Rich Megginson authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

In tlsm_auth_cert_handler, we get the peer's cert from the socket using
SSL_PeerCertificate.  This value is allocated and/or cached.  We must
destroy it using CERT_DestroyCertificate.

Howard Chu authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

add hex timestamp to lutil_debug() output
Fix LASTMOD race condition in accesslog.c
Set refreshInterval even if using refreshAndPersist, since
fallbacks will use refresh params

Merge branch 'OPENLDAP_REL_ENG_2_4' of ssh://git-master.openldap.org/~git/git/openldap into OPENLDAP_REL_ENG_2_4

Howard Chu authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

track a CSN per SID in the log->sl_mincsn

Howard Chu authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

Should SLAP_AUTH_DN be #defined in release now?

ITS#6975

Rich Megginson authored 13 years ago and Quanah Gibson-Mount committed 13 years ago

OpenLDAP built with OpenSSL allows most any value of cacertdir - directory
is a file, directory does not contain any CA certs, directory does not
exist - users expect if they specify TLS_REQCERT=never, no matter what
the TLS_CACERTDIR setting is, TLS/SSL will just work.
TLS_CACERT, on the other hand, is a hard error.  Even if TLS_REQCERT=never,
if TLS_CACERT is specified and is not a valid CA cert file, TLS/SSL will
fail.  This patch makes CACERT errors hard errors, and makes CACERTDIR
errors "soft" errors.  The code checks CACERT first and, even though
the function will return an error, checks CACERTDIR anyway so that if the
user sets TRACE mode they will get CACERTDIR processing messages.