authorFabio Erculiani <lxnay@gentoo.org>2012-10-02 20:23:36 +0000
committerFabio Erculiani <lxnay@gentoo.org>2012-10-02 20:23:36 +0000
commit34a94ec29356c7a8ea96babfe1e22ad56bca015e (patch)
tree45c5c0fa214fb1d0e5d9c581a9c47b95df686b22 /net-nds/389-ds-base
parentstable ppc ppc64, bug #436810 (diff)
downloadgentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.tar.gz
gentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.tar.bz2
gentoo-2-34a94ec29356c7a8ea96babfe1e22ad56bca015e.zip
version bump, closes #405127, #428178, #436768
(Portage version: 2.2.0_alpha123/cvs/Linux x86_64)
Diffstat (limited to 'net-nds/389-ds-base')
-rw-r--r--net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild (renamed from net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild)21
-rw-r--r--net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild199
-rw-r--r--net-nds/389-ds-base/ChangeLog11
-rw-r--r--net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch28
-rw-r--r--net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch367
5 files changed, 417 insertions, 209 deletions
diff --git a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild
index cb1c90e55a6a..9dc293126a49 100644
--- a/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild
+++ b/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2012 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.8.3.ebuild,v 1.4 2012/05/03 04:24:37 jdhore Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.11.15.ebuild,v 1.1 2012/10/02 20:23:36 lxnay Exp $
EAPI=2
@@ -19,22 +19,21 @@ KEYWORDS="~amd64 ~x86"
IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux"
ALL_DEPEND="!>=sys-libs/db-5.0
+ >=dev-libs/cyrus-sasl-2.1.19
+ >=dev-libs/icu-3.4
dev-libs/nss[utils]
dev-libs/nspr
dev-libs/svrcore
+ dev-libs/openssl
+ dev-libs/libpcre:3
dev-libs/mozldap
- >=dev-libs/cyrus-sasl-2.1.19
- >=dev-libs/icu-3.4
- >=sys-libs/db-4.5
+ dev-perl/perl-mozldap
>=net-analyzer/net-snmp-5.1.2
- dev-libs/openssl
sys-apps/tcp-wrappers
+ >=sys-libs/db-4.5
sys-libs/pam
sys-libs/zlib
- dev-perl/perl-mozldap
- dev-libs/libpcre:3
- kerberos? ( net-nds/openldap
- >=app-crypt/mit-krb5-1.7-r100[openldap] )
+ kerberos? ( net-nds/openldap >=app-crypt/mit-krb5-1.7-r100[openldap] )
selinux? ( >=sys-apps/policycoreutils-1.30.30
sec-policy/selinux-base-policy )"
@@ -57,6 +56,10 @@ pkg_setup() {
src_prepare() {
epatch "${FILESDIR}/selinux.patch"
+ # Fix compilation against mozldap
+ epatch "${FILESDIR}/389-ds-base-1.2.11-fix-mozldap.patch"
+ # Upstream patch, will be in 1.2.11.16, fixes CVE-2012-4450
+ epatch "${FILESDIR}/389-ds-base-1.2.11.16-cve-2012-4450.patch"
# as per 389 documentation, when 64bit, export USE_64
use amd64 && export USE_64=1
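Review bot: The `nsslapd-allow-unauthenticated-binds` override is left in place by this src_prepare hunk: the deleted 1.2.9.6 ebuild shows this package's src_prepare also runs `sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/'` on template-dse.ldif.in, and since 1.2.11.15 is a rename of 1.2.8.3 whose only src_prepare change is the two epatch lines here, that sed presumably still runs below this hunk (src_prepare continues outside it). Turning unauthenticated binds on departs from the upstream default (off) and from RFC 4513 §5.1.2, which has servers reject them by default because a client that binds with an empty password and treats success as authentication is silently downgraded to anonymous; a bump that already carries a CVE fix is a reasonable point to drop that sed or justify it. If it stays, put `# Deviates from upstream: unauthenticated (empty-password) binds succeed as anonymous; see RFC 4513 5.1.2 before using bind for app auth` above it and mention the behaviour in pkg_postinst's elog. The comment on the CVE patch says it lands in 1.2.11.16, so also add `# drop on bump to >=1.2.11.16` so the patch is not carried forward blindly.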
diff --git a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild b/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild
deleted file mode 100644
index b6bb8ac18d08..000000000000
--- a/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild
+++ /dev/null
@@ -1,199 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/389-ds-base-1.2.9.6.ebuild,v 1.2 2012/05/03 04:24:37 jdhore Exp $
-
-EAPI=2
-
-WANT_AUTOMAKE="1.9"
-MY_P=${P/_alpha/.a}
-MY_P=${MY_P/_rc/.rc}
-inherit eutils multilib flag-o-matic autotools
-
-DESCRIPTION="389 Directory Server (core librares and daemons )"
-HOMEPAGE="http://port389.org/"
-SRC_URI="http://directory.fedoraproject.org/sources/${MY_P}.tar.bz2"
-
-LICENSE="GPL-2-with-exceptions"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE="autobind auto-dn-suffix debug doc +pam-passthru +dna +ldapi +bitwise +presence kerberos selinux"
-
-ALL_DEPEND="!>=sys-libs/db-5.0
- dev-libs/nss[utils]
- dev-libs/nspr
- dev-libs/svrcore
- dev-libs/mozldap
- >=dev-libs/cyrus-sasl-2.1.19
- >=dev-libs/icu-3.4
- >=sys-libs/db-4.5
- >=net-analyzer/net-snmp-5.1.2
- dev-libs/openssl
- sys-apps/tcp-wrappers
- sys-libs/pam
- sys-libs/zlib
- dev-perl/perl-mozldap
- dev-libs/libpcre:3
- kerberos? ( net-nds/openldap
- >=app-crypt/mit-krb5-1.7-r100[openldap] )
- selinux? ( >=sys-apps/policycoreutils-1.30.30
- sec-policy/selinux-base-policy )"
-
-DEPEND="${ALL_DEPEND}
- virtual/pkgconfig
- sys-devel/libtool
- doc? ( app-doc/doxygen )
- selinux? ( sys-devel/m4 >=sys-apps/checkpolicy-1.30.12 )
- sys-apps/sed"
-RDEPEND="${ALL_DEPEND}
- virtual/perl-Time-Local
- virtual/perl-MIME-Base64"
-
-S="${WORKDIR}/${MY_P}"
-
-pkg_setup() {
- enewgroup dirsrv
- enewuser dirsrv -1 -1 -1 dirsrv
-}
-
-src_prepare() {
- epatch "${FILESDIR}/selinux.patch"
-
- # as per 389 documentation, when 64bit, export USE_64
- use amd64 && export USE_64=1
-
- sed -i -e 's/nobody/dirsrv/g' configure.ac || die "sed failed on configure.ac"
- eautoreconf
-
- # enable nsslapd-allow-unauthenticated-binds by default
- sed -i '/^nsslapd-allow-unauthenticated-binds/ s/off/on/' "${S}"/ldap/ldif/template-dse.ldif.in || \
- die "cannot tweak default setting: nsslapd-allow-unauthenticated-binds"
-
-}
-
-src_configure() {
- local myconf=""
-
- use auto-dn-suffix && myconf="${myconf} --enable-auto-dn-suffix"
- use selinux && myconf="${myconf} --with-selinux"
-
- econf \
- $(use_enable debug) \
- $(use_enable pam-passthru) \
- $(use_enable ldapi) \
- $(use_enable autobind) \
- $(use_enable dna) \
- $(use_enable bitwise) \
- $(use_enable presence) \
- $(use_with kerberos) \
- --enable-maintainer-mode \
- --enable-autobind \
- --with-fhs \
- $myconf || die "econf failed"
-}
-
-src_compile() {
- append-lfs-flags
-
- # Use -j1 otherwise libacl-plugin.so could fail to install properly
- emake -j1 || die "compile failed"
- if use selinux; then
- emake -f selinux/Makefile || die " build selinux policy failed"
- fi
-}
-
-src_install () {
- # Use -j1 otherwise libacl-plugin.so could fail to install properly
- emake -j1 DESTDIR="${D}" install || die "emake install failed"
-
- if use selinux;then
- emake -f selinux/Makefile DESTDIR="${D}" install || die "Install selinux policy failed"
- fi
-
- # install not installed header
- insinto /usr/include/dirsrv
- doins ldap/servers/slapd/slapi-plugin.h
-
- # for build free-ipa require winsync-plugin
- doins ldap/servers/plugins/replication/winsync-plugin.h
- doins ldap/servers/plugins/replication/repl-session-plugin.h
-
- # make sure perl scripts have a proper shebang
- cd "${D}"/usr/share/dirsrv/script-templates/
-
- for i in $(find ./ -iname '*.pl') ;do
- sed -i -e 's/#{{PERL-EXEC}}/#\!\/usr\/bin\/perl/' $i || die
- done
-
- # remove redhat style init script
- rm -rf "${D}"/etc/rc.d || die
- rm -rf "${D}"/etc/default || die
-
- # and install gentoo style init script
- newinitd "${FILESDIR}"/389-ds.initd 389-ds
- newinitd "${FILESDIR}"/389-ds-snmp.initd 389-ds-snmp
-
- # install Gentoo-specific start/stop scripts
- rm -f "${D}"/usr/sbin/{re,}start-dirsrv || die "cannot remove 389 start/stop executables"
- exeinto /usr/sbin
- doexe "${FILESDIR}"/{re,}start-dirsrv
-
- # cope with libraries being in /usr/lib/dirsrv
- dodir /etc/env.d
- echo "LDPATH=/usr/$(get_libdir)/dirsrv" > "${D}"/etc/env.d/08dirsrv
-
- # create the directory where our log file and database
- diropts -m 0755
- dodir /var/lib/dirsrv
- keepdir /var/lib/dirsrv
- dodir /var/lock/dirsrv
- keepdir /var/lock/dirsrv
- # snmp agent, required directory
- keepdir /var/agentx
- dodir /var/agentx
-
- if use doc; then
- cd "${S}"
- doxygen slapi.doxy || die "cannot run doxygen"
- dohtml -r docs/html
- fi
-}
-
-pkg_postinst() {
- if use selinux; then
- if has "loadpolicy" $FEATURES; then
- einfo "Inserting the following modules into the module store"
- cd /usr/share/selinux/targeted # struct policy not supported
- semodule -s dirsrv -i dirsrv.pp
- else
- elog
- elog "Policy has not been loaded. It is strongly suggested"
- elog "that the policy be loaded before continuing!!"
- elog
- elog "Automatic policy loading can be enabled by adding"
- elog "\"loadpolicy\" to the FEATURES in make.conf."
- elog
- ebeep 4
- fi
- fi
-
- elog
- elog "If you are planning to use 389-ds-snmp (ldap-agent),"
- elog "make sure to properly configure: /etc/dirsrv/config/ldap-agent.conf"
- elog "adding proper 'server' entries, and adding the lines below to"
- elog " => /etc/snmp/snmpd.conf"
- elog
- elog "master agentx"
- elog "agentXSocket /var/agentx/master"
- elog
- elog
- elog "To start 389 Directory Server (LDAP service) at boot:"
- elog
- elog " rc-update add 389-ds default"
- elog
-
- elog "If you are upgrading from previous 1.2.6 release candidates"
- elog "please see:"
- elog "http://directory.fedoraproject.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer"
- elog
-
-}
diff --git a/net-nds/389-ds-base/ChangeLog b/net-nds/389-ds-base/ChangeLog
index a9822c80cca0..fe906aed3134 100644
--- a/net-nds/389-ds-base/ChangeLog
+++ b/net-nds/389-ds-base/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for net-nds/389-ds-base
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.21 2012/05/03 04:24:37 jdhore Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-nds/389-ds-base/ChangeLog,v 1.22 2012/10/02 20:23:36 lxnay Exp $
+
+*389-ds-base-1.2.11.15 (02 Oct 2012)
+
+ 02 Oct 2012; Fabio Erculiani <lxnay@gentoo.org>
+ +389-ds-base-1.2.11.15.ebuild,
+ +files/389-ds-base-1.2.11.16-cve-2012-4450.patch,
+ +files/389-ds-base-1.2.11-fix-mozldap.patch, -389-ds-base-1.2.8.3.ebuild,
+ -389-ds-base-1.2.9.6.ebuild:
+ version bump, closes #405127, #428178, #436768
03 May 2012; Jeff Horelick <jdhore@gentoo.org> 389-ds-base-1.2.8.3.ebuild,
389-ds-base-1.2.9.6.ebuild:
diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch
new file mode 100644
index 000000000000..7c99085e3d3b
--- /dev/null
+++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11-fix-mozldap.patch
@@ -0,0 +1,28 @@
+commit f5bd0ed47523b39aedb6bcc1f9c0754371159a77
+Author: Rich Megginson <rmeggins at redhat.com>
+Date: Fri Sep 14 09:20:18 2012 -0600
+
+ Ticket #461 - fix build problem with mozldap c sdk
+
+ https://fedorahosted.org/389/ticket/461
+ Reviewed by: rmeggins
+ Fixed by: cgrzemba
+ Branch: master
+ Fix Description: mozldap does not define LDAP_MOD_OP so define it
+ Platforms tested: RHEL6 x86_64
+ Flag Day: no
+ Doc impact: no
+
+diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
+index bfd48b1..4736e82 100644
+--- a/ldap/servers/slapd/pw.c
++++ b/ldap/servers/slapd/pw.c
+@@ -61,6 +61,9 @@
+ #if defined( _WIN32 )
+ #undef LDAPDebug
+ #endif /* _WIN32 */
++#if defined( USE_MOZLDAP )
++#define LDAP_MOD_OP (0x0007)
++#endif /* USE_MOZLDAP */
+
+ #include "slap.h"
diff --git a/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch
new file mode 100644
index 000000000000..54d9b1b975d7
--- /dev/null
+++ b/net-nds/389-ds-base/files/389-ds-base-1.2.11.16-cve-2012-4450.patch
@@ -0,0 +1,367 @@
+From 5beb93d42efb807838c09c5fab898876876f8d09 Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@totoro.usersys.redhat.com>
+Date: Fri, 21 Sep 2012 19:35:18 +0000
+Subject: Trac Ticket #340 - Change on SLAPI_MODRDN_NEWSUPERIOR is not
+
+ evaluated in acl
+
+https://fedorahosted.org/389/ticket/340
+
+Bug Description: When modrdn operation was executed, only newrdn
+change was passed to the acl plugin. Also, the change was used
+only for the acl search, but not for the acl target in the items
+in the acl cache.
+
+Fix Description: This patch also passes the newsuperior update
+to the acl plugin. And the modrdn updates are applied to the
+acl target in the acl cache.
+---
+diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
+index 15e474e..3389404 100644
+--- a/ldap/servers/plugins/acl/acl.c
++++ b/ldap/servers/plugins/acl/acl.c
+@@ -170,9 +170,9 @@ acl_access_allowed_modrdn(
+ * Test if have access to make the first rdn of dn in entry e.
+ */
+
+-static int check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn,
+- int access) {
+-
++static int
++check_rdn_access( Slapi_PBlock *pb, Slapi_Entry *e, const char *dn, int access)
++{
+ char **dns;
+ char **rdns;
+ int retCode = LDAP_INSUFFICIENT_ACCESS;
+@@ -655,7 +655,8 @@ cleanup_and_ret:
+
+ }
+
+-static void print_access_control_summary( char *source, int ret_val, char *clientDn,
++static void
++print_access_control_summary( char *source, int ret_val, char *clientDn,
+ struct acl_pblock *aclpb,
+ char *right,
+ char *attr,
+@@ -1524,11 +1525,12 @@ acl_check_mods(
+ *
+ **************************************************************************/
+ extern void
+-acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
++acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change)
+ {
+ struct berval **bvalue;
+ char **value;
+ int rv=0; /* returned value */
++ const char* n_dn;
+ char* new_RDN;
+ char* parent_DN;
+ char* new_DN;
+@@ -1537,10 +1539,12 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ int j;
+ Slapi_Attr *attr = NULL;
+ Slapi_Entry *e = NULL;
+- Slapi_DN *e_sdn;
+ aclUserGroup *ugroup = NULL;
+
+- e_sdn = slapi_sdn_new_normdn_byval ( n_dn );
++ if (NULL == e_sdn) {
++ return;
++ }
++ n_dn = slapi_sdn_get_dn(e_sdn);
+ /* Before we proceed, Let's first check if we are changing any groups.
+ ** If we are, then we need to change the signature
+ */
+@@ -1768,45 +1772,64 @@ acl_modified (Slapi_PBlock *pb, int optype, char *n_dn, void *change)
+ }
+
+ break;
+- }/* case op is modify*/
++ }/* case op is modify*/
+
+- case SLAPI_OPERATION_MODRDN:
+-
+- new_RDN = (char*) change;
+- slapi_log_error (SLAPI_LOG_ACL, plugin_name,
+- "acl_modified (MODRDN %s => \"%s\"\n",
+- n_dn, new_RDN);
++ case SLAPI_OPERATION_MODRDN:
++ {
++ char **rdn_parent;
++ rdn_parent = (char **)change;
++ new_RDN = rdn_parent[0];
++ parent_DN = rdn_parent[1];
+
+ /* compute new_DN: */
+- parent_DN = slapi_dn_parent (n_dn);
+- if (parent_DN == NULL) {
+- new_DN = new_RDN;
++ if (NULL == parent_DN) {
++ parent_DN = slapi_dn_parent(n_dn);
++ }
++ if (NULL == parent_DN) {
++ if (NULL == new_RDN) {
++ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
++ "acl_modified (MODRDN %s => \"no change\"\n",
++ n_dn);
++ break;
++ } else {
++ new_DN = new_RDN;
++ }
+ } else {
+- new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++ if (NULL == new_RDN) {
++ Slapi_RDN *rdn= slapi_rdn_new();
++ slapi_sdn_get_rdn(e_sdn, rdn);
++ new_DN = slapi_create_dn_string("%s,%s", slapi_rdn_get_rdn(rdn),
++ parent_DN);
++ slapi_rdn_free(&rdn);
++ } else {
++ new_DN = slapi_create_dn_string("%s,%s", new_RDN, parent_DN);
++ }
+ }
++ slapi_log_error (SLAPI_LOG_ACL, plugin_name,
++ "acl_modified (MODRDN %s => \"%s\"\n", n_dn, new_RDN);
+
+ /* Change the acls */
+- acllist_acicache_WRITE_LOCK();
++ acllist_acicache_WRITE_LOCK();
+ /* acllist_moddn_aci_needsLock expects normalized new_DN,
+ * which is no need to be case-ignored */
+ acllist_moddn_aci_needsLock ( e_sdn, new_DN );
+ acllist_acicache_WRITE_UNLOCK();
+
+ /* deallocat the parent_DN */
+- if (parent_DN != NULL) {
+- slapi_ch_free ( (void **) &new_DN );
+- slapi_ch_free ( (void **) &parent_DN );
++ if (parent_DN != NULL) {
++ slapi_ch_free_string(&new_DN);
++ if (parent_DN != rdn_parent[1]) {
++ slapi_ch_free_string(&parent_DN);
++ }
+ }
+ break;
+-
+- default:
++ } /* case op is modrdn */
++ default:
+ /* print ERROR */
+ break;
+ } /*optype switch */
+-
+- slapi_sdn_free ( &e_sdn );
+-
+ }
++
+ /***************************************************************************
+ *
+ * acl__scan_for_acis
+diff --git a/ldap/servers/plugins/acl/acl.h b/ldap/servers/plugins/acl/acl.h
+index 4fa3e3f..28c38e7 100644
+--- a/ldap/servers/plugins/acl/acl.h
++++ b/ldap/servers/plugins/acl/acl.h
+@@ -796,7 +796,8 @@ int acl_read_access_allowed_on_attr ( Slapi_PBlock *pb, Slapi_Entry *e, char
+ struct berval *val, int access);
+ void acl_set_acllist (Slapi_PBlock *pb, int scope, char *base);
+ void acl_gen_err_msg(int access, char *edn, char *attr, char **errbuf);
+-void acl_modified ( Slapi_PBlock *pb, int optype, char *dn, void *change);
++void acl_modified (Slapi_PBlock *pb, int optype, Slapi_DN *e_sdn, void *change);
++
+ int acl_access_allowed_disjoint_resource( Slapi_PBlock *pb, Slapi_Entry *e,
+ char *attr, struct berval *val, int access );
+ int acl_access_allowed_main ( Slapi_PBlock *pb, Slapi_Entry *e, char **attrs,
+@@ -866,7 +867,7 @@ void acllist_print_tree ( Avlnode *root, int *depth, char *start, char *side);
+ AciContainer *acllist_get_aciContainer_new ( );
+ void acllist_done_aciContainer ( AciContainer *);
+
+-aclUserGroup* aclg_find_userGroup (char *n_dn);
++aclUserGroup* aclg_find_userGroup (const char *n_dn);
+ void aclg_regen_ugroup_signature( aclUserGroup *ugroup);
+ void aclg_markUgroupForRemoval ( aclUserGroup *u_group );
+ void aclg_reader_incr_ugroup_refcnt(aclUserGroup* u_group);
+diff --git a/ldap/servers/plugins/acl/aclgroup.c b/ldap/servers/plugins/acl/aclgroup.c
+index c694293..2231304 100644
+--- a/ldap/servers/plugins/acl/aclgroup.c
++++ b/ldap/servers/plugins/acl/aclgroup.c
+@@ -213,7 +213,7 @@ aclg_reset_userGroup ( struct acl_pblock *aclpb )
+ */
+
+ aclUserGroup*
+-aclg_find_userGroup(char *n_dn)
++aclg_find_userGroup(const char *n_dn)
+ {
+ aclUserGroup *u_group = NULL;
+ int i;
+diff --git a/ldap/servers/plugins/acl/acllist.c b/ldap/servers/plugins/acl/acllist.c
+index 9b5363a..e8198af 100644
+--- a/ldap/servers/plugins/acl/acllist.c
++++ b/ldap/servers/plugins/acl/acllist.c
+@@ -600,7 +600,6 @@ void
+ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ {
+ Acl_PBlock *aclpb;
+- int i;
+ AciContainer *root;
+ char *basedn = NULL;
+ int index;
+@@ -671,11 +670,6 @@ acllist_init_scan (Slapi_PBlock *pb, int scope, const char *base)
+ aclpb->aclpb_state &= ~ACLPB_SEARCH_BASED_ON_LIST ;
+
+ acllist_acicache_READ_UNLOCK();
+-
+- i = 0;
+- while ( i < aclpb_max_selected_acls && aclpb->aclpb_base_handles_index[i] != -1 ) {
+- i++;
+- }
+ }
+
+ /*
+@@ -893,34 +887,50 @@ acllist_acicache_WRITE_LOCK( )
+ int
+ acllist_moddn_aci_needsLock ( Slapi_DN *oldsdn, char *newdn )
+ {
+-
+-
+ AciContainer *aciListHead;
+ AciContainer *head;
++ aci_t *acip;
++ const char *oldndn;
+
+ /* first get the container */
+
+ aciListHead = acllist_get_aciContainer_new ( );
+ slapi_sdn_free(&aciListHead->acic_sdn);
+- aciListHead->acic_sdn = oldsdn;
+-
++ aciListHead->acic_sdn = oldsdn;
+
+ if ( NULL == (head = (AciContainer *) avl_find( acllistRoot, aciListHead,
+- (IFP) __acllist_aciContainer_node_cmp ) ) ) {
++ (IFP) __acllist_aciContainer_node_cmp ) ) ) {
+
+ slapi_log_error ( SLAPI_PLUGIN_ACL, plugin_name,
+- "Can't find the acl in the tree for moddn operation:olddn%s\n",
+- slapi_sdn_get_ndn ( oldsdn ));
++ "Can't find the acl in the tree for moddn operation:olddn%s\n",
++ slapi_sdn_get_ndn ( oldsdn ));
+ aciListHead->acic_sdn = NULL;
+ __acllist_free_aciContainer ( &aciListHead );
+- return 1;
++ return 1;
+ }
+
+-
+- /* Now set the new DN */
+- slapi_sdn_done ( head->acic_sdn );
+- slapi_sdn_set_normdn_byval ( head->acic_sdn, newdn );
+-
++ /* Now set the new DN */
++ slapi_sdn_set_normdn_byval(head->acic_sdn, newdn);
++
++ /* If necessary, reset the target DNs, as well. */
++ oldndn = slapi_sdn_get_ndn(oldsdn);
++ for (acip = head->acic_list; acip; acip = acip->aci_next) {
++ const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn);
++ char *p = PL_strstr(ndn, oldndn);
++ if (p) {
++ if (p == ndn) {
++ /* target dn is identical, replace it with new DN*/
++ slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn);
++ } else {
++ /* target dn is a descendent of olddn, merge it with new DN*/
++ char *mynewdn;
++ *p = '\0';
++ mynewdn = slapi_ch_smprintf("%s%s", ndn, newdn);
++ slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn);
++ }
++ }
++ }
++
+ aciListHead->acic_sdn = NULL;
+ __acllist_free_aciContainer ( &aciListHead );
+
+diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
+index 11e56a9..b79d0f2 100644
+--- a/ldap/servers/slapd/dn.c
++++ b/ldap/servers/slapd/dn.c
+@@ -2097,7 +2097,7 @@ slapi_sdn_set_normdn_byval(Slapi_DN *sdn, const char *normdn)
+ slapi_sdn_done(sdn);
+ sdn->flag = slapi_setbit_uchar(sdn->flag, FLAG_DN);
+ if(normdn == NULL) {
+- sdn->dn = slapi_ch_strdup(normdn);
++ sdn->dn = NULL;
+ sdn->ndn_len = 0;
+ } else {
+ sdn->dn = slapi_ch_strdup(normdn);
+diff --git a/ldap/servers/slapd/plugin_acl.c b/ldap/servers/slapd/plugin_acl.c
+index b878156..3bc3f21 100644
+--- a/ldap/servers/slapd/plugin_acl.c
++++ b/ldap/servers/slapd/plugin_acl.c
+@@ -134,11 +134,10 @@ int
+ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ {
+ struct slapdplugin *p;
+- char *dn;
+ int rc = 0;
+- void *change = NULL;
+- Slapi_Entry *te = NULL;
+- Slapi_DN *sdn = NULL;
++ void *change = NULL;
++ Slapi_Entry *te = NULL;
++ Slapi_DN *sdn = NULL;
+ Operation *operation;
+
+ slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
+@@ -146,7 +145,7 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ (void)slapi_pblock_get( pb, SLAPI_TARGET_SDN, &sdn );
+
+ switch ( optype ) {
+- case SLAPI_OPERATION_MODIFY:
++ case SLAPI_OPERATION_MODIFY:
+ (void)slapi_pblock_get( pb, SLAPI_MODIFY_MODS, &change );
+ break;
+ case SLAPI_OPERATION_ADD:
+@@ -158,11 +157,27 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ }
+ break;
+ case SLAPI_OPERATION_MODRDN:
++ {
++ void *mychange[2];
++ char *newrdn = NULL;
++ Slapi_DN *psdn = NULL;
++ char *pdn = NULL;
++
+ /* newrdn: "change" is normalized but not case-ignored */
+ /* The acl plugin expects normalized newrdn, but no need to be case-
+ * ignored. */
+- (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &newrdn );
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR_SDN, &psdn );
++ if (psdn) {
++ pdn = (char *)slapi_sdn_get_dn(psdn);
++ } else {
++ (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWSUPERIOR, &pdn );
++ }
++ mychange[0] = newrdn;
++ mychange[1] = pdn;
++ change = mychange;
+ break;
++ }
+ }
+
+ if (NULL == sdn) {
+@@ -172,10 +187,9 @@ plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )
+ }
+
+ /* call the global plugins first and then the backend specific */
+- dn = (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
+ for ( p = get_plugin_list(PLUGIN_LIST_ACL); p != NULL; p = p->plg_next ) {
+ if (plugin_invoke_plugin_sdn(p, SLAPI_PLUGIN_ACL_MODS_UPDATE, pb, sdn)){
+- rc = (*p->plg_acl_mods_update)(pb, optype, dn, change );
++ rc = (*p->plg_acl_mods_update)(pb, optype, sdn, change );
+ if ( rc != LDAP_SUCCESS ) break;
+ }
+ }
+--
+cgit v0.9.0.2
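Review bot: In the acllist.c part of the added patch (acllist_moddn_aci_needsLock), `PL_strstr(ndn, oldndn)` matches the old DN anywhere inside an aci target, so a target such as `cn=x,dc=example,dc=comp` is treated as a descendant of `dc=example,dc=com` and rewritten, and a target that merely starts with oldndn (e.g. `dc=example,dc=com,dc=extra`) takes the `p == ndn` branch and is replaced wholesale — either way an ACI ends up pointing at the wrong subtree after a rename; `*p = '\0'` additionally writes through the const buffer returned by slapi_sdn_get_ndn(). The descendant test should require oldndn to be a suffix that ends at the end of the target and, when it is not the whole target, is preceded by `,`; the rewrite below does that without mutating the sdn's buffer (it needs `size_t oldlen, ndnlen;` among the declarations, and keeps a NULL guard because PL_strstr, as far as I recall, tolerated a NULL ndn while strlen will not). Separately, in plugin_acl.c `void *mychange[2]` is declared inside the `case SLAPI_OPERATION_MODRDN: { ... }` block but `change = mychange` is dereferenced by the plugin loop after that block has ended, which is a use of storage whose lifetime is over; move `void *mychange[2];` up next to `void *change = NULL;` in the function's locals. The function's closing lines (return after freeing aciListHead) are outside the shown hunk.
```c
    /* If necessary, reset the target DNs, as well. */
    oldndn = slapi_sdn_get_ndn(oldsdn);
    oldlen = strlen(oldndn);
    for (acip = head->acic_list; acip; acip = acip->aci_next) {
        const char *ndn = slapi_sdn_get_ndn(acip->aci_sdn);
        if (NULL == ndn) {
            continue;
        }
        ndnlen = strlen(ndn);
        /* olddn must be the whole target, or a suffix starting on an RDN boundary */
        if (ndnlen < oldlen || 0 != strcmp(ndn + (ndnlen - oldlen), oldndn)) {
            continue;
        }
        if (ndnlen == oldlen) {
            /* target dn is identical, replace it with new DN */
            slapi_sdn_set_normdn_byval(acip->aci_sdn, newdn);
        } else if (',' == ndn[ndnlen - oldlen - 1]) {
            /* target dn is a descendant of olddn, keep its leading RDNs */
            size_t prefixlen = ndnlen - oldlen;
            char *mynewdn = slapi_ch_malloc(prefixlen + strlen(newdn) + 1);
            memcpy(mynewdn, ndn, prefixlen);
            strcpy(mynewdn + prefixlen, newdn);
            slapi_sdn_set_normdn_passin(acip->aci_sdn, mynewdn);
        }
    }
    /* … unchanged: aciListHead->acic_sdn = NULL; __acllist_free_aciContainer … */
```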