Age | Commit message (Collapse) | Author |
|
OK kn@
|
|
ok jmatthew@
|
|
ok miod@ millert@
|
|
various *d, *conf, *ctl files (where relevant) and simple;
also makes "man -k routing" more useful;
help from claudio and florian
ok claudio florian millert
|
|
OK tb@
|
|
This makes the function definition match the prototype and silences a
clang-15 warning.
|
|
ok miod@ martijn@
|
|
This change could theoretically affect some people who actually have one
of the scheme's in lower case in their password, but this is extremely
unlikely in the real world.
Pointed out by David Diggles (david <at> elven <dot> com <dot> au)
OK sthen@
|
|
|
|
the actuall attribute needs to removed instead of leaving back an
empty attribute. Empty attributes are not valid and fail later on
in ldap_modify(). By calling ldap_del_attribute() in this case
properly removes the attribute and with that validate_entry() no
longer fails later on.
OK jmatthew@
|
|
LDAP_INVALID_SYNTAX is returned.
OK jmatthew@
|
|
and therefor printing the errno as well makes no sense.
|
|
(needed for getdtablecount).
|
|
directory must be unveiled with "rwc" rather than just "rw".
ok deraadt@ mestre@
|
|
ok jmatthew millert
|
|
macro-build a replacement for sccsid, and was done without any concern
for namespace damage. Unfortunately this practice started infecting
other code as others were unaware they didn't need the file.
ok millert guenther
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
with normalized basedns work. Seems all other DN attributes in parse.y
pass through normalize_dn() so this seems to be the last one missing out.
With this configs using capitalized namespace DN like o=OpenBSD,c=CA
will actually work.
OK kn@ gsoares@
|
|
Host() return 1 on success and 0 or -1 on failure.
OK kn@ gsoares@
|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.
Remove explicit tls_init() calls from base to not give the impression of
it being needed.
Feedback tb
OK Tests mestre
|
|
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
r1.39. Issue originally reported by Anton Kasimov via rob@.
OK claudio@
|
|
These priv-sep daemons all follow a similar design and use TAILQs
for tracking control process connections. In most cases, the TAILQs
are initialized separate from where they are used. Since the scope
of use is generally confined to a specific control process file,
this commit also removes any extern definitions and exposing the
TAILQ structures to other compilation units.
ok bluhm@, tb@
|
|
|
|
some objects at shutdown thereby allowing for a tighter unveil.
Feedbackup from deraadt@ and martijn@.
OK deraadt@
|
|
to privsep_procid.
ok mortimer
|
|
Tweak and ok martijn@
|
|
Suggested by martijn@, ok claudio@
|
|
before accessing anything in ifa_addr.
ok claudio@
|
|
This warning was present since an incorrect cast was removed in r1.11.
Add the cast to the correct place, i.e., cast to the wider type.
ok florian martijn
|
|
ldapd infers certificate and key paths from the configured certificate
string. It appends ".crt" and ".key", respectively, and in the case of
a relative path it also prepends "/etc/ldap/certs/". A logic error
results in prepending "/etc/ldap/certs/" also for absolute paths. Avoid
this by making the whole thing readable at the cost of a bit of verbosity.
Problem reported by Maksim Rodin on misc@, thanks!
Initial fix from me, committing an improved version on behalf of martijn.
ok jmatthew, tb
|
|
attribute that can be used to extend existing LDAP users with the
additional bsdAccount objectclass. The former is useful for
ypldap+ldapd setups without login_ldap and the latter makes it
easier to use sshd's AuthorizedKeysCommand.
Originally from reyk,
revived by Aisha Tammy,
with input from many, especially Robert Klein.
|
|
protocols and ciphers. So you get a TLS server speaking TLSv1.0 and
supporting cipher suites with RC4 and 3DES encryption, all of which should
be considered broken. There is no way of disabling TLSv1.0 and TLSv1.1 in
ldapd. All this is also not very clearly called out in the documentation.
This commit switches the defaults to using the libtls defaults for both
protocols and ciphers. If compatibility with the insecure legacy protocols
and ciphers is needed, use the "legacy" keyword before "tls" or "ldaps" in
ldapd.conf.
tested by abieber.
inoguchi agrees with the direction.
ok beck
|
|
Diff from roklein <at> roklein <dot> de
OK claudio@
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
OK florian@
|
|
The handling of this changed with libutil/ber.c r1.12 resulting in starttls
failing.
Found by several.
Fix suggestion by roklein <at> roklein <dot> de
OK claudio@
|
|
so move our BER API to the unused ober_* prefix to avoid some
breakage in ports.
Problem diagnosed by jmatthew with ber_free() in samba, but
there are many others as pointed out by sthen.
tests & ok rob
ok sthen (who had an almost identical diff for libutil)
"go head hit it" deraadt
|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
ok millert nicm tb, etc
|
|
ok guenther@, claudio@
|
|
snmpctl. Separate copies of ber.[ch] have existed and been maintained in sync
in ldap, ldapd, ypldap and snmpd.
This commit moves the BER API into /usr/lib/libutil. All current consumers
already link libutil. ldapd and snmpd regress passes, and release builds.
With help from tb@ and guenther@.
ok deraadt@, tb@
|
|
fixes a problem when handling large negative integers.
ok claudio@
|
|
descriptor keeps CLOEXEC flag then it will be closed unexpectedly by
exec().
ok tedu florian
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
results in a warning. Use either the original string value or use a cast.
This makes both clang and gcc happy.
OK guenther@
|
|
|
|
Found via snmpctl snmp walk 127.0.0.1 oid 1
OK claudio@
|
|
|