f43bf60164dfc1ac60e5332f7a17ca1425c88268 7192 |
|
18-Aug-2011 |
matthew |
Initial checkpoint of work for OPENDJ-262: Implement pass through authentication (PTA)
Refactor PasswordPolicy implementation so that we now have a common parent type, "AuthenticationPolicy", which will act as a common entry point for all authentication policies. In particular, password policies can be thought of as a specific type of authentication policy: one where authentication and the user's credentials are managed locally. PTA can be thought of as a non-local authentication policy: the password is managed by a third party.
With this change we still only have one type of authentication policy and no attempt has been made to refactor code which uses it. More specifically, code such as the local backend WFE just type-casts the authentication policy to a password policy.
Another implication of this change is that sub-entry based password policies now automatically inherit run-time changes made to the default password policy, whereas before a server restart was required. |
275972f67174210a376207933cb9017598a2c75f 7015 |
|
15-Jun-2011 |
ludo |
Tidy up unit-tests so that not all backends are always enabled, and replication related databases are deleted after tests. |
3debb7002b8f0f1606bb91eb477306653b410a3f 5679 |
|
17-Aug-2009 |
dugan |
These changes allow import-ldif to support multiple suffixes and fix some problems with the include/exclude options. |
40bcd0548855b066a72f6313f34b16f4891032e1 5596 |
|
25-Jul-2009 |
dugan |
Commit of new import code. |
d25372dc8e65a9ed019a88fdf659ca61313f1b31 4531 |
|
23-Oct-2008 |
jcduff |
The commit will bring the following features :
- An updated version of the underlying database. BDB JE 3.3 is now used.
- Attribute API refactoring providing a better abstraction and offering improved performance.
- A new GUI called the Control-Panel to replace the Status-Panel: the specifications for this
GUI are available on OpenDS Wiki and contains a link to a mockup.
See <https://www.opends.org/wiki/page/ControlPanelUISpecification>.
- Some changes in the replication protocol to implement "Assured Replication Mode". The
specifications are on OpenDS Wiki at <https://www.opends.org/wiki/page/AssuredMode> and section 7
describes some of the replication changes required to support this. Assured Replication is not finished,
but the main replication protocol changes to support it are done. As explained by Gilles in an email on
the Dev mailing list (http://markmail.org/message/46rgo3meq3vriy4a), with these changes the newer versions
of OpenDS may not be able to replicate with OpenDS 1.0 instances.
- Support for Service Tags on the platforms where the functionality is available and enabled. Specifications
are published at <https://www.opends.org/wiki/page/OpenDSServiceTagEnabled>. For more information on
Service Tags see <http://wikis.sun.com/display/ServiceTag/Sun+Service+Tag+FAQ>.
- The Admin Connector service. In order to provide agentry of the OpenDS server at any time, a new service
has been added, dedicated to the administration, configuration and monitoring of the server.
An overview of the Admin Connector service and its use is available on the
OpenDS wiki <https://www.opends.org/wiki/page/ManagingAdministrationTrafficToTheServer>
- Updates to the various command line tools to support the Admin Connector service.
- Some internal re-architecting of the server to put the foundation of future developments such as virtual
directory services. The new NetworkGroups and WorkFlow internal services which have been specified in
<https://www.opends.org/wiki/page/BasicOperationRoutingThroughNetworkGroup> are now implemented.
- Many bug fixes...
This set of changes may have an impact on current clients and deployments, however it should be possible to
upgrade existing 1.0 instances.
Some of the changes impacting the clients include :
- Scripts using the command line tools including dsconfig will need to be updated (usually to remove
some no longer required options). |
f00aed1ab812369a513321e10c6d97a33d3ba2f6 4328 |
|
04-Jun-2008 |
boli |
Fix for issues 3255, 3265, and 3269:
Issue 3255: Added ds-cfg-max-allowed-client-connections configuration parameter to prevent using up all file descriptors. By default the server will still allow unlimited number of connections just like before. The user will have to adjust this for their system. This might be automatically set for the OS in the future.
Issue 3265: Subtree deletes and mod DN operations will now always use a JE transaction throughout the entire operation. This makes sure the operations are always executed atomically.
Issue 3269: Added checks for canceled operations in JE backend code. |
48c8963048c9dcdec712a85c4a55f5e3c0547368 4231 |
|
07-May-2008 |
boli |
Fixed an issue where a NPE could be thrown when the server processes a mod DN operation with a new superior entry that's in the subtree to be moved. An informative error message is added so the user can fix the mistake.
This patch also enables the debug logger to print the cause of an exception message as well as all the stack frames by default. It also removes the deadlock retry configuration parameter from the JE backend configuration definition since deadlocks can no longer occur in the JE backend.
Fix for issue 3236 |
448e888bcaa64dc5273de682bf97e2d71e353b3d 4180 |
|
21-Apr-2008 |
boli |
This patch adds index buffering capabilities to the JE backend as to avoid using a fixed lock timeout for subtree delete and mod DN operations. Previously, any index modifications to subordinate entries of the affected operations will be performed with dn2id and id2entry modifications. This creates multiple random access to index database keys which could cause deadlocks in face of multiple parallel operations. With this fix, all index modifications are buffered up until the end of the operation so that each key of each index will be accessed once and in order. This maintains the DB access ordering in the JE backend of dn2id, id2entry, dn2uri, indexes in config order, VLV indexes in config order, and finally id2children and id2subtree. Since deadlocks should no longer occur in the JE backend, JE lock timeouts are now disabled at the JE environment level instead of the txn level. With this change, the performance of subtree deletes and mod DN operations have increased dramatically.
In order to add buffering capabilities to the VLV index, the format of the index records had to be changed. Previous DBs with VLVs configured will no longer be compatible with this new revision.
Cursor operations for subtree mod DN and delete operations are now taken with READ_COMMITTED JE isolation level to avoid locking unaffected entries and possibly causing deadlocks. Write operations affecting the DN2ID and ID2ENTRY databases will acquire a write lock directly as early as possible to avoid deadlocks.
An issue is also fixed where the debug log generated during unit tests does not include stack traces.
Fix for issues 2980, 2186, 2979 |
e38ec0c48bbfdd18776e67e25269a5ed1eb40190 3979 |
|
17-Mar-2008 |
dugan |
These changes remove the temporary file limitation from import-ldif. Several other changes were made also:
- the cleaner is run at the end of the import
- the cleaner is run periodically during import if database eviction is detected
- the substring indexes are buffered to help boost performance during substring index processing
- the import files have been moved into their own package org.opends.server.backends.jeb.importLDIF
- the work threads do most of the processing
- import aborts if a work thread throws a runtime exception
- messages for the various stages of the import have been added (e.g. environment close)
The only functionality missing is VLV index processing. Also, there is a 2G limit on the
max entry ID value that can be used in a substring index.
The following configuration attributes have been removed:
- ds-cfg-import-temp-directory
- ds-cfg-import-buffer-size
- ds-cfg-import-pass-size
They should be removed from your config.ldif file. |
38517882c5bafd5ce8f2f6388542cc27ae307682 3708 |
|
21-Jan-2008 |
matthew_swift |
Fix issues 2831 and 1948.
Change local DB backend configuration so that db-directory and import-temp-directory properties now name a parent directory within which a sub-directory is created having the same name as the backend-id. This simplifies configuration and reduces the risk of name collisions. |
e4a46f025484c3745a0d987958cc53987e3db35d 3395 |
|
31-Oct-2007 |
boli |
This set of fixes mainly address the issues where the JE backend does not handle attributes with options and subtypes correctly when they are being indexed.
With this fix:
- All values of an indexed attribute type will be indexed correctly on modifies, adds, and deletes.
- Updates to subordinate types will now update the superior type if it's indexed.
- Adding and deleting superior attribute types that are not allowed by any object classes (i.e. name) will be correctly handled
- Deleting all values from an attribute with no options will no longer delete the values from the same attribute but with options. |
e47cfa5ceb341aaac79de65f661c9edfbbf722b4 3285 |
|
10-Oct-2007 |
david_page |
issues 315, 316, 317, 318
Enable password storage schemes based on encryption now that issue 466 (CryptoManager) features are implemented. |
987a50dfe113ed235d28716ff080b59e8873655c 3209 |
|
26-Sep-2007 |
matthew_swift |
Merge branches/temp-admin@3208 onto trunk@3208. |
da532aae526fd2b0696b251846864f77926ea6d9 3207 |
|
26-Sep-2007 |
neil_a_wilson |
Update the appropriate identity mappers and certificate mappers to use the new
isIndexed API in the backend to ensure that all referenced attributes are
indexed for equality. |
09b733040119bc8ee3bccec14c115f3f486d3ac4 3206 |
|
26-Sep-2007 |
neil_a_wilson |
Update the backend API to include new isIndexed methods that can be used to
determine whether a given attribute is indexed in a specified manner, or that
can be used to determine whether a specified filter is indexed. At present,
all backends except the JE backend and the replication backend are considered
always indexed for all operations. The JE backend is only considered indexed
based on its index configuration. The replication backend is never considered
indexed.
Update the following components to make use of this new isIndexed capability:
- The DSEE-compatible access control handler will now log a warning message at
startup if it detects that there is no presence index for the aci attribute,
which can make startup take a long time on a big database.
- The group manager will now log a warning message at startup if any of the
group implementation filters are unindexed, which can make startup take a
long time on a big database.
- The referential integrity plugin now requires that all of the attributes for
which referential integrity is to be maintained must be configured with
equality indexes.
- The unique attribute plugin now requires that all of the attributes for which
uniqueness is to be enforced must be configured with equality indexes.
This commit also updates the LDIF backend so that it is possible to
indicate via configuration whether its base DNs should be registered as public
or private base DNs. The LDIF backend used as the admin root has been
updated so that it is considered a private backend. The replication backend
has also been updated so that it is considered a private backend. |
df78b789855f18922262b05a664a7d737cc6f70e 3160 |
|
23-Sep-2007 |
neil_a_wilson |
Add support for an LDIF backend. Entries in this backend will be held in
memory, and all read operations will be served from memory, but the underlying
data will be stored in an LDIF file on disk and any write operation will cause
that LDIF file to be updated.
This backend supports all major operations, including moving/renaming non-leaf
entries with the modify DN operation, and also supports the subtree delete
control and LDIF import and export operations. Backup and restore operations
are not currently supported. |
8b81e2b204cc9eb316d169b3c5e3f6d36a820e26 3000 |
|
10-Sep-2007 |
neil_a_wilson |
Add support for password storage schemes using AES, 3DES, RC4, and Blowfish.
The AES, RC4, and Blowfish implementations all use 128-bit ciphers, and the
3DES implementation uses a 168-bit cipher.
Note that while these password storage schemes are functional, they rely on the
crypto manager, which is not fully implemented. The storage schemes are not
exposed in the server configuration because the crypto manager does not have
any mechanism to persist secret keys for symmetric encryption. Until the
crypto manager provides persistence for these keys, passwords encoded using
these schemes will not be usable after the server is restarted. Once the
crypto manager implementation is complete, these schemes should be exposed in
the server configuration.
OpenDS Issue Numbers: 315, 316, 317, 318 |
5068612b175360889317ffea5826e816c2abbe08 2999 |
|
10-Sep-2007 |
neil_a_wilson |
Update the server to provide a basic framework for controlling when plugins
will be invoked. There are two basic changes:
- Add a new ds-cfg-invoke-for-internal-operations configuration attribute for
all plugins, which indicates whether the plugin should be invoked for
internal operations. If this is false, then the plugin will only be invoked
for externally-requested operations.
- Add four new plugin types: postSynchronizationAdd,
postSynchronizationDelete, postSynchronizationModify, and
postSynchronizationModifyDN. These allow a plugin to perform a limited set
of processing for changes that are successfully applied through
synchronization.
The unique attribute plugin has also been updated to support the
post-synchronization plugin types so that if a conflict is introduced
concurrently on two different servers within the propagation delay, an
administrative alert will be generated to indicate that manual intervention is
required to address the problem.
Finally, ensure that audit logging is enabled during the unit tests, and
update the audit logger to include the connection ID and operation ID for the
operation being logged.
OpenDS Issue Number: 2057 |
9e6efc5309c2c3f7c00ed5f2d791b823bbcd2042 2974 |
|
06-Sep-2007 |
neil_a_wilson |
Update password storage scheme references in the server so that they use DNs
rather than storage scheme names. This will allow better consistency in the
configuration, since all other references between configuration objects are
DN-based, and it will work better with the upcoming aggregation support.
It also eliminates the need to know the storage scheme name, which is not
obvious from looking at the configuration entry for the storage scheme, and
can actually vary in some implementations depending on whether it's used with a
user password or auth password syntax attribute.
OpenDS Issue Number: 2155 |
8fbc8408d0efcc76724939bf52a39298f391b46f 2913 |
|
03-Sep-2007 |
dugan |
Commit plugin for maintaining referential integrity. Issue 257.
New configuration attributes:
- ds-cfg-referential-integrity-attribute-type Specify attribute types that referential integrity will be checked on; this is a mandatory attribute
- ds-cfg-referential-integrity-base-dn Specify base DN that will limit scope of reference check; if not specified the server's public naming contexts are used
- ds-cfg-referential-integrity-update-interval Specify update interval for background referential integrity processing; if update interval > 0 plugin performs background processing; default is 0
- ds-cfg-referential-integrity-log-file Specify log file location for update records when background processing is enabled; default is <instance>/logs/referint
The plugin is disabled by default:
dn: cn=Referential Integrity,cn=Plugins,cn=config
objectClass: top
objectClass: ds-cfg-plugin
objectClass: ds-cfg-referential-integrity-plugin
cn: Referential Integrity
ds-cfg-plugin-class: org.opends.server.plugins.ReferentialIntegrityPlugin
ds-cfg-plugin-enabled: false
ds-cfg-plugin-type: postOperationDelete
ds-cfg-plugin-type: postOperationModifyDN
ds-cfg-plugin-type: subordinateModifyDN
ds-cfg-referential-integrity-attribute-type: member
ds-cfg-referential-integrity-attribute-type: uniqueMember |
24d6db06810f2ea747f6dff60d483e4fca3aaa13 2902 |
|
02-Sep-2007 |
davidely |
There are several improvements to the unit test framework in this commit.
* Test methods are no longer interleaved between classes. All test
methods in a class are run together, with @BeforeClass and @AfterClass
methods called immediately before and after the methods are run. As
part of this fix, you are now required to include sequential=true in
every class level @Test annotation. If you don't do this, the build
will complain.
* Added a TestCaseUtils.restartServer() method that will do an in core
restart of the directory server during the tests. This can be used in a
@BeforeClass method to ensure that the tests start with a clean
directory server, and also in an @AfterClass method to cleanup after a
test that makes a lot of configuration changes. So if you introduce a
new test that runs fine in isolation but fails when run with other
tests, you could try calling TestCaseUtils.restartServer() in its
@BeforeClass method. The TestCaseUtils.restartServer() method will
reinitialize the server and reload the original test configuration, but
it's not quite the same as creating a completely new process.
Specifically, it cannot undo any changes that were made to static member
variables of a class. I've fixed a handful of places in the server
where this was a problem, but there might be more lurking. If you write
a test that changes static member variables of a class, please make sure
that it cleans up after itself in an @AfterMethod or @AfterClass test.
* The tests now use significantly less memory. I saw a peak of
only 80MB. There were two main problems. 1) TestNG holds on to all
parameters and results for the whole test, and 2) since the test
classes themselves live for the duration of the tests, their member
variables were holding onto a lot of garbage. The in-core restart
made this problem much worse because we ended up with lots of copies
of the Schema, ConfigEntryS, etc. I've introduced some hacks to fix
this. Basically the code uses devious methods to go in and null out
the parameters and member variables after the test has run. If you're
curious about the details of how we've addressed this take a look at
the comments in DirectoryServerTestCase. From now on, all test
classes must inherit directly or indirectly from
DirectoryServerTestCase. The build will fail if they don't.
* Upgrade to TestNG b5.7. There is a fix in this release that helps
our tests to run in order, and I've had to make a couple of more
fixes, which they will eventually put back into the trunk.
* In classes with a class-level @Test annotation, TestNG treats any
public method (except @Before/After* methods) as a test method. The
build now points this out and asks you to either add a specific @Test
annotation to the method or change the method to be non-public. I've
fixed up several places where a test wasn't annotated and others where
a non-test method was being treated as a test method.
* The tests now report progress as they run. Run 'build testhelp' to
see details on how to control the output.
I've also added some new test properties, mainly to make debugging the
tests easier
* test.remote.debug.port: This test property allows you to remotely
attach a debugger to the unit tests. If you provide a valid port value,
the unit tests will not start to run until the debugger is attached.
* testng.verbosity0to5: This test property controls the debugging
output of TestNG. This output is useful to check the order in which
test methods are invoked or other details on what TestNG is doing.
Valid values are integer values from 0 (no output) to 5 (maximum
output). Since this implicitly sets
-Dorg.opends.test.suppressOutput=false, other stderr/stdout output
generated by the unit tests will also be displayed.
* org.opends.test.copyClassesToTestPackage=true: This test property
copies the classes into the test server root. This enables you to run
the server tools on the test server. It can slow down the test startup
so the files are no longer copied by default.
Thanks to Neil for trying out these changes and to him and Bo for
helping me track down some of the memory leaks. |
801cd264752a07453c37da6f30cc5b27ae3f6f42 2829 |
|
28-Aug-2007 |
coulbeck |
Changes for replication security issues 511, 512, 608.
There is a new backend representing the certificate trust store, which allows the setup code to query and populate the trust store over protocol. However, we are using blind trust until that piece of the setup code is ready.
The encryption settings are currently global to the server instance in a new crypto manager config entry. Authentication will always be performed so the main setting is whether to use encryption or not. In the future (post 1.0) we will need to allow encryption to be configured on or off depending on which replication server we are connecting to but we need some discussion on the best way to specify that in configuration. |
5be0f562bbb5c0e4f1d0f0117a870a86080aa157 2820 |
|
27-Aug-2007 |
boli |
This adds the numSubordinates and hasSubordinates operational attribute support in OpenDS.
- Implemented as virtual attributes
- They are enabled by default
- numSubordinates and hasSubordinates methods added to the backend API and implemented for all existing backends
- JE implementation uses the id2children index to keep count of the number of subordinates for each entry.
- The behavior of exceeding the index-entry-limit (ALL-IDs) has changed to store an 8 byte entry ID set count with the most significant bit
set to 1 instead of a 0 byte array to signify the index-entry-limit has been exceeded. The previous format is still compatible but all requests
for numSubordinates will return undefined (-1).
- The DBTest tool is also included in this fix. This can be used to list root containers, entry containers, database containers, index
status, as well as dumping a database with or without decoding the data.
Fix for issues 43 and 72 |
e1445b8fd6848bb38cf3296f056e1b89b7d91c93 2808 |
|
26-Aug-2007 |
dugan |
Change behavior of ds-cfg-unique-attribute-type attribute so that it is required (mandatory). |
e7c6610fb63eef85f8c7b57e12c8104059609e97 2721 |
|
21-Aug-2007 |
dugan |
Add attribute uniqueness plugin implementation that provides single-server
attribute uniqueness. The plugin has the following features:
- provides ability to specify a group of attribute types that must have
unique values; if no attribute types are specified then the plugin allows
the operations to proceed with no checking
- provides ability to specify a set of base DNs that limit the scope of the
uniqueness checking; if no base DNs are specified the server's public
naming contexts are used
- allow changing of these configuration options without server restart
- allows the uniqueness checking to span multiple base DNs; if the server's
public naming contexts are used, then the specified attribute type values must
be globally unique within the server
Two configuration attributes have been added:
1. ds-cfg-unique-attribute-type used to specify the unique attribute type(s)
2. ds-cfg-unique-attribute-base-dn used to specify the base DN(s) to limit the search scope
A disabled plugin configuration has been added to the config.ldif file for the uid attribute:
dn: cn=UID Unique Attribute ,cn=Plugins,cn=config
objectClass: top
objectClass: ds-cfg-plugin
objectClass: ds-cfg-unique-attribute-plugin
cn: UID Unique Attribute
ds-cfg-plugin-class: org.opends.server.plugins.UniqueAttributePlugin
ds-cfg-plugin-enabled: false
ds-cfg-plugin-type: preOperationAdd
ds-cfg-plugin-type: preOperationModify
ds-cfg-plugin-type: preOperationModifyDN
ds-cfg-unique-attribute-type: uid
Issue 258. |
cce37bc37be36f1ed442ab722fb33b58c4cebe46 2584 |
|
07-Aug-2007 |
neil_a_wilson |
Add support for a new type of plugin which can be used to detect changes and
take some action whenever a subordinate entry is modified as a result of a
modify DN operation that targets an entry that has one or more children (i.e.,
a subtree move or subtree rename operation). At present, subordinate modify DN
plugins are not allowed to change the contents of the entry as it is being
moved/renamed, but an appropriate API is in place if we decide to add this
functionality in the future.
This commit also includes a significant amount of cleanup for plugin result
code, including corrections to copy-and-paste errors in the javadoc
documentation.
OpenDS Issue Number: 752 |
0d890ec3174f7dc30ccde99191b4614d66d58a22 2566 |
|
03-Aug-2007 |
neil_a_wilson |
Update the build script so that the server can use up to 192MB of memory when
compiling, generating javadoc, running unit tests, etc.
Also, update the configuration used for running the unit tests so that all JE
backends other than userRoot will only use up to 2% each of the JVM memory for
caching rather than up to 10%. |
2a823eedaab7ad3eb081427a08edaef80b6e27af 2512 |
|
30-Jul-2007 |
neil_a_wilson |
Add two new configuration attributes, ds-cfg-enabled-alert-type and
ds-cfg-disabled-alert-type to alert handler configuration entries. If a set of
enabled alert types is given, then only alerts with one of those types will be
passed to the associated alert handler. If a set of disabled alert types is
given, then only alerts without one of those types will be passed to the
associated alert handler. If both enabled and disabled lists are provided,
then only alerts with a type on the enabled list and not on the disabled list
will be processed.
OpenDS Issue Number: 2027 |
23ce92c0026c6677697cde79cc7f6176536748b9 2499 |
|
27-Jul-2007 |
boli |
This set of changes implements VLV and filter capability to OpenDS:
- A VLV index is defined by a name, base DN, search filter, search scope, sort order. A search request must match these parameters exactly to
use the VLV index.
- A VLV index is made up of the entry IDs matching the definition criteria (above) and the corresponding attribute values that are part of the sort
order in the sort order. This information is broken up into blocks of sorted sets. The block size can be configured through admin framework.
Default block size is 4000. In the database, the sorted set is stored with the following format:
4 byte set size | entry IDs of 8 bytes each ... | attribute values of 16 bytes each ...
- Each sorted set is keyed by the entry ID and attribute values of the largest entry in the sorted set. A special comparator (VLVKeyComparator)
is used to sort the keys in the database in the order of the specified sort order.
- When entries are added to the VLV index, its sort values are extracted and inserted into the sorted set whose key (also the largest entry in
the set) is the smallest key that represents an entry that is greater or equal to the entry being inserted. If the sorted set exceeds the block
size, it is divided in two and stored back into the database with the new key. In this implementation, a sorted set's key is never changed after
it is created.
- On importing from LDIF, each entry's sort values and ID is written out to an intermediate file in order. These files are later merged and
inserted into the database.
- Index rebuild and verify also works with VLV indexes. The verify job ensures that all the entries stored in the VLV index is in the correct
order.
- With this implementation, once a VLV index is created, it can not be changed without a rebuild. The server will NOT warn the user if
the index has changed offline. Until a rebuild is done, it can return incorrect results. This should be fixed later.
- Performance wise, modify, add, and delete performance will be degraded if the entry matches the indexing criteria. Searches not using the VLV
index should not see any notable performance degradation. If the block size is set too big, there is a potential that a large number of updates
will result in some JE lock timeouts since the few sorted sets are hotly contested. However, if the block size is too small, searches using the
VLV control with offsets could be slow since there are more records to look through. This area needs further investigation to determine the
optimal default value.
Fix for issue 38 |
03839fc8bfcf7f63ca2b9d3a48faabf94642b00b 2479 |
|
26-Jul-2007 |
dugan |
Add new ACI keyword "extop" that can be used to enforce access
based on the OID of an extended operation. For example, a new global
access extended operation rule is also being added:
ds-cfg-global-aci:
(extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.4203.1.11.1 || 1.3.6.1.4.1.1466.20037 || 1.3.6.1.4.1.4203.1.11.3")
(version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
which allows anonymous access to the following extended operations:
- StartTLS 1.3.6.1.4.1.1466.20037
- password policy state 1.3.6.1.4.1.26027.1.6.1
- password modify 1.3.6.1.4.1.4203.1.11.1
- Who Am I 1.3.6.1.4.1.4203.1.11.3
A wildcard can also be specified:
aci: (extop="*")(version 3.0; acl "Anonymous extended operation access"; allow(read) userdn="ldap:///anyone";)
Issue #443. |
01433f67db3185ecc79e180f920d9aefd57a7fcd 2135 |
|
20-Jun-2007 |
boli |
This refactoring includes the following changes to the JE backend:
- Extracted common interface DatabaseContainer from DN2ID, ID2Entry, etc... classes.
- Moved database read and write methods from EntryContainer to DatabaseContainer.
- Added index configuration to the XML based admin framework.
- Removed redundant configuration objects (Config, IndexConfig).
- Added exclusive/shared lock to EntryContainer. All access to an EntryContainer must acquire a lock before using the internal
DatabaseContainers or making configuration changes.
- Added the ability to add/remove/modify indexes with the backend online. Server will issue rebuild required warning when adding new indexes
or sub-indexes (equality, substring, presence...).
- Added the ability to change the index entry limit for both the backend and each index with the backend online. Server will issue rebuild
required warning if the previous limit has been exceeded.
- Added the ability to change entry compression and index substring length setting while the backend is online.
- Added a persistent state database to each EntryContainer to persist backend configuration between server restarts. Server will issue
rebuild required warning if a new index is added when the backend is offline.
- Added a trusted flag to indexes so that non-existent keys will not be interpreted as an empty entry ID set when an index is untrusted. An
index is untrusted when it is added to a non-empty EntryContainer or an inconsistency is detected. Server will issue warning on startup to
rebuild the index.
- Fixed an issue where the LDIF import process stops responding if the temporary import dir is full or unwritable.
Fix for issue 1480 1455 1575 |
85fa1db655ec75262d9042259f86e7b9ce5c312b 1863 |
|
12-May-2007 |
coulbeck |
Issue 1532: Remove ConfigEntry from Backend API. (DS-1532) |
bedb386242727f98834c64397487f48d5eb6116c 1805 |
|
03-May-2007 |
boli |
Major changes made to the logging framework. It should resolve the following issues:
1. Migrated configuration to the new admin framework.
2. Removed all dependencies on the JDK logger. (Issue 1503)
3. Added option to set the file permissions on all log files. (Issue 202)
4. Added option to write log files asynchronously.
5. Retention and rotation policies are now separate managed objects registered to the Directory Server.
6. Rotation and retention policies are not extensible.
6. Post-rotation actions are not yet implemented in this set of changes.
7. Tools and tasks can now use a custom log publisher that only picks up messages generated by a specific thread or thread group.
8. Debug logger no longer creates a log record object for every message.
9. Configurable Log File Paths (Issue 174)
10. Log Level Support by Category/Severity. This capability is limited for error logger. (Issue 177)
11. Support log file rotation (Issue 188)
12. Size-based, Time-based rotation policies (Issues 190, 191)
13. Time-based, max size-based, file count-based retention policies (Issues 199, 201, 202)
14. Debug logger configurable via the admin framework (Issue 836) |
7bd1f73609745826febd415b11567eeea7db56fc 1765 |
|
02-May-2007 |
boli |
Added privileges support for unindexed searches. Fixed issue where id2subtree and id2children indexes were not used when they should be.
Added test cases for the unindexed search privilege.
Fix for issue 480. |
29b1cca745810ca5f054aace99379ba6af427e6b 1673 |
|
21-Apr-2007 |
coulbeck |
Migrate the BackendConfigManager to the new configuration framework. |
e17b7037e441d669b928ce80317a8afff898f6b9 1628 |
|
13-Apr-2007 |
neil_a_wilson |
Update the member virtual attribute implementation so that it provides a
mechanism for preventing the entire member list from being returned, which can
be a very expensive operation. When running with this configuration, the
attribute will handle requests that determine whether a given user is a member
of the group, but will not list the entire set of membership.
OpenDS Issue Number: 1506 |
8d5d64c1542b43ea015b687d48b0d122d2a61e03 1607 |
|
10-Apr-2007 |
boli |
Added the following capabilities to OpenDS:
- Index rebuilding capabilities. All indexes including system and attribute indexes can
be rebuilt. Each index will be rebuilt by a separate thread to increase performance. A
max number of rebuild threads could be set to limit the resources used by large rebuild
jobs. Partial rebuilds of attribute indexes could also be done by specifying the
attribute index type after the attribute type (i.e. sn.approximate).
- Index rebuilding standalone tool. Rebuilding of attribute indexes could be done with
the backend online. However, rebuilds including system indexes must be done with the
backend offline.
- Index rebuilding task. Rebuilding of attribute indexes is done with the backend
online. Rebuilds that include system indexes will be performed after bringing the backend
offline. The user must have index-rebuild privileges to rebuild indexes.
- Approximate indexing capability. The value of the attribute will be normalized using
the approximate matching rule of that attribute type. This is used as the key for the
index. Approximate indexes are fully supported by the index verify, rebuild, and import
jobs.
- Fixed bug in build.xml where weave is enabled even if a test.* property is set.
- Consolidated some common tool messages.
- Consolidated some JE backend methods common to all tools.
- Added unit tests for rebuild job and approximate indexes.
Fix for issues 35, 39, 40, 41 |
0fd6a7c4d21b9fdb8b8ce1d9de8d6b6f7fde7e23 1498 |
|
22-Mar-2007 |
dugan |
Enable dseecompat ACI package by default. |
e4ff5e7757146c139160c3e78f4ac5ee1584dde5 1388 |
|
12-Mar-2007 |
coulbeck |
Enable access control checking in the unit tests. |
89bb69f651eab9fd3f4091800e226342444f2fb2 1212 |
|
21-Feb-2007 |
neil_a_wilson |
Redesign the server to support multiple key manager providers, trust manager
providers, and certificate mappers, and update the components which need access
to those elements so that they can specify which one they want to use. Among
other things, this will provide the ability to use different certificates for
different listeners, and provide template configuration entries that make it
easier for users to enable SSL and/or StartTLS.
OpenDS Issue Number: 561 |
e0f43d56d3e804a5a96edb37f5c371ecc0145ef7 630 |
|
23-Oct-2006 |
dugan |
Add new TestVerifyJob unit tests that adds deliberate errors to various index files
and examines the stat entry passed into the verifyBackend to see if all of the errors
are caught. Tests perform both complete index checking and clean index checking. |
bd0fafae94050abead7f243de21d9ca72a863846 604 |
|
19-Oct-2006 |
dugan |
These changes create a second JEB backend to be used by the TestVerify unit tests. These tests intentionally
inject errors into the index files. We thought it would be prudent they have their own backend, even though
the tests clean up after themselves. |
5302da548d89d97dd4787e3b37f1def73688bd2b 524 |
|
06-Oct-2006 |
neil_a_wilson |
Add a number of test cases for add operations. |
af6117fa729925b9e6cccbda589fecbb83f2b70f 523 |
|
06-Oct-2006 |
neil_a_wilson |
Update the password validator API in the following ways:
- Make the current password(s) for the user available so that they can be used
in the process of determining whether the new password is acceptable.
- Rename the passwordIsValid method to passwordIsAcceptable to make it clearer
what the intended purpose of the password validator is.
Also, improve test coverage for the password validator classes. |
5157c803af3d7ccb2f03801cc912b44149182cb3 490 |
|
29-Sep-2006 |
neil_a_wilson |
Make several test case updates:
- Add additional test cases for abandon operations.
- Add a set of test cases for bind operations.
- Add a new short circuit plugin that can be used to force plugin to cause
operation processing to end prematurely and with a specified result. |
7063b861a7c134148d242e3e694ef80d53d4ea17 486 |
|
29-Sep-2006 |
neil_a_wilson |
Update the unit test configuration so that exception stack traces will not be
written to the debug log by default. This will primarily help reduce the
amount of output generated when running the tests with assertions enabled, and
will help dramatically cut down the size of the e-mail message generated by the
daily build process. |
c20e7e3e6b1dd174c025487ceef713f07d77ba4b 477 |
|
26-Sep-2006 |
neil_a_wilson |
Add several changes related to testing:
- Add a new plugin that can be used to terminate client connections at specific
points in plugin processing when an appropriate control is included in the
request.
- Add a new plugin that can be used to count the number of times that various
types of plugins are invoked. Update the startServer and shutdownServer
methods in TestCaseUtils to ensure that the startup and shutdown plugins are
invoked at the right times.
- Add test cases for the DirectoryException and InitializationException
classes.
- Create an OperationTestCase superclass that can be used for testing generic
methods in the Operation class. Create an AbandonOperationTestClass subclass
that tests the core Abandon operation. |
a89f073e2246d8dc081ec584f19bbcd813b9a44c 449 |
|
25-Sep-2006 |
neil_a_wilson |
Add a set of certificates for use in testing the server with SSL and StartTLS.
The certificates are valid for 20 years, so we won't need to change them for a
while. They are self-signed, but there are also trust stores available so that
clients can trust them without needing to resort to blindly trusting all
certificates. There is a client certificate that is adequate for use with SASL
EXTERNAL. Both the client and server certificates are available in both JKS
and PKCS#12 formats.
The commands used to generate these certificates are as follows:
$ /usr/java5/bin/keytool -genkey -alias server-cert -keyalg rsa -dname 'CN=OpenDS Test Certificate,O=OpenDS.org' -keystore server.keystore -storepass password -keypass password
$ /usr/java5/bin/keytool -selfcert -alias server-cert -validity 7305 -keystore server.keystore -storepass password
$ /usr/java5/bin/keytool -export -rfc -alias server-cert -file /tmp/server.cert -keystore server.keystore -storepass password
$ /usr/java5/bin/keytool -import -alias server-cert -file /tmp/server.cert -keystore server.truststore -storepass password
$ /usr/java5/bin/keytool -genkey -alias client-cert -keyalg rsa -dname 'CN=Test User,O=Test' -keystore client.keystore -storepass password -keypass password
$ /usr/java5/bin/keytool -selfcert -alias client-cert -validity 7305 -keystore client.keystore -storepass password
$ /usr/java5/bin/keytool -import -alias server-cert -file /tmp/server.cert -keystore client.truststore -storepass password
$ /usr/java5/bin/keytool -export -rfc -alias client-cert -file /tmp/client.cert -keystore client.keystore -storepass password
$ /usr/java5/bin/keytool -import -alias client-cert -file /tmp/client.cert -keystore server.truststore -storepass password
$ /usr/java5/bin/keytool -import -alias client-cert -file /tmp/client.cert -keystore client.truststore -storepass password
$ keytool -importkeystore -srckeystore server.keystore -destkeystore server-cert.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias server-cert -destalias server-cert -srckeypass password -destkeypass password
$ keytool -importkeystore -srckeystore client.keystore -destkeystore client-cert.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass password -deststorepass password -srcalias client-cert -destalias client-cert -srckeypass password -destkeypass password |
d1759377955a57f4c7362308bc78565694a87680 442 |
|
24-Sep-2006 |
neil_a_wilson |
Add a simple plugin that can be used to introduce a delay in pre-operation
processing. The delay will only be introduced for operations that contain a
special control which also indicates the length of time to sleep before
returning. This can be useful in testing cancel and abandon operations. |
78ebdb0fc9f2a940f8385300ee5b4952d225b899 375 |
|
19-Sep-2006 |
boli |
Added the ability to run unit tests in parallel on the same machine by randomly
choosing the ports the test server uses. The startServer() method picks 3 unused ports and writes them out to config-changes.ldif. It replaces the tokens "#ldapport#", "#jmxport#", and "#ldapsport#" with the port numbers. The getServerLdapPort etc. methods will return the ports assigned to those listeners.
Fix for issue 657 |
7ea3e4667fd4a40f7792638bc429b36d8066557a 373 |
|
18-Sep-2006 |
neil_a_wilson |
Add test cases for various server elements, including:
- The entryUUID plugin
- The password policy import plugin
- The LDAP attribute description list plugin
- The LastMod plugin
- The length-based password validator
- The default entry cache
- The null connection security provider
- The internal connection security provider
- The ANONYMOUS SASL mechanism handler
- The CRAM-MD5 SASL mechanism handler |
3effb6e09816d45ff07f200fec2b6ecb9588fa7f 333 |
|
14-Sep-2006 |
neil_a_wilson |
Update the config-changes.ldif file so that information about internal
operations will be written to the access log when running test cases. |
ae8010f9ddf526c96a9274296e01f6aa3f122d72 329 |
|
13-Sep-2006 |
neil_a_wilson |
Update the config-changes.ldif file to make sure the svn:eol-style property is
set, and also to make sure that there is a newline at the end of the file. |
267e43ad6455f631dfdb9e552909a137b9e4f087 328 |
|
13-Sep-2006 |
boli |
Add the test resources folder and the config-changes.ldif file used in unit tests. |