Ondřej Kuzník authored 9 years ago and Quanah Gibson-Mount committed 5 years ago

Still needs to retrieve the entry for ACL resolution until we can
restrict controls with ACLs.

Don't try to generate it if it wasn't requested

Fix for groupURI with no filter

Replace (memberOf=<groupDN>) filter with expansion of group's URI

parse dyngroup URLs in advance, don't use the ACL engine's
evaluator any more

Keep track of number of uses of memberOf in config, to
allow bypassing code if not in use.

Ryan Tandy authored 5 years ago and Quanah Gibson-Mount committed 5 years ago

MinGW targets do not have the <sys/socket.h> header. The configure check
would conclude that there is no socklen_t type, resulting in portable.h
containing its own definition of socklen_t, which would later conflict
with the actual definition in <ws2tcpip.h>.

Add <ws2tcpip.h> to the configure check for socklen_t, so that the
defined type is correctly detected.

- give authid-rewrite's argument a name
- tidy saslauthz.c whitespace (mixed spaces/tabs)
- always declare slap_sasl_regexp_destroy: fixes an implicit declaration
  warning when configured without librewrite
- delete dead code: ENABLE_REWRITE implies SLAP_AUTH_REWRITE, so this
  code is never compiled
- make slap_sasl_regexp_rewrite_config static
- omit sasl_regexp unused fields when built with librewrite

Note that with slapd-ldap, the special character "*" actually allows anonymous rather than denies, as is the case with authz-policy

Sergei Trofimovich authored 7 years ago and Quanah Gibson-Mount committed 5 years ago

thr_posix.c: In function 'ldap_pvt_thread_set_concurrency':
thr_posix.c:96:9: error: implicit declaration of function 'pthread_setconcurrency'
  return pthread_setconcurrency( n );
         ^~~~~~~~~~~~~~~~~~~~~~
         pthread_setcanceltype

Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

Kurt Zeilenga authored 7 years ago and Quanah Gibson-Mount committed 5 years ago

The spec says that upon StartTLS 'success', both TLS communications is
established on the octet following the Start TLS response (and the
request)... and that once one starts TLS communications, one can never
go back to LDAP without TLS. So if there's a TLS failure (whether as
part of TLS nego or later), LDAP communications cannot be continued
(without TLS).

Only ignoring LDAP errors (rc > 0) ensures that if TLS negotiation
fails, we don't attempt to send LDAP operations without TLS.

Filters use parentheses, not brackets.