are no longer
included with the 'include' keyword, you have to use 'schema' for that.

Moves schema-related structures to a separate include file to ease reuse.


# 1.3 23-Jun-2010 martinh

Set errno to appropriate values when returning failure in btree. Make btree
functions only return success or failure (-1 or NULL). Update callers to
check errno.


# 1.2 15-Jun-2010 martinh

Make modify and simple auth requests open their own transactions, as search
already does. Trigger a reopen imsg request if either the data or index
databases are compacted. Queue the failed request and try again when the
file is reopened.

Compaction can now be done by a separate process, and ldapd will pick up
the change and reopen the file.


# 1.1 31-May-2010 martinh

Initial import of ldapd, a small LDAP daemon. Work in progress.

ok deraadt@ jacekm@ gilles@ back@ henning@ blambert@

