19 Mar, 2007

3 commits


18 Mar, 2007

1 commit

  • authentication info structure goes through the setAuthenticationInfo() method.
    This will ensure that all proper cleanup is done.  Without doing this, there
    may be problems if a client connection is used to authenticate multiple times
    and the entry for one of the previous users is modified or deleted, since that
    could cause an attempt to update the client connection which is now
    authenticated as another user.
    
    OpenDS Issue Number:  1392
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1441 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

17 Mar, 2007

2 commits

  • detecting and warning administrators about the use of non-canonical hostnames
    in the "dns" bind rule.  The dns bind rule requires that all addresses be
    provided in canonical form or they will not match the intended target.
    
    This change also includes special handling for the "localhost" name.  In the
    event that it does not match its canonical representation, then the
    corresponding rule will automatically allow the canonical name as well.  This
    may be needed in some environments because the canonical hostname for the
    loopback address may be something else, like "localhost.localdomain", and the
    hostname "localhost" is likely to appear more commonly than other kinds of
    hostnames.
    
    With these changes, a number of reported mysterious ACI failures should go away
    and the AciTests should now pass cleanly.
    
    OpenDS Issue Number:  1385
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1440 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
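
The canonical-name check and the "localhost" exception described in the commit above (OpenDS issue 1385), as an added Java example that is not OpenDS code. The class and method names, the injected resolver, the wildcard skip and the sample name table are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.UnaryOperator;

// Added illustration: class and method names are hypothetical, not OpenDS code.
public class DnsBindRuleCheck {

    // Names the rule will effectively match, plus warnings for the administrator.
    record Result(Set<String> effectiveNames, List<String> warnings) {}

    // canonicalize maps a hostname to its canonical form. It is injected so the
    // example runs offline; a live resolver could wrap
    // InetAddress.getByName(name).getCanonicalHostName().
    static Result check(List<String> ruleNames, UnaryOperator<String> canonicalize) {
        Set<String> effective = new LinkedHashSet<>();
        List<String> warnings = new ArrayList<>();
        for (String name : ruleNames) {
            String given = name.toLowerCase(Locale.ROOT);
            effective.add(given);
            if (given.contains("*")) {
                continue; // assumption: wildcard patterns are not resolved
            }
            String canonical = canonicalize.apply(given).toLowerCase(Locale.ROOT);
            if (canonical.equals(given)) {
                continue; // already canonical, nothing to report
            }
            if (given.equals("localhost")) {
                // Special case from the commit message: also allow the canonical name.
                effective.add(canonical);
            } else {
                warnings.add("dns bind rule name \"" + given + "\" is not canonical ("
                    + canonical + ") and may not match the intended client");
            }
        }
        return new Result(effective, warnings);
    }

    public static void main(String[] args) {
        // Constructed name table standing in for the resolver.
        Map<String, String> table = Map.of(
            "localhost", "localhost.localdomain",
            "ldap1", "ldap1.example.com");
        Result r = check(List.of("localhost", "ldap1", "ldap2.example.com", "*.example.net"),
            h -> table.getOrDefault(h, h));
        System.out.println("effective names: " + r.effectiveNames());
        r.warnings().forEach(w -> System.out.println("WARNING: " + w));
    }
}
```
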
     
  • and fix a couple of typos in the synchronization.common package-info.java file.
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1439 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

16 Mar, 2007

4 commits


15 Mar, 2007

6 commits

  • …ediate children of the target, rather than the target entry and its immediate children.
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1424 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • an import, export, backup, or restore task is about to begin or has ended.
    
    Reviewed by:  Andrew Coulbeck
    OpenDS Issue Number:  1316
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1422 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • * Extends authmethod="sasl mechanism" to any sasl mechanism.
    * Fixes the authmethod="ssl" case.
    * Allows for future multi-factor authentication.
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1420 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • it is provided, then the tool will verify that all of the arguments are valid
    but will not actually attempt any network communication.
    
    Fix Contributed By:  Ales Novak
    OpenDS Issue Number:  1014
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1419 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • The following changes are targeted to be able to run OpenDS as a windows 
    service.
    
    The idea is to be able to run OpenDS as a service and to be able 
    also to disable this feature.
    
    The setup has been updated to run OpenDS as a service in windows (which 
    is the standard behavior in this platform).  The uninstall has also been 
    updated to remove all references to OpenDS in the Registry and in the 
    list of services once OpenDS has been uninstalled.
    
    A new executable (opends_service.exe) has been added to be able to 
    perform all the tasks that require native code 
    (registering/unregistering the service, sending events to the event log, 
    etc.).  Most of the code required by this executable is in the file 
    service.c.  The README file has been updated and a Makefile file 
    provided to generate all the executables.
    
    A new command line has been added: windowsservice.bat.  The usage of 
    this command line is the following one:
    
    This utility may be used to configure OpenDS as a Windows service.
    Usage:  windowsservice {options}
                  where {options} include:
    -e  or   --enableService
         Enables OpenDS as a Windows service.
    -d  or   --disableService
         Disables OpenDS as a Windows service and stops the server
    -s  or   --serviceState
         Provides information about the state of OpenDS as a Windows service.
    -H  or   --help
         Display this usage information.
    
    The class associated with this command line (ConfigureWindowsService) 
    uses opends_service.exe.  ConfigureWindowsService is basically a wrapper 
    that allows to have the messages displayed to the user in the Java code 
    (and so to minimize what is done by the native code).
    
    
    Some changes have been made in the start-ds(.bat) and stop-ds(.bat) 
    scripts by extending what the --checkStartability (in DirectoryServer 
    class) and --checkStoppability (in StopDS class) do.  I think that it is 
    a good idea to have all the parsing of the arguments into the java code 
    (especially considering the limitations of the .bat files).  So I have 
    moved most of the parsing to the java code so that it is the java code 
    that provides a return code to the scripts to tell them what to do 
    (start the server in detach mode, stop the server using a system call, 
    stop the server using protocol, etc.).
    
    In the particular case of how start-ds.bat and stop-ds.bat have been 
    updated to manage the case where the server must be started using the 
    system call 'net start <service_name>' and 'net stop <service_name>'. 
    --checkstoppability and --checkstartability tell whether the server must 
    be stopped/started directly with a system call (or stopped using LDAP 
    protocol) or using the Windows Service system.  If it is the latter the 
    bat files use two new auxiliary classes (StopWindowsService and 
    StartWindowsService).  These classes figure out the service name 
    associated with the OpenDS instance and call net stop (or net start) 
    using that service name.
    
    When net start/net stop are called start-ds.bat (or stop-ds.bat) are 
    called.  The Windows Services have been configured to call start-ds.bat 
    and stop-ds.bat with some particular options (--windowsNetStart and 
    --windowsNetStop) to identify the case where we must start/stop the 
    server directly (and so not having an infinite recursive loop of calls 
    to net start/net stop).
    
    In order to have the same user experience when the server is configured 
    to run as a service and when it is not, the tool class WaitForDelete has 
    also been updated to write its output to a file.  This has been done 
    because piping from the standard output to a file in the context of a 
    Windows Service call does not seem to work properly.  So now 
    WaitForDelete has a new option --outputFile.
    
    setup --cli on windows has a new option '-n' or '-noWindowsService' to allow not to enable the windows service.  When run in interactive mode and this option is not specified the user will systematically be asked whether to enable the windows service or not. 
    
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1418 41b1ffd8-f28e-4786-ab96-9950f0a78031
    jvergara
     
  • With the addition of AspectJ there are some added dependencies in the code.  So
    for instance using the class StaticUtils requires je.jar to be on the path
    (which was not the case before).  The uninstall scripts used to have a limited
    set of jar files so that afterwards there was a minimum number of files to be
    deleted.  Instead of doing this uninstall scripts should use the full class path.
    
    In any case all the remaining files are under the same directory so the user will
    have to do the cleanup in the same single place as before.
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1415 41b1ffd8-f28e-4786-ab96-9950f0a78031
    jvergara
     

14 Mar, 2007

2 commits


13 Mar, 2007

4 commits


12 Mar, 2007

7 commits

  • git-svn-id: https://svn.forgerock.org/opendj/trunk@1387 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • …path.  This is required when the user.dir variable of the JVM used to launch setup does not match the installation path.  This is what happens for example when the setup is launched using an external tool (like Abbot).
    
    This only affects the setup and is safe (or at least does not make things worse) because the setup is figuring out the server root based on the jar files in the class path.
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1385 41b1ffd8-f28e-4786-ab96-9950f0a78031
    jvergara
     
  • any schema changes that occur.  The synchronization service can already handle
    schema changes that occur over protocol with the server online, but this set of
    changes adds support for detecting schema changes made by directly editing the
    schema configuration files with the server offline, as well as new schema
    elements added through the add schema file task.
    
    Reviewed By:  Gilles Bellaton
    OpenDS Issue Number:  1315
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1384 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • Using the CLI the user can specify the JMX port using the -j or --jmxPort option.
    
    The usage has been updated to reflect this.
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1382 41b1ffd8-f28e-4786-ab96-9950f0a78031
    jvergara
     
  • The number of entries was capped to 10 million.  Change the maximum value to 10000 entries.
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1380 41b1ffd8-f28e-4786-ab96-9950f0a78031
    jvergara
     
  • …nges to consumers of its API are the result of a review in preparation for password policy state management extended operation (issue 579).
    
    1. Issue 1301 Force Pwd Change Option Allows User to Change Pwds But Not Bind With New Pwd
    
    I had made a change to PasswordPolicyState.setMustChangePassword in a previous commit that did not account for the possibility that the PasswordPolicyState field could be ConditionResult.UNDEFINED. Now the routine calls mustChangePassword, which ensures the state field is set.
    
    2. Issue 1295 PwP: PasswordPolicyState.setRequiredChangeTime uses incorrect time value
    
    Per https://opends.dev.java.net/public/docs/architecture/OpenDS-PWPolicy-Architecture.pdf , the field is to be set to the value of ds-cfg-require-change-by-time. It was being set to the PasswordPolicyState field passwordChangedTime value.
    
    3. Issue 1344 PwP: PasswordPolicyState field secondsUntilUnlock set inside debug condition. Moved outside.
    
    4. Issue 1346 PwP: When lockout-due-to-failures expiration detected, pwdFailureTime timestamps must be cleared. Now cleared along with pwdAccountLockedTime.
    
    5. Initialize PasswordPolicyState fields at declaration, when a default initial value is available. Otherwise, the field is qualified with final, to help ensure proper initialization. (Similar to recent change to PasswordPolicy.)
    
    6. Fixed several errors introduced when the new debug{Error,Warning,Info} methods were introduced and the string concatenation message style was replaced with the printf format string message style.
    
    7. Converted getPasswordPolicyInternal to a static method: while the password policy state computation depends on the policy object, it is not a part of the state, per se. The method could be made public and used for AddOperation.
    
    8. Changed PasswordPolicyState.getBoolean to return ConditionResult to be consistent with other entry field getters (i.e., indicate when the attribute is absent from the entry).
    
    9. Used canonical attribute access style for getPasswordValues (for loop) to accommodate absent attribute and empty attribute values (based on attribute getters used throughout the existing code).
    
    10. For the policy state getters, reorganized to follow a canonical structure:
        a. Return if cached value is found (note that lazy initialization is used for state fields).
        b. Try to fetch attribute value from entry.
             i. Handle exception case.
             ii. Handle absence case.
        c. Perform any computation on entry value needed to arrive at state value; store state value.
        d. Return result.
    
    11. Revised PasswordPolicyState.lockedDueToFailures feature. The feature is complicated by the use (due to the IETF draft) of two state attributes. This change attempted to simplify managing the feature by wrapping the attribute management into a simpler API.
          a. Narrowed public API to
              i.  updateAuthFailureTimes:  adds pwdFailureTime timestamp and [new] checks for lockout;
              ii. lockedDueToFailure: checks for pwdAccountLockedTime, another lockout corner case, and handles lockout expiration including [1295] clearing pwdFailureTime timestamps;
              iii. clearFailureLockout: clears pwdAccountLockedTime and [new] pwdFailureTime.
           b. Factored pwdAccountLockedTime getter/setter/clear from public API. These are called from the public API as appropriate.
           c. Also, it now accommodates the pwdAccountLockedTime:19700101000000Z as a valid locked time (but subject to lockout expiration and not as "locked until reset" as described in IETF draft-behera).
    
    12. Note that PasswordPolicyState.mustChangePassword is unusual in that it does not evaluate the entry unless the policy indicates the feature is enabled (i.e., checks for allow-user-change and force-change-on-{add,reset}). I did not change this behavior, but marked it with FIXME.
    
    13. PasswordPolicyState.clearWarnedTime: Added getWarnedTime() and warnedTime = -1 to make it consistent with other clear routines.
    
    14. PasswordPolicyState.getClearPasswords, passwordMatches, and handleDeprecatedStorageSchemes duplicated code for authPassword and userPassword syntax. Combining the two cases was complicated by the fact that these two routines have different return types:
    
      StringBuilder[] AuthPasswordSyntax.decodeAuthPassword
      String[] UserPasswordSyntax.decodeUserPassword
    
    I did not change either return type, but believe the return types should be consistent.
    
    
    TESTS
    
    There are no unit tests. The functional tests (security) provide some coverage (e.g., like finding 1301), and these 157 tests now pass.
    
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1379 41b1ffd8-f28e-4786-ab96-9950f0a78031
    david_page
     
  • the problem: an uninitialized variable was causing disable of the schema tests
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1376 41b1ffd8-f28e-4786-ab96-9950f0a78031
    gbellato
     

09 Mar, 2007

4 commits


08 Mar, 2007

7 commits

  • Define a new attribute syntax for the aci attribute.  Invalid values are now rejected by the core server before getting to the access control evaluation.
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1350 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • to be included or excluded
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1349 41b1ffd8-f28e-4786-ab96-9950f0a78031
    sin
     
  • instance of an element and adding a different instance of the same element in
    the same modification that also depends on a third schema element which was
    added between the two.  For example, if you tried to have a single modify
    operation that deleted an existing object class, added a new attribute type,
    and added a new object class that depended on the new attribute type, the
    operation would fail because when processing the removal of the object class
    the server would attempt to determine whether it was going to be re-added later
    in the operation and therefore attempted to decode any object class additions
    later in the operation.  An error occurred when trying to decode the new object
    class because it depended on an attribute type that was not yet defined and the
    decode operation wasn't told to ignore unknown schema elements.
    
    OpenDS Issue Number:  1318
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1346 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • …private constructor to the field declaration, and where appropriate, qualifies the field with "final".
    
    The motivations are:
    
    1. Easier to find default field values (e.g., use an IDE's "go to declaration" mechanism).
    
    2. Mark any field with "final" that does not have a reasonable default value (i.e., those that depend on some constructor argument) to help ensure the object is properly initialized.
    
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1344 41b1ffd8-f28e-4786-ab96-9950f0a78031
    david_page
     
  • instead of four-digit years.  Also, update other parts of the server that made
    reference to UTC times when they really meant "YYYYMMDDhhmmssZ" to the term
    "GMT" instead of "UTC" so there is no confusion about whether the year would be
    expressed in four digits or two.
    
    OpenDS Issue Number:  637
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1343 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • with different types of key stores, including generating self-signed
    certificates and certificate signing requests.
    
    OpenDS Issue Number:  410
    
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1342 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • to add an entry that already exists.
    
    Also suppress a spurious println forgotten in a previous commit.
    
    git-svn-id: https://svn.forgerock.org/opendj/trunk@1335 41b1ffd8-f28e-4786-ab96-9950f0a78031
    gbellato