- Oct 11, 2017
-
If TLS_CACERT pointed to a PEM file and TLS_CACERTDIR was set to an NSS certificate database, the backend assumed that the certificate is always located in the certificate database. This assumption might be wrong. This patch makes the library try to load the certificate from the NSS database and fall back to the PEM file if unsuccessful.
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
ITS#8687 - EGD is disabled by default in OpenSSL 1.1. We need to comment out this block if it is not detected. Particularly affects cross compilation.
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
ITS#8121 - Note ldap_sasl_bind and ldap_sasl_bind_s can be used to make simple binds via the LDAP_SASL_SIMPLE mechanism
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
CA certificate files in an OpenSSL-compatible CACERTDIR were loaded if the file extension was '.0'. However, the file name should be the 8-letter-long certificate hash of the certificate subject name, followed by a numeric suffix which is used to differentiate between two certificates with the same subject name. With this patch, certificate file names are matched correctly (using regular expressions).
-
Quanah Gibson-Mount authored
-
If multiple servers are specified, the connection to the first one succeeds, and the hostname verification fails, *tls_session is not dropped, but reused when connecting to the second server. This is a problem with the Mozilla NSS backend because another handshake cannot be performed on the same file descriptor. For this reason, hostname checking was moved into ldap_int_tls_connect() before connection error handling.
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
When TLS fails to start
-
Also, there's no need for a retry loop here. Just wait for the specified timeout or give up.
-
Don't release read txn unless there has actually been a new write txn
-
- Sep 12, 2017
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
When a checkpoint happens, if we remove the CSN from the pending list, accesslog won't pass it on to the accesslog DB. But in a delta-mmr scenario, an accesslog entry without a CSN faces a race where it might be applied twice. That usually fails and causes a full refresh; other times it can cause a silent desync. Both are undesirable.
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Quanah Gibson-Mount authored
-
Strip trailing space of last pathname component, if any. Not first.
-
Quanah Gibson-Mount authored
mappings from slapd.def