[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm index.c, 1.11, 1.12
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12769/servers/slapd/back-ldbm
Modified Files:
index.c
Log Message:
Resolves #222918
Summary: server crash after deleting supposedly deleted attribute
Description:
index.c: if there is no attribute to delete, don't call index_addordel_values_sv
string.c: changed string_values2keys to handle NULL bvals
Index: index.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/index.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- index.c 28 Sep 2007 22:54:16 -0000 1.11
+++ index.c 28 Sep 2007 23:46:40 -0000 1.12
@@ -628,9 +628,12 @@
flags = BE_INDEX_DEL|BE_INDEX_PRESENCE|BE_INDEX_EQUALITY;
}
- /* Update the index */
- index_addordel_values_sv( be, mods[i]->mod_type,
- deleted_valueArray, evals, id, flags, txn);
+ /* Update the index, if necessary */
+ if (deleted_valueArray) {
+ index_addordel_values_sv( be, mods[i]->mod_type,
+ deleted_valueArray, evals, id,
+ flags, txn );
+ }
slapi_valueset_free(mod_vals);
} else {
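Review bot: The guarded call to `index_addordel_values_sv` in this hunk still discards its return value, whereas the call at the end of the next hunk assigns it to `rc`, so a failed index update on this delete path would go unnoticed. Consider `rc = index_addordel_values_sv( be, mods[i]->mod_type, deleted_valueArray, evals, id, flags, txn );` with the same error handling the other call uses. The enclosing function starts and ends outside the hunk, so how `rc` is consumed afterwards cannot be confirmed from here.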
@@ -645,18 +648,18 @@
flags = BE_INDEX_DEL;
}
- /* If the same value doesn't exist in a subtype, set
- * BE_INDEX_EQUALITY flag so the equality index is
- * removed.
- */
- slapi_entry_attr_find( olde->ep_entry, mods[i]->mod_type, &curr_attr);
+ /* If the same value doesn't exist in a subtype, set
+ * BE_INDEX_EQUALITY flag so the equality index is
+ * removed.
+ */
+ slapi_entry_attr_find( olde->ep_entry, mods[i]->mod_type, &curr_attr);
for (j = 0; mods_valueArray[j] != NULL; j++ ) {
- if ( valuearray_find(curr_attr, evals, mods_valueArray[j]) == -1 ) {
+ if ( valuearray_find(curr_attr, evals, mods_valueArray[j]) == -1 ) {
if (!(flags & BE_INDEX_EQUALITY)) {
- flags |= BE_INDEX_EQUALITY;
+ flags |= BE_INDEX_EQUALITY;
}
}
- }
+ }
rc = index_addordel_values_sv( be, basetype,
mods_valueArray,
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/syntaxes string.c, 1.8, 1.9
by Doctor Conrad
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/syntaxes
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12769/servers/plugins/syntaxes
Modified Files:
string.c
Log Message:
Resolves #222918
Summary: server crash after deleting supposedly deleted attribute
Description:
index.c: if there is no attribute to delete, don't call index_addordel_values_sv
string.c: changed string_values2keys to handle NULL bvals
Index: string.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/syntaxes/string.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- string.c 19 Sep 2007 19:32:03 -0000 1.8
+++ string.c 28 Sep 2007 23:46:40 -0000 1.9
@@ -310,59 +310,54 @@
string_values2keys( Slapi_PBlock *pb, Slapi_Value **bvals,
Slapi_Value ***ivals, int syntax, int ftype )
{
- int nsubs, numbvals, i, n, j;
- Slapi_Value **nbvals;
+ int nsubs, numbvals = 0, n;
+ Slapi_Value **nbvals, **nbvlp;
+ Slapi_Value **bvlp;
char *w, *c, *p;
- char buf[SUBLEN+1];
switch ( ftype ) {
case LDAP_FILTER_EQUALITY:
/* allocate a new array for the normalized values */
- for ( numbvals = 0; bvals[numbvals] != NULL; numbvals++ ) {
- /* NULL */
+ for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
+ numbvals++;
}
- nbvals = (Slapi_Value **) slapi_ch_malloc( (numbvals+1) * sizeof(Slapi_Value *));
+ nbvals = (Slapi_Value **) slapi_ch_calloc( (numbvals + 1), sizeof(Slapi_Value *));
- for ( i = 0; i < numbvals; i++ )
+ for ( bvlp = bvals, nbvlp = nbvals; bvlp && *bvlp; bvlp++, nbvlp++ )
{
- c = slapi_ch_strdup(slapi_value_get_string(bvals[i]));
+ c = slapi_ch_strdup(slapi_value_get_string(*bvlp));
/* if the NORMALIZED flag is set, skip normalizing */
- if (!(slapi_value_get_flags(bvals[i]) & SLAPI_ATTR_FLAG_NORMALIZED))
+ if (!(slapi_value_get_flags(*bvlp) & SLAPI_ATTR_FLAG_NORMALIZED))
value_normalize( c, syntax, 1 /* trim leading blanks */ );
- nbvals[i] = slapi_value_new_string_passin(c);
+ *nbvlp = slapi_value_new_string_passin(c);
}
- nbvals[i] = NULL;
*ivals = nbvals;
break;
case LDAP_FILTER_APPROX:
/* XXX should not do this twice! XXX */
/* get an upper bound on the number of ivals */
- numbvals = 0;
- for ( i = 0; bvals[i] != NULL; i++ ) {
- for ( w = first_word( (char*)slapi_value_get_string(bvals[i]) ); w != NULL;
- w = next_word( w ) ) {
+ for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
+ for ( w = first_word( (char*)slapi_value_get_string(*bvlp) );
+ w != NULL; w = next_word( w ) ) {
numbvals++;
}
}
- nbvals = (Slapi_Value **) slapi_ch_malloc( (numbvals + 1) * sizeof(Slapi_Value *) );
+ nbvals = (Slapi_Value **) slapi_ch_calloc( (numbvals + 1), sizeof(Slapi_Value *) );
n = 0;
- for ( i = 0; bvals[i] != NULL; i++ ) {
- for ( w = first_word( (char*)slapi_value_get_string(bvals[i]) ); w != NULL;
- w = next_word( w ) ) {
+ nbvlp = nbvals;
+ for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
+ for ( w = first_word( (char*)slapi_value_get_string(*bvlp) );
+ w != NULL; w = next_word( w ) ) {
if ( (c = phonetic( w )) != NULL ) {
- nbvals[n] = slapi_value_new_string_passin(c);
- n++;
+ *nbvlp = slapi_value_new_string_passin(c);
+ nbvlp++;
}
}
}
- nbvals[n] = NULL;
- if ( n == 0 ) {
- slapi_ch_free((void**)ivals );
- return( 0 );
- }
+ /* even if (n == 0), we should return the array nbvals w/ NULL items */
*ivals = nbvals;
break;
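Review bot: In the LDAP_FILTER_APPROX branch `n = 0;` is now a dead store, because the fill loop advances `nbvlp` instead of `n`, and the added comment `even if (n == 0)` refers to a counter that no longer counts anything. I would drop the assignment and reword the comment to `/* if no phonetic keys were produced, still return nbvals as an empty NULL-terminated array */`. The removed early return also changes the contract: callers used to get `*ivals` freed and a return of 0, and now receive an allocated empty array they must free, which deserves a line in the function's header comment. The function body continues outside this hunk.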
@@ -370,9 +365,11 @@
{
/* XXX should remove duplicates! XXX */
Slapi_Value *bvdup;
- const struct berval *bvp;
+ const struct berval *bvp;
+ char buf[SUBLEN+1];
+ int i;
nsubs = 0;
- for ( i = 0; bvals[i] != NULL; i++ ) {
+ for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
/*
* Note: this calculation may err on the high side,
* because value_normalize(), which is called below
@@ -384,27 +381,26 @@
* the only downside is that we allocate more space than
* we really need.
*/
- nsubs += slapi_value_get_length(bvals[i]) - SUBLEN + 3;
+ nsubs += slapi_value_get_length(*bvlp) - SUBLEN + 3;
}
- *ivals = (Slapi_Value **) slapi_ch_malloc( (nsubs + 1) * sizeof(Slapi_Value *) );
+ *ivals = (Slapi_Value **) slapi_ch_calloc( (nsubs + 1), sizeof(Slapi_Value *) );
buf[SUBLEN] = '\0';
n = 0;
bvdup= slapi_value_new();
- for ( i = 0; bvals[i] != NULL; i++ )
- {
- c = slapi_ch_strdup(slapi_value_get_string(bvals[i]));
+ for ( bvlp = bvals; bvlp && *bvlp; bvlp++ ) {
+ c = slapi_ch_strdup(slapi_value_get_string(*bvlp));
value_normalize( c, syntax, 1 /* trim leading blanks */ );
- slapi_value_set_string_passin(bvdup, c);
+ slapi_value_set_string_passin(bvdup, c);
- bvp = slapi_value_get_berval(bvdup);
+ bvp = slapi_value_get_berval(bvdup);
/* leading */
if ( bvp->bv_len > SUBLEN - 2 ) {
buf[0] = '^';
- for ( j = 0; j < SUBLEN - 1; j++ ) {
- buf[j + 1] = bvp->bv_val[j];
+ for ( i = 0; i < SUBLEN - 1; i++ ) {
+ buf[i + 1] = bvp->bv_val[i];
}
(*ivals)[n] = slapi_value_new_string(buf);
n++;
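Review bot: With the switch to `slapi_ch_calloc` and the explicit `(*ivals)[n] = NULL;` removed in the last hunk of this file, NULL termination of `*ivals` depends entirely on `nsubs` being a true upper bound on `n`. `nsubs` is a signed running sum of `slapi_value_get_length(*bvlp) - SUBLEN + 3`, so any value shorter than `SUBLEN - 3` would contribute a negative term and shrink the allocation; SUBLEN is defined outside the hunk, so whether that can happen is not visible here. I would add only positive terms to `nsubs` (or clamp with `if (nsubs < 0) nsubs = 0;` before the allocation) and assert `n <= nsubs` after the loop, so that an undersized array shows up as a failed check instead of an unterminated or overrun key list.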
@@ -414,8 +410,8 @@
for ( p = bvp->bv_val;
p < (bvp->bv_val + bvp->bv_len - SUBLEN + 1);
p++ ) {
- for ( j = 0; j < SUBLEN; j++ ) {
- buf[j] = p[j];
+ for ( i = 0; i < SUBLEN; i++ ) {
+ buf[i] = p[i];
}
buf[SUBLEN] = '\0';
(*ivals)[n] = slapi_value_new_string(buf);
@@ -425,8 +421,8 @@
/* trailing */
if ( bvp->bv_len > SUBLEN - 2 ) {
p = bvp->bv_val + bvp->bv_len - SUBLEN + 1;
- for ( j = 0; j < SUBLEN - 1; j++ ) {
- buf[j] = p[j];
+ for ( i = 0; i < SUBLEN - 1; i++ ) {
+ buf[i] = p[i];
}
buf[SUBLEN - 1] = '$';
(*ivals)[n] = slapi_value_new_string(buf);
@@ -434,7 +430,6 @@
}
}
slapi_value_free(&bvdup);
- (*ivals)[n] = NULL;
}
break;
}
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd saslbind.c, 1.24, 1.25
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12366/servers/slapd
Modified Files:
saslbind.c
Log Message:
Resolves: 311851
Summary: Remove hard-coded SASL mappings and use config based regex mappings instead.
Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- saslbind.c 8 Jun 2007 23:19:18 -0000 1.24
+++ saslbind.c 28 Sep 2007 23:34:55 -0000 1.25
@@ -290,115 +290,55 @@
)
{
int found = 0;
- unsigned fsize = 0, ulen, rlen = 0;
int attrsonly = 0, scope = LDAP_SCOPE_SUBTREE;
- char filter[1024], *fptr = filter;
LDAPControl **ctrls = NULL;
Slapi_Entry *entry = NULL;
Slapi_DN *sdn;
char **attrs = NULL;
- char *userattr = "uid", *realmattr = NULL, *ufilter = NULL;
- void *node;
int regexmatch = 0;
- char *regex_ldap_search_base = NULL;
- char *regex_ldap_search_filter = NULL;
+ char *base = NULL;
+ char *filter = NULL;
- /* TODO: userattr & realmattr should be configurable */
-
- /*
- * Check for dn: prefix. See RFC 2829 section 9.
- */
- if (strncasecmp(user, "dn:", 3) == 0) {
- sprintf(fptr, "(objectclass=*)");
- scope = LDAP_SCOPE_BASE;
- ids_sasl_user_search((char*)user+3, scope, filter,
+ /* Check for wildcards in the authid and realm. If we encounter one,
+ * just fail the mapping without performing a costly internal search. */
+ if (user && strchr(user, '*')) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search encountered a wildcard in "
+ "the authid. Not attempting to map to entry. (authid=%s)\n", user, 0, 0);
+ return NULL;
+ } else if (user_realm && strchr(user_realm, '*')) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search encountered a wildcard in "
+ "the realm. Not attempting to map to entry. (realm=%s)\n", user_realm, 0, 0);
+ return NULL;
+ }
+
+ /* New regex-based identity mapping */
+ regexmatch = sasl_map_domap((char*)user, (char*)user_realm, &base, &filter);
+ if (regexmatch) {
+ ids_sasl_user_search(base, scope, filter,
ctrls, attrs, attrsonly,
&entry, &found);
- } else {
- int offset = 0;
- if (strncasecmp(user,"u:",2) == 0 )
- offset = 2;
- /* TODO: quote the filter values */
-
- /* New regex-based identity mapping : we call it here before the old code.
- * If there's a match, we skip the old way, otherwise we plow ahead for backwards compatibility reasons
- */
- regexmatch = sasl_map_domap((char*)user, (char*)user_realm, ®ex_ldap_search_base, ®ex_ldap_search_filter);
- if (regexmatch) {
-
- ids_sasl_user_search(regex_ldap_search_base, scope, regex_ldap_search_filter,
- ctrls, attrs, attrsonly,
- &entry, &found);
-
- /* Free the filter etc */
- slapi_ch_free((void**)®ex_ldap_search_base);
- slapi_ch_free((void**)®ex_ldap_search_filter);
- } else {
-
- /* Ensure no buffer overflow. */
- /* We don't know what the upper limits on username and
- * realm lengths are. There don't seem to be any defined
- * in the relevant standards. We may find in the future
- * that a 1K buffer is insufficient for some mechanism,
- * but it seems unlikely given that the values are exposed
- * to the end user.
- */
- ulen = strlen(user+offset);
- fsize += strlen(userattr) + ulen;
- if (realmattr && user_realm) {
- rlen = strlen(user_realm);
- fsize += strlen(realmattr) + rlen;
- }
- if (ufilter) fsize += strlen(ufilter);
- fsize += 100; /* includes a good safety margin */
- if (fsize > 1024) {
- LDAPDebug(LDAP_DEBUG_ANY, "sasl user name and/or realm too long"
- " (ulen=%u, rlen=%u)\n", ulen, rlen, 0);
- return NULL;
- }
-
- /* now we can safely write the filter */
- sprintf(fptr, "(&(%s=%s)", userattr, user+offset);
- fptr += strlen(fptr);
- if (realmattr && user_realm) {
- sprintf(fptr, "(%s=%s)", realmattr, user_realm);
- fptr += strlen(fptr);
- }
- if (ufilter) {
- if (*ufilter == '(') {
- sprintf(fptr, "%s", ufilter);
- } else {
- sprintf(fptr, "(%s)", ufilter);
- }
- fptr += strlen(fptr);
- }
- sprintf(fptr, ")");
-
- /* iterate through the naming contexts */
- for (sdn = slapi_get_first_suffix(&node, 0); sdn != NULL;
- sdn = slapi_get_next_suffix(&node, 0)) {
-
- ids_sasl_user_search((char*)slapi_sdn_get_dn(sdn), scope, filter,
- ctrls, attrs, attrsonly,
- &entry, &found);
+ if (found == 1) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found this entry: dn:%s, "
+ "matching filter=%s\n", entry->e_sdn.dn, filter, 0);
+ } else if (found == 0) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries matching "
+ "filter=%s\n", filter, 0, 0);
+ } else {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found more than one entry "
+ "matching filter=%s\n", filter, 0, 0);
+ if (entry) {
+ slapi_entry_free(entry);
+ entry = NULL;
}
}
- }
- if (found == 1) {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found this entry: dn:%s, matching filter=%s\n", entry->e_sdn.dn, filter, 0);
- return entry;
- }
-
- if (found == 0) {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries matching filter=%s\n", filter, 0, 0);
- } else {
- LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found more than one entry matching filter=%s\n", filter, 0, 0);
+ /* Free the filter etc */
+ slapi_ch_free_string(&base);
+ slapi_ch_free_string(&filter);
}
- if (entry) slapi_entry_free(entry);
- return NULL;
+ return entry;
}
static char *buf2str(const char *buf, unsigned buflen)
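Review bot: The new pre-check rejects only `*` in `user` and `user_realm`, while the removed code carried a `TODO: quote the filter values` that this change does not carry forward. The authid is now substituted into the search filter by `sasl_map_domap`, whose body is not in this hunk, so whether `(`, `)` and `\` are escaped per RFC 4515 before they reach `filter` cannot be confirmed here. If they are not, an authid containing those characters could change the structure of the filter and map to an unintended entry. The escaping belongs where the template is expanded, since rejecting those characters here would also reject legitimate `dn:` authids. At minimum I would add `/* only '*' is rejected here; sasl_map_domap() is responsible for escaping filter metacharacters in substituted values */` above the call.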
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/ldif template-sasl.ldif.in, NONE, 1.1
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/ldif
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12366/ldif
Added Files:
template-sasl.ldif.in
Log Message:
Resolves: 311851
Summary: Remove hard-coded SASL mappings and use config based regex mappings instead.
--- NEW FILE template-sasl.ldif.in ---
# replace the Suffix token with your suffix e.g. dc=example,dc=com
dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: Kerberos uid mapping
nsSaslMapRegexString: \(.*\)(a)\(.*\)\.\(.*\)
nsSaslMapBaseDNTemplate: dc=\2,dc=\3
nsSaslMapFilterTemplate: (uid=\1)
dn: cn=rfc 2829 dn syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 dn syntax
nsSaslMapRegexString: ^dn:\(.*\)
nsSaslMapBaseDNTemplate: \1
nsSaslMapFilterTemplate: (objectclass=*)
dn: cn=rfc 2829 u syntax,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: rfc 2829 u syntax
nsSaslMapRegexString: ^u:\(.*\)
nsSaslMapBaseDNTemplate: %ds_suffix%
nsSaslMapFilterTemplate: (uid=\1)
dn: cn=uid mapping,cn=mapping,cn=sasl,cn=config
objectClass: top
objectClass: nsSaslMapping
cn: uid mapping
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapBaseDNTemplate: %ds_suffix%
nsSaslMapFilterTemplate: (uid=&)
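Review bot: The `Kerberos uid mapping` pattern is unanchored and its groups are greedy, so for a realm with more than two labels the second group absorbs everything up to the last dot and `nsSaslMapBaseDNTemplate: dc=\2,dc=\3` yields one `dc=` component containing a dot instead of one component per label (this assumes `(a)` in the pattern is the list archive's rendering of `@`). Without a leading `^` it can also match authids that start with `u:` and contain a realm, so the result depends on the order in which mappings are evaluated, which is not visible here. I would anchor the pattern with `^` and `$` and say in the header comment that multi-label realms need a site-specific mapping. The header comment also speaks of a `Suffix token` while the entries use `%ds_suffix%`; naming the actual token would help.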
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/admin/src/scripts DSCreate.pm.in, 1.6, 1.7
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/admin/src/scripts
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv12366/admin/src/scripts
Modified Files:
DSCreate.pm.in
Log Message:
Resolves: 311851
Summary: Remove hard-coded SASL mappings and use config based regex mappings instead.
Index: DSCreate.pm.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/admin/src/scripts/DSCreate.pm.in,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- DSCreate.pm.in 7 Sep 2007 15:02:25 -0000 1.6
+++ DSCreate.pm.in 28 Sep 2007 23:34:55 -0000 1.7
@@ -295,7 +295,8 @@
}
my @ldiffiles = ("$inf->{General}->{prefix}@templatedir(a)/template-dse.ldif",
- "$inf->{General}->{prefix}@templatedir(a)/template-suffix-db.ldif");
+ "$inf->{General}->{prefix}@templatedir(a)/template-suffix-db.ldif",
+ "$inf->{General}->{prefix}@templatedir(a)/template-sasl.ldif");
if ("@enable_pam_passthru@") {
push @ldiffiles, "$inf->{General}->{prefix}@templatedir(a)/template-pampta.ldif";
}
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm index.c, 1.10, 1.11
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4287
Modified Files:
index.c
Log Message:
Resolves: 219586
Summary: Fixed leak of Slapi_Value in index code.
Index: index.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/index.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- index.c 10 Nov 2006 23:45:39 -0000 1.10
+++ index.c 28 Sep 2007 22:54:16 -0000 1.11
@@ -535,7 +535,8 @@
slapi_entry_attr_find( olde->ep_entry, mods[i]->mod_type, &curr_attr );
if ( mods_valueArray != NULL ) {
for ( j = 0; mods_valueArray[j] != NULL; j++ ) {
- valuearray_remove_value(curr_attr, evals, mods_valueArray[j]);
+ Slapi_Value *rval = valuearray_remove_value(curr_attr, evals, mods_valueArray[j]);
+ slapi_value_free( &rval );
}
}
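Review bot: Nothing at these call sites says that `valuearray_remove_value` hands the removed `Slapi_Value` to the caller, which is the whole reason for the new `slapi_value_free( &rval )`; the same applies to the two later hunks in this file. A short comment such as `/* valuearray_remove_value() returns the removed value; we own it and must free it */` above the first use would keep a later edit from reintroducing the leak. Whether the function can return NULL when the value is not found, and whether `slapi_value_free` accepts that, is not visible in these hunks and is worth confirming.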
@@ -549,7 +550,8 @@
}
} else {
/* Remove duplicate value from deleted value array */
- valuearray_remove_value(curr_attr, deleted_valueArray, deleted_valueArray[j]);
+ Slapi_Value *rval = valuearray_remove_value(curr_attr, deleted_valueArray, deleted_valueArray[j]);
+ slapi_value_free( &rval );
j--;
}
}
@@ -615,7 +617,8 @@
}
} else {
/* Remove duplicate value from the mod list */
- valuearray_remove_value(curr_attr, deleted_valueArray, deleted_valueArray[j]);
+ Slapi_Value *rval = valuearray_remove_value(curr_attr, deleted_valueArray, deleted_valueArray[j]);
+ slapi_value_free( &rval );
j--;
}
}
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/passthru ptconfig.c, 1.6, 1.7
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4136
Modified Files:
ptconfig.c
Log Message:
Resolves: 197997
Summary: Fixed PTA config parsing to use a comma delimiter instead of a space.
Index: ptconfig.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru/ptconfig.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- ptconfig.c 10 Nov 2006 23:45:04 -0000 1.6
+++ ptconfig.c 28 Sep 2007 22:46:50 -0000 1.7
@@ -134,7 +134,7 @@
srvr = (PassThruServer *)slapi_ch_calloc( 1, sizeof( PassThruServer ));
srvr->ptsrvr_url = slapi_ch_strdup( argv[i] );
- if (( p = strchr( srvr->ptsrvr_url, ' ' )) == NULL ) {
+ if (( p = strchr( srvr->ptsrvr_url, ',' )) == NULL ) {
/*
* use defaults for maxconnections, maxconcurrency, timeout,
* LDAP version, and connlifetime.
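Review bot: `strchr( srvr->ptsrvr_url, ',' )` finds the first comma anywhere in the argument, and an LDAP URL that carries a subtree DN normally contains commas itself (for example the constructed value `ldap://host/dc=example,dc=com`). If the optional settings follow the URL after a comma, the split point would then land inside the DN and truncate the URL; the parsing after this line is outside the hunk, so this is inferred from the one visible call. I would search for the delimiter only after the end of the URL portion, or state in the comment here which part of the argument the comma separates and that the URL itself must not contain an unescaped one.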
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_agmt.c, 1.11, 1.12
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4048
Modified Files:
repl5_agmt.c
Log Message:
Resolves: 158667
Summary: Fractional replication log statement needed a newline.
Index: repl5_agmt.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmt.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- repl5_agmt.c 10 Nov 2006 23:45:17 -0000 1.11
+++ repl5_agmt.c 28 Sep 2007 22:41:09 -0000 1.12
@@ -399,7 +399,7 @@
{
/* Report the error to the client */
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "WARNING: "
- "Attempt to exclude illegal attributes from a fractional agreement");
+ "Attempt to exclude illegal attributes from a fractional agreement\n");
/* Free the list */
slapi_ch_array_free(denied_attrs);
goto loser;
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_search.c, 1.10, 1.11
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13436
Modified Files:
ldbm_search.c
Log Message:
Resolves: 288521
Summary: Presence filter using attribute subtype returns incorrect search results.
Index: ldbm_search.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_search.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- ldbm_search.c 17 Sep 2007 19:18:31 -0000 1.10
+++ ldbm_search.c 27 Sep 2007 21:33:37 -0000 1.11
@@ -943,10 +943,12 @@
IDList *idl
)
{
+ int rc = 0;
+
/* Is the ID list ALLIDS ? */
if ( ALLIDS(idl)) {
/* If so, then can't optimize */
- return 0;
+ return rc;
}
/* Is this a base scope search? */
@@ -956,11 +958,40 @@
* the entrydn index in producing our 1 candidate, and that means
* we have not used the filter to produce the candidate list.
*/
- return 0;
+ return rc;
}
-
+
/* Grok the filter and tell me if it has only equality components in it */
- return grok_filter(f);
+ rc = grok_filter(f);
+
+ /* If we haven't determined that we can't skip the filter test already,
+ * do one last check for attribute subtypes. We don't need to worry
+ * about any complex filters here since grok_filter() will have already
+ * assumed that we can't skip the filter test in those cases. */
+ if (rc != 0) {
+ char *type = NULL;
+ char *basetype = NULL;
+
+ /* We don't need to free type since that's taken
+ * care of when the filter is free'd later. We
+ * do need to free basetype when we are done. */
+ slapi_filter_get_attribute_type(f, &type);
+ basetype = slapi_attr_basetype(type, NULL, 0);
+
+ /* Is the filter using an attribute subtype? */
+ if (strcasecmp(type, basetype) != 0) {
+ /* If so, we can't optimize since attribute subtypes
+ * are simply indexed under their basetype attribute.
+ * The basetype index has no knowledge of the subtype
+ * itself. In the future, we should add support for
+ * indexing the subtypes so we can optimize this type
+ * of search. */
+ rc = 0;
+ }
+ slapi_ch_free_string(&basetype);
+ }
+
+ return rc;
}
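Review bot: `type` and `basetype` are passed to `strcasecmp` without a NULL check, and the return value of `slapi_filter_get_attribute_type` is ignored, so a filter for which no attribute type comes back would dereference NULL here. The added comment argues that `grok_filter()` has already excluded complex filters, but that function is outside the hunk. Falling back to the unoptimized path is the safe default: `if (type == NULL || basetype == NULL || strcasecmp(type, basetype) != 0) {` sets `rc = 0` in that case, so the filter test still runs.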
16 years, 2 months
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_connection.c, 1.16, 1.17 windows_protocol_util.c, 1.34, 1.35 windowsrepl.h, 1.13, 1.14
by Doctor Conrad
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15634
Modified Files:
windows_connection.c windows_protocol_util.c windowsrepl.h
Log Message:
Resolves: 238504
Summary: Don't replay AD originated password changes back to AD.
Index: windows_connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_connection.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- windows_connection.c 12 Sep 2007 23:05:24 -0000 1.16
+++ windows_connection.c 27 Sep 2007 18:33:30 -0000 1.17
@@ -1796,6 +1796,34 @@
}
}
+/* Attempt to bind as a user to AD in order to see if we posess the
+ * most current password. Returns the LDAP return code of the bind. */
+int
+windows_check_user_password(Repl_Connection *conn, Slapi_DN *sdn, char *password)
+{
+ const char *binddn = NULL;
+ LDAPMessage *res = NULL;
+ int rc = 0;
+ int msgid = 0;
+
+ /* If we're already connected, this will just return success */
+ windows_conn_connect(conn);
+
+ /* Get binddn from sdn */
+ binddn = slapi_sdn_get_dn(sdn);
+
+ /* Attempt to do a bind on the existing connection
+ * using the dn and password that were passed in. */
+ msgid = do_simple_bind(conn, conn->ld, (char *) binddn, password);
+ ldap_result(conn->ld, msgid, LDAP_MSG_ALL, NULL, &res);
+ ldap_parse_result( conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */);
+
+ /* rebind as the DN specified in the sync agreement */
+ do_simple_bind(conn, conn->ld, conn->binddn, conn->plain);
+
+ return rc;
+}
+
static int
do_simple_bind (Repl_Connection *conn, LDAP *ld, char * binddn, char *password)
{
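Review bot: `windows_check_user_password` fails open: `rc` starts at 0 and is only overwritten by `ldap_parse_result`, so if `windows_conn_connect`, `do_simple_bind` or `ldap_result` fails, the function can return 0 and the caller in windows_protocol_util.c reads that as "AD already has the password" and skips the password modify. None of those three return values is checked, and `ldap_result` is called with a NULL timeout, so it can block indefinitely. I would start `rc` at a non-success code and parse the result only when the bind was sent and a result arrived; this assumes `do_simple_bind`, whose body lies outside the hunk, reports failure with a negative message id as `ldap_simple_bind` does. The final rebind as `conn->binddn` is unchecked as well, so on failure the shared connection may stay bound as the user.
```c
    int rc = LDAP_OTHER; /* fail closed: only a parsed bind result may report success */
    /* … unchanged: res, msgid, windows_conn_connect(), binddn lookup … */
    msgid = do_simple_bind(conn, conn->ld, (char *) binddn, password);
    if (msgid >= 0 &&
        ldap_result(conn->ld, msgid, LDAP_MSG_ALL, NULL, &res) > 0) {
        ldap_parse_result( conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */);
    }
    /* … unchanged: rebind as the sync agreement DN, return rc … */
```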
Index: windows_protocol_util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_protocol_util.c,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- windows_protocol_util.c 20 Sep 2007 23:32:17 -0000 1.34
+++ windows_protocol_util.c 27 Sep 2007 18:33:30 -0000 1.35
@@ -741,49 +741,62 @@
} else
{
- char *quoted_password = NULL;
- /* AD wants the password in quotes ! */
- quoted_password = PR_smprintf("\"%s\"",password);
- if (quoted_password)
- {
- LDAPMod *pw_mods[2];
- LDAPMod pw_mod;
- struct berval bv = {0};
- UChar *unicode_password = NULL;
- int32_t unicode_password_length = 0; /* Length in _characters_ */
- int32_t buffer_size = 0; /* Size in _characters_ */
- UErrorCode error = U_ZERO_ERROR;
- struct berval *bvals[2];
- /* Need to UNICODE encode the password here */
- /* It's one of those 'ask me first and I will tell you the buffer size' functions */
- u_strFromUTF8(NULL, 0, &unicode_password_length, quoted_password, strlen(quoted_password), &error);
- buffer_size = unicode_password_length;
- unicode_password = (UChar *)slapi_ch_malloc(unicode_password_length * sizeof(UChar));
- if (unicode_password) {
- error = U_ZERO_ERROR;
- u_strFromUTF8(unicode_password, buffer_size, &unicode_password_length, quoted_password, strlen(quoted_password), &error);
-
- /* As an extra special twist, we need to send the unicode in little-endian order for AD to be happy */
- to_little_endian_double_bytes(unicode_password, unicode_password_length);
-
- bv.bv_len = unicode_password_length * sizeof(UChar);
- bv.bv_val = (char*)unicode_password;
+ /* We will attempt to bind to AD with the new password first. We do
+ * this to avoid playing a password change that originated from AD
+ * back to AD. If we just played the password change back, then
+ * both sides would be in sync, but AD would contain the new password
+ * twice in it's password history, which undermines the password
+ * history policies in AD. */
+ if (windows_check_user_password(prp->conn, sdn, password)) {
+ char *quoted_password = NULL;
+ /* AD wants the password in quotes ! */
+ quoted_password = PR_smprintf("\"%s\"",password);
+ if (quoted_password)
+ {
+ LDAPMod *pw_mods[2];
+ LDAPMod pw_mod;
+ struct berval bv = {0};
+ UChar *unicode_password = NULL;
+ int32_t unicode_password_length = 0; /* Length in _characters_ */
+ int32_t buffer_size = 0; /* Size in _characters_ */
+ UErrorCode error = U_ZERO_ERROR;
+ struct berval *bvals[2];
+ /* Need to UNICODE encode the password here */
+ /* It's one of those 'ask me first and I will tell you the buffer size' functions */
+ u_strFromUTF8(NULL, 0, &unicode_password_length, quoted_password, strlen(quoted_password), &error);
+ buffer_size = unicode_password_length;
+ unicode_password = (UChar *)slapi_ch_malloc(unicode_password_length * sizeof(UChar));
+ if (unicode_password) {
+ error = U_ZERO_ERROR;
+ u_strFromUTF8(unicode_password, buffer_size, &unicode_password_length, quoted_password, strlen(quoted_password), &error);
+
+ /* As an extra special twist, we need to send the unicode in little-endian order for AD to be happy */
+ to_little_endian_double_bytes(unicode_password, unicode_password_length);
+
+ bv.bv_len = unicode_password_length * sizeof(UChar);
+ bv.bv_val = (char*)unicode_password;
- bvals[0] = &bv;
- bvals[1] = NULL;
+ bvals[0] = &bv;
+ bvals[1] = NULL;
- pw_mod.mod_type = "UnicodePwd";
- pw_mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
- pw_mod.mod_bvalues = bvals;
+ pw_mod.mod_type = "UnicodePwd";
+ pw_mod.mod_op = LDAP_MOD_REPLACE | LDAP_MOD_BVALUES;
+ pw_mod.mod_bvalues = bvals;
- pw_mods[0] = &pw_mod;
- pw_mods[1] = NULL;
+ pw_mods[0] = &pw_mod;
+ pw_mods[1] = NULL;
- pw_return = windows_conn_send_modify(prp->conn, slapi_sdn_get_dn(sdn), pw_mods, NULL, NULL );
+ pw_return = windows_conn_send_modify(prp->conn, slapi_sdn_get_dn(sdn), pw_mods, NULL, NULL );
- slapi_ch_free((void**)&unicode_password);
+ slapi_ch_free((void**)&unicode_password);
+ }
+ PR_smprintf_free(quoted_password);
}
- PR_smprintf_free(quoted_password);
+ } else {
+ slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
+ "%s: AD already has the current password for %s. "
+ "Not sending password modify to AD.\n",
+ agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(sdn));
}
}
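Review bot: Every outbound password change now first performs a simple bind to AD as the user with the new password, and for a change that originated on this side that bind fails by design. Failed binds typically count toward AD's bad-password counter, so frequent password syncs could contribute to account lockout or to noisy failed-logon auditing; the added comment does not mention this and it is worth confirming against the deployment's lockout policy. I would extend the comment with `/* NOTE: the check is a real bind attempt and is expected to fail for locally originated changes; mind the AD lockout policy */`. Separately, `unicode_password` and `quoted_password` still hold the cleartext password when they are freed; scrubbing them before `slapi_ch_free` and `PR_smprintf_free` would shorten its lifetime in memory. The enclosing function starts and ends outside the hunk.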
@@ -1230,15 +1243,32 @@
}
if (password)
{
- return_value = send_password_modify(remote_dn, password, prp);
+ /* We need to have a non-GUID dn in send_password_modify in order to
+ * bind as the user to check if we need to send the password change.
+ * You are supposed to be able to bind using a GUID dn, but it doesn't
+ * seem to work over plain LDAP. */
+ if (is_guid_dn(remote_dn)) {
+ Slapi_DN *remote_dn_norm = NULL;
+ int norm_missing = 0;
+
+ map_entry_dn_outbound(local_entry,&remote_dn_norm,prp,&norm_missing, 0);
+ return_value = send_password_modify(remote_dn_norm, password, prp);
+ slapi_sdn_free(&remote_dn_norm);
+ } else {
+ return_value = send_password_modify(remote_dn, password, prp);
+ }
+
if (return_value)
{
- slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name, "%s: windows_replay_update: update password returned %d\n",
+ slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,
+ "%s: windows_replay_update: update password returned %d\n",
agmt_get_long_name(prp->agmt), return_value );
} else {
- /* If we successfully added an entry, and then subsequently changed its password, THEN we need to change its status in AD
- * in order that it can be used (otherwise the user is marked as disabled). To do this we set this attribute and value:
- * userAccountControl: 512 */
+ /* If we successfully added an entry, and then subsequently changed
+ * its password, THEN we need to change its status in AD in order
+ * that it can be used (otherwise the user is marked as disabled).
+ * To do this we set this attribute and value:
+ * userAccountControl: 512 */
if (op->operation_type == SLAPI_OPERATION_ADD && missing_entry)
{
return_value = send_accountcontrol_modify(remote_dn, prp);
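Review bot: In the `is_guid_dn` branch the result of `map_entry_dn_outbound` is ignored and `remote_dn_norm` is passed straight to `send_password_modify`, which, judging by the previous hunk, calls `slapi_sdn_get_dn(sdn)` on it; if the mapping fails and leaves the pointer NULL, that path receives a NULL DN. `norm_missing` is also never read. A one-line fallback keeps the previous behaviour when no normal DN is available: `return_value = send_password_modify(remote_dn_norm ? remote_dn_norm : remote_dn, password, prp);`. The enclosing function starts and ends outside the hunk.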
Index: windowsrepl.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windowsrepl.h,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- windowsrepl.h 17 Sep 2007 19:18:30 -0000 1.13
+++ windowsrepl.h 27 Sep 2007 18:33:30 -0000 1.14
@@ -100,6 +100,7 @@
ConnResult windows_conn_push_schema(Repl_Connection *conn, CSN **remotecsn);
void windows_conn_set_timeout(Repl_Connection *conn, long timeout);
void windows_conn_set_agmt_changed(Repl_Connection *conn);
+int windows_check_user_password(Repl_Connection *conn, Slapi_DN *sdn, char *password);
/* Used to work around a schema incompatibility between Microsoft and the IETF */
#define FAKE_STREET_ATTR_NAME "in#place#of#streetaddress"
16 years, 2 months