org.forgerock / org.forgerock.opendj

02 Sep, 2007

2 commits

01 Sep, 2007

1 commit

  • 36df03f9   Issue 466 partial ... Browse Dir » 
    Update schema and config files with OIDs issued by Neil.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2895 41b1ffd8-f28e-4786-ab96-9950f0a78031
    david_page
     

31 Aug, 2007

2 commits

28 Aug, 2007

3 commits

  • c91a1738   Files missing from previous commit ... Browse Dir » 
    git-svn-id: https://svn.forgerock.org/opendj/trunk@2830 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • 2bc97056   Changes for replication security issues 511, 512, 608. ... Browse Dir » 
    There is a new backend representing the certificate trust store, which allows the setup code to query and populate the trust store over protocol. However, we are using blind trust until that piece of the setup code is ready.

The encryption settings are currently global to the server instance in a new crypto manager config entry. Authentication will always be performed so the main setting is whether to use encryption or not. In the future (post 1.0) we will need to allow encryption to be configured on or off depending on which replication server we are connecting to but we need some discussion on the best way to specify that in configuration.

git-svn-id: https://svn.forgerock.org/opendj/trunk@2829 41b1ffd8-f28e-4786-ab96-9950f0a78031
    coulbeck
     
  • 2ebd3085   Add an SMTP account status notification handler, which can be configured to ... Browse Dir » 
    send e-mail messages whenever an account status notification is generated.  The
message can be sent to the end user impacted by the notification (based on an
attribute in the user's entry) and/or a fixed set of recipients.

The messages that will be generated are created from template files, which can
include tokens that will be replced with things like:

- The name of the notification type
- The notification message
- The DN of the target user's entry
- Attribute values from the target user's entry
- Values of account status notification properties, which may vary based on the
  type of notification

This change also includes a fix for a problem that could allow password
expiration warning messages to be sent to a client even if the bind was not
successful.


OpenDS Issue Number:  581


git-svn-id: https://svn.forgerock.org/opendj/trunk@2824 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

26 Aug, 2007

2 commits

25 Aug, 2007

1 commit

23 Aug, 2007

2 commits

  • a21d35ef   Added the JE backend configuration attribute to enable or disable compression wh… ... Browse Dir » 
    …en encoding entries for ID2Entry. When backend-compact-encoding 
is enabled, attribute type descriptions and object class sets will be encoded using a compressed form. This behavior is enabled by default.

Fix for issue 2135


git-svn-id: https://svn.forgerock.org/opendj/trunk@2772 41b1ffd8-f28e-4786-ab96-9950f0a78031
    boli
     
  • 908a08a7   Add support for overriding the user friendly singlular and plural names of components. ... Browse Dir » 
    The user friendly names (UFN) are usually derived automatically from the component's "name" and "plural-name" attribute. However, sometimes these names are not that user friendly. For example, the names may be abbreviated forms (e.g. replication -> repl or password policy -> pwp). In these cases it would be nice to be abled to display the full human friendly name in help and documentation.

This change includes an overridden UFN for the global configuration. So we should stop seeing messages in applications like "The Global was updated successfully".


git-svn-id: https://svn.forgerock.org/opendj/trunk@2751 41b1ffd8-f28e-4786-ab96-9950f0a78031
    matthew_swift
     

22 Aug, 2007

1 commit

21 Aug, 2007

1 commit

  • d2ec5826   Add attribute uniqueness plugin implementation that provides single-server ... Browse Dir » 
    attribute uniqueness. The plugin has the following features:

- provides ability to specify a group of attribute types that must have
  unique values; if no attribute types are specified then the plugin allows
  the operations to proceed with no checking

- provides ability to specify a set of base DNs that limit the scope of the
  uniqueness checking; if no base DNs are specified the server's public
  naming contexts are used

- allow changing of these configuration options without server restart

- allows the uniqueness checking to span multiple base DNs; if the server's
  public naming contexts are used, then the specified attribute type values must
  be globally unique within the server


Two configuration attributes have been added:

1. ds-cfg-unique-attribute-type used to specify the unique attribute type(s)
2. ds-cfg-unique-attribute-base-dn used specify the base DN(s) to limit the search scope

A disabled plugin configuration has been added to the config.ldif file for the uid attribute:

dn: cn=UID Unique Attribute ,cn=Plugins,cn=config
objectClass: top
objectClass: ds-cfg-plugin
objectClass: ds-cfg-unique-attribute-plugin
cn: UID Unique Attribute
ds-cfg-plugin-class: org.opends.server.plugins.UniqueAttributePlugin
ds-cfg-plugin-enabled: false
ds-cfg-plugin-type: preOperationAdd
ds-cfg-plugin-type: preOperationModify
ds-cfg-plugin-type: preOperationModifyDN
ds-cfg-unique-attribute-type: uid

Issue 258.

git-svn-id: https://svn.forgerock.org/opendj/trunk@2721 41b1ffd8-f28e-4786-ab96-9950f0a78031
    dugan
     

20 Aug, 2007

1 commit

  • 30852b5b   These changes rovides the ability to repair ... Browse Dir » 
    the consistency in the replication topology in the (hopefully) rare case
when hardware failure or software bugs could break it (issue 788 and 791)

There are several parts in this commit :
- a new log file called replication was added.
  It's purpose is to store all the consistency errors detected by the replication
  with enough information to allow the administrator to repair the problem.
  This file is configured by default and contain only the replication errors,
  To achieve the a new log severity keyword "None" has been created so that
  the associated error log publisher does not print any error not related to
  replication. (I will update the reference guide after this commit)

- a new control (the replication repair control) has been added.
  When this control is used in a MODIFY, DELETE, ADD or MODDN operation
  the operation is marked as a non-replicated replication operation.
  This cause the following :
  - The operation is allowed to modify attributes that are normally not
    allowed to be modified or added (NO-USER-MODIFCATION) such as
    entryuuid and ds-sync-hist
   To achieve this I add to move those checks from the
    AddOperationBasis.getObjectClasses() or AddOperationBasis.getUserAttributes()
    to the LocalBackendWorkflowElement.processAdd() but this has already
    been reviewed.
  - no change number is associated to the operation.
  - the operation is not published to the replication server and is therefore
    a local only operation.
  - the replication don't try to solve conflict or generate historical information
    for this operation.
 
The intended usage of this control is that the administrator will check
for errors in the replication log, determine the entries that have inconsistent
values and use the control to repair them.
I will write some documentation explaining in more details how to do this.

- even though this is not related to replication repair I also took advantage of
  this change to add the multimaster replication synchronization provider
  in the default configuration.
  This will make configuration of replication using dsconfig easier because
  the user will now only need to configure the replication servers and
  replication domains.

git-svn-id: https://svn.forgerock.org/opendj/trunk@2687 41b1ffd8-f28e-4786-ab96-9950f0a78031
    gbellato
     

09 Aug, 2007

1 commit

  • 25790c03   Implement support for an identity mapper that can use regular expressions to ... Browse Dir » 
    transform the provided ID string before searching for the appropriate matching
user in the server.  This makes it possible, for example, to strip the realm
portion of a Kerberos V principal to obtain just the username before searching
for entries containing a uid attribute with that value.

OpenDS Issue Number:  2087


git-svn-id: https://svn.forgerock.org/opendj/trunk@2601 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

07 Aug, 2007

2 commits

  • e661e49c   Add support for a new type of plugin which can be used to detect changes and ... Browse Dir » 
    take some action whenever a subordinate entry is modified as a result of a
modify DN operation that targets an entry that has one or more children (i.e.,
a subtree move or subtree rename operation).  At present, subordinate modify DN
plugins are not allowed to change the contents of the entry as it is being
moved/renamed, but an appropriate API is in place if we decide to add this
functionality in the future.

This commit also includes a significant amount of cleanup for plugin result
code, including corrections to copy-and-paste errors in the javadoc
documentation.

OpenDS Issue Number:  752


git-svn-id: https://svn.forgerock.org/opendj/trunk@2584 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • 9c64b5f6   Fix the debug log publisher relation with debug targets to use a naming property… ... Browse Dir » 
    … and mark the naming property (debug-scope) as read-only. Also fix some minor typos in the descriptions.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2581 41b1ffd8-f28e-4786-ab96-9950f0a78031
    matthew_swift
     

01 Aug, 2007

1 commit

31 Jul, 2007

1 commit

  • 35521901   This fixes serveral issues LDIF import and VLV features: ... Browse Dir » 
    - Added the ability to use both a backend ID and include branch arguments for LDIF imports 
(Issue 1971)
- Fixed incorrect search scope enum in the VLV index configuration
- Added unit tests for partial LDIF imports
- Fixed issue where using overlapping include branches during an import would result in a ConcurrentModificationException (Issue 2039)



git-svn-id: https://svn.forgerock.org/opendj/trunk@2538 41b1ffd8-f28e-4786-ab96-9950f0a78031
    boli
     

30 Jul, 2007

6 commits

  • 86b3ac12   Update the task backend to provide a mechanism for sending e-mail messages to ... Browse Dir » 
    notify administrators whenever a given task has been completed.  It is possible
to specify a set of administrators that should be notified only if the task
does not complete successfully, and/or a set of administrators that should be
notified regardless of the task's success or failure.  The basic framework for
this capability has always been in place, and this change only provides the
final implementation that actually generates and sends the e-mail message.

This also includes a change to the way that log messages are handled so that
any messages logged by a thread executing a task (or any DirectoryThread
subclass created by a task thread) will be captured as part of that task.
These messages will also be included in the notification e-mail message.

OpenDS Issue Numbers:  2033, 2034


git-svn-id: https://svn.forgerock.org/opendj/trunk@2529 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • 2762f930   Update the server to provide an idle time limit configuration option that can ... Browse Dir » 
    be used to terminate client connections that have been idle for too long.  This
can be controlled on a server-wide default level using the
ds-cfg-idle-time-limit configuration attribute in the cn=config entry, but it
can also be overridden on a per-user level with the ds-rlim-idle-time-limit
operational attribute in the user's entry.

Note that while the idle time limit support is server wide, it needs help from
the connection handler to provide an idle time for client connections.  At this
time, only the LDAP connection handler provides this capability.  It is not
appropriate for internal connections, and it is not seen as important for JMX
connections at this time (although such support could be added in the future if
the need arises).

OpenDS Issue Number:  118


git-svn-id: https://svn.forgerock.org/opendj/trunk@2514 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • 0ccdb664   Provide valid OIDs for the ds-cfg-ssl-protocol and ds-cfg-ssl-cipher-suite ... Browse Dir » 
    configuration attributes and define them in the server schema, and make the
names singular instead of plural.  Also, update some of the configuration
definitions to align the OIDs used in them with the OIDs used in the server
schema.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2513 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • b38806e7   Add two new configuration attributes, ds-cfg-enabled-alert-type and ... Browse Dir » 
    ds-cfg-disabled-alert-type to alert handler configuration entries.  If a set of
enabled alert types is given, then only alerts with one of those types will be
passed to the associated alert handler.  If a set of disabled alert types is
given, then only alerts without one of those types will be passed to the
associated alert handler.  If both enabled and disabled lists are provided,
then only alerts with a type on the enabled list and not on the disabled list
will be processed.

OpenDS Issue Number:  2027


git-svn-id: https://svn.forgerock.org/opendj/trunk@2512 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • 71e273b1   Provide a configuration option that makes it possible for the administrator to ... Browse Dir » 
    control whether responses to failed bind operations include an error message
that explains the problem.  By default, failed bind operations will return a
response that indicates the operation failed, but will not include any error
message (although it will be written to the access log).  However, if the
administrator decides that the benefit of providing this information to the
client outweighs any potential security risk, then this option may be used to
include that message in the response to the client as well as having it written
to the access log.

OpenDS Issue Number:  1787


git-svn-id: https://svn.forgerock.org/opendj/trunk@2509 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • af857725   Provide a mechanism to disable privileges in the server if necessary. If a ... Browse Dir » 
    privilege is disabled, then the server will behave as if all users have that
privilege.  This can help improve compatibility with environments that expect
a feature to always be available, or to only be governed by access control.


OpenDS Issue Number:  1683


git-svn-id: https://svn.forgerock.org/opendj/trunk@2508 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

29 Jul, 2007

1 commit

27 Jul, 2007

1 commit

  • 7439e734   These set of changes implement VLV and filter capability to OpenDS: ... Browse Dir » 
    - A VLV index is defined by a name, base DN, search filter, search scope, sort order. A search request must match these parameters exactly to 
use the VLV index.
- A VLV index made up of the entry IDs matching the definition criteria (above) and the corresponding attribute values that are part of the sort 
order in the sort order. This information is broken up into blocks of sorted sets. The block size can be configured through admin framework. 
Default block size is 4000. In the database, the sorted set is stored with the following format:

      4 byte set size | entry IDs of 8 bytes each ... | attribute values of 16 bytes each ...

- Each sorted set is keyed by the entry ID and attribute values of the largest entry in the sorted set. A special comparator (VLVKeyComparator) 
is used to sort the keys in the database in the order of the specified sort order.
- When entries are added to the VLV index, its sort values are extracted and inserted into the sorted set whose key (also the largest entry in 
the set) is the smallest key that represents a entry that is greater or equal to the entry being inserted. If the sorted set exceeds the block 
size, it is divided in two and stored back into the database with the new key. In this implementation, a sorted set's key is never changed after 
it is created.
- On importing from LDIF, each entry's sort values and ID is written out to a intermediate file in order. These files are later merged and 
inserted into the database.
- Index rebuild and verify also works with VLV indexes. The verify job ensures that all the entries stored in the VLV index is in the correct 
order.
- With this implementation, once a VLV index is created, it can not be changed without a rebuild. The server will NOT warn the user if 
the index 
has changed offline. Until a rebuild is done, it can return incorrect results. This should be fixed later.
- Performance wise, modify, add, and delete performance will be degraded if the entry matches the indexing criteria. Searches not using the VLV 
index should not see any notable performance degradation. If the block size is set too big, there is a potential that a large number of updates 
will result in some JE lock timeouts since the few sorted sets are hotly contested. However, if the block size is too small, searches using the 
VLV control with offsets could be slow since there are more records to look through. This area need further investigation to determine the 
optimal default value.

Fix for issue 38


git-svn-id: https://svn.forgerock.org/opendj/trunk@2499 41b1ffd8-f28e-4786-ab96-9950f0a78031
    boli
     

24 Jul, 2007

1 commit

  • f9aa8191   Fix for issue 1794: ... Browse Dir » 
    - Attribute index no longer need the backend index entry limit parameter on construction. This is now handled by the admin framework.
- Updated test cases to reflect the change

Fix for issue 1846
- The debug string returned when using the debugsearchindex attribute now includes the indexes used during evaluation.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2468 41b1ffd8-f28e-4786-ab96-9950f0a78031
    boli
     

23 Jul, 2007

1 commit

  • ce90ebb6   Fix issue 1819: add support for tagging properties as advanced. ... Browse Dir » 
    It is now possible to tag a property as advanced. This is achieved by adding the "advanced" attribute to XML property definitions. For example:

   <adm:property name="java-implementation-class" mandatory="true" advanced="true">
     ...
   </adm:property>

Advanced properties must be either option or, if they are mandatory, have default values (defined or inherited). This constraint is enforced except for abstract property definitions where sub-definitions can override the property and give it a default (this is the case for java implementation class properties).

Dsconfig has been modified so that get-xxx-prop and list-properties sub-commands only display advanced properties if the user provides the "--advanced" command line option. There will be similar support for set-xxx-prop and create-xxx sub-commands once they have a fully functional interactive mode (issue 1831).

This change just adds support for advanced properties. A subsequent change (for issue 1829) will designate which properties are advanced.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2457 41b1ffd8-f28e-4786-ab96-9950f0a78031
    matthew_swift
     

20 Jul, 2007

2 commits

  • 52a7e720   Add a general framework for OpenDS to send e-mail messages, and add an SMTP ... Browse Dir » 
    alert handler that can be used to send e-mail messages in response to
administrative alerts generated within the server.

OpenDS Issue Number:  221


git-svn-id: https://svn.forgerock.org/opendj/trunk@2448 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • 676e88e1   Fix issues 1966 and 1792. ... Browse Dir » 
    Add support for hiding relations and, using this feature, prevent users from access root DN user configurations through the CLI.

To make it easier to add new features to relation definitions in the future I have refactored the RelationDefinition classes so that they provide a Builder API for incrementally constructing new definitions.

git-svn-id: https://svn.forgerock.org/opendj/trunk@2444 41b1ffd8-f28e-4786-ab96-9950f0a78031
    matthew_swift
     

19 Jul, 2007

2 commits

  • 704c0ac7   Update the server so that the set of alert handlers are configurable rather ... Browse Dir » 
    than simply using a hard-coded JMX alert handler.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2439 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • d4c60353   Fix issues 1943 (unable to create je-index), 1996 (exception when creating compo… ... Browse Dir » 
    …nents with empty names), and 1998 (exception when creating components with blank names).

This change allows one-to-many relations to use a property of the referenced component for naming the component. For example, a je-index has an attribute called "index-attribute" which is the attribute type indexed by the index. There is no need for the je-indexes to have a naming attribute since the value of the "index-attribute" property is sufficient. With this change it is possible to specify a "naming property" for one-to-many relations. In the case of je-indexes, the je-backend je-index relation is now defined as follows:

  <adm:relation name="je-index">
    <adm:one-to-many naming-property="index-attribute"/>
     <adm:profile name="ldap">
      <ldap:rdn-sequence>
        cn=Index
      </ldap:rdn-sequence>
    </adm:profile>
    <adm:profile name="cli">
      <cli:relation>
        <cli:default-property name="index-type" />
      </cli:relation>
    </adm:profile>
  </adm:relation>

Note that the one-to-many element now has a "naming-property" attribute which identifies the je-index property which should be used for naming. Also note that the LDAP profile no longer needs a naming-attribute element, since the naming attribute will be the one associated with the index-attribute property.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2434 41b1ffd8-f28e-4786-ab96-9950f0a78031
    matthew_swift
     

17 Jul, 2007

1 commit

  • 11127b18   Implement support for password history functionality. The password history can ... Browse Dir » 
    be maintained either based on the number of previous passwords to remember
(e.g., a user cannot re-use any of his/her last five passwords), or the length
of time the previous passwords have been retained (e.g., a user cannot re-use
any password he/she has had within the last 365 days), or both.

This commit also updates the manage-account tool so that it supports a public
option for displaying the password history state values, and a hidden option
for clearing a user's password history state.

OpenDS Issue Number:  339


git-svn-id: https://svn.forgerock.org/opendj/trunk@2424 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     

12 Jul, 2007

2 commits

11 Jul, 2007

2 commits

  • e2a1e824   Update the password policy configuration to support a new attribute, ... Browse Dir » 
    ds-cfg-state-update-failure-policy.  This attribute makes it possible to
control how the server should handle failures that may occur when attempting to
update password policy state information during a bind operation.  This
attribute allows the following values:

- ignore -- If an otherwise successful bind attempt encounters a failure when trying to update the password policy state information for a user, then log an error message but allow that bind to succeed.

- reactive -- If an otherwise successful bind attempt encounters a failure when trying to update the password policy state information for a user, then cause the bind to fail.

- proactive -- If the server can detect ahead of time that the password policy state update could fail (e.g., if the entire server or target backend is in read-only mode) and it is known that a successful or failed bind attempt would need to update the password policy state information, then reject the bind before any processing is performed.  If it gets past this phase and the attempt to update the state information later fails, then it will have the same behavior as the "reactive" policy.

Note that bind attempts by root users will always be treated using the "ignore" policy to ensure that they are not locked out in the event of a significant problem (e.g., disk full).


OpenDS Issue Number:  1810


git-svn-id: https://svn.forgerock.org/opendj/trunk@2363 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson
     
  • b5ac1da3   Revert unrelated changes committed accidentally in revision 2359. The changes ... Browse Dir » 
    didn't break anything, but they weren't related to the issue being addressed
by that commit and were not a complete fix for any other issue.


git-svn-id: https://svn.forgerock.org/opendj/trunk@2360 41b1ffd8-f28e-4786-ab96-9950f0a78031
    neil_a_wilson