[Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acl.c, 1.12, 1.13
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/acl
Modified Files:
acl.c
Log Message:
Resolves: 470918
Summary: Made replica_set_updatedn detect value add modify operations properly.
Index: acl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acl.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- acl.c 17 Oct 2008 22:12:46 -0000 1.12
+++ acl.c 13 Nov 2008 23:08:17 -0000 1.13
@@ -1428,14 +1428,14 @@
for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) {
- if ( ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) ||
- ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE)) {
+ if (SLAPI_IS_MOD_ADD(mod->mod_op) ||
+ SLAPI_IS_MOD_REPLACE(mod->mod_op)) {
rv = acl_access_allowed (pb,e,
mod->mod_type,
mod->mod_bvalues[i],
ACLPB_SLAPI_ACL_WRITE_ADD); /*was SLAPI_ACL_WRITE*/
- } else if ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) {
+ } else if (SLAPI_IS_MOD_DELETE(mod->mod_op)) {
rv = acl_access_allowed (pb,e,
mod->mod_type,
mod->mod_bvalues[i],
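Review bot: The loop condition at L20 dereferences `mod->mod_bvalues` with no NULL check, and an LDAP_MOD_DELETE that removes a whole attribute carries no values, so `mod_bvalues` can legitimately be NULL there. If the enclosing function does not already skip that case before the loop (its start is outside the hunk), guard the `for` with a `mod->mod_bvalues != NULL` test so a whole-attribute delete does not read through a null pointer. The SLAPI_IS_MOD_* macros themselves are a straight replacement for the masked comparisons and look correct.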
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_replica.c, 1.19, 1.20
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/replication
Modified Files:
repl5_replica.c
Log Message:
Resolves: 470918
Summary: Made replica_set_updatedn detect value add modify operations properly.
Index: repl5_replica.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_replica.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- repl5_replica.c 17 Oct 2008 22:12:47 -0000 1.19
+++ repl5_replica.c 13 Nov 2008 23:08:18 -0000 1.20
@@ -911,12 +911,12 @@
if (!r->updatedn_list)
r->updatedn_list = replica_updatedn_list_new(NULL);
- if (mod_op & LDAP_MOD_DELETE || vs == NULL ||
+ if (SLAPI_IS_MOD_DELETE(mod_op) || vs == NULL ||
(0 == slapi_valueset_count(vs))) /* null value also causes list deletion */
replica_updatedn_list_delete(r->updatedn_list, vs);
- else if (mod_op & LDAP_MOD_REPLACE)
+ else if (SLAPI_IS_MOD_REPLACE(mod_op))
replica_updatedn_list_replace(r->updatedn_list, vs);
- else if (mod_op & LDAP_MOD_ADD)
+ else if (SLAPI_IS_MOD_ADD(mod_op))
replica_updatedn_list_add(r->updatedn_list, vs);
PR_Unlock(r->repl_lock);
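Review bot: Nothing in the hunk records why the bitwise tests were replaced, and since LDAP_MOD_ADD is 0 a test such as `mod_op & LDAP_MOD_ADD` can never be true, so the same mistake is easy to reintroduce; add above the `if` at L57 `/* LDAP_MOD_ADD is 0: classify mod_op with SLAPI_IS_MOD_*, never by bit-test */`. The `vs == NULL` case falling into replica_updatedn_list_delete is covered by the existing comment. The PR_Unlock at L66 pairs with a lock taken outside the hunk, so the start of replica_set_updatedn was not reviewed.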
[Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.29, 1.30
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv558/ldap/servers/slapd
Modified Files:
libglobs.c
Log Message:
Resolves: 470393
Summary: nsslapd-timelimit setting should accept a value of -1.
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- libglobs.c 7 Nov 2008 22:32:57 -0000 1.29
+++ libglobs.c 13 Nov 2008 21:56:29 -0000 1.30
@@ -3018,9 +3018,9 @@
errno = 0;
nVal = strtol(value, &endp, 10);
- if ( *endp != '\0' || errno == ERANGE || nVal < 0 ) {
+ if ( *endp != '\0' || errno == ERANGE || nVal < -1 ) {
PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\", time limit must range from 0 to %ld",
+ "%s: invalid value \"%s\", time limit must range from -1 to %ld",
attrname, value, LONG_MAX );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
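Review bot: The validation at L90 still accepts an empty string: for `value == ""` strtol sets `endp == value`, `*endp` is '\0', errno stays 0 and nVal is 0, so an empty nsslapd-timelimit is silently treated as 0 instead of being rejected. Add the conventional no-digits check, `if ( endp == value || *endp != '\0' || errno == ERANGE || nVal < -1 ) {`. The surrounding function begins outside the hunk; the new message at L93 correctly reflects the widened range.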
[Fedora-directory-commits] ldapserver config.h.in,1.25,1.26
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2757/ldapserver
Modified Files:
config.h.in
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ssorce (Thanks!)
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion
First look for the principal in the ccache. If not found, use the
username if it does not look like a DN. If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn@REALM".
Next, see if the credentials for this principal are still valid. In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM@REALM). If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of Ticket expired. There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: oh yes
Index: config.h.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/config.h.in,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- config.h.in 29 Oct 2008 19:16:29 -0000 1.25
+++ config.h.in 12 Nov 2008 17:42:37 -0000 1.26
@@ -84,12 +84,24 @@
/* Define to 1 if you have the `getpagesize' function. */
#undef HAVE_GETPAGESIZE
+/* define if you have HEIMDAL Kerberos */
+#undef HAVE_HEIMDAL_KERBEROS
+
+/* Define to 1 if you have the <heim_err.h> header file. */
+#undef HAVE_HEIM_ERR_H
+
/* Define to 1 if you have the `inet_ntoa' function. */
#undef HAVE_INET_NTOA
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
+/* define if you have Kerberos V */
+#undef HAVE_KRB5
+
+/* Define to 1 if you have the `krb5_cc_new_unique' function. */
+#undef HAVE_KRB5_CC_NEW_UNIQUE
+
/* Define to 1 if you have the `localtime_r' function. */
#undef HAVE_LOCALTIME_R
[Fedora-directory-commits] ldapserver/ldap/servers/slapd util.c, 1.18, 1.19
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2757/ldapserver/ldap/servers/slapd
Modified Files:
util.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - kerberos improvements
Reviewed by: ssorce (Thanks!)
Fix Description: I made several improvements to the kerberos code at
Simo's suggestion
First look for the principal in the ccache. If not found, use the
username if it does not look like a DN. If still not found, construct a
principal using the krb5_sname_to_principal() function to construct
"ldap/fqdn@REALM".
Next, see if the credentials for this principal are still valid. In
order to grab the credentials from the ccache, I needed to construct the
server principal, which in this case is the TGS service principal (e.g.
krbtgt/REALM@REALM). If the credentials are present and not expired,
then the code assumes they are ok and does not acquire new credentials.
If the credentials are expired or not found, the code will then use the
keytab to authenticate.
Based on more feedback from Simo, I made some additional changes:
* Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn
* Retry the bind in the case of Ticket expired. There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information
Platforms tested: Fedora 8, Fedora 9
Flag Day: no
Doc impact: oh yes
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- util.c 5 Nov 2008 18:21:06 -0000 1.18
+++ util.c 12 Nov 2008 17:42:37 -0000 1.19
@@ -72,10 +72,6 @@
#define _CSEP '/'
#endif
-#ifdef HAVE_KRB5
-static void set_krb5_creds();
-#endif
-
static int special_np(unsigned char c)
{
@@ -1136,7 +1132,7 @@
if (msgidp) { /* let caller process result */
*msgidp = mymsgid;
} else { /* process results */
- rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
+ rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
if (-1 == rc) { /* error */
rc = ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -1219,6 +1215,16 @@
char *realm;
} ldapSaslInteractVals;
+#ifdef HAVE_KRB5
+static void set_krb5_creds(
+ const char *authid,
+ const char *username,
+ const char *passwd,
+ const char *realm,
+ ldapSaslInteractVals *vals
+);
+#endif
+
static void *
ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid,
const char *username, const char *passwd,
@@ -1249,12 +1255,6 @@
}
}
-#ifdef HAVE_KRB5
- if (mech && !strcmp(mech, "GSSAPI")) {
- username = NULL; /* get from krb creds */
- }
-#endif
-
if (username) { /* use explicit passed in value */
vals->username = slapi_ch_strdup(username);
} else { /* use option value if any */
@@ -1281,7 +1281,7 @@
#ifdef HAVE_KRB5
if (mech && !strcmp(mech, "GSSAPI")) {
- set_krb5_creds();
+ set_krb5_creds(authid, username, passwd, realm, vals);
}
#endif /* HAVE_KRB5 */
@@ -1368,6 +1368,20 @@
return (LDAP_SUCCESS);
}
+/* figure out from the context and this error if we should
+ attempt to retry the bind */
+static int
+can_retry_bind(LDAP *ld, const char *mech, const char *bindid,
+ const char *creds, int rc, const char *errmsg)
+{
+ int localrc = 0;
+ if (errmsg && strstr(errmsg, "Ticket expired")) {
+ localrc = 1;
+ }
+
+ return localrc;
+}
+
int
slapd_ldap_sasl_interactive_bind(
LDAP *ld, /* ldap connection */
@@ -1380,22 +1394,36 @@
)
{
int rc = LDAP_SUCCESS;
- void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid,
- creds, NULL);
- /* have to first set the defaults used by the callback function */
- /* call the bind function */
- rc = ldap_sasl_interactive_bind_ext_s(ld, bindid, mech, serverctrls,
- NULL, LDAP_SASL_QUIET,
- ldap_sasl_interact_cb, defaults,
- returnedctrls);
- ldap_sasl_free_interact_vals(defaults);
- if (LDAP_SUCCESS != rc) {
- slapi_log_error(SLAPI_LOG_FATAL, "slapd_ldap_sasl_interactive_bind",
- "Error: could not perform interactive bind for id "
- "[%s] mech [%s]: error %d (%s)\n",
- bindid ? bindid : "(anon)",
- mech ? mech : "SIMPLE",
- rc, ldap_err2string(rc));
+ int tries = 0;
+
+ while (tries < 2) {
+ void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid,
+ creds, NULL);
+ /* have to first set the defaults used by the callback function */
+ /* call the bind function */
+ rc = ldap_sasl_interactive_bind_ext_s(ld, bindid, mech, serverctrls,
+ NULL, LDAP_SASL_QUIET,
+ ldap_sasl_interact_cb, defaults,
+ returnedctrls);
+ ldap_sasl_free_interact_vals(defaults);
+ if (LDAP_SUCCESS != rc) {
+ char *errmsg = NULL;
+ rc = ldap_get_lderrno(ld, NULL, &errmsg);
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_ldap_sasl_interactive_bind",
+ "Error: could not perform interactive bind for id "
+ "[%s] mech [%s]: error %d (%s) (%s)\n",
+ bindid ? bindid : "(anon)",
+ mech ? mech : "SIMPLE",
+ rc, ldap_err2string(rc), errmsg);
+ if (can_retry_bind(ld, mech, bindid, creds, rc, errmsg)) {
+ ; /* pass through to retry one time */
+ } else {
+ break; /* done - fail - cannot retry */
+ }
+ } else {
+ break; /* done - success */
+ }
+ tries++;
}
return rc;
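Review bot: At L309 `errmsg` is passed to a `%s` conversion without a NULL guard, and ldap_get_lderrno can leave it NULL when the server returned no diagnostic text, which is undefined behaviour for printf-style formatting; use `rc, ldap_err2string(rc), errmsg ? errmsg : ""`. can_retry_bind (L254-L264) decides purely from the substring "Ticket expired" and ignores its ld, mech, bindid, creds and rc parameters; a one-line comment saying those are reserved for further checks would stop a reader assuming they are consulted. When the second attempt also fails the loop exits with `rc` holding the second failure, which appears to be the intent.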
@@ -1506,6 +1534,94 @@
return;
}
+static int
+looks_like_a_dn(const char *username)
+{
+ return (username && strchr(username, '='));
+}
+
+static int
+credentials_are_valid(
+ krb5_context ctx,
+ krb5_ccache cc,
+ krb5_principal princ,
+ const char *princ_name,
+ int *rc
+)
+{
+ char *logname = "credentials_are_valid";
+ int myrc = 0;
+ krb5_creds mcreds; /* match these values */
+ krb5_creds creds; /* returned creds */
+ char *tgs_princ_name = NULL;
+ krb5_timestamp currenttime;
+ int authtracelevel = SLAPI_LOG_SHELL; /* special auth tracing */
+ int realm_len;
+ char *realm_str;
+ int time_buffer = 30; /* seconds - go ahead and renew if creds are
+ about to expire */
+
+ memset(&mcreds, 0, sizeof(mcreds));
+ memset(&creds, 0, sizeof(creds));
+ *rc = 0;
+ if (!cc) {
+ /* ok - no error */
+ goto cleanup;
+ }
+
+ /* have to construct the tgs server principal in
+ order to set mcreds.server required in order
+ to use krb5_cc_retrieve_creds() */
+ /* get default realm first */
+ realm_len = krb5_princ_realm(ctx, princ)->length;
+ realm_str = krb5_princ_realm(ctx, princ)->data;
+ tgs_princ_name = slapi_ch_smprintf("%s/%*s@%*s", KRB5_TGS_NAME,
+ realm_len, realm_str,
+ realm_len, realm_str);
+
+ if ((*rc = krb5_parse_name(ctx, tgs_princ_name, &mcreds.server))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Could parse principal [%s]: %d (%s)\n",
+ tgs_princ_name, *rc, error_message(*rc));
+ goto cleanup;
+ }
+
+ mcreds.client = princ;
+ if ((*rc = krb5_cc_retrieve_cred(ctx, cc, 0, &mcreds, &creds))) {
+ if (*rc == KRB5_CC_NOTFOUND) {
+ /* ok - no creds for this princ in the cache */
+ *rc = 0;
+ }
+ goto cleanup;
+ }
+
+ /* have the creds - now look at the timestamp */
+ if ((*rc = krb5_timeofday(ctx, ¤ttime))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Could not get current time: %d (%s)\n",
+ *rc, error_message(*rc));
+ goto cleanup;
+ }
+
+ if (currenttime > (creds.times.endtime + time_buffer)) {
+ slapi_log_error(authtracelevel, logname,
+ "Credentials for [%s] have expired or will soon "
+ "expire - now [%d] endtime [%d]\n", princ_name,
+ currenttime, creds.times.endtime);
+ goto cleanup;
+ }
+
+ myrc = 1; /* credentials are valid */
+cleanup:
+ krb5_free_cred_contents(ctx, &creds);
+ slapi_ch_free_string(&tgs_princ_name);
+ if (mcreds.server) {
+ krb5_free_principal(ctx, mcreds.server);
+ }
+
+ return myrc;
+}
+
/*
* This implementation assumes that we want to use the
* keytab from the default keytab env. var KRB5_KTNAME
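Review bot: The format at L365 uses `%*s`, which takes realm_len as a minimum field width and still reads realm_str up to a NUL terminator; krb5_data carries an explicit length and is not guaranteed to be NUL-terminated, so this can over-read and cannot truncate. The precision form is what is needed: `tgs_princ_name = slapi_ch_smprintf("%s/%.*s@%.*s", KRB5_TGS_NAME, realm_len, realm_str, realm_len, realm_str);`. Separately, the comparison at L393 `currenttime > (creds.times.endtime + time_buffer)` treats credentials as valid until 30 seconds after they expired, the opposite of the early renewal the comment at L348 describes; `if (currenttime + time_buffer > creds.times.endtime)` matches the intent, and the "Ticket expired" retry in slapd_ldap_sasl_interactive_bind currently masks the gap. The message at L371 reads "Could parse principal" and should be "Could not parse principal". (`¤ttime` at L386 looks like an extraction artefact for `&currenttime`.)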
@@ -1517,7 +1633,13 @@
* env var to point to those credentials.
*/
static void
-set_krb5_creds()
+set_krb5_creds(
+ const char *authid,
+ const char *username,
+ const char *passwd,
+ const char *realm,
+ ldapSaslInteractVals *vals
+)
{
char *logname = "set_krb5_creds";
const char *cc_type = "MEMORY"; /* keep cred cache in memory */
@@ -1526,11 +1648,8 @@
krb5_principal princ = NULL;
char *princ_name = NULL;
krb5_error_code rc = 0;
- krb5_error_code looprc = 0;
krb5_creds creds;
krb5_keytab kt = NULL;
- krb5_keytab_entry ktent;
- krb5_kt_cursor ktcur = NULL;
char *cc_name = NULL;
char ktname[MAX_KEYTAB_NAME_LEN];
static char cc_env_name[1024+32]; /* size from ccdefname.c */
@@ -1634,6 +1753,57 @@
goto cleanup;
}
+ /* need to figure out which principal to use
+ 1) use the one from the ccache
+ 2) use username
+ 3) construct one in the form ldap/fqdn@REALM
+ */
+ if (!princ && username && !looks_like_a_dn(username) &&
+ (rc = krb5_parse_name(ctx, username, &princ))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Error: could not convert [%s] into a kerberos "
+ "principal: %d (%s)\n", username,
+ rc, error_message(rc));
+ goto cleanup;
+ }
+
+ /* if still no principal, construct one */
+ if (!princ &&
+ (rc = krb5_sname_to_principal(ctx, NULL, "ldap",
+ KRB5_NT_SRV_HST, &princ))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Error: could not construct ldap service "
+ "principal: %d (%s)\n", rc, error_message(rc));
+ goto cleanup;
+ }
+
+ if ((rc = krb5_unparse_name(ctx, princ, &princ_name))) {
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Unable to get name of principal: "
+ "%d (%s)\n", rc, error_message(rc));
+ goto cleanup;
+ }
+
+ slapi_log_error(authtracelevel, logname,
+ "Using principal named [%s]\n", princ_name);
+
+ /* grab the credentials from the ccache, if any -
+ if the credentials are still valid, we do not have
+ to authenticate again */
+ if (credentials_are_valid(ctx, cc, princ, princ_name, &rc)) {
+ slapi_log_error(authtracelevel, logname,
+ "Credentials for principal [%s] are still "
+ "valid - no auth is necessary.\n",
+ princ_name);
+ goto cleanup;
+ } else if (rc) { /* some error other than "there are no credentials" */
+ slapi_log_error(SLAPI_LOG_FATAL, logname,
+ "Unable to verify cached credentials for "
+ "principal [%s]: %d (%s)\n", princ_name,
+ rc, error_message(rc));
+ goto cleanup;
+ }
+
/* find our default keytab */
if ((rc = krb5_kt_default(ctx, &kt))) {
slapi_log_error(SLAPI_LOG_FATAL, logname,
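Review bot: The fallback at L461 calls krb5_sname_to_principal with a NULL host, so the `ldap/fqdn@REALM` principal is derived from the local hostname as canonicalized by the Kerberos library, which typically depends on the krb5.conf resolver settings rather than on anything the server configures; the trace line at L476 shows the result, but the comment block at L445 should say where the fqdn comes from, e.g. `3) construct ldap/fqdn@REALM from the local hostname as canonicalized by libkrb5`. The username path at L450 is skipped whenever the name contains `=`, which is a reasonable bind-DN heuristic but also excludes any principal containing that character; that limitation belongs in a comment on looks_like_a_dn. set_krb5_creds continues on both sides of this hunk.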
@@ -1653,60 +1823,6 @@
slapi_log_error(authtracelevel, logname,
"Using keytab named [%s]\n", ktname);
- /* if there was no cache, or no principal in the cache, we look
- in the keytab */
- if (!princ) {
- /* just use the first principal in the keytab
- "first principals, clarice"
- */
- if ((rc = krb5_kt_start_seq_get(ctx, kt, &ktcur))) {
- slapi_log_error(SLAPI_LOG_FATAL, logname,
- "Unable to open keytab [%s] cursor: %d (%s)\n",
- ktname, rc, error_message(rc));
- goto cleanup;
- }
-
- memset(&ktent, 0, sizeof(ktent));
- while ((looprc = krb5_kt_next_entry(ctx, kt, &ktent, &ktcur)) == 0) {
- if ((looprc = krb5_unparse_name(ctx, ktent.principal,
- &princ_name))) {
- slapi_log_error(SLAPI_LOG_FATAL, logname,
- "Unable to get name from keytab [%s] "
- "principal: %d (%s)\n", ktname, looprc,
- error_message(looprc));
- break;
- }
- /* found one - make a copy to free later */
- if ((looprc = krb5_copy_principal(ctx, ktent.principal,
- &princ))) {
- slapi_log_error(SLAPI_LOG_FATAL, logname,
- "Unable to copy keytab [%s] principal [%s]: "
- "%d (%s)\n", ktname, princ_name, looprc,
- error_message(looprc));
- break;
- }
- slapi_log_error(authtracelevel, logname,
- "Using keytab principal [%s]\n", princ_name);
- break;
- }
-
- krb5_free_keytab_entry_contents(ctx, &ktent);
- memset(&ktent, 0, sizeof(ktent));
- if ((rc = krb5_kt_end_seq_get(ctx, kt, &ktcur))) {
- slapi_log_error(SLAPI_LOG_FATAL, logname,
- "Unable to close keytab [%s] cursor: %d (%s)\n",
- ktname, rc, error_message(rc));
- goto cleanup;
- }
-
- /* if we had an error in the loop above, just bail out
- after closing the keytab cursor and keytab */
- if (looprc) {
- rc = looprc;
- goto cleanup;
- }
- }
-
/* now do the actual kerberos authentication using
the keytab, and get the creds */
rc = krb5_get_init_creds_keytab(ctx, &creds, princ, kt,
@@ -1809,6 +1925,9 @@
cc_env_name);
}
+ /* use NULL as username */
+ slapi_ch_free_string(&vals->username);
+
cleanup:
krb5_free_unparsed_name(ctx, princ_name);
if (kt) { /* NULL not allowed */
[Fedora-directory-commits] ldapserver/ldap/servers/slapd slapi_counter.c, 1.5, 1.6
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30012/ldap/servers/slapd
Modified Files:
slapi_counter.c
Log Message:
Resolves: 207457
Summary: Correct use of offset in counter ASM for passed in parameter.
Index: slapi_counter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi_counter.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- slapi_counter.c 30 Oct 2008 19:06:55 -0000 1.5
+++ slapi_counter.c 12 Nov 2008 16:58:06 -0000 1.6
@@ -451,7 +451,7 @@
" movl 4%0, %%edx;"
/* Put addval in ECX:EBX */
" movl %2, %%ebx;"
- " movl 4%2, %%ecx;"
+ " movl 4+%2, %%ecx;"
/* Add value from EDX:EAX to value in ECX:EBX */
" addl %%eax, %%ebx;"
" adcl %%edx, %%ecx;"
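Review bot: After this fix the two 64-bit operands are addressed differently, `4%0` at L588 versus the new `4+%2` at L592, and nothing explains why; the prefix form only yields the intended offset when the operand expands to a bare register-indirect form such as `(%reg)`, whereas, presumably, the passed-in parameter can expand to a displaced stack reference where `4` prepended to `8(%ebp)` becomes `48(%ebp)`. A comment above L588 such as `/* %0 is *ptr and expands to (%reg), so 4%0 reaches the high word; %2 may be a stack slot, hence 4+%2 */` would prevent a later cleanup from making the two consistent in the wrong direction. The same pattern appears in the hunk at L600-L601. Whether `4+%0` would also assemble for the register-indirect form was not verified here.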
@@ -498,7 +498,7 @@
" movl %%edx, %%ecx;"
/* Subtract subval from value in ECX:EBX */
" subl %2, %%ebx;"
- " sbbl 4%2, %%ecx;"
+ " sbbl 4+%2, %%ecx;"
/* If EDX:EAX and ptr are the same, replace *ptr with ECX:EBX */
" lock; cmpxchg8b %0;"
" jnz retrysub;"
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm cache.c, 1.7, 1.8
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22092
Modified Files:
cache.c
Log Message:
Resolves: #207457
Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503%
Description: additional fix for #207457; e->ep_refcnt should have been
protected by cache->c_mutex; otherwise it breaks the lru list under stress.
Index: cache.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/cache.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- cache.c 24 Oct 2008 22:36:59 -0000 1.7
+++ cache.c 11 Nov 2008 21:31:41 -0000 1.8
@@ -938,8 +938,8 @@
}
if (e->ep_refcnt == 0)
lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
slapi_counter_increment(cache->c_hits);
} else {
PR_Unlock(cache->c_mutex);
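Review bot: Moving `e->ep_refcnt++` under c_mutex at L631-L632 only closes the race if every other access to ep_refcnt is also made with c_mutex held; the matching decrement (in the cache return path, outside this diff) and any reader that tests `ep_refcnt == 0` to decide LRU placement must use the same lock, which cannot be confirmed from these hunks. The identical change appears in the hunks at L636-L645 and L646-L655; since the three blocks are byte-for-byte the same, a shared static helper for the hit path would keep future locking fixes in one place. A short comment such as `/* ep_refcnt is protected by c_mutex: it decides lru membership */` at L631 would record the invariant this commit relies on.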
@@ -969,8 +969,8 @@
}
if (e->ep_refcnt == 0)
lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
slapi_counter_increment(cache->c_hits);
} else {
PR_Unlock(cache->c_mutex);
@@ -1000,8 +1000,8 @@
}
if (e->ep_refcnt == 0)
lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
slapi_counter_increment(cache->c_hits);
} else {
PR_Unlock(cache->c_mutex);
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_connection.c, 1.20, 1.21 repl5_connection.c, 1.11, 1.12
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31171/ldapserver/ldap/servers/plugins/replication
Modified Files:
windows_connection.c repl5_connection.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 4 - pta, winsync
Reviewed by: nhosoi (Thanks!)
Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead.
For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows.
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Index: windows_connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_connection.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- windows_connection.c 27 Aug 2008 21:46:55 -0000 1.20
+++ windows_connection.c 10 Nov 2008 23:57:47 -0000 1.21
@@ -102,9 +102,6 @@
static Slapi_Eq_Context repl5_start_debug_timeout(int *setlevel);
static void repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel);
static void repl5_debug_timeout_callback(time_t when, void *arg);
-#ifndef DSE_RETURNTEXT_SIZE
-#define SLAPI_DSE_RETURNTEXT_SIZE 512
-#endif
#define STATE_CONNECTED 600
#define STATE_DISCONNECTED 601
@@ -1190,21 +1187,14 @@
conn->plain = slapi_ch_strdup (plain);
if (!pw_ret) slapi_ch_free((void**)&plain);
}
+
/* ugaston: if SSL has been selected in the replication agreement, SSL client
* initialisation should be done before ever trying to open any connection at all.
*/
- if (conn->transport_flags == TRANSPORT_FLAG_TLS)
- {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Replication secured by StartTLS not currently supported\n",
- agmt_get_long_name(conn->agmt));
-
- return_value = CONN_OPERATION_FAILED;
- conn->last_ldap_error = LDAP_STRONG_AUTH_NOT_SUPPORTED;
- conn->state = STATE_DISCONNECTED;
- } else if(conn->transport_flags == TRANSPORT_FLAG_SSL)
+ if ((conn->transport_flags == TRANSPORT_FLAG_TLS) ||
+ (conn->transport_flags == TRANSPORT_FLAG_SSL))
{
/** Make sure the SSL Library has been initialized before anything else **/
@@ -1217,11 +1207,13 @@
conn->last_operation = CONN_INIT;
ber_bvfree(creds);
creds = NULL;
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_connect\n", 0, 0, 0 );
return CONN_SSL_NOT_ENABLED;
- } else
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL)
{
secure = 1;
+ } else
+ {
+ secure = 2; /* 2 means starttls security */
}
}
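Review bot: `secure = 2` at L724 turns a value that was effectively boolean into a three-state code explained only by an inline comment, and the same literal is compared again in the log calls at L735 and L750 and in repl5_connection.c at L960; a named set of constants (constructed example: `enum { SECURE_NONE = 0, SECURE_SSL = 1, SECURE_STARTTLS = 2 };`) would make those comparisons self-describing. Because the value is handed straight to slapi_ldap_init_ext at L737, the encoding is part of that function's contract and should be documented at its definition, which is outside this diff. windows_conn_connect continues on both sides of this hunk.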
@@ -1230,11 +1222,12 @@
/* Now we initialize the LDAP Structure and set options */
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
- "%s: Trying %s slapi_ldap_init\n",
+ "%s: Trying %s%s slapi_ldap_init_ext\n",
agmt_get_long_name(conn->agmt),
- secure ? "secure" : "non-secure");
+ secure ? "secure" : "non-secure",
+ (secure == 2) ? " startTLS" : "");
- conn->ld = slapi_ldap_init(conn->hostname, conn->port, secure, 0);
+ conn->ld = slapi_ldap_init_ext(NULL, conn->hostname, conn->port, secure, 0, NULL);
if (NULL == conn->ld)
{
return_value = CONN_OPERATION_FAILED;
@@ -1242,9 +1235,10 @@
conn->last_operation = CONN_INIT;
conn->last_ldap_error = LDAP_LOCAL_ERROR;
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Failed to establish %sconnection to the consumer\n",
+ "%s: Failed to establish %s%sconnection to the consumer\n",
agmt_get_long_name(conn->agmt),
- secure ? "secure " : "");
+ secure ? "secure " : "",
+ (secure == 2) ? "startTLS " : "");
ber_bvfree(creds);
creds = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_connect\n", 0, 0, 0 );
@@ -1684,6 +1678,26 @@
LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed\n", 0, 0, 0 );
}
+static const char *
+bind_method_to_mech(int bindmethod)
+{
+ switch (bindmethod) {
+ case BINDMETHOD_SSL_CLIENTAUTH:
+ return LDAP_SASL_EXTERNAL;
+ break;
+ case BINDMETHOD_SASL_GSSAPI:
+ return "GSSAPI";
+ break;
+ case BINDMETHOD_SASL_DIGEST_MD5:
+ return "DIGEST-MD5";
+ break;
+ default: /* anything else */
+ return LDAP_SASL_SIMPLE;
+ }
+
+ return LDAP_SASL_SIMPLE;
+}
+
/*
* Check the result of an ldap_simple_bind operation to see we it
* contains the expiration controls
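Review bot: In bind_method_to_mech (L758-L775) each `break` after a `return` and the final `return LDAP_SASL_SIMPLE` at L774 are unreachable; drop the breaks and let the default case be the single trailing return so the control flow reads honestly. The comment at L777-L779 still describes "the result of an ldap_simple_bind operation", but bind_and_check_pwp now binds with whichever mechanism this helper selects; reword it to `Bind with the mechanism selected for conn->bindmethod and check the result for password-policy expiration controls`.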
@@ -1695,101 +1709,26 @@
{
LDAPControl **ctrls = NULL;
- LDAPMessage *res = NULL;
- char *errmsg = NULL;
LDAP *ld = conn->ld;
- int msgid;
- int *msgidAdr = &msgid;
int rc;
+ const char *mech = bind_method_to_mech(conn->bindmethod);
- char * optype; /* ldap_simple_bind or slapd_SSL_client_bind */
-
- LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_conn_set_agmt_changed\n", 0, 0, 0 );
-
- if ( conn->transport_flags == TRANSPORT_FLAG_SSL )
- {
- char *auth;
- optype = "ldap_sasl_bind";
-
- if ( conn->bindmethod == BINDMETHOD_SSL_CLIENTAUTH )
- {
- rc = slapd_sasl_ext_client_bind(conn->ld, &msgidAdr);
- auth = "SSL client authentication";
-
- if ( rc == LDAP_SUCCESS )
- {
- if (conn->last_ldap_error != rc)
- {
- conn->last_ldap_error = rc;
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Replication bind with %s resumed\n",
- agmt_get_long_name(conn->agmt), auth);
- }
- }
- else
- {
- /* Do not report the same error over and over again */
- if (conn->last_ldap_error != rc)
- {
- conn->last_ldap_error = rc;
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Replication bind with %s failed: LDAP error %d (%s)\n",
- agmt_get_long_name(conn->agmt), auth, rc,
- ldap_err2string(rc));
- }
+ LDAPDebug( LDAP_DEBUG_TRACE, "=> bind_and_check_pwp\n", 0, 0, 0 );
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
+ rc = slapi_ldap_bind(conn->ld, binddn, password, mech, NULL,
+ &ctrls, NULL, NULL);
- return (CONN_OPERATION_FAILED);
- }
- }
- else
- {
- if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 )
- {
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
- return (CONN_OPERATION_FAILED);
- }
- }
- }
- else
+ if ( rc == LDAP_SUCCESS )
{
- optype = "ldap_simple_bind";
- if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 )
+ if (conn->last_ldap_error != rc)
{
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
- return (CONN_OPERATION_FAILED);
+ conn->last_ldap_error = rc;
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "%s: Replication bind with %s auth resumed\n",
+ agmt_get_long_name(conn->agmt),
+ mech ? mech : "SIMPLE");
}
- }
- /* Wait for the result */
- if ( ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 )
- {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Received error from consumer for %s operation\n",
-
- agmt_get_long_name(conn->agmt), optype);
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
-
- return (CONN_OPERATION_FAILED);
- }
- /* Don't check ldap_result against 0 because, no timeout is specified */
-
- /* Free res as we won't use it any longer */
- if ( ldap_parse_result( ld, res, &rc, NULL, NULL, NULL, &ctrls, 1 /* Free res */)
- != LDAP_SUCCESS )
- {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Received error from consumer for %s operation\n",
- agmt_get_long_name(conn->agmt), optype);
-
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
-
- return (CONN_OPERATION_FAILED);
- }
-
- if ( rc == LDAP_SUCCESS )
- {
if ( ctrls )
{
int i;
@@ -1820,20 +1759,28 @@
ldap_controls_free( ctrls );
}
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_SUCCESS\n", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "<= bind_and_check_pwp - CONN_OPERATION_SUCCESS\n", 0, 0, 0 );
return (CONN_OPERATION_SUCCESS);
}
else
{
- /* errmsg is a pointer directly into the ld structure - do not free */
- rc = ldap_get_lderrno( ld, NULL, &errmsg );
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Replication bind to %s on consumer failed: %d (%s)\n",
- agmt_get_long_name(conn->agmt), binddn, rc, errmsg);
+ ldap_controls_free( ctrls );
+ /* Do not report the same error over and over again */
+ if (conn->last_ldap_error != rc)
+ {
+ char *errmsg = NULL;
+ conn->last_ldap_error = rc;
+ /* errmsg is a pointer directly into the ld structure - do not free */
+ rc = ldap_get_lderrno( ld, NULL, &errmsg );
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
+ "%s: Replication bind with %s auth failed: LDAP error %d (%s) (%s)\n",
+ agmt_get_long_name(conn->agmt),
+ mech ? mech : "SIMPLE", rc,
+ ldap_err2string(rc), errmsg);
+ }
- conn->last_ldap_error = rc; /* specific error */
- LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 );
+ LDAPDebug( LDAP_DEBUG_TRACE, "<= bind_and_check_pwp - CONN_OPERATION_FAILED\n", 0, 0, 0 );
return (CONN_OPERATION_FAILED);
}
}
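Review bot: At L914 `errmsg` from ldap_get_lderrno is passed to `%s` unguarded; when the consumer returns no diagnostic text it can be NULL, which is undefined behaviour in printf-style formatting even though glibc happens to print "(null)"; use `ldap_err2string(rc), errmsg ? errmsg : ""`. Also `rc` is overwritten at L909 with the value from ldap_get_lderrno after conn->last_ldap_error was set from the original rc at L907, so if the two ever differ the stored and logged errors disagree; logging from a separate local avoids that. The same unguarded `%s` pattern appears in util.c slapd_ldap_sasl_interactive_bind in this series.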
@@ -1861,7 +1808,7 @@
ldap_parse_result( conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */);
/* rebind as the DN specified in the sync agreement */
- do_simple_bind(conn, conn->ld, conn->binddn, conn->plain);
+ bind_and_check_pwp(conn, conn->binddn, conn->plain);
return rc;
}
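Review bot: The return value of `bind_and_check_pwp(conn, conn->binddn, conn->plain)` at L926 is discarded, so if the rebind as the agreement DN fails the function still returns the `rc` from the password check while the connection is left in whatever authentication state the failed bind produced, with nothing logged at this call site. Check the result and report a failure to the caller rather than continuing as if the rebind succeeded; which error code to return depends on the caller's contract, which is outside the hunk. The enclosing function starts outside the hunk.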
@@ -1886,10 +1833,11 @@
conn->last_ldap_error = ldaperr;
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"%s: Simple bind failed, "
- SLAPI_COMPONENT_NAME_LDAPSDK " error %d (%s), "
+ SLAPI_COMPONENT_NAME_LDAPSDK " error %d (%s) (%s), "
SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n",
agmt_get_long_name(conn->agmt),
- ldaperr, ldaperrtext ? ldaperrtext : ldap_err2string(ldaperr),
+ ldaperr, ldap_err2string(ldaperr),
+ ldaperrtext ? ldaperrtext : "",
prerr, slapd_pr_strerror(prerr));
}
}
Index: repl5_connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_connection.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- repl5_connection.c 5 Nov 2008 18:21:05 -0000 1.11
+++ repl5_connection.c 10 Nov 2008 23:57:47 -0000 1.12
@@ -991,9 +991,10 @@
conn->last_operation = CONN_INIT;
conn->last_ldap_error = LDAP_LOCAL_ERROR;
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Failed to establish %sconnection to the consumer\n",
+ "%s: Failed to establish %s%sconnection to the consumer\n",
agmt_get_long_name(conn->agmt),
- secure ? "secure " : "");
+ secure ? "secure " : "",
+ (secure == 2) ? "startTLS " : "");
ber_bvfree(creds);
creds = NULL;
return return_value;
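Review bot: `secure == 2` is used here as the "startTLS" marker with no named constant, and the same bare literal recurs in the later commits on this page (ptconfig.c sets `srvr->ptsrvr_secure = 2;`, dna.c sets `*is_ssl = 2;`, passthru.h only explains it in a comment), so the meaning of 2 lives in four places and only one of them says what it is. Since all of these values end up in the `secure` argument of slapi_ldap_init, a single enum next to that declaration, something like `enum { SECURE_NONE = 0, SECURE_SSL = 1, SECURE_STARTTLS = 2 };` (names are a suggestion), would let every call site read `secure == SECURE_STARTTLS` and let a reviewer spot a mismatch. The log wording for value 2 comes out as "secure startTLS connection", which is acceptable but worth a glance.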
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/passthru passthru.h, 1.5, 1.6 ptconfig.c, 1.9, 1.10
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31171/ldapserver/ldap/servers/plugins/passthru
Modified Files:
passthru.h ptconfig.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 4 - pta, winsync
Reviewed by: nhosoi (Thanks!)
Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead.
For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows.
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Index: passthru.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru/passthru.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- passthru.h 10 Nov 2006 23:45:04 -0000 1.5
+++ passthru.h 10 Nov 2008 23:57:47 -0000 1.6
@@ -112,7 +112,7 @@
char *ptsrvr_url; /* copy from argv[i] */
char *ptsrvr_hostname;
int ptsrvr_port;
- int ptsrvr_secure; /* use SSL? */
+ int ptsrvr_secure; /* use SSL? or TLS == 2 */
int ptsrvr_ldapversion;
int ptsrvr_maxconnections;
int ptsrvr_maxconcurrency;
Index: ptconfig.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru/ptconfig.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- ptconfig.c 8 Oct 2008 17:29:02 -0000 1.9
+++ ptconfig.c 10 Nov 2008 23:57:47 -0000 1.10
@@ -101,7 +101,7 @@
int
passthru_config( int argc, char **argv )
{
- int i, j, rc, tosecs, using_def_connlifetime;
+ int i, j, rc, tosecs, using_def_connlifetime, starttls = 0;
char **suffixarray;
PassThruServer *prevsrvr, *srvr;
PassThruSuffix *suffix, *prevsuffix;
@@ -170,11 +170,13 @@
* parse parameters. format is:
* maxconnections,maxconcurrency,timeout,ldapversion
* OR maxconnections,maxconcurrency,timeout,ldapversion,lifetime
+ * OR maxconnections,maxconcurrency,timeout,ldapversion,lifetime,starttls
*/
*p++ = '\0'; /* p points at space preceding optional arguments */
- rc = sscanf( p, "%d,%d,%d,%d,%d", &srvr->ptsrvr_maxconnections,
+ rc = sscanf( p, "%d,%d,%d,%d,%d,%d", &srvr->ptsrvr_maxconnections,
&srvr->ptsrvr_maxconcurrency, &tosecs,
- &srvr->ptsrvr_ldapversion, &srvr->ptsrvr_connlifetime );
+ &srvr->ptsrvr_ldapversion, &srvr->ptsrvr_connlifetime,
+ &starttls);
if ( rc < 4 ) {
slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM,
"server parameters should be in the form "
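Review bot: The usage text that begins on the hunk's last line (`"server parameters should be in the form "`) continues outside the hunk; the accepted format now has an optional sixth `starttls` field, so verify that this message, and the administrator documentation the commit message flags as impacted, list it. The header comment says starttls is (0, 1), but sscanf accepts any int and the later hunk turns any non-zero value into `ptsrvr_secure = 2`; a check right after the parse, `if ( rc >= 6 && starttls != 0 && starttls != 1 ) { /* log and reject the parameter string */ }`, keeps a mistyped value from being accepted silently. passthru_config starts in the previous hunk and continues past this one.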
@@ -184,8 +186,13 @@
} else if ( rc < 5 ) {
using_def_connlifetime = 1;
srvr->ptsrvr_connlifetime = PASSTHRU_DEF_SRVR_CONNLIFETIME;
- } else {
- using_def_connlifetime = 0;
+ starttls = 0;
+ } else if ( rc < 6 ) {
+ using_def_connlifetime = 0; /* lifetime specified */
+ starttls = 0; /* but not starttls */
+ } else { /* all 6 args supplied */
+ using_def_connlifetime = 0; /* lifetime specified */
+ /* and starttls */
}
if ( srvr->ptsrvr_ldapversion != LDAP_VERSION2
@@ -241,6 +248,9 @@
srvr->ptsrvr_port = ludp->lud_port;
srvr->ptsrvr_secure =
(( ludp->lud_options & LDAP_URL_OPT_SECURE ) != 0 );
+ if (starttls) {
+ srvr->ptsrvr_secure = 2;
+ }
/*
* If a space-separated list of hosts is configured for failover,
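Review bot: When the URL was `ldaps://` (LDAP_URL_OPT_SECURE, which sets ptsrvr_secure to 1 on the line above) and the sixth parameter is also non-zero, the new `if (starttls)` silently overwrites 1 with 2, so an entry configured for LDAPS would instead be treated as startTLS, presumably a plain connection followed by the StartTLS operation, against a port that expects TLS from the first byte. The two settings are contradictory and the configuration should say so instead of picking one: `if (starttls && srvr->ptsrvr_secure) { slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM, "starttls is not meaningful with an ldaps:// URL\n" ); }` followed by whatever this function's existing error path does for a bad server string. passthru_config continues on both sides of the hunk.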
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/dna dna.c, 1.14, 1.15
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/dna
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15522/ldapserver/ldap/servers/plugins/dna
Modified Files:
dna.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 3 - dna plugin
Reviewed by: nkinder (Thanks!)
Fix Description: Changed the DNA code to use the new slapi_ldap_init/slapi_ldap_bind code. Also changed the code to get the port number to use from the replication agreement. Added some more replication internal code knowledge to the DNA code (unfortunately).
Platforms tested: Fedora 9
Flag Day: no
Doc impact: yes
Index: dna.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/dna/dna.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- dna.c 3 Nov 2008 23:21:16 -0000 1.14
+++ dna.c 10 Nov 2008 16:01:05 -0000 1.15
@@ -118,6 +118,7 @@
#define DNA_REPL_CREDS "nsds5ReplicaCredentials"
#define DNA_REPL_BIND_METHOD "nsds5ReplicaBindMethod"
#define DNA_REPL_TRANSPORT "nsds5ReplicaTransportInfo"
+#define DNA_REPL_PORT "nsds5ReplicaPort"
#define DNA_FEATURE_DESC "Distributed Numeric Assignment"
#define DNA_EXOP_FEATURE_DESC "DNA Range Extension Request"
@@ -261,7 +262,7 @@
static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn);
static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server,
char **bind_dn, char **bind_passwd,
- char **bind_method, int *is_ssl);
+ char **bind_method, int *is_ssl, int *port);
/**
*
@@ -1483,7 +1484,6 @@
return ret;
}
-
/*
* dna_request_range()
*
@@ -1500,7 +1500,6 @@
char *bind_passwd = NULL;
char *bind_method = NULL;
int is_ssl = 0;
- int is_client_auth = 0;
struct berval *request = NULL;
char *retoid = NULL;
struct berval *responsedata = NULL;
@@ -1510,6 +1509,7 @@
char *upper_str = NULL;
int set_extend_flag = 0;
int ret = LDAP_OPERATIONS_ERROR;
+ int port = 0;
/* See if we're allowed to send a range request now */
slapi_lock_mutex(config_entry->extend_lock);
@@ -1529,26 +1529,14 @@
/* Fetch the replication bind dn info */
if (dna_get_replica_bind_creds(config_entry->shared_cfg_base, server,
- &bind_dn, &bind_passwd, &bind_method, &is_ssl) != 0) {
+ &bind_dn, &bind_passwd, &bind_method,
+ &is_ssl, &port) != 0) {
slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
"dna_request_range: Unable to retrieve "
"replica bind credentials.\n");
goto bail;
}
- if (strcasecmp(bind_method, "SIMPLE") == 0) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
- "dna_request_range: Using SIMPLE bind method.\n");
- } else if (strcasecmp(bind_method, "SSLCLIENTAUTH") == 0) {
- slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
- "dna_request_range: Using SSLCLIENTAUTH bind method.\n");
- is_client_auth = 1;
- } else {
- slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
- "dna_request_range: Unknown bind method.\n");
- goto bail;
- }
-
if ((request = dna_create_range_request(config_entry->shared_cfg_base)) == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
"dna_request_range: Failed to create "
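Review bot: With the bind-method validation removed, dna_request_range no longer records which mechanism it is about to use, and the mapping in dna_get_replica_bind_creds (later hunk) passes an unrecognized nsds5ReplicaBindMethod value through unchanged and turns a missing one into SIMPLE, so a misconfigured agreement now fails at the bind with less context than before. Restoring one PLUGIN-level line keeps the diagnostic value of the deleted block: `slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, "dna_request_range: Using bind method %s.\n", bind_method ? bind_method : "SIMPLE");` (the NULL guard matters if LDAP_SASL_SIMPLE is a null pointer in the SDK, as it conventionally is). dna_request_range starts before this hunk and continues after it.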
@@ -1556,7 +1544,7 @@
goto bail;
}
- if ((ld = slapi_ldap_init(server->host, is_ssl?server->secureport:server->port, is_ssl, 0)) == NULL) {
+ if ((ld = slapi_ldap_init(server->host, port, is_ssl, 0)) == NULL) {
slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
"dna_request_range: Unable to "
"initialize LDAP session to server %s:%u.\n",
@@ -1567,15 +1555,11 @@
/* Disable referrals and set timelimit and a connect timeout */
ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &config_entry->timeout);
- ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &config_entry->timeout);
+ ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &config_entry->timeout);
/* Bind to the replica server */
- if (is_client_auth) {
- ret = slapd_SSL_client_bind_s(ld, bind_dn, bind_passwd,
- is_ssl, LDAP_VERSION3);
- } else {
- ret = ldap_simple_bind_s(ld, bind_dn, bind_passwd);
- }
+ ret = slapi_ldap_bind(ld, bind_dn, bind_passwd, bind_method,
+ NULL, NULL, NULL, NULL);
if (ret != LDAP_SUCCESS) {
slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM,
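Review bot: Nothing in this hunk performs the StartTLS exchange before `slapi_ldap_bind` sends the credentials when `is_ssl` is 2 (the value assigned for a "TLS" transport in the dna_get_replica_bind_creds hunk); `is_ssl` is only handed to slapi_ldap_init in the previous hunk. If slapi_ldap_init does not itself issue the StartTLS extended operation for that value, a SIMPLE bind here would transmit the replica password in clear text, so please confirm where the negotiation happens and record it at the call site: `/* StartTLS (is_ssl == 2) must already be negotiated by slapi_ldap_init before the bind below */`. `bind_passwd` is also passed for the EXTERNAL and GSSAPI mappings; harmless if the helper ignores it for those mechanisms, but a short comment would say so. The removed code chose the bind primitive per mechanism, so the new single call is cleaner provided the helper covers the same cases. dna_request_range continues outside the hunk.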
@@ -2363,14 +2347,14 @@
static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server,
char **bind_dn, char **bind_passwd,
- char **bind_method, int *is_ssl)
+ char **bind_method, int *is_ssl, int *port)
{
Slapi_PBlock *pb = NULL;
Slapi_DN *range_sdn = NULL;
char *replica_dn = NULL;
Slapi_Backend *be = NULL;
const char *be_suffix = NULL;
- char *attrs[5];
+ char *attrs[6];
char *filter = NULL;
char *bind_cred = NULL;
char *transport = NULL;
@@ -2388,15 +2372,16 @@
replica_dn = slapi_ch_smprintf("cn=replica,cn=\"%s\",cn=mapping tree,cn=config",
be_suffix);
- filter = slapi_ch_smprintf("(&(nsds5ReplicaHost=%s)(|(nsds5ReplicaPort=%u)"
- "(nsds5ReplicaPort=%u)))",
+ filter = slapi_ch_smprintf("(&(nsds5ReplicaHost=%s)(|(" DNA_REPL_PORT "=%u)"
+ "(" DNA_REPL_PORT "=%u)))",
server->host, server->port, server->secureport);
attrs[0] = DNA_REPL_BIND_DN;
attrs[1] = DNA_REPL_CREDS;
attrs[2] = DNA_REPL_BIND_METHOD;
attrs[3] = DNA_REPL_TRANSPORT;
- attrs[4] = 0;
+ attrs[4] = DNA_REPL_PORT;
+ attrs[5] = 0;
pb = slapi_pblock_new();
if (NULL == pb) {
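Review bot: `server->host` is substituted into the search filter with a plain `%s`, so any LDAP filter metacharacter in the host value of the shared DNA configuration entry changes the meaning of the filter; this predates the commit, but the line is rewritten here, which is the right moment to escape the value (a server-provided filter-escaping helper if one exists, otherwise a local escape of `*`, `(`, `)`, `\` and NUL per RFC 4515) before it is formatted. The two `%u` port substitutions need no escaping. Using DNA_REPL_PORT in both the filter and the attrs array is an improvement over the duplicated literal. dna_get_replica_bind_creds starts in the previous hunk and continues past this one.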
@@ -2440,14 +2425,34 @@
*bind_method = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_BIND_METHOD);
bind_cred = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_CREDS);
transport = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_TRANSPORT);
+ *port = slapi_entry_attr_get_int(entries[0], DNA_REPL_PORT);
/* Check if we should use SSL */
if (transport && (strcasecmp(transport, "SSL") == 0)) {
*is_ssl = 1;
+ } else if (transport && (strcasecmp(transport, "TLS") == 0)) {
+ *is_ssl = 2;
} else {
*is_ssl = 0;
}
+ /* fix up the bind method */
+ if ((NULL == *bind_method) || (strcasecmp(*bind_method, "SIMPLE") == 0)) {
+ slapi_ch_free_string(bind_method);
+ *bind_method = slapi_ch_strdup(LDAP_SASL_SIMPLE);
+ } else if (strcasecmp(*bind_method, "SSLCLIENTAUTH") == 0) {
+ slapi_ch_free_string(bind_method);
+ *bind_method = slapi_ch_strdup(LDAP_SASL_EXTERNAL);
+ } else if (strcasecmp(*bind_method, "SASL/GSSAPI") == 0) {
+ slapi_ch_free_string(bind_method);
+ *bind_method = slapi_ch_strdup("GSSAPI");
+ } else if (strcasecmp(*bind_method, "SASL/DIGEST-MD5") == 0) {
+ slapi_ch_free_string(bind_method);
+ *bind_method = slapi_ch_strdup("DIGEST-MD5");
+ } else { /* some other weird value */
+ ; /* just use it directly */
+ }
+
/* Decode the password */
if (bind_cred) {
int pw_ret = 0;
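Review bot: The SIMPLE branch does `slapi_ch_strdup(LDAP_SASL_SIMPLE)`, and LDAP_SASL_SIMPLE is conventionally a null pointer in the LDAP C SDKs, which would leave `*bind_method` NULL after the "fix up" (this appears to be why the next hunk drops `*bind_method` from the success check), but nothing in the code says so; add `/* LDAP_SASL_SIMPLE is NULL in the SDK, so a NULL method means simple bind; callers must not require *bind_method */` above that branch and confirm slapi_ch_strdup(NULL) returns NULL rather than dereferencing it. The new `*port = slapi_entry_attr_get_int(entries[0], DNA_REPL_PORT);` has no fallback when the attribute is absent or non-numeric, which presumably yields 0 and later an init to port 0; `if (*port <= 0) { *port = (*is_ssl == 1) ? server->secureport : server->port; }` placed after the transport check restores the previous port selection. The empty `else { ; }` with its two comments reads better as a single comment on the closing brace. dna_get_replica_bind_creds starts in an earlier hunk and continues past this one.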
@@ -2472,7 +2477,7 @@
/* If we didn't get both a bind DN and a decoded password,
* then just free everything and return an error. */
- if (*bind_dn && *bind_passwd && *bind_method) {
+ if (*bind_dn && *bind_passwd) {
ret = 0;
} else {
slapi_ch_free_string(bind_dn);