[Fedora-directory-commits] ldapserver/ldap/servers/slapd filter.c, 1.11, 1.12 plugin_internal_op.c, 1.11, 1.12 slapi-private.h, 1.29, 1.30 str2filter.c, 1.6, 1.7
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7639/ldap/servers/slapd
Modified Files:
filter.c plugin_internal_op.c slapi-private.h str2filter.c
Log Message:
Resolves: 220532
Summary: Add access to RUV by users other than "cn=Directory Manager".
Index: filter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/filter.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- filter.c 15 Oct 2008 06:30:04 -0000 1.11
+++ filter.c 26 Nov 2008 22:42:12 -0000 1.12
@@ -54,14 +54,15 @@
static int
get_filter_list( Connection *conn, BerElement *ber,
struct slapi_filter **f, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter);
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter);
static int get_substring_filter();
static int get_extensible_filter( BerElement *ber, mr_filter_t* );
static int get_filter_internal( Connection *conn, BerElement *ber,
struct slapi_filter **filt, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter);
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter);
static int tombstone_check_filter(Slapi_Filter *f);
+static int ruv_check_filter(Slapi_Filter *f);
static void filter_optimize(Slapi_Filter *f);
@@ -83,20 +84,23 @@
{
int subentry_dont_rewrite = 0; /* Re-write unless we're told not to */
int has_tombstone_filter = 0; /* Check if nsTombstone appears */
+ int has_ruv_filter = 0; /* Check if searching for RUV */
int return_value = 0;
char *logbuf = NULL;
size_t logbufsize = 0;
return_value = get_filter_internal(conn, ber, filt, fstr,
config_get_max_filter_nest_level(), /* maximum depth */
- 0, /* current depth */
- &subentry_dont_rewrite, &has_tombstone_filter);
+ 0, /* current depth */ &subentry_dont_rewrite,
+ &has_tombstone_filter, &has_ruv_filter);
if (0 == return_value) { /* Don't try to re-write if there was an error */
if (subentry_dont_rewrite || scope == LDAP_SCOPE_BASE)
(*filt)->f_flags |= SLAPI_FILTER_LDAPSUBENTRY;
if (has_tombstone_filter)
(*filt)->f_flags |= SLAPI_FILTER_TOMBSTONE;
+ if (has_ruv_filter)
+ (*filt)->f_flags |= SLAPI_FILTER_RUV;
}
if (LDAPDebugLevelIsSet( LDAP_DEBUG_FILTER ) && *filt != NULL
@@ -175,7 +179,7 @@
static int
get_filter_internal( Connection *conn, BerElement *ber,
struct slapi_filter **filt, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter )
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter )
{
ber_len_t len;
int err;
@@ -272,6 +276,18 @@
*has_tombstone_filter = tombstone_check_filter(f);
}
}
+
+ if ( 0 == strcasecmp ( f->f_avtype, "nsuniqueid")) {
+ /*
+ * Check if it's a RUV filter.
+ * We need to do it once per filter, so if flag is already set,
+ * don't bother doing it
+ */
+ if (!(*has_ruv_filter)) {
+ *has_ruv_filter = ruv_check_filter(f);
+ }
+ }
+
*fstr=filter_escape_filter_value(f, FILTER_EQ_FMT, FILTER_EQ_LEN);
}
break;
@@ -342,7 +358,8 @@
case LDAP_FILTER_AND:
LDAPDebug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_and, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
== 0 ) {
filter_compute_hash(f);
*fstr = slapi_ch_smprintf( "(&%s)", ftmp );
@@ -353,7 +370,8 @@
case LDAP_FILTER_OR:
LDAPDebug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
if ( (err = get_filter_list( conn, ber, &f->f_or, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
== 0 ) {
filter_compute_hash(f);
*fstr = slapi_ch_smprintf( "(|%s)", ftmp );
@@ -365,7 +383,8 @@
LDAPDebug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
(void) ber_skip_tag( ber, &len );
if ( (err = get_filter_internal( conn, ber, &f->f_not, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
== 0 ) {
filter_compute_hash(f);
*fstr = slapi_ch_smprintf( "(!%s)", ftmp );
@@ -394,7 +413,7 @@
get_filter_list( Connection *conn, BerElement *ber,
struct slapi_filter **f, char **fstr, int maxdepth,
int curdepth, int *subentry_dont_rewrite,
- int *has_tombstone_filter)
+ int *has_tombstone_filter, int* has_ruv_filter)
{
struct slapi_filter **new;
int err;
@@ -411,7 +430,8 @@
tag = ber_next_element( ber, &len, last ) ) {
char *ftmp;
if ( (err = get_filter_internal( conn, ber, new, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter))
!= 0 ) {
if ( *fstr != NULL ) {
slapi_ch_free((void**)fstr );
@@ -1450,6 +1470,17 @@
return 0; /* Not nsTombstone filter */
}
+
+static int
+ruv_check_filter(Slapi_Filter *f)
+{
+ if ( 0 == strcasecmp ( f->f_avvalue.bv_val, "ffffffff-ffffffff-ffffffff-ffffffff")) {
+ return 1; /* Contains a RUV filter */
+ }
+ return 0; /* Not a RUV filter */
+}
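Review bot: ruv_check_filter reads `f->f_avvalue.bv_val` without checking `f->f_choice` or that `bv_val` is non-NULL, so it is only safe under the caller's `nsuniqueid` equality check in the earlier hunk; a header comment should state that precondition, e.g. `/* Caller guarantees f is an equality filter on nsuniqueid with a non-NULL value. */`. The RUV nsuniqueid string is also spelled out here and again in str2filter.c below; a shared constant next to `SLAPI_FILTER_RUV` in slapi-private.h (for instance a `SLAPI_ATTR_VALUE_RUV_NSUNIQUEID` mirroring the existing `SLAPI_ATTR_VALUE_TOMBSTONE` — name is a suggestion) would keep the two checks from drifting apart.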
+
+
/* filter_optimize
* ---------------
* takes a filter and optimizes it for fast evaluation
Index: plugin_internal_op.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/plugin_internal_op.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- plugin_internal_op.c 17 Oct 2008 22:12:47 -0000 1.11
+++ plugin_internal_op.c 26 Nov 2008 22:42:12 -0000 1.12
@@ -720,7 +720,11 @@
op->o_search_referral_handler = internal_ref_entry_callback;
filter = slapi_str2filter(ifstr ? (fstr = slapi_ch_strdup(ifstr)) : NULL);
- if(scope == LDAP_SCOPE_BASE) filter->f_flags |= (SLAPI_FILTER_LDAPSUBENTRY | SLAPI_FILTER_TOMBSTONE);
+ if(scope == LDAP_SCOPE_BASE) {
+ filter->f_flags |= (SLAPI_FILTER_LDAPSUBENTRY |
+ SLAPI_FILTER_TOMBSTONE | SLAPI_FILTER_RUV);
+ }
+
if (NULL == filter)
{
send_ldap_result(pb, LDAP_FILTER_ERROR, NULL, NULL, 0, NULL);
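Review bot: `filter->f_flags` is dereferenced on the new lines before the `if (NULL == filter)` check that follows, so a filter string that slapi_str2filter rejects would crash here instead of reaching the LDAP_FILTER_ERROR result; the braces are new, but the ordering problem of the old one-liner is kept. Move the `if(scope == LDAP_SCOPE_BASE) { ... }` block below the NULL check, or guard it with `if(filter && scope == LDAP_SCOPE_BASE)`. The enclosing function starts and ends outside the hunk.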
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- slapi-private.h 5 Nov 2008 18:21:06 -0000 1.29
+++ slapi-private.h 26 Nov 2008 22:42:12 -0000 1.30
@@ -68,6 +68,7 @@
/* filter */
#define SLAPI_FILTER_LDAPSUBENTRY 1
#define SLAPI_FILTER_TOMBSTONE 2
+#define SLAPI_FILTER_RUV 4
#define SLAPI_ENTRY_LDAPSUBENTRY 2
/*
Index: str2filter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/str2filter.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- str2filter.c 10 Nov 2006 23:45:40 -0000 1.6
+++ str2filter.c 26 Nov 2008 22:42:12 -0000 1.7
@@ -162,6 +162,7 @@
str = next;
f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_LDAPSUBENTRY);
f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_TOMBSTONE);
+ f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_RUV);
fp = &(*fp)->f_next;
}
*fp = NULL;
@@ -331,6 +332,13 @@
if (0 == strcasecmp (unqstr,SLAPI_ATTR_VALUE_TOMBSTONE))
f->f_flags |= SLAPI_FILTER_TOMBSTONE;
}
+
+ if((f->f_choice == LDAP_FILTER_EQUALITY) &&
+ (0 == strncasecmp (str,"nsuniqueid",strlen("nsuniqueid")))) {
+ if (0 == strcasecmp (unqstr, "ffffffff-ffffffff-ffffffff-ffffffff"))
+ f->f_flags |= SLAPI_FILTER_RUV;
+ }
+
} if ( !unescape_filter ) {
f->f_avtype = slapi_ch_strdup( str );
f->f_avvalue.bv_val = slapi_ch_strdup ( value );
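Review bot: the attribute-type test uses `strncasecmp (str,"nsuniqueid",strlen("nsuniqueid"))`, a prefix comparison, while the value test two lines below uses an exact `strcasecmp`; if `str` at this point is the full attribute description, any type that merely starts with `nsuniqueid` (one carrying an option, say) would also raise `SLAPI_FILTER_RUV`. If `str` is already terminated at the `=`, an exact `strcasecmp (str, "nsuniqueid")` expresses the intent and removes the question. The enclosing function starts and ends outside the hunk.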
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_search.c, 1.14, 1.15
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7639/ldap/servers/slapd/back-ldbm
Modified Files:
ldbm_search.c
Log Message:
Resolves: 220532
Summary: Add access to RUV by users other than "cn=Directory Manager".
Index: ldbm_search.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_search.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- ldbm_search.c 8 Aug 2008 15:53:10 -0000 1.14
+++ ldbm_search.c 26 Nov 2008 22:42:12 -0000 1.15
@@ -1203,11 +1203,17 @@
if((slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_LDAPSUBENTRY)
&& !filter_flag_is_set(filter,SLAPI_FILTER_LDAPSUBENTRY)) ||
(slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_FLAG_TOMBSTONE)
- && (!isroot || !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
+ && ((!isroot && !filter_flag_is_set(filter, SLAPI_FILTER_RUV)) ||
+ !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
{
/* If the entry is an LDAP subentry and filter don't filter subentries OR
* the entry is a TombStone and filter don't filter Tombstone
- * don't return the entry
+ * don't return the entry. We make a special case to allow a non-root user
+ * to search for the RUV entry using a filter of:
+ *
+ * "(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))"
+ *
+ * For this RUV case, we let the ACL check apply.
*/
/* ugaston - we don't want to mistake this filter failure with the one below due to ACL,
* because whereas the former should be read as 'no entry must be returned', the latter
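Review bot: the new condition exempts a non-root searcher from the tombstone exclusion whenever `SLAPI_FILTER_RUV` is set, but that flag (per the filter.c change in the commit above) only records that an `nsuniqueid` equality term for the RUV value appears somewhere in the filter and is propagated through AND, OR and NOT sub-filters alike; it does not guarantee that the filter matches only the RUV entry, so the comment's "special case to allow a non-root user to search for the RUV entry" is broader than the code enforces. A more robust check would look at the candidate entry rather than the filter: keep the `!isroot` exclusion unless `e->ep_entry` itself carries the RUV nsuniqueid value, and only then fall through to the ACL check. The enclosing function starts and ends outside the hunk.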
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm vlv.c, 1.16, 1.17
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24653
Modified Files:
vlv.c
Log Message:
Resolves: #472999
Summary: vlv: memory leak
Description: if the addresses of the passed key and the returned key don't
match, the space for the returned key is allocated in libdb. Thus, we have to
release the returned key.
Index: vlv.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/vlv.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- vlv.c 15 Oct 2008 06:30:10 -0000 1.16
+++ vlv.c 26 Nov 2008 20:11:53 -0000 1.17
@@ -990,6 +990,10 @@
}
LDAPDebug( LDAP_DEBUG_TRACE, "<= vlv_build_candidate_list_byvalue: Not Found. Index=%lu\n",si,0,0);
}
+ if (key.data != typedown_value[0]->bv_val) { /* in case new key is set
+ in dbc->c_get(DB_SET_RANGE) */
+ slapi_ch_free(&(key.data));
+ }
ber_bvecfree((struct berval**)typedown_value);
return si;
}
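Review bot: `slapi_ch_free(&(key.data))` releases a buffer the comment says was allocated inside libdb by `c_get`, which is only correct if the DB environment routes its allocations through the slapi allocator; if that is not configured, the buffer should be released with the allocator paired with libdb, so the assumption is worth stating in the comment. The cl5_api.c change further down this page writes the equivalent call as `slapi_ch_free ((void **)&key.data)`; matching that cast here keeps the two sites consistent and avoids a pointer-type warning. The enclosing function starts outside the hunk.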
[Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.31, 1.32 sasl_io.c, 1.16, 1.17 slap.h, 1.40, 1.41
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9219/ldap/servers/slapd
Modified Files:
libglobs.c sasl_io.c slap.h
Log Message:
Resolves: 387851
Summary: Added validation for nsslapd-maxsasliosize value.
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- libglobs.c 25 Nov 2008 19:20:26 -0000 1.31
+++ libglobs.c 26 Nov 2008 17:32:21 -0000 1.32
@@ -856,6 +856,7 @@
cfg->ioblocktimeout = SLAPD_DEFAULT_IOBLOCK_TIMEOUT;
cfg->outbound_ldap_io_timeout = SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT;
cfg->max_filter_nest_level = SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL;
+ cfg->maxsasliosize = SLAPD_DEFAULT_MAX_SASLIO_SIZE;
#ifdef _WIN32
cfg->conntablesize = SLAPD_DEFAULT_CONNTABLESIZE;
@@ -4494,21 +4495,41 @@
config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
{
int retVal = LDAP_SUCCESS;
+ long maxsasliosize;
+ char *endptr;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
- if ( !apply ) {
- return retVal;
+ maxsasliosize = strtol(value, &endptr, 10);
+
+ /* Check for non-numeric garbage in the value */
+ if (*endptr != '\0') {
+ retVal = LDAP_OPERATIONS_ERROR;
}
- CFG_LOCK_WRITE(slapdFrontendConfig);
+ /* Check for a value overflow */
+ if (((maxsasliosize == LONG_MAX) || (maxsasliosize == LONG_MIN)) && (errno == ERANGE)){
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ /* A setting of -1 means unlimited. Don't allow other negative values. */
+ if ((maxsasliosize < 0) && (maxsasliosize != -1)) {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
- slapdFrontendConfig->maxsasliosize = atol(value);
+ if (retVal != LDAP_SUCCESS) {
+ PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "%s: \"%s\" is invalid. Value must range from -1 to %ld",
+ attrname, value, LONG_MAX );
+ } else if (apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->maxsasliosize = maxsasliosize;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
return retVal;
}
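Review bot: `errno` is not reset before the `strtol` call, so the `errno == ERANGE` overflow test can fire on a stale errno from an earlier call when the parsed value legitimately equals LONG_MAX or LONG_MIN, and an empty numeric part (`endptr == value`) is not rejected as garbage. Add `errno = 0;` immediately before `maxsasliosize = strtol(value, &endptr, 10);` and widen the check to `if (endptr == value || *endptr != '\0')`. A value of 0 also passes validation even though the getter no longer maps it to the default.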
@@ -4519,9 +4540,6 @@
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
maxsasliosize = slapdFrontendConfig->maxsasliosize;
- if (maxsasliosize == 0) {
- maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
- }
return maxsasliosize;
}
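Review bot: removing the `maxsasliosize == 0` fallback changes what a configured value of 0 means: it previously selected the 2MB default and now becomes a zero-byte limit that makes sasl_io.c reject every SASL packet, while config_set_maxsasliosize in the previous hunk still accepts 0. Either reject it there, `if (maxsasliosize == 0 || (maxsasliosize < 0 && maxsasliosize != -1))`, or document on this getter that 0 is a legal "deny all" setting and that the default now comes from `SLAPD_DEFAULT_MAX_SASLIO_SIZE` at init time. The enclosing function starts outside the hunk.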
Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- sasl_io.c 25 Nov 2008 19:20:27 -0000 1.16
+++ sasl_io.c 26 Nov 2008 17:32:21 -0000 1.17
@@ -195,6 +195,7 @@
int ret = 0;
unsigned char buffer[4];
size_t packet_length = 0;
+ size_t saslio_limit;
ret = PR_Recv(c->c_prfd,buffer,sizeof(buffer),0,PR_INTERVAL_NO_WAIT);
if (ret < 0) {
@@ -216,7 +217,10 @@
LDAPDebug( LDAP_DEBUG_CONNS,
"read sasl packet length %ld on connection %" PRIu64 "\n", packet_length, c->c_connid, 0 );
- if (packet_length > config_get_maxsasliosize()) {
+ /* Check if the packet length is larger than our max allowed. A
+ * setting of -1 means that we allow any size SASL IO packet. */
+ saslio_limit = config_get_maxsasliosize();
+ if(((long)saslio_limit != -1) && (packet_length > saslio_limit)) {
LDAPDebug( LDAP_DEBUG_ANY,
"SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
" Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- slap.h 25 Nov 2008 19:20:27 -0000 1.40
+++ slap.h 26 Nov 2008 17:32:21 -0000 1.41
@@ -279,6 +279,7 @@
#define SLAPD_DEFAULT_LOOKTHROUGHLIMIT 5000 /* use -1 for no limit */
#define SLAPD_DEFAULT_GROUPNESTLEVEL 5
#define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 /* use -1 for no limit */
+#define SLAPD_DEFAULT_MAX_SASLIO_SIZE 2097152 /* 2MB in bytes. Use -1 for no limit */
#define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 1800000 /* half hour in ms */
#define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT 300000 /* 5 minutes in ms */
#define SLAPD_DEFAULT_RESERVE_FDS 64
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication cl5_api.c, 1.24, 1.25
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16234
Modified Files:
cl5_api.c
Log Message:
Resolves: #430172
Summary: memory leaks after db "get" deadlocks, e.g. in CL5 trim
Description: Even if cursor->c_get returns a non-SUCCESS code (SUCCESS == 0), there are
cases where the DBT data holds memory that was allocated in libdb. To release
the memory, put
slapi_ch_free ((void **)&key.data);
slapi_ch_free ((void **)&data.data);
just after the while loop, where we come to the point when cursor->c_get fails.
Index: cl5_api.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/cl5_api.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- cl5_api.c 14 Nov 2008 02:06:34 -0000 1.24
+++ cl5_api.c 26 Nov 2008 00:13:42 -0000 1.25
@@ -5387,6 +5387,21 @@
return CL5_SUCCESS;
}
+ /*
+ * Bug 430172 - memory leaks after db "get" deadlocks, e.g. in CL5 trim
+ * Even when db->c_get() does not return success, memory may have been
+ * allocated in the DBT. This seems to happen when DB_DBT_MALLOC was set,
+ * the data being retrieved is larger than the page size, and we got
+ * DB_LOCK_DEADLOCK. libdb allocates the memory and then finds itself
+ * deadlocked trying to go through the overflow page list. It returns
+ * DB_LOCK_DEADLOCK which we've assumed meant that no memory was allocated
+ * for the DBT.
+ *
+ * The following slapi_ch_free frees the memory only when the value is
+ * non NULL, which is true if the situation described above occurs.
+ */
+ slapi_ch_free ((void **)&key.data);
+ slapi_ch_free ((void **)&data.data);
/* walked of the end of the file */
if (rc == DB_NOTFOUND)
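Review bot: the thirteen-line explanation and the two `slapi_ch_free` calls are duplicated verbatim in the second hunk of this file; a small static helper taking the two `DBT` pointers (a name such as `cl5_free_dbt_pair` is only a suggestion) that carries the comment once and is called from both places would keep the two sites from diverging. The freeing also assumes that libdb's DB_DBT_MALLOC allocations are compatible with slapi_ch_free, which holds only if the environment is configured to use the slapi allocator; that assumption belongs in the comment. The enclosing function starts outside the hunk.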
@@ -5456,6 +5471,21 @@
return rc;
}
+ /*
+ * Bug 430172 - memory leaks after db "get" deadlocks, e.g. in CL5 trim
+ * Even when db->c_get() does not return success, memory may have been
+ * allocated in the DBT. This seems to happen when DB_DBT_MALLOC was set,
+ * the data being retrieved is larger than the page size, and we got
+ * DB_LOCK_DEADLOCK. libdb allocates the memory and then finds itself
+ * deadlocked trying to go through the overflow page list. It returns
+ * DB_LOCK_DEADLOCK which we've assumed meant that no memory was allocated
+ * for the DBT.
+ *
+ * The following slapi_ch_free frees the memory only when the value is
+ * non NULL, which is true if the situation described above occurs.
+ */
+ slapi_ch_free ((void **)&key.data);
+ slapi_ch_free ((void **)&data.data);
/* walked of the end of the file or entry is out of range */
if (rc == 0 || rc == DB_NOTFOUND)
[Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.30, 1.31 proto-slap.h, 1.42, 1.43 sasl_io.c, 1.15, 1.16 slap.h, 1.39, 1.40
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13745/ldap/servers/slapd
Modified Files:
libglobs.c proto-slap.h sasl_io.c slap.h
Log Message:
Resolves: 387851
Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size.
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- libglobs.c 13 Nov 2008 21:56:29 -0000 1.30
+++ libglobs.c 25 Nov 2008 19:20:26 -0000 1.31
@@ -525,6 +525,9 @@
{CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize,
NULL, 0,
(void**)&global_slapdFrontendConfig.maxbersize, CONFIG_INT, NULL},
+ {CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.maxsasliosize, CONFIG_INT, NULL},
{CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring,
NULL, 0,
(void**)&global_slapdFrontendConfig.versionstring, CONFIG_STRING, NULL},
@@ -4488,6 +4491,42 @@
}
int
+config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
+ return LDAP_OPERATIONS_ERROR;
+ }
+
+ if ( !apply ) {
+ return retVal;
+ }
+
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+
+ slapdFrontendConfig->maxsasliosize = atol(value);
+
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ return retVal;
+}
+
+size_t
+config_get_maxsasliosize()
+{
+ size_t maxsasliosize;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ maxsasliosize = slapdFrontendConfig->maxsasliosize;
+ if (maxsasliosize == 0) {
+ maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
+ }
+
+ return maxsasliosize;
+}
+
+int
config_set_max_filter_nest_level( const char *attrname, char *value,
char *errorbuf, int apply )
{
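Review bot: config_set_maxsasliosize stores `atol(value)` without checking for non-numeric input, overflow or negative values, so a malformed `nsslapd-maxsasliosize` silently becomes 0 or a negative number that config_get_maxsasliosize then hands back as a huge `size_t` limit; revision 1.32 of this file, shown earlier on this page, adds the missing validation. A doc comment on config_get_maxsasliosize should state that a stored 0 is mapped to the 2MB default, since callers cannot tell the two apart from the return value.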
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -r1.42 -r1.43
--- proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42
+++ proto-slap.h 25 Nov 2008 19:20:27 -0000 1.43
@@ -320,6 +320,7 @@
int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, int apply);
int config_set_conntablesize(const char *attrname, char *url, char *errorbuf, int apply);
int config_set_maxbersize(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_maxsasliosize(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_versionstring(const char *attrname, char *versionstring, char *errorbuf, int apply );
int config_set_enquote_sup_oc(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_basedn( const char *attrname, char *value, char *errorbuf, int apply );
@@ -442,6 +443,7 @@
int config_get_conntablesize(void);
int config_check_referral_mode(void);
ber_len_t config_get_maxbersize();
+size_t config_get_maxsasliosize();
char *config_get_versionstring();
char *config_get_buildnum(void);
int config_get_enquote_sup_oc();
Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sasl_io.c 17 Oct 2008 22:12:47 -0000 1.15
+++ sasl_io.c 25 Nov 2008 19:20:27 -0000 1.16
@@ -215,6 +215,15 @@
LDAPDebug( LDAP_DEBUG_CONNS,
"read sasl packet length %ld on connection %" PRIu64 "\n", packet_length, c->c_connid, 0 );
+
+ if (packet_length > config_get_maxsasliosize()) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
+ " Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
+ packet_length, config_get_maxsasliosize(), 0);
+ return -1;
+ }
+
sasl_io_resize_encrypted_buffer(c->c_sasl_io_private, packet_length);
/* Cyrus SASL implementation expects to have the length at the first
4 bytes */
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- slap.h 7 Nov 2008 22:32:57 -0000 1.39
+++ slap.h 25 Nov 2008 19:20:27 -0000 1.40
@@ -1764,6 +1764,7 @@
#define CONFIG_REFERRAL_MODE_ATTRIBUTE "nsslapd-referralmode"
#define CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE "nsslapd-attribute-name-exceptions"
#define CONFIG_MAXBERSIZE_ATTRIBUTE "nsslapd-maxbersize"
+#define CONFIG_MAXSASLIOSIZE_ATTRIBUTE "nsslapd-maxsasliosize"
#define CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE "nsslapd-max-filter-nest-level"
#define CONFIG_VERSIONSTRING_ATTRIBUTE "nsslapd-versionstring"
#define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
@@ -1981,8 +1982,9 @@
char *ldapi_gidnumber_type; /* type that contains gid number */
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
- int slapi_counters; /* switch to turn slapi_counters on/off */
- int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/collation collate.c, 1.8, 1.9
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/collation
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12327/ldap/servers/plugins/collation
Modified Files:
collate.c
Log Message:
Resolves: 430321
Summary: Fixed memory leak in collator plug-in.
Index: collate.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/collation/collate.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- collate.c 10 Nov 2006 23:44:56 -0000 1.8
+++ collate.c 25 Nov 2008 16:15:09 -0000 1.9
@@ -230,7 +230,6 @@
UCollator* collator;
UConverter* converter;
struct berval** ix_keys;
- int is_default_collator;
} collation_indexer_t;
/*
@@ -386,8 +385,8 @@
ucnv_close(etc->converter);
etc->converter = NULL;
}
- if (!etc->is_default_collator) {
- /* Don't delete the default collation - it seems to cause problems */
+
+ if (etc->collator) {
ucol_close(etc->collator);
etc->collator = NULL;
}
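Review bot: the commit drops the `is_default_collator` guard and its comment ("Don't delete the default collation - it seems to cause problems") without recording why closing the default collator with `ucol_close` is now safe, so the next reader sees only an unconditional close and may reintroduce the guard. A one-line comment above `if (etc->collator) {` stating the reason (for example that each indexer now owns the collator it opened) would preserve that knowledge. The enclosing function starts outside the hunk.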
@@ -469,7 +468,6 @@
oid, profile->decomposition, err);
}
etc->collator = coll;
- etc->is_default_collator = is_default;
for (id = collation_id; *id; ++id) {
if ((*id)->profile == profile) {
break; /* found the 'official' id */
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm sort.c, 1.12, 1.13
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24704
Modified Files:
sort.c
Log Message:
Resolves: #472457
Summary: Specially crafted Server Side Sort crashes directory server or makes
it unresponsive
Description: The cause of the problem was a buffer overflow. The length of the
2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3.
3.2.18.1.6 " is just about the prepared buffer size, which is unfortunate since
there is no space for the candidate size, e.g., "(1944)" being added later. By
adding the "(1944)" to the static buffer, it caused buffer overflow and crashed
your server. The code to check the length of the candidate size before
calculating the buffer size is added.
Index: sort.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/sort.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sort.c 15 Oct 2008 06:30:10 -0000 1.12
+++ sort.c 24 Nov 2008 20:26:32 -0000 1.13
@@ -113,22 +113,32 @@
int size = SORT_LOG_BSZ + SORT_LOG_PAD;
char *prefix = "SORT ";
int prefix_size = strlen(prefix);
+ char candidate_buffer[32]; /* store u_long value; max 20 digits */
+ int candidate_size = 0;
buffer = stack_buffer;
size -= PR_snprintf(buffer,sizeof(stack_buffer),"%s",prefix);
+ if (candidates) {
+ if (ALLIDS(candidates)) {
+ PR_snprintf(candidate_buffer, sizeof(candidate_buffer), "(*)");
+ candidate_size = strlen(candidate_buffer);
+ } else {
+ PR_snprintf(candidate_buffer, sizeof(candidate_buffer),
+ "(%lu)", (u_long)candidates->b_nids);
+ candidate_size = strlen(candidate_buffer);
+ }
+ }
+ size -= (candidate_size + 1); /* 1 for '\0' */
ret = print_out_sort_spec(buffer+prefix_size,s,&size);
if (0 != ret) {
/* It wouldn't fit in the buffer */
- buffer = slapi_ch_malloc(prefix_size + size + SORT_LOG_PAD);
+ buffer =
+ slapi_ch_malloc(prefix_size + size + candidate_size + SORT_LOG_PAD);
sprintf(buffer,"%s",prefix);
ret = print_out_sort_spec(buffer+prefix_size,s,&size);
}
- if (candidates) {
- if (ALLIDS(candidates)) {
- sprintf(buffer+size+prefix_size,"(*)");
- } else {
- sprintf(buffer+size+prefix_size,"(%lu)",(u_long)candidates->b_nids);
- }
+ if (0 == ret && candidates) {
+ sprintf(buffer+size+prefix_size, "%s", candidate_buffer);
}
/* Now output it */
ldbm_log_access_message(pb,buffer);
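Review bot: the overflow fix still writes the candidate string with an unbounded `sprintf(buffer+size+prefix_size, "%s", candidate_buffer)` and relies on the `size` arithmetic before and after `print_out_sort_spec` to guarantee room; a bounded write that names the reserved capacity, `PR_snprintf(buffer+size+prefix_size, candidate_size + 1, "%s", candidate_buffer)`, makes the invariant visible at the call site. `candidate_size` is an `int` holding a `strlen` result — harmless for a 32-byte buffer, but `size_t` would match the source type. The `0 == ret` guard also silently drops the candidate count when the second `print_out_sort_spec` fails, which is acceptable for a log line but deserves a comment. The enclosing function starts and ends outside the hunk.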
[Fedora-directory-commits] ldapserver/ldap/servers/slapd pw.c, 1.18, 1.19 result.c, 1.16, 1.17
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31927/ldap/servers/slapd
Modified Files:
pw.c result.c
Log Message:
Resolves: 216522
Summary: Make password modify extop use fine-grained password policies correctly.
Index: pw.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v
retrieving revision 1.18
retrieving revision 1.19
diff -u -r1.18 -r1.19
--- pw.c 27 Aug 2008 21:05:49 -0000 1.18
+++ pw.c 24 Nov 2008 17:16:55 -0000 1.19
@@ -1414,9 +1414,7 @@
slapi_pblock_get( pb, SLAPI_OPERATION, &op);
slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &optype );
- if (slapdFrontendConfig->pwpolicy_local == 1) {
- if ( !operation_is_flag_set( op, OP_FLAG_INTERNAL ) && dn ) {
-
+ if (dn && (slapdFrontendConfig->pwpolicy_local == 1)) {
/* If we're doing an add, COS does not apply yet so we check
parents for the pwdpolicysubentry. We look only for virtual
attributes, because real ones are for single-target policy. */
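Review bot: the rewritten condition drops the `!operation_is_flag_set( op, OP_FLAG_INTERNAL )` test, so internal operations now also take the local-policy lookup; presumably that is what lets the password-modify extop pick up fine-grained policy, but nothing in the hunk says so, and `op` is still fetched on the line above. Add a comment such as `/* internal ops (e.g. the passwd-modify extop) must see local policy too */` and, if `op` has no remaining use in the function, drop the now-unused pblock_get. The enclosing function starts and ends outside the hunk.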
@@ -1462,196 +1460,195 @@
}
if (values != NULL) {
- Slapi_Value *v = NULL;
- const struct berval *bvp = NULL;
+ Slapi_Value *v = NULL;
+ const struct berval *bvp = NULL;
- if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) &&
- ( bvp = slapi_value_get_berval( v )) != NULL ) {
- if ( bvp != NULL ) {
- /* we got the pwdpolicysubentry value */
- pw_entry = get_entry ( pb, bvp->bv_val);
- }
- }
+ if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) &&
+ ( bvp = slapi_value_get_berval( v )) != NULL ) {
+ if ( bvp != NULL ) {
+ /* we got the pwdpolicysubentry value */
+ pw_entry = get_entry ( pb, bvp->bv_val);
+ }
+ }
- slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
+ slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags);
- slapi_entry_free( e );
+ slapi_entry_free( e );
- if ( pw_entry == NULL ) {
- LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s"
- "--local policy entry not found\n", escape_string(dn, ebuf),0,0);
- goto done;
- }
+ if ( pw_entry == NULL ) {
+ LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s"
+ "--local policy entry not found\n", escape_string(dn, ebuf),0,0);
+ goto done;
+ }
- for (slapi_entry_first_attr(pw_entry, &attr); attr;
- slapi_entry_next_attr(pw_entry, attr, &attr))
- {
- slapi_attr_get_type(attr, &attr_name);
- if (!strcasecmp(attr_name, "passwordminage")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minage = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxage")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_maxage = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordwarning")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_warning = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordhistory")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_history =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordinhistory")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_inhistory = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordlockout")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_lockout =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxfailure")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordunlock")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_unlock =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordlockoutduration")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_lockduration = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordresetfailurecount")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordchange")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_change =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmustchange")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_must_change =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordchecksyntax")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_syntax =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminlength")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minlength = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmindigits")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_mindigits = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminalphas")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minalphas = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminuppers")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minuppers = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminlowers")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minlowers = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordminspecials")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_minspecials = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmin8bit")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_min8bit = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmaxrepeats")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_maxrepeats = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmincategories")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_mincategories = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordmintokenlength")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_mintokenlength = slapi_value_get_int(*sval);
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordexp")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_exp =
- pw_boolean_str2value(slapi_value_get_string(*sval));
- }
- }
- else
- if (!strcasecmp(attr_name, "passwordgracelimit")) {
- if ((sval = attr_get_present_values(attr))) {
- pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval);
- }
+ for (slapi_entry_first_attr(pw_entry, &attr); attr;
+ slapi_entry_next_attr(pw_entry, attr, &attr))
+ {
+ slapi_attr_get_type(attr, &attr_name);
+ if (!strcasecmp(attr_name, "passwordminage")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minage = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxage")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxage = slapi_value_get_long(*sval);
}
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordwarning")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_warning = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordhistory")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_history =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordinhistory")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_inhistory = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordlockout")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_lockout =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxfailure")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordunlock")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_unlock =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordlockoutduration")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_lockduration = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordresetfailurecount")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordchange")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_change =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmustchange")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_must_change =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordchecksyntax")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_syntax =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminlength")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minlength = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmindigits")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mindigits = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminalphas")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minalphas = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminuppers")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minuppers = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminlowers")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minlowers = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordminspecials")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_minspecials = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmin8bit")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_min8bit = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmaxrepeats")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_maxrepeats = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmincategories")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mincategories = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordmintokenlength")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_mintokenlength = slapi_value_get_int(*sval);
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordexp")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_exp =
+ pw_boolean_str2value(slapi_value_get_string(*sval));
+ }
+ }
+ else
+ if (!strcasecmp(attr_name, "passwordgracelimit")) {
+ if ((sval = attr_get_present_values(attr))) {
+ pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval);
+ }
+ }
- } /* end of for() loop */
- if (pw_entry) {
- slapi_entry_free(pw_entry);
- }
- return pwdpolicy;
- } else if ( e ) {
- slapi_entry_free( e );
+ } /* end of for() loop */
+ if (pw_entry) {
+ slapi_entry_free(pw_entry);
}
+ return pwdpolicy;
+ } else if ( e ) {
+ slapi_entry_free( e );
}
}
Index: result.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/result.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- result.c 29 Oct 2008 19:16:29 -0000 1.16
+++ result.c 24 Nov 2008 17:16:55 -0000 1.17
@@ -293,17 +293,12 @@
char *dn;
passwdPolicy *pwpolicy = NULL;
-
- slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
- pwpolicy = new_passwdPolicy(pb, dn);
-
slapi_pblock_get (pb, SLAPI_OPERATION, &operation);
if ( ber != NULL ) {
flush_ber_element = 0;
}
-
if(err != LDAP_SUCCESS){
/* count the error for snmp */
/* first check for security errors */
@@ -370,10 +365,12 @@
/* invalid password. Update the password retry here */
/* put this here for now. It could be a send_result pre-op plugin. */
- if ( err == LDAP_INVALID_CREDENTIALS &&
- pwpolicy->pw_lockout == 1 ) {
-
- update_pw_retry ( pb );
+ if (err == LDAP_INVALID_CREDENTIALS) {
+ slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn );
+ pwpolicy = new_passwdPolicy(pb, dn);
+ if (pwpolicy && (pwpolicy->pw_lockout == 1)) {
+ update_pw_retry ( pb );
+ }
}
if ( ber == NULL ) {
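Review bot: `pwpolicy` is now allocated only inside the `LDAP_INVALID_CREDENTIALS` branch, so the release at the end of the function has to accept the NULL the declaration initialises it to on every other path; the cleanup is outside the hunk, so please confirm it still frees the policy exactly once (presumably via `delete_passwdPolicy`). The new `if (pwpolicy && (pwpolicy->pw_lockout == 1))` check is an improvement over the old unconditional dereference. A comment such as `/* resolve the target's (possibly local) policy only on a failed bind; lockout depends on it */` would explain why the lookup moved from the top of the function.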
[Fedora-directory-commits] directoryconsole/src/com/netscape/admin/dirserv/panel/replication ActiveDirectoryAgreement.java, 1.1.1.1, 1.2 AgreementDestinationPanel.java, 1.1.1.1, 1.2 AgreementPanel.java, 1.1.1.1, 1.2 AgreementWizard.java, 1.1.1.1, 1.2 AgreementWizardInfo.java, 1.1.1.1, 1.2 IReplicationAgreement.java, 1.1.1.1, 1.2 MMRAgreement.java, 1.1.1.1, 1.2 ReplicationAgreement.java, 1.2, 1.3 ReplicationTool.java, 1.1.1.1, 1.2 WAgreementDestinationPanel.java, 1.1.1.1, 1.2 WAgreementSummaryPanel.java, 1.
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23221/directoryconsole/src/com/netscape/admin/dirserv/panel/replication
Modified Files:
ActiveDirectoryAgreement.java AgreementDestinationPanel.java
AgreementPanel.java AgreementWizard.java
AgreementWizardInfo.java IReplicationAgreement.java
MMRAgreement.java ReplicationAgreement.java
ReplicationTool.java WAgreementDestinationPanel.java
WAgreementSummaryPanel.java
WindowsAgreementDestinationPanel.java
WindowsAgreementWizard.java WindowsAgreementWizardInfo.java
replication.properties
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - console replication changes
Reviewed by: nkinder (Thanks!)
Fix Description: This adds support for starttls, gssapi, and digest to the console for setting up replication agreements.
1) Instead of a checkbox for use ssl, I added 3 radio buttons - no ssl, regular ldaps, starttls - note: active directory supports starttls
2) To the ssl auth and simple auth radio buttons, I added gssapi and digest. The logic works like this: gssapi is only allowed when using regular ldap; digest and simple bind are always allowed; ssl auth is only allowed with one of the ssl options. gssapi allows an empty bind dn and password, but digest and simple require a bind dn and password. NOTE: we do not support anything other than simple bind with active directory in the GUI
I also changed the wording a little bit, and added tool tips (which will hopefully not be too annoying)
I did not add additional checking e.g. the console cannot verify that kerberos is set up properly
Platforms tested: RHEL5
Flag Day: no
Doc impact: oh yes
Index: ActiveDirectoryAgreement.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ActiveDirectoryAgreement.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- ActiveDirectoryAgreement.java 18 Jul 2005 00:56:06 -0000 1.1.1.1
+++ ActiveDirectoryAgreement.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -149,6 +149,7 @@
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.REPLICA_TRANSPORT_ATTR)) {
setUseSSL(val);
+ setUseStartTLS(val);
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.MMR_NAME_ATTR)) {
cn = val;
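Review bot: `setUseSSL(val)` and `setUseStartTLS(val)` are both fed the same transport attribute value, so whether the two flags stay mutually exclusive depends entirely on each setter comparing `val` against its own transport constant, which is not visible here. A comment such as `// both setters compare val against their own transport constant; at most one becomes true` would make that contract explicit, and the write-back hunk below (which prefers StartTLS when both flags are set) relies on it. The enclosing method starts outside the hunk.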
@@ -248,13 +249,18 @@
newAttrs.add(attr);
}
- if( useSSL ) {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
- ReplicationTool.REPLICA_TRANSPORT_SSL );
+ if( useSSL || useStartTLS ) {
+ if (useStartTLS) {
+ attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_TLS );
+ } else {
+ attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_SSL );
+ }
newAttrs.add(attr);
}
- if( useSSL && useSSLAuth ) {
+ if( (useSSL || useStartTLS) && useSSLAuth ) {
attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH );
newAttrs.add(attr);
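Review bot: The nested `if (useStartTLS) { ... } else { ... }` inside `if( useSSL || useStartTLS )` builds the same `LDAPAttribute` with only the value differing; a conditional expression keeps it to one construction, `attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, useStartTLS ? ReplicationTool.REPLICA_TRANSPORT_TLS : ReplicationTool.REPLICA_TRANSPORT_SSL);`. The precedence of StartTLS over SSL when both flags happen to be set is a silent choice; a one-line comment saying so would help. The enclosing method starts outside the hunk.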
Index: AgreementDestinationPanel.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementDestinationPanel.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- AgreementDestinationPanel.java 18 Jul 2005 00:56:06 -0000 1.1.1.1
+++ AgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -82,20 +82,55 @@
_myPanel.setLayout(new GridBagLayout());
_myPanel.setBackground(getBackground());
+ //connection radio buttons
+ ButtonGroup connGroup = new ButtonGroup();
+ //plain old ldap button
+ _noEncrypt = makeJRadioButton(_resource.getString(
+ "replication-destination-noEncrypt","label"));
+ _noEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-noEncrypt","ttip"));
+ connGroup.add(_noEncrypt);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx = 1.0;
+ _myPanel.add(_noEncrypt, gbc);
+
//ssl check box
- _sslEncrypt = makeJCheckBox(_resource.getString(
+ _sslEncrypt = makeJRadioButton(_resource.getString(
"replication-destination-sslEncrypt","label"));
+ _sslEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-sslEncrypt","ttip"));
+ connGroup.add(_sslEncrypt);
ReplicationTool.resetGBC(gbc);
- gbc.anchor = gbc.WEST;
+ gbc.anchor = gbc.WEST;
gbc.gridwidth = gbc.REMAINDER;
gbc.fill = gbc.NONE;
gbc.weightx=1.0;
_myPanel.add(_sslEncrypt, gbc);
+ //tls check box
+ _tlsEncrypt = makeJRadioButton(_resource.getString(
+ "replication-destination-startTLS","label"));
+ _tlsEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-startTLS","ttip"));
+ connGroup.add(_tlsEncrypt);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx=1.0;
+ _myPanel.add(_tlsEncrypt, gbc);
+
/* add DSEntry to correctly update field
coloring and buttons enabling/disabling */
+ _ldapDSEntry = new DSEntryBoolean ("on", _noEncrypt);
+ setComponentTable(_noEncrypt, _ldapDSEntry);
_sslDSEntry = new DSEntryBoolean ("off", _sslEncrypt);
setComponentTable(_sslEncrypt, _sslDSEntry);
+ _tlsDSEntry = new DSEntryBoolean ("off", _tlsEncrypt);
+ setComponentTable(_tlsEncrypt, _tlsDSEntry);
//auth using label
JLabel auth = makeJLabel(_resource.getString(
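Review bot: The new comment `//tls check box` above `_tlsEncrypt` describes a check box, but the control is a `JRadioButton`; the retained `//ssl check box` line is equally stale now that `_sslEncrypt` is made with `makeJRadioButton`. Suggest `//startTLS radio button` and `//ldaps radio button`. The three radio setups repeat the same GridBag sequence (`resetGBC`, `anchor`, `gridwidth`, `fill`, `weightx`, `add`); a small helper taking the button, the `ButtonGroup` and the target panel would remove the duplication. The enclosing method starts outside the hunk.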
@@ -116,40 +151,80 @@
gbc.insets = new Insets(0,0,0,0);
_myPanel.add(authModePanel, gbc);
- //ssl auth radio button
- ButtonGroup authGroup = new ButtonGroup();
- _sslAuth = makeJRadioButton(_resource.getString(
- "replication-destination-sslClientAuth","label"));
- authGroup.add(_sslAuth);
- ReplicationTool.resetGBC(gbc);
- gbc.anchor = gbc.WEST;
- gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
- gbc.weightx=1.0;
- authModePanel.add(_sslAuth, gbc);
-
- /* add DSEntry to correctly update field
- coloring and buttons enabling/disabling */
- _sslAuthDSEntry = new DSEntryBoolean ("off", _sslAuth);
- setComponentTable(_sslAuth, _sslAuthDSEntry);
+ if(_agreement.getAgreementType() != ReplicationAgreement.AGREEMENT_TYPE_AD) {
+ //ssl auth radio button
+ ButtonGroup authGroup = new ButtonGroup();
+ _sslAuth = makeJRadioButton(_resource.getString(
+ "replication-destination-sslClientAuth","label"));
+ _sslAuth.setToolTipText(_resource.getString(
+ "replication-destination-sslClientAuth","ttip"));
+ authGroup.add(_sslAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx=1.0;
+ authModePanel.add(_sslAuth, gbc);
+
+ /* add DSEntry to correctly update field
+ coloring and buttons enabling/disabling */
+ _sslAuthDSEntry = new DSEntryBoolean ("off", _sslAuth);
+ setComponentTable(_sslAuth, _sslAuthDSEntry);
+
+ //gssapi auth radio button
+ _gssapiAuth = makeJRadioButton(_resource.getString(
+ "replication-destination-gssapiAuth","label"));
+ _gssapiAuth.setToolTipText(_resource.getString(
+ "replication-destination-gssapiAuth","ttip"));
+ authGroup.add(_gssapiAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx = 1.0;
+ authModePanel.add(_gssapiAuth, gbc);
- //simple auth radio button
- _simpAuth = makeJRadioButton(_resource.getString(
- "replication-destination-simpleAuth","label"));
- authGroup.add(_simpAuth);
- ReplicationTool.resetGBC(gbc);
- gbc.insets.top = 0;
- gbc.anchor = gbc.WEST;
- gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
- gbc.weightx=1.0;
- authModePanel.add(_simpAuth, gbc);
+ /* add DSEntry to correctly update field
+ coloring and buttons enabling/disabling */
+ _gssapiAuthDSEntry = new DSEntryBoolean ("off", _gssapiAuth);
+ setComponentTable(_gssapiAuth, _gssapiAuthDSEntry);
+
+ //digest auth radio button
+ _digestAuth = makeJRadioButton(_resource.getString(
+ "replication-destination-digestAuth","label"));
+ _digestAuth.setToolTipText(_resource.getString(
+ "replication-destination-digestAuth","ttip"));
+ authGroup.add(_digestAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx = 1.0;
+ authModePanel.add(_digestAuth, gbc);
- /* add DSEntry to correctly update field
- coloring and buttons enabling/disabling */
- _simpAuthDSEntry = new DSEntryBoolean ("on", _simpAuth);
- setComponentTable(_simpAuth, _simpAuthDSEntry);
+ /* add DSEntry to correctly update field
+ coloring and buttons enabling/disabling */
+ _digestAuthDSEntry = new DSEntryBoolean ("off", _digestAuth);
+ setComponentTable(_digestAuth, _digestAuthDSEntry);
+
+ //simple auth radio button
+ _simpAuth = makeJRadioButton(_resource.getString(
+ "replication-destination-simpleAuth","label"));
+ authGroup.add(_simpAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.insets.top = 0;
+ gbc.anchor = gbc.WEST;
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.NONE;
+ gbc.weightx=1.0;
+ authModePanel.add(_simpAuth, gbc);
+ /* add DSEntry to correctly update field
+ coloring and buttons enabling/disabling */
+ _simpAuthDSEntry = new DSEntryBoolean ("on", _simpAuth);
+ setComponentTable(_simpAuth, _simpAuthDSEntry);
+ }
+
//simp panel
JPanel simpPanel = new JPanel(new GridBagLayout());
ReplicationTool.resetGBC(gbc);
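Review bot: Wrapping the auth-method radios in `if(_agreement.getAgreementType() != ReplicationAgreement.AGREEMENT_TYPE_AD)` leaves `_simpAuth`, `_sslAuth`, `_gssapiAuth` and `_digestAuth` null for Active Directory agreements, and nothing in the code says that this is how "simple bind only" is expressed for AD. A comment at the branch, `// AD agreements support simple bind only, so no auth-method radios are shown; callers null-check these fields`, would spare the next reader from tracing the null checks elsewhere in the panel. `_simpAuth` is also the only one of the four radios without a `setToolTipText` call. The enclosing method starts outside the hunk.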
@@ -202,7 +277,7 @@
/* add DSEntry to correctly update field
coloring and buttons enabling/disabling */
- _pwdDSEntry = new DSEntryTextStrict ("", _pwdText, _pwd);
+ _pwdDSEntry = new pwdDSEntry ("", _pwdText, _pwd);
setComponentTable(_pwdText, _pwdDSEntry);
if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD){
@@ -275,9 +350,13 @@
}
private void enableFields(){
- _sslEncrypt.setEnabled(false);
- _sslAuth.setEnabled(_sslEncrypt.isSelected());
- _simpAuth.setEnabled(_sslEncrypt.isSelected());
+ boolean ssl = _sslEncrypt.isSelected() || _tlsEncrypt.isSelected();
+ if (_sslAuth != null) {
+ _sslAuth.setEnabled(ssl);
+ }
+ if (_gssapiAuth != null) {
+ _gssapiAuth.setEnabled(!ssl);
+ }
}
@@ -298,35 +377,81 @@
}
//========= ACTIONLISTENER =================
- public void actionPerformed(ActionEvent e) {
- if (e.getSource().equals(_sslAuth)) {
- if (_sslAuth.isSelected()) {
- //disable
- enableSimpleAuth (false);
- }
- }
- if (e.getSource().equals(_simpAuth)) {
- if (_simpAuth.isSelected()) {
- //enable
- enableSimpleAuth (true);
- }
+ public void actionPerformed(ActionEvent e) {
+ _bindDSEntry.setSkipCheck(false);
+ _pwdDSEntry.setSkipCheck(false);
+ if (e.getSource().equals(_sslAuth) && _sslAuth.isSelected()) {
+ setDirtyFlag();
+ //disable
+ enableSimpleAuth (false);
+ }
+ if (e.getSource().equals(_gssapiAuth) && _gssapiAuth.isSelected()) {
+ setDirtyFlag();
+ // enable
+ enableSimpleAuth (true);
+ // requires ldap
+ _noEncrypt.setSelected(true);
+ /* set to use non-SSL port LDAP */
+ _portAttr = ATTR_PORT;
+ _bindDSEntry.setSkipCheck(true);
+ _pwdDSEntry.setSkipCheck(true);
+ }
+ if (e.getSource().equals(_simpAuth) && _simpAuth.isSelected()) {
+ setDirtyFlag();
+ //enable
+ enableSimpleAuth (true);
+ }
+ if (e.getSource().equals(_digestAuth) && _digestAuth.isSelected()) {
+ setDirtyFlag();
+ //enable
+ enableSimpleAuth (true);
+ }
+
+ if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) {
+ setDirtyFlag();
+ //disable
+ if (_sslAuth != null) {
+ _sslAuth.setEnabled(false);
+ }
+ //enable
+ if ((_sslAuth != null) && _sslAuth.isSelected() && (_simpAuth != null)) {
+ // have to select something else
+ _simpAuth.setSelected(true);
+ }
+ enableSimpleAuth(true);
+ if (_gssapiAuth != null) {
+ _gssapiAuth.setEnabled(true);
+ }
+ if (_digestAuth != null) {
+ _digestAuth.setEnabled(true);
+ }
+
+ /* set to use non-SSL port */
+ _portAttr = ATTR_PORT;
+ }
+ boolean ssl_selected = false;
+ if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) {
+ /* set to use SSL port */
+ _portAttr = ATTR_SSL_PORT;
+ ssl_selected = true;
}
- if (e.getSource().equals(_sslEncrypt)) {
- setDirtyFlag();
- if (_sslEncrypt.isSelected()) {
- //enable
- _sslAuth.setEnabled(true);
-
- _portAttr = ATTR_SSL_PORT;
- } else {
- //disable
- _sslAuth.setEnabled(false);
- //enable
- _simpAuth.setSelected(true);
- enableSimpleAuth (true);
-
- _portAttr = ATTR_PORT;
- }
+ if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) {
+ /* set to use non-SSL port for startTLS */
+ _portAttr = ATTR_PORT;
+ ssl_selected = true;
+ }
+ if (ssl_selected) {
+ if (_sslAuth != null) {
+ _sslAuth.setEnabled(true);
+ }
+ if (_gssapiAuth != null) {
+ _gssapiAuth.setEnabled(false);
+ if (_gssapiAuth.isSelected()) {
+ // have to select something else
+ _simpAuth.setSelected(true);
+ enableSimpleAuth(true);
+ }
+ }
}
super.actionPerformed (e);
}
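Review bot: `_bindDSEntry.setSkipCheck(false)` and `_pwdDSEntry.setSkipCheck(false)` at the top of `actionPerformed` reset the flags on every event, but they are set back to true only when the event source is `_gssapiAuth`; any later event from another control while GSSAPI stays selected (for instance a click on the already-selected `_noEncrypt`) re-enables the empty bind DN/password checks for a mode that allows them to be empty. Deriving the flags from the current selection instead of the event source removes the ordering dependency: `boolean gss = (_gssapiAuth != null) && _gssapiAuth.isSelected();` followed by `_bindDSEntry.setSkipCheck(gss); _pwdDSEntry.setSkipCheck(gss);` placed just before `super.actionPerformed (e)`. Selecting GSSAPI also silently switches the transport via `_noEncrypt.setSelected(true)`; a short comment that this is deliberate because GSSAPI is only offered over plain LDAP would help.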
@@ -351,34 +476,30 @@
public void getUpdateInfo( Object inf ) {
AgreementWizardInfo info = (AgreementWizardInfo)inf;
- if (_sslEncrypt.isSelected())
- info.setSSL(true);
- else
- info.setSSL(false);
+ info.setStartTLS(_tlsEncrypt.isSelected());
+ info.setSSL(_sslEncrypt.isSelected());
+ info.setSSLAuth( (_sslAuth != null) && _sslAuth.isSelected() );
+ info.setGSSAPIAuth( (_gssapiAuth != null) && _gssapiAuth.isSelected() );
+ info.setDigestAuth( (_digestAuth != null) && _digestAuth.isSelected() );
- if (!_sslAuth.isSelected()) {
- info.setBindDN(_bindText.getText());
- info.setBindPWD(_pwdText.getText());
- info.setSSLAuth( false );
- if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD)
- {
- if(_newWinUserSyncCB.isSelected())
- {
- info.setNewWinUserSync("on");
- }else{
- info.setNewWinUserSync("off");
- }
- if(_newWinGroupSyncCB.isSelected())
- {
- info.setNewWinGroupSync("on");
- }else{
- info.setNewWinGroupSync("off");
- }
- }
- } else {
+ if (info.getSSLAuth()) {
info.setBindDN("");
info.setBindPWD("");
- info.setSSLAuth( true );
+ } else {
+ info.setBindDN(_bindText.getText());
+ info.setBindPWD(_pwdText.getText());
+ }
+ if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD) {
+ if(_newWinUserSyncCB.isSelected()) {
+ info.setNewWinUserSync("on");
+ }else{
+ info.setNewWinUserSync("off");
+ }
+ if(_newWinGroupSyncCB.isSelected()) {
+ info.setNewWinGroupSync("on");
+ }else{
+ info.setNewWinGroupSync("off");
+ }
}
}
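Review bot: `info.setBindPWD(_pwdText.getText())` reads the password through `JPasswordField.getText()`, which is deprecated in favour of `getPassword()` precisely because it materialises the secret as an immutable `String`; `_pwdText` is declared a `JPasswordField` in this class. If `setBindPWD` must take a `String`, `info.setBindPWD(new String(_pwdText.getPassword()));` is the minimal change and at least avoids the deprecated call. The rest of the rewrite (setting SSL/StartTLS/auth flags first and branching on `info.getSSLAuth()`) reads more clearly than the removed code.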
@@ -409,29 +530,35 @@
_origPwd = _agreement.getBindCredentials();
_origBindDN = _agreement.getBindDN();
}
- if (_agreement.getUseSSL()) {
- _sslDSEntry.fakeInitModel ("on");
- _sslEncrypt.setSelected(true);
- _portAttr = ATTR_SSL_PORT;
-
- if (_agreement.getUseSSLAuth()) {
- //SSL client Auth
- enableSimpleAuth (false);
- _sslAuth.setEnabled(true);
- _sslAuthDSEntry.fakeInitModel ("on");
- _simpAuthDSEntry.fakeInitModel ("off");
-
- } else {
- //Simple Auth with SSL
- _sslAuth.setEnabled(true);
- _simpAuth.setSelected(true);
- _simpAuthDSEntry.fakeInitModel ("on");
- enableSimpleAuth (true);
- }
- } else {
- _portAttr = ATTR_PORT;
- setSimpAuth();
+ boolean ssl = _agreement.getUseSSL() || _agreement.getUseStartTLS();
+ _ldapDSEntry.fakeInitModel(ssl ? "off" : "on");
+ _noEncrypt.setSelected(!ssl);
+ _sslEncrypt.setSelected(_agreement.getUseSSL());
+ _sslDSEntry.fakeInitModel(_agreement.getUseSSL() ? "on" : "off");
+ _tlsEncrypt.setSelected(_agreement.getUseStartTLS());
+ _tlsDSEntry.fakeInitModel(_agreement.getUseStartTLS() ? "on" : "off");
+ _portAttr = _agreement.getUseSSL() ? ATTR_SSL_PORT : ATTR_PORT;
+
+ if (_sslAuth != null) {
+ _sslAuth.setEnabled(ssl);
+ _sslAuth.setSelected(_agreement.getUseSSLAuth());
+ _sslAuthDSEntry.fakeInitModel (_agreement.getUseSSLAuth() ? "on" : "off");
+ enableSimpleAuth (!_agreement.getUseSSLAuth());
+ }
+ if (_gssapiAuth != null) {
+ _gssapiAuth.setEnabled(!ssl);
+ _gssapiAuth.setSelected(_agreement.getUseGSSAPIAuth());
+ _gssapiAuthDSEntry.fakeInitModel (_agreement.getUseGSSAPIAuth() ? "on" : "off");
+ }
+ if (_digestAuth != null) {
+ _digestAuth.setSelected(_agreement.getUseDigestAuth());
+ _digestAuthDSEntry.fakeInitModel (_agreement.getUseDigestAuth() ? "on" : "off");
+ }
+ if (_simpAuth != null) {
+ _simpAuth.setEnabled(!_agreement.getUseSSLAuth());
+ _simpAuthDSEntry.fakeInitModel (_agreement.getUseSSLAuth() ? "on" : "off");
}
+
if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD){
if(((ActiveDirectoryAgreement)_agreement).getNewWinUserSync().compareTo("on") == 0){
_newWinUserSyncCB.setSelected(true);
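Review bot: `_simpAuthDSEntry.fakeInitModel (_agreement.getUseSSLAuth() ? "on" : "off")` inverts the previous behaviour (the removed lines set the simple-auth model to "off" under SSL client auth and "on" otherwise) and contradicts the `_simpAuth.setEnabled(!_agreement.getUseSSLAuth())` directly above it. The new block also never calls `_simpAuth.setSelected(...)`, so an agreement using plain simple bind comes up with no auth-method radio selected, whereas the removed code selected it. Suggest `boolean simple = !(_agreement.getUseSSLAuth() || _agreement.getUseGSSAPIAuth() || _agreement.getUseDigestAuth());` then `_simpAuth.setSelected(simple);` and `_simpAuthDSEntry.fakeInitModel(simple ? "on" : "off");`. Disabling `_simpAuth` when SSL client auth is configured also prevents switching such an agreement back to simple bind from this panel; if that is unintended, leave it enabled. The enclosing method starts outside the hunk.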
@@ -450,16 +577,6 @@
}
}
- /**
- * Set simple auth selection
- */
- private void setSimpAuth() {
- //Simple Auth no SSL
- _sslDSEntry.fakeInitModel ("off");
- _sslAuth.setEnabled(false);
- _simpAuthDSEntry.fakeInitModel ("on");
- }
-
private void enableSimpleAuth (boolean enable){
_bind.setEnabled(enable);
_bind.repaint(1);
@@ -485,6 +602,8 @@
class bindDSEntry extends DSEntryTextStrict
{
+ private boolean skipCheck = false;
+
bindDSEntry(String model, JComponent view1, JComponent view2) {
super (model, view1, view2);
}
@@ -496,15 +615,50 @@
/* disabled field is always valid */
if (!tf.isEnabled ())
return 0;
+
+ if (skipCheck) {
+ return 0;
+ }
if (!dn.equals ("") && DSUtil.isValidDN (dn))
return 0;
else
return 1;
}
+
+ public void setSkipCheck(boolean val) {
+ skipCheck = val;
+ }
}
- /*==========================================================
+ class pwdDSEntry extends DSEntryTextStrict
+ {
+ private boolean skipCheck = false;
+
+ pwdDSEntry(String model, JComponent view1, JComponent view2) {
+ super (model, view1, view2);
+ }
+
+ public int validate (){
+ JTextField tf = (JTextField) getView (0);
+ String dn = tf.getText ();
+
+ /* disabled field is always valid */
+ if (!tf.isEnabled ())
+ return 0;
+
+ if (skipCheck) {
+ return 0;
+ }
+ return super.validate();
+ }
+
+ public void setSkipCheck(boolean val) {
+ skipCheck = val;
+ }
+ }
+
+ /*==========================================================
* variables
*==========================================================*/
private ConsoleInfo _serverInfo;
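Review bot: In `pwdDSEntry.validate()` the local `String dn = tf.getText ()` copies the password field's contents into an unused `String` (only `tf.isEnabled ()` and `skipCheck` are consulted before delegating to `super.validate()`), and the name `dn` is misleading for a password; drop that line. `pwdDSEntry` otherwise duplicates `bindDSEntry`'s `skipCheck` field, `setSkipCheck` setter and early return; a shared `DSEntryTextStrict` subclass holding the flag, with both entry classes extending it, would keep the two in step. The `bindDSEntry.validate()` method edited at the top of the hunk starts outside it.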
@@ -517,20 +671,25 @@
private boolean refreshed = false;
JTextField _bindText;
- private JCheckBox _sslEncrypt, _newWinUserSyncCB, _newWinGroupSyncCB;
- private JRadioButton _simpAuth, _sslAuth;
+ private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt;
+ private JCheckBox _newWinUserSyncCB, _newWinGroupSyncCB;
+ private JRadioButton _simpAuth = null, _sslAuth = null, _gssapiAuth = null, _digestAuth = null;
JPasswordField _pwdText;
private JLabel _bind, _pwd, _newWinUserSync, _newWinGroupSync;
private JFrame _frame;
private ImageIcon _icon;
private bindDSEntry _bindDSEntry;
- private DSEntryTextStrict _pwdDSEntry;
+ private pwdDSEntry _pwdDSEntry;
private DSEntryBoolean _newUserDSEntry;
private DSEntryBoolean _newGroupDSEntry;
+ private DSEntryBoolean _ldapDSEntry;
private DSEntryBoolean _sslDSEntry;
- private DSEntryBoolean _sslAuthDSEntry;
- private DSEntryBoolean _simpAuthDSEntry;
+ private DSEntryBoolean _tlsDSEntry;
+ private DSEntryBoolean _sslAuthDSEntry = null;
+ private DSEntryBoolean _simpAuthDSEntry = null;
+ private DSEntryBoolean _gssapiAuthDSEntry = null;
+ private DSEntryBoolean _digestAuthDSEntry = null;
private String _origBindDN;
private String _origPwd;
Index: AgreementPanel.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementPanel.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- AgreementPanel.java 18 Jul 2005 00:56:06 -0000 1.1.1.1
+++ AgreementPanel.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -131,6 +131,7 @@
// Determine whether SSL is used and what type.
info.setSSL(_adAgreement.getUseSSL());
+ info.setStartTLS(_adAgreement.getUseStartTLS());
info.setSSLAuth(_adAgreement.getUseSSLAuth());
// Set the description.
@@ -254,8 +255,11 @@
_agreement.setReplicatedSubtree(info.getSubtree());
_agreement.setUpdateSchedule(info.getDate());
_agreement.setUseSSL(info.getSSL());
+ _agreement.setUseStartTLS(info.getStartTLS());
_agreement.setUseSSLAuth( info.getSSLAuth());
-
+ _agreement.setUseGSSAPIAuth( info.getGSSAPIAuth());
+ _agreement.setUseDigestAuth( info.getDigestAuth());
+
if (info.getBindDN().equals("")) {
_agreement.setBindDN(null);
} else {
Index: AgreementWizard.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementWizard.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- AgreementWizard.java 18 Jul 2005 00:56:07 -0000 1.1.1.1
+++ AgreementWizard.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -20,6 +20,7 @@
package com.netscape.admin.dirserv.panel.replication;
import java.awt.*;
+
import com.netscape.admin.dirserv.wizard.*;
import javax.swing.*;
import com.netscape.management.client.util.*;
@@ -37,7 +38,7 @@
public class AgreementWizard extends WizardWidget {
public AgreementWizard(JFrame parent, AgreementWizardInfo info) {
- super(parent, _resource.getString("replication-agreementWizard","label"));
+ super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,550));
getAccessibleContext().setAccessibleDescription(_resource.getString("replication-agreementWizard",
"description"));
//parent.setIconImage(ReplicationTool.getImage(_resource.getString("replication-agreementWizard","frameIcon")).getImage());
@@ -62,6 +63,7 @@
}
info.setSubtree(info.getCopyAgreement().getReplicatedSubtree());
info.setSSL(info.getCopyAgreement().getUseSSL());
+ info.setStartTLS(info.getCopyAgreement().getUseStartTLS());
if (info.getCopyAgreement().getBindDN()!= null) {
info.setBindDN(info.getCopyAgreement().getBindDN());
} else {
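Review bot: The copy path at L1797 mirrors the start-TLS flag but not the two new bind-method flags, so an agreement copied from one that used SASL would, unless those flags are copied further down outside this hunk, come up in the wizard as simple auth. If `getUseSSLAuth()` is copied elsewhere in this method, the new flags belong next to it: `info.setGSSAPIAuth(info.getCopyAgreement().getUseGSSAPIAuth());` and `info.setDigestAuth(info.getCopyAgreement().getUseDigestAuth());`. The enclosing method starts and ends outside the hunk.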
Index: AgreementWizardInfo.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementWizardInfo.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- AgreementWizardInfo.java 18 Jul 2005 00:56:07 -0000 1.1.1.1
+++ AgreementWizardInfo.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -213,6 +213,18 @@
return false;
}
+ //ssl
+ void setStartTLS(boolean type) {
+ _content.put(AGREEMENT_EXTENSION+"startTLS", new Boolean(type));
+ }
+
+ boolean getStartTLS() {
+ if (_content.get(AGREEMENT_EXTENSION+"startTLS")!= null)
+ return ((Boolean)_content.get(AGREEMENT_EXTENSION+"startTLS")).booleanValue();
+ else
+ return false;
+ }
+
//Auth type
void setSSLAuth(boolean type) {
_content.put(AGREEMENT_EXTENSION+"sslauth", new Boolean(type));
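Review bot: The label comment `//ssl` at L1812 sits above the new start-TLS accessors and reads as a copy of the SSL block's label; `//startTLS` matches the key these two methods use. The identical `//Auth type` labels at L1824, L1830 and L1842 (next hunk) likewise do not say which method each pair handles; `//Auth type: SSL client auth`, `//Auth type: SASL/GSSAPI` and `//Auth type: SASL/DIGEST-MD5` would.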
@@ -225,6 +237,30 @@
return false;
}
+ //Auth type
+ void setGSSAPIAuth(boolean type) {
+ _content.put(AGREEMENT_EXTENSION+"gssapi", new Boolean(type));
+ }
+
+ boolean getGSSAPIAuth() {
+ if (_content.get(AGREEMENT_EXTENSION+"gssapi")!= null)
+ return ((Boolean)_content.get(AGREEMENT_EXTENSION+"gssapi")).booleanValue();
+ else
+ return false;
+ }
+
+ //Auth type
+ void setDigestAuth(boolean type) {
+ _content.put(AGREEMENT_EXTENSION+"digest", new Boolean(type));
+ }
+
+ boolean getDigestAuth() {
+ if (_content.get(AGREEMENT_EXTENSION+"digest")!= null)
+ return ((Boolean)_content.get(AGREEMENT_EXTENSION+"digest")).booleanValue();
+ else
+ return false;
+ }
+
//bindDN
void setBindDN(String dn) {
if (dn != null) {
@@ -390,12 +426,20 @@
buf.append(" ");
buf.append(_resource.getString("replication-destination-sslEncrypt","label")+"\n");
}
+ if (getStartTLS()) {
+ buf.append(" ");
+ buf.append(_resource.getString("replication-destination-startTLS","label")+"\n");
+ }
//bind info
buf.append(" ");
buf.append(_resource.getString("replication-destination-authUsing","label")+" ");
if (getSSL() && getSSLAuth()) {
buf.append(_resource.getString("replication-destination-sslClientAuth","label")+"\n");
+ } else if (getGSSAPIAuth()) {
+ buf.append(_resource.getString("replication-destination-gssapiAuth","label")+"\n");
+ } else if (getDigestAuth()) {
+ buf.append(_resource.getString("replication-destination-digestAuth","label")+"\n");
} else {
buf.append(_resource.getString("replication-destination-simpleAuth","label")+"\n");
}
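Review bot: The summary at L1868 reports SSL client auth only when `getSSL()` is true, yet the destination panel in this same commit (WAgreementDestinationPanel.getUpdateInfo) sets the sslauth flag for both the SSL and the start-TLS transport, so a start-TLS agreement with client-cert auth is summarised here as simple auth. Change the condition to `if ((getSSL() || getStartTLS()) && getSSLAuth()) {`. The enclosing method starts outside the hunk.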
Index: IReplicationAgreement.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/IReplicationAgreement.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- IReplicationAgreement.java 18 Jul 2005 00:56:07 -0000 1.1.1.1
+++ IReplicationAgreement.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -157,6 +157,21 @@
public String[] getUpdateScheduleStrings();
/**
+ * Set the useStartTLS flag
+ */
+ public void setUseStartTLS(String val);
+
+ /**
+ * Set the useSSL flag
+ */
+ public void setUseStartTLS(boolean val);
+
+ /**
+ * Get the useSSL flag
+ */
+ public boolean getUseStartTLS();
+
+ /**
* Set the useSSL flag
*/
public void setUseSSL(String val);
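Review bot: The Javadoc for `setUseStartTLS(boolean)` at L1893 and `getUseStartTLS()` at L1898 says "useSSL flag", a copy-paste from the SSL accessors below; it should read `* Set the useStartTLS flag` and `* Get the useStartTLS flag`. The same mistaken text is repeated on the implementations in ReplicationAgreement.java at L2094 and L2101.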
@@ -172,6 +187,51 @@
public boolean getUseSSL();
/**
+ * Set the sslAuth flag
+ */
+ public void setUseSSLAuth(String val);
+
+ /**
+ * Set the sslAuth flag
+ */
+ public void setUseSSLAuth(boolean val);
+
+ /**
+ * Get the sslAuth flag
+ */
+ public boolean getUseSSLAuth();
+
+ /**
+ * Set the GSSAPIAuth flag
+ */
+ public void setUseGSSAPIAuth(String val);
+
+ /**
+ * Set the GSSAPIAuth flag
+ */
+ public void setUseGSSAPIAuth(boolean val);
+
+ /**
+ * Get the GSSAPIAuth flag
+ */
+ public boolean getUseGSSAPIAuth();
+
+ /**
+ * Set the DigestAuth flag
+ */
+ public void setUseDigestAuth(String val);
+
+ /**
+ * Set the DigestAuth flag
+ */
+ public void setUseDigestAuth(boolean val);
+
+ /**
+ * Get the DigestAuth flag
+ */
+ public boolean getUseDigestAuth();
+
+ /**
* Get the CN (common name) of this entry
*/
public String getEntryCN();
Index: MMRAgreement.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/MMRAgreement.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- MMRAgreement.java 18 Jul 2005 00:56:07 -0000 1.1.1.1
+++ MMRAgreement.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -20,6 +20,7 @@
package com.netscape.admin.dirserv.panel.replication;
import netscape.ldap.*;
+
import com.netscape.management.client.util.Debug;
import com.netscape.management.client.util.ResourceSet;
import com.netscape.management.client.console.ConsoleInfo;
@@ -156,12 +157,15 @@
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.REPLICA_TRANSPORT_ATTR)) {
setUseSSL(val);
+ setUseStartTLS(val);
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.MMR_NAME_ATTR)) {
cn = val;
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.REPLICA_BINDMETHOD_ATTR)) {
setUseSSLAuth(val);
+ setUseGSSAPIAuth(val);
+ setUseDigestAuth(val);
} else if (attr.getName().equalsIgnoreCase(
ReplicationTool.REPLICA_REFRESH_ATTR)) {
setORCValue(val);
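Review bot: The order of `setUseSSL(val);` and the added `setUseStartTLS(val);` at L1975–L1976 is significant and deserves a comment: `setUseStartTLS(String)` in ReplicationAgreement (this commit) clears `useSSL` when the value is TLS, so swapping the two lines would leave both flags set. Suggested: `// order matters: setUseStartTLS() resets useSSL when the transport value is TLS`. The three bind-method setters at L1982–L1984 each decide only their own flag from the single attribute value, which a one-line comment would also make clear. The enclosing method extends beyond the hunk.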
@@ -224,22 +228,30 @@
newAttrs.add(attr);
}
- if( useSSL ) {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
- ReplicationTool.REPLICA_TRANSPORT_SSL );
- newAttrs.add(attr);
-
- }
- if( useSSL && useSSLAuth ) {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
- ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH );
- newAttrs.add(attr);
+ if ( useStartTLS ) {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_TLS ));
+ } else if ( useSSL ) {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_SSL ));
+ } else {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_LDAP ));
+ }
+
+ if ( useSSLAuth ) {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH ));
+ } else if ( useGSSAPIAuth ) {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI ));
+ } else if ( useDigestAuth ) {
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5 ));
} else {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
- ReplicationTool.REPLICA_BINDMETHOD_SIMPLE );
- newAttrs.add(attr);
+ newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SIMPLE ));
}
-
// XXXggood filtered and selective attribute attributes would
// get written
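Review bot: `if ( useSSLAuth )` at L2012 drops the `useSSL &&` guard the removed L1997 had, so an agreement whose flags say SSL client auth but plain-LDAP transport is now written with a SSLCLIENTAUTH bind method on top of an LDAP transport; the same unguarded chain is repeated in writeToServer at L2053. The wizard panel does clear the flag for plain LDAP, but this class is also populated from the server entry and through the boolean setters, which enforce nothing. Keep the invariant here, `if ( useSSLAuth && (useSSL || useStartTLS) ) {`, or reject the combination before the attribute list is built. The enclosing method continues before and after the hunk.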
@@ -327,14 +339,30 @@
}
Debug.println("MMRAgreement.writeToServer: useSSLAuth="+ useSSLAuth );
- if( useSSLAuth ) {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
- ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH );
- } else {
- attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
- ReplicationTool.REPLICA_BINDMETHOD_SIMPLE );
- }
- mods.add(LDAPModification.REPLACE, attr);
+ if ( useStartTLS ) {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_TLS ));
+ } else if ( useSSL ) {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_SSL ));
+ } else {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR,
+ ReplicationTool.REPLICA_TRANSPORT_LDAP ));
+ }
+
+ if ( useSSLAuth ) {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH ));
+ } else if ( useGSSAPIAuth ) {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI ));
+ } else if ( useDigestAuth ) {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5 ));
+ } else {
+ mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR,
+ ReplicationTool.REPLICA_BINDMETHOD_SIMPLE ));
+ }
String[] sched = getUpdateScheduleStrings();
attr = new LDAPAttribute(ReplicationTool.REPLICA_SCHEDULE_ATTR);
Index: ReplicationAgreement.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ReplicationAgreement.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- ReplicationAgreement.java 2 Jul 2007 19:44:09 -0000 1.2
+++ ReplicationAgreement.java 24 Nov 2008 16:09:23 -0000 1.3
@@ -337,6 +337,34 @@
return useSSL;
}
+ /**
+ * Set the useStartTLS flag
+ */
+ public void setUseStartTLS(String val) {
+ Debug.println(8,"ReplicationAgreement.useStartTLS() val = " + val);
+ if ((val != null) && val.equals(ReplicationTool.REPLICA_TRANSPORT_TLS)) {
+ useStartTLS = true;
+ useSSL = false;
+ } else {
+ useStartTLS = false;
+ }
+ Debug.println(8,"ReplicationAgreement.useStartTLS() = " + useStartTLS );
+ }
+
+ /**
+ * Set the useSSL flag
+ */
+ public void setUseStartTLS(boolean val) {
+ useStartTLS = val;
+ }
+
+ /**
+ * Get the useSSL flag
+ */
+ public boolean getUseStartTLS() {
+ return useStartTLS;
+ }
+
/**
* Set the setUseSSLAuth flag
*/
@@ -364,6 +392,59 @@
return useSSLAuth;
}
+ /**
+ * Set the setUseGSSAPIAuth flag
+ */
+ public void setUseGSSAPIAuth(String val) {
+ if (val.equalsIgnoreCase("true")) {
+ useGSSAPIAuth = true;
+ } else if (val.equals(ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI)) {
+ useGSSAPIAuth = true;
+ } else {
+ useGSSAPIAuth = false;
+ }
+ }
+
+ /**
+ * Set the setUseGSSAPIAuth flag
+ */
+ public void setUseGSSAPIAuth(boolean val) {
+ useGSSAPIAuth = val;
+ }
+
+ /**
+ * Get the setUseGSSAPIAuth flag
+ */
+ public boolean getUseGSSAPIAuth() {
+ return useGSSAPIAuth;
+ }
+
+ /**
+ * Set the setUseDigestAuth flag
+ */
+ public void setUseDigestAuth(String val) {
+ if (val.equalsIgnoreCase("true")) {
+ useDigestAuth = true;
+ } else if (val.equals(ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5)) {
+ useDigestAuth = true;
+ } else {
+ useDigestAuth = false;
+ }
+ }
+
+ /**
+ * Set the setUseDigestAuth flag
+ */
+ public void setUseDigestAuth(boolean val) {
+ useDigestAuth = val;
+ }
+
+ /**
+ * Get the setUseDigestAuth flag
+ */
+ public boolean getUseDigestAuth() {
+ return useDigestAuth;
+ }
/**
* Set the type of agreement.
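Review bot: `setUseGSSAPIAuth(String)` at L2117 and `setUseDigestAuth(String)` at L2144 call `val.equalsIgnoreCase("true")` without the `val != null` guard that `setUseStartTLS(String)` has at L2084, and the reader hunk at L2173–L2180 passes them `DSUtil.getAttrValue(entry, ReplicationTool.REPLICA_BINDMETHOD_ATTR)` directly, so an entry with no bind-method attribute would throw NullPointerException if that helper returns null for a missing attribute (the start-TLS guard suggests it can). A null-safe form is `useGSSAPIAuth = (val != null) && (val.equalsIgnoreCase("true") || val.equals(ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI));`, and the same shape for the digest setter with `REPLICA_BINDMETHOD_SASL_DIGEST_MD5`. A blank line is also missing between L2165 and L2166.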
@@ -1265,10 +1346,16 @@
ReplicationTool.REPLICA_CRED_ATTR);
setUseSSL(DSUtil.getAttrValue(entry,
- ReplicationTool.REPLICA_TRANSPORT_ATTR));
+ ReplicationTool.REPLICA_TRANSPORT_ATTR));
+ setUseStartTLS(DSUtil.getAttrValue(entry,
+ ReplicationTool.REPLICA_TRANSPORT_ATTR));
setUseSSLAuth(DSUtil.getAttrValue(entry,
ReplicationTool.REPLICA_BINDMETHOD_ATTR));
+ setUseGSSAPIAuth(DSUtil.getAttrValue(entry,
+ ReplicationTool.REPLICA_BINDMETHOD_ATTR));
+ setUseDigestAuth(DSUtil.getAttrValue(entry,
+ ReplicationTool.REPLICA_BINDMETHOD_ATTR));
String[] schedule = DSUtil.getAttrValues(entry,
ReplicationTool.REPLICA_SCHEDULE_ATTR);
@@ -1713,7 +1800,12 @@
ret += "\n";
ret += "Host: " + getRemoteHost() + "\n";
ret += "Port: " + getRemotePort() + "\n";
- ret += "Subtree: " + replicatedSubtree;
+ ret += "Subtree: " + replicatedSubtree + "\n";
+ ret += "SSL: " + useSSL + "\n";
+ ret += "TLS: " + useStartTLS + "\n";
+ ret += "SSL Client Auth: " + useSSLAuth + "\n";
+ ret += "SASL/GSSAPI Auth: " + useGSSAPIAuth + "\n";
+ ret += "SASL/Digest-MD5 Auth: " + useDigestAuth + "\n";
return ret;
}
@@ -1837,8 +1929,11 @@
protected String bindCredentials; // The credentials (password) used when connectin to the consumer.
protected Vector updateSchedule; // Schedule(s) for updates
//protected ReplicationAgreementEditor editor; // Reference to repl agrmt editor window. If null, no window is open
- protected boolean useSSL; // true if SSL should be used when connecting to replote server
- protected boolean useSSLAuth; // true if useSSL and strong auth by SSL required
+ protected boolean useSSL; // true if SSL should be used when connecting to remote server
+ protected boolean useStartTLS; // true if startTLS should be used when connecting to remote server
+ protected boolean useSSLAuth; // true if useSSL and strong auth by SSL required
+ protected boolean useGSSAPIAuth; // true if using SASL/GSSAPI for auth
+ protected boolean useDigestAuth; // true if using SASL/Digest-MD5 for auth
protected int agreementType; // mmr or legacyr
//protected Vector namingContexts; // Naming contexts supported by the server
protected String orcValue; // non-null if replica is being reinitialized
Index: ReplicationTool.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ReplicationTool.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- ReplicationTool.java 18 Jul 2005 00:56:09 -0000 1.1.1.1
+++ ReplicationTool.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -105,13 +105,15 @@
final static String REPLICA_PORT_ATTR = "nsDS5ReplicaPort";
final static String REPLICA_TRANSPORT_ATTR = "nsDS5ReplicaTransportInfo";
final static String REPLICA_TRANSPORT_SSL = "SSL";
- final static String REPLICA_TRANSPORT_STARTTLS = "startTLS";
+ final static String REPLICA_TRANSPORT_TLS = "TLS";
final static String REPLICA_TRANSPORT_LDAP= "LDAP";
final static String REPLICA_CRED_ATTR = "nsDS5ReplicaCredentials";
final static String REPLICA_BINDMETHOD_ATTR = "nsDS5ReplicaBindMethod";
final static String REPLICA_REPLATTRS_ATTR = "nsDS5ReplicatedAttributeList";
final static String REPLICA_BINDMETHOD_SIMPLE = "SIMPLE";
final static String REPLICA_BINDMETHOD_SSLCLIENTAUTH = "SSLCLIENTAUTH";
+ final static String REPLICA_BINDMETHOD_SASL_GSSAPI = "SASL/GSSAPI";
+ final static String REPLICA_BINDMETHOD_SASL_DIGEST_MD5 = "SASL/DIGEST-MD5";
final static String REPLICA_SCHEDULE_ATTR = "nsDS5ReplicaUpdateSchedule";
final static String REPLICA_REFRESH_ATTR = "nsds5BeginReplicaRefresh";
final static String MMR_NAME_ATTR = "cn";
Index: WAgreementDestinationPanel.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WAgreementDestinationPanel.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- WAgreementDestinationPanel.java 18 Jul 2005 00:56:10 -0000 1.1.1.1
+++ WAgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -147,77 +147,143 @@
gbc.weightx = 1.0;
add(authPanel, gbc);
- //ssl check box
- _sslEncrypt = new JCheckBox(_resource.getString(
+ //connection radio buttons
+ ButtonGroup connGroup = new ButtonGroup();
+ //plain old ldap button
+ _noEncrypt = new JRadioButton(_resource.getString(
+ "replication-destination-noEncrypt","label"));
+ _noEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-noEncrypt","ttip"));
+ _noEncrypt.setSelected(true); // default is on
+ _noEncrypt.addActionListener(this);
+ connGroup.add(_noEncrypt);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.insets = new Insets(0, space, 0, different);
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.HORIZONTAL;
+ gbc.weightx = 1.0;
+ authPanel.add(_noEncrypt, gbc);
+
+ //ssl button
+ _sslEncrypt = new JRadioButton(_resource.getString(
"replication-destination-sslEncrypt","label"));
+ _sslEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-sslEncrypt","ttip"));
_sslEncrypt.addActionListener(this);
+ connGroup.add(_sslEncrypt);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0, space, different, different);
+ gbc.insets = new Insets(0, space, 0, different);
gbc.gridwidth = gbc.REMAINDER;
gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
authPanel.add(_sslEncrypt, gbc);
+ //tls button
+ _tlsEncrypt = new JRadioButton(_resource.getString(
+ "replication-destination-startTLS","label"));
+ _tlsEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-startTLS","ttip"));
+ _tlsEncrypt.addActionListener(this);
+ connGroup.add(_tlsEncrypt);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.insets = new Insets(0, space, space, different);
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.HORIZONTAL;
+ gbc.weightx = 1.0;
+ authPanel.add(_tlsEncrypt, gbc);
+
//auth using label
JLabel auth = new JLabel(_resource.getString(
"replication-destination-authUsing","label"));
- JPanel authModePanel = new JPanel(new GridBagLayout());
- gbc.insets = new Insets(0,0,0,0);
- authPanel.add(authModePanel, gbc);
- auth.setLabelFor(authModePanel);
-
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,space,different);
+ gbc.insets = new Insets(0,space,0,different);
gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
+ gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- authModePanel.add(auth, gbc);
+ authPanel.add(auth, gbc);
//ssl auth radio button
ButtonGroup authGroup = new ButtonGroup();
_sslAuth = new JRadioButton(_resource.getString(
"replication-destination-sslClientAuth","label"));
+ _sslAuth.setToolTipText(_resource.getString(
+ "replication-destination-sslClientAuth","ttip"));
_sslAuth.addActionListener(this);
authGroup.add(_sslAuth);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,0,different);
+ gbc.insets = new Insets(0,space,0,different);
gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
+ gbc.fill = gbc.HORIZONTAL;
+ gbc.weightx = 1.0;
+ authPanel.add(_sslAuth, gbc);
+
+ //gssapi auth radio button
+ _gssapiAuth = new JRadioButton(_resource.getString(
+ "replication-destination-gssapiAuth","label"));
+ _gssapiAuth.setToolTipText(_resource.getString(
+ "replication-destination-gssapiAuth","ttip"));
+ _gssapiAuth.addActionListener(this);
+ authGroup.add(_gssapiAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.insets = new Insets(0,space,0,different);
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.HORIZONTAL;
+ gbc.weightx = 1.0;
+ authPanel.add(_gssapiAuth, gbc);
+
+ //digest auth radio button
+ _digestAuth = new JRadioButton(_resource.getString(
+ "replication-destination-digestAuth","label"));
+ _digestAuth.setToolTipText(_resource.getString(
+ "replication-destination-digestAuth","ttip"));
+ _digestAuth.addActionListener(this);
+ authGroup.add(_digestAuth);
+ ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.WEST;
+ gbc.insets = new Insets(0,space,0,different);
+ gbc.gridwidth = gbc.REMAINDER;
+ gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- authModePanel.add(_sslAuth, gbc);
+ authPanel.add(_digestAuth, gbc);
//simple auth radio button
_simpAuth = new JRadioButton(_resource.getString(
"replication-destination-simpleAuth","label"));
+ _simpAuth.setToolTipText(_resource.getString(
+ "replication-destination-simpleAuth","ttip"));
_simpAuth.addActionListener(this);
authGroup.add(_simpAuth);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,0,different);
+ gbc.insets = new Insets(0,space,0,different);
gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
+ gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- authModePanel.add(_simpAuth, gbc);
+ authPanel.add(_simpAuth, gbc);
//simp panel
JPanel simpPanel = new JPanel();
simpPanel.setLayout(new GridBagLayout());
simpPanel.setBackground(getBackground());
ReplicationTool.resetGBC(gbc);
+ gbc.anchor = gbc.NORTH;
gbc.gridwidth = gbc.REMAINDER;
gbc.weightx=1.0;
gbc.insets = new Insets(0,0,0,0);
- authModePanel.add(simpPanel, gbc);
+ authPanel.add(simpPanel, gbc);
//bind as
_bind = new JLabel(_resource.getString(
"replication-destination-bindAs","label"));
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.EAST;
- gbc.insets = new Insets(0,70,space,different);
+ gbc.insets = new Insets(0,space+10,space,different);
gbc.fill = gbc.NONE;
simpPanel.add(_bind, gbc);
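Review bot: The seven-line GridBagConstraints setup is now pasted six times in this hunk (L2258–L2264, L2273–L2280, L2288–L2294, L2322–L2330, L2339–L2345, L2354–L2361, L2369–L2378) with only the bottom inset differing, which is where the next layout tweak will be missed. A small helper that wires the listener, group and constraints removes the duplication; each call site then collapses to one line such as `addRadioRow(authPanel, connGroup, _noEncrypt, gbc, space, 0, different);`. The `// default is on` comment at L2255 would also be clearer as `// default is plain LDAP; simple bind credentials go in clear unless SSL or start TLS is chosen`. The enclosing constructor/init method starts and ends outside the hunk.
```java
/** Wires a radio button into its group and adds it to panel with the standard one-per-row constraints. */
private void addRadioRow(JPanel panel, ButtonGroup group, JRadioButton button,
                         GridBagConstraints gbc, int left, int bottom, int right) {
    button.addActionListener(this);
    group.add(button);
    ReplicationTool.resetGBC(gbc);
    gbc.anchor = gbc.WEST;
    gbc.insets = new Insets(0, left, bottom, right);
    gbc.gridwidth = gbc.REMAINDER;
    gbc.fill = gbc.HORIZONTAL;
    gbc.weightx = 1.0;
    panel.add(button, gbc);
}
```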
@@ -237,7 +303,7 @@
"replication-destination-bindPwd","label"));
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.EAST;
- gbc.insets = new Insets(0,70,space,different);
+ gbc.insets = new Insets(0,space+10,space,different);
gbc.fill = gbc.NONE;
simpPanel.add(_pwd, gbc);
@@ -336,42 +402,69 @@
_toBox.setSelectedIndex(_toModel.getSize()-1);
//no need to get new context
}
- if (e.getSource().equals(_sslAuth)) {
- if (_sslAuth.isSelected()) {
- //disable
- enableSimpleAuth (false);
- }
- }
- if (e.getSource().equals(_simpAuth)) {
- if (_simpAuth.isSelected()) {
- //enable
- enableSimpleAuth (true);
- }
- }
- if (e.getSource().equals(_sslEncrypt)) {
- if (_sslEncrypt.isSelected()) {
- //enable
- _sslAuth.setEnabled(true);
+ if (e.getSource().equals(_sslAuth) && _sslAuth.isSelected()) {
+ //disable
+ enableSimpleAuth (false);
+ }
+ if (e.getSource().equals(_gssapiAuth) && _gssapiAuth.isSelected()) {
+ // enable
+ enableSimpleAuth (true);
+ // requires ldap
+ _noEncrypt.setSelected(true);
+ /* set to use non-SSL port LDAP */
+ _portAttr = ATTR_PORT;
+ }
+ if (e.getSource().equals(_simpAuth) && _simpAuth.isSelected()) {
+ //enable
+ enableSimpleAuth (true);
+ }
+ if (e.getSource().equals(_digestAuth) && _digestAuth.isSelected()) {
+ //enable
+ enableSimpleAuth (true);
+ }
+
+ if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) {
+ /* set to use non-SSL port LDAP */
+ _portAttr = ATTR_PORT;
+ //disable
+ _sslAuth.setEnabled(false);
+ //enable
+ if (_sslAuth.isSelected()) {
+ // have to select something else
+ _simpAuth.setSelected(true);
+ }
+ enableSimpleAuth(true);
+ _gssapiAuth.setEnabled(true);
+ _digestAuth.setEnabled(true);
- /* set to use SSL port */
- _portAttr = ATTR_SECURE_PORT;
-
- } else {
- //disable
- _sslAuth.setEnabled(false);
- //enable
- _simpAuth.setSelected(true);
- enableSimpleAuth(true);
-
- /* set to use non-SSL port */
- _portAttr = ATTR_PORT;
- }
+ /* set to use non-SSL port */
+ _portAttr = ATTR_PORT;
/* set appropriate to and from servers */
populateInstanceModel(_consoleInfo);
_toText.setText(_server.getKey());
}
+ boolean ssl_selected = false;
+ if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) {
+ /* set to use SSL port */
+ _portAttr = ATTR_SECURE_PORT;
+ ssl_selected = true;
+ }
+ if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) {
+ /* set to use non-SSL port for startTLS */
+ _portAttr = ATTR_PORT;
+ ssl_selected = true;
+ }
+ if (ssl_selected) {
+ _sslAuth.setEnabled(true);
+ _gssapiAuth.setEnabled(false);
+ if (_gssapiAuth.isSelected()) {
+ // have to select something else
+ _simpAuth.setSelected(true);
+ enableSimpleAuth(true);
+ }
+ }
checkNextButton();
}
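Review bot: Choosing SSL or start TLS at L2481–L2490 now updates `_portAttr` without refreshing the consumer list, whereas the removed code ran `populateInstanceModel(_consoleInfo); _toText.setText(_server.getKey());` after every port change and the new code keeps those two calls only in the `_noEncrypt` branch (L2477–L2478), so the to-server entries keep the port of the previously selected transport. Add the same two calls inside `if (ssl_selected) {` at L2491. The GSSAPI branch at L2435 selects `_noEncrypt` with `setSelected(true)`, which does not dispatch an ActionEvent, so the `_noEncrypt` handling (disabling `_sslAuth`, the list refresh) is skipped; `_noEncrypt.doClick();` would route through it. `_portAttr = ATTR_PORT;` is also assigned twice in the `_noEncrypt` branch (L2450 and L2475). actionPerformed starts before this hunk.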
@@ -426,6 +519,9 @@
return false;
}
}
+ // else if digest or gssapi auth is selected, there really isn't much
+ // we can do to validate the fields - password is not required, and
+ // the format can be different
//check box
//check consumer
@@ -464,36 +560,62 @@
}
public void getUpdateInfo(WizardInfo info) {
- Debug.println("WAgreementDestinationPanel: getUpdateInfo()");
- Hashtable serverItem = (Hashtable) _toBox.getSelectedItem();
- ServerInstance toServer =
- (ServerInstance) serverItem.get(
- CustomComboBoxModel.SELECTION_DATA);
- _wizardInfo.setFromServer(_server);
- _wizardInfo.setToServer(toServer);
- if (_sslEncrypt.isSelected()) {
- _wizardInfo.setSSL(true);
- _wizardInfo.setSSLAuth(_sslAuth.isSelected());
-
- } else {
- _wizardInfo.setSSL(false);
- _wizardInfo.setSSLAuth(false);
- }
-
- // Set bindDN and password iff not using client auth.
- if (_sslEncrypt.isSelected() && _sslAuth.isSelected()) {
- _wizardInfo.setSSLAuth(true);
- _wizardInfo.setBindDN("");
- _wizardInfo.setBindPWD("");
- } else {
- _wizardInfo.setSSLAuth(false);
- _wizardInfo.setBindDN(_bindText.getText());
- _wizardInfo.setBindPWD(_pwdText.getText());
- }
- if (_replicaPanel != null) {
- _wizardInfo.setReplicaEntry(_replicaPanel.getReplicaEntry());
- _wizardInfo.setSubtree(_replicaPanel.getSuffix());
- }
+ Debug.println("WAgreementDestinationPanel: getUpdateInfo()");
+ Hashtable serverItem = (Hashtable) _toBox.getSelectedItem();
+ ServerInstance toServer =
+ (ServerInstance) serverItem.get(
+ CustomComboBoxModel.SELECTION_DATA);
+ _wizardInfo.setFromServer(_server);
+ _wizardInfo.setToServer(toServer);
+
+ boolean ssl = false;
+ if (_tlsEncrypt.isSelected()) {
+ _wizardInfo.setSSL(false);
+ _wizardInfo.setStartTLS(true);
+ ssl = true;
+ } else if (_sslEncrypt.isSelected()) {
+ _wizardInfo.setSSL(true);
+ _wizardInfo.setStartTLS(false);
+ ssl = true;
+ } else {
+ _wizardInfo.setSSL(false);
+ _wizardInfo.setStartTLS(false);
+ }
+
+ if (ssl) {
+ boolean need_dn_pw = false;
+ if (_sslAuth.isSelected()) {
+ _wizardInfo.setSSLAuth(true);
+ _wizardInfo.setDigestAuth(false);
+ } else {
+ _wizardInfo.setSSLAuth(false);
+ _wizardInfo.setDigestAuth(_digestAuth.isSelected());
+ need_dn_pw = true;
+ }
+ if (need_dn_pw) {
+ _wizardInfo.setBindDN(_bindText.getText());
+ _wizardInfo.setBindPWD(_pwdText.getText());
+ } else {
+ _wizardInfo.setBindDN("");
+ _wizardInfo.setBindPWD("");
+ }
+ _wizardInfo.setGSSAPIAuth(false);
+ } else {
+ if (_gssapiAuth.isSelected()) {
+ _wizardInfo.setGSSAPIAuth(true);
+ _wizardInfo.setDigestAuth(false);
+ } else {
+ _wizardInfo.setGSSAPIAuth(false);
+ _wizardInfo.setDigestAuth(_digestAuth.isSelected());
+ }
+ _wizardInfo.setBindDN(_bindText.getText());
+ _wizardInfo.setBindPWD(_pwdText.getText());
+ _wizardInfo.setSSLAuth(false);
+ }
+ if (_replicaPanel != null) {
+ _wizardInfo.setReplicaEntry(_replicaPanel.getReplicaEntry());
+ _wizardInfo.setSubtree(_replicaPanel.getSuffix());
+ }
}
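Review bot: `need_dn_pw` at L2567 is only ever set in the else branch of the `_sslAuth` test, so the second if/else at L2576–L2582 just restates the first one; folding the bind DN/password assignments into the two arms reads more directly and makes it obvious that client-cert auth is the only case that sends no credentials. The method is complete within the hunk.
```java
        if (ssl) {
            if (_sslAuth.isSelected()) {
                // client-cert auth: no bind DN or password is sent
                _wizardInfo.setSSLAuth(true);
                _wizardInfo.setDigestAuth(false);
                _wizardInfo.setBindDN("");
                _wizardInfo.setBindPWD("");
            } else {
                _wizardInfo.setSSLAuth(false);
                _wizardInfo.setDigestAuth(_digestAuth.isSelected());
                _wizardInfo.setBindDN(_bindText.getText());
                _wizardInfo.setBindPWD(_pwdText.getText());
            }
            _wizardInfo.setGSSAPIAuth(false);
        } else {
            // … unchanged: plain-LDAP branch …
        }
```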
public String getErrorMessage() {
@@ -511,7 +633,6 @@
GridBagConstraints gbc = new GridBagConstraints();
int space = UIFactory.getComponentSpace();
int different = UIFactory.getDifferentSpace();
- int large = 40;
_fromPanel.removeAll();
ReplicationTool.resetGBC(gbc);
@@ -580,29 +701,42 @@
private void copyData() {
_pwdText.setText(_wizardInfo.getBindPWD());
_bindText.setText(_wizardInfo.getBindDN());
- if (_wizardInfo.getSSL()) {
- _sslEncrypt.setSelected(true);
- // if (_copy.getBindCredentials().equals("")) {
- if(_wizardInfo.getSSLAuth()) {
+ boolean ssl = false;
+ if (_wizardInfo.getStartTLS()) {
+ _tlsEncrypt.setSelected(true);
+ ssl = true;
+ } else if (_wizardInfo.getSSL()) {
+ _sslEncrypt.setSelected(true);
+ ssl = true;
+ } else {
+ _noEncrypt.setSelected(true);
+ }
+ if (ssl) {
+ if (_wizardInfo.getSSLAuth()) {
//SSL client Auth
enableSimpleAuth (false);
_sslAuth.setEnabled(true);
_sslAuth.setSelected(true);
-
} else {
- //Simple Auth with SSL
+ //id/pwd auth with ssl
_sslAuth.setEnabled(false);
- _simpAuth.setSelected(true);
+ _simpAuth.setSelected(!_wizardInfo.getDigestAuth());
+ _digestAuth.setSelected(_wizardInfo.getDigestAuth());
enableSimpleAuth (true);
}
+ _gssapiAuth.setEnabled(false);
} else {
- setSimpAuth();
+ if (_wizardInfo.getGSSAPIAuth()) {
+ _gssapiAuth.setEnabled(true);
+ _gssapiAuth.setSelected(true);
+ enableSimpleAuth (false);
+ } else {
+ _simpAuth.setSelected(!_wizardInfo.getDigestAuth());
+ _digestAuth.setSelected(_wizardInfo.getDigestAuth());
+ enableSimpleAuth (true);
+ }
+ _sslAuth.setEnabled(false);
}
-
-// if (_sslAuth.isSelected ())
-// _portAttr = ATTR_SECURE_PORT;
-// else
-// _portAttr = ATTR_PORT;
}
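Review bot: The plain-LDAP branch at L2644–L2655 disables `_sslAuth` but never re-enables `_gssapiAuth`, while the SSL branch disables it at L2643 and actionPerformed re-enables it on `_noEncrypt` (L2459); if copyData can run on a panel that was previously populated with an SSL agreement, the GSSAPI choice stays greyed out for a plain-LDAP agreement. Adding `_gssapiAuth.setEnabled(true);` next to `_sslAuth.setEnabled(false);` at L2655 mirrors the action handler. The method is complete within the hunk.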
/**
@@ -611,6 +745,7 @@
private void setSimpAuth() {
//Simple Auth no SSL
_sslEncrypt.setSelected(false);
+ _tlsEncrypt.setSelected(false);
_sslAuth.setEnabled(false);
_simpAuth.setSelected(true);
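Review bot: `_sslEncrypt.setSelected(false)` at L2667 and the added `_tlsEncrypt.setSelected(false)` at L2668 are no-ops now that both are JRadioButtons in `connGroup` (L2249–L2287): a ButtonGroup ignores a deselect request for its current selection, so the transport stays on SSL or TLS while the rest of the method switches the auth controls to simple. Select the plain-LDAP button instead, `_noEncrypt.setSelected(true);`, which the group turns into deselecting the other two. setSimpAuth continues outside the hunk.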
@@ -954,7 +1089,7 @@
if ((serverItem == null) ||
serverItem.get(CustomComboBoxModel.SELECTION_TITLE).equals(CONSUMER_LIST_NOT_AVAILABLE)) {
state = false;
- } else if (_simpAuth.isSelected()) {
+ } else if (_simpAuth.isSelected() || _digestAuth.isSelected()) {
if (_bindText.getText().trim().equals("") ||
!DSUtil.isValidDN(_bindText.getText()) ||
_pwdText.getText().trim().equals("")) {
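Review bot: The condition at L2676 now runs digest-auth bind identities through the same `DSUtil.isValidDN` check and non-empty password check as simple bind (L2677–L2679), but the comment added at L2506–L2508 in this file says that for digest or GSSAPI the identity format can differ and a password is not required, so the two places disagree about what a valid digest entry is. If DIGEST-MD5 identities here are not always DNs, keep `} else if (_simpAuth.isSelected()) {` for the DN branch and add a separate `} else if (_digestAuth.isSelected()) {` arm that requires only a non-empty bind identity. The enclosing method starts and ends outside the hunk.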
@@ -981,8 +1116,8 @@
private JTextField _bindText;
private JButton _toButton;
private JComboBox _fromBox, _toBox;
- private JCheckBox _sslEncrypt;
- private JRadioButton _simpAuth, _sslAuth;
+ private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt;
+ private JRadioButton _simpAuth, _sslAuth, _gssapiAuth, _digestAuth;
private JPasswordField _pwdText;
private JLabel _bind, _pwd;
private CustomComboBoxModel _fromModel, _toModel;
Index: WAgreementSummaryPanel.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WAgreementSummaryPanel.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- WAgreementSummaryPanel.java 18 Jul 2005 00:56:11 -0000 1.1.1.1
+++ WAgreementSummaryPanel.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -133,12 +133,13 @@
agreement.setReplicatedSubtree(_wizardInfo.getSubtree());
agreement.setConsumerHost(_wizardInfo.getToServer().getHost());
agreement.setConsumerPort(_wizardInfo.getToServer().getPort());
- if (_wizardInfo.getSSL()){
- agreement.setUseSSL(true);
- if(_wizardInfo.getSSLAuth()){
- agreement.setUseSSLAuth(true);
- }
- }
+
+ agreement.setUseSSL(_wizardInfo.getSSL());
+ agreement.setUseStartTLS(_wizardInfo.getStartTLS());
+
+ agreement.setUseSSLAuth(_wizardInfo.getSSLAuth());
+ agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth());
+ agreement.setUseDigestAuth(_wizardInfo.getDigestAuth());
if (!_wizardInfo.getBindDN().equals("")) {
agreement.setBindDN(_wizardInfo.getBindDN());
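Review bot: The same five setter calls are now pasted into three methods (L2710–L2715 here, L2726–L2731 and L2743–L2748 in the next two hunks), so the next transport or bind-method option has to be added in three places. A private helper taking the agreement keeps them in step; if `agreement`'s static type is `IReplicationAgreement` (which declares all five setters in this commit) the helper below can be called as `applyConnectionSettings(agreement);` at each site. The enclosing methods start and end outside the hunks.
```java
    /** Copies the transport and bind-method choices made in the wizard into the agreement. */
    private void applyConnectionSettings(IReplicationAgreement agreement) {
        agreement.setUseSSL(_wizardInfo.getSSL());
        agreement.setUseStartTLS(_wizardInfo.getStartTLS());
        agreement.setUseSSLAuth(_wizardInfo.getSSLAuth());
        agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth());
        agreement.setUseDigestAuth(_wizardInfo.getDigestAuth());
    }
```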
@@ -163,8 +164,15 @@
agreement.setWindowsDomain(_wizardInfo.getWindowsDomain());
agreement.setConsumerHost(_wizardInfo.getToServer().getHost());
agreement.setConsumerPort(_wizardInfo.getToServer().getPort());
- agreement.setUseSSL( _wizardInfo.getSSL() );
- agreement.setUpdateSchedule(_wizardInfo.getDate());
+ agreement.setUpdateSchedule(_wizardInfo.getDate());
+
+ agreement.setUseSSL(_wizardInfo.getSSL());
+ agreement.setUseStartTLS(_wizardInfo.getStartTLS());
+
+ agreement.setUseSSLAuth(_wizardInfo.getSSLAuth());
+ agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth());
+ agreement.setUseDigestAuth(_wizardInfo.getDigestAuth());
+
if (!_wizardInfo.getBindDN().equals("")) {
agreement.setBindDN(_wizardInfo.getBindDN());
agreement.setBindCredentials(_wizardInfo.getBindPWD());
@@ -190,8 +198,14 @@
agreement.setReplicatedSubtree(_wizardInfo.getSubtree());
agreement.setConsumerHost(_wizardInfo.getToServer().getHost());
agreement.setConsumerPort(_wizardInfo.getToServer().getPort());
- if (_wizardInfo.getSSL())
- agreement.setUseSSL(true);
+
+ agreement.setUseSSL(_wizardInfo.getSSL());
+ agreement.setUseStartTLS(_wizardInfo.getStartTLS());
+
+ agreement.setUseSSLAuth(_wizardInfo.getSSLAuth());
+ agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth());
+ agreement.setUseDigestAuth(_wizardInfo.getDigestAuth());
+
if (!_wizardInfo.getBindDN().equals("")) {
agreement.setBindDN(_wizardInfo.getBindDN());
agreement.setBindCredentials(_wizardInfo.getBindPWD());
Index: WindowsAgreementDestinationPanel.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementDestinationPanel.java,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- WindowsAgreementDestinationPanel.java 16 Oct 2007 16:41:44 -0000 1.2
+++ WindowsAgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.3
@@ -29,7 +29,6 @@
import com.netscape.admin.dirserv.panel.*;
import com.netscape.management.client.*;
import com.netscape.management.client.console.*;
-import com.netscape.management.client.util.JButtonFactory;
import com.netscape.management.client.util.*;
import netscape.ldap.*;
import netscape.ldap.util.DN;
@@ -361,65 +360,54 @@
gbc.weightx = 1.0;
add(authPanel, gbc);
- //ssl check box
- _sslEncrypt = new JCheckBox(_resource.getString(
- "replication-destination-sslEncrypt","label"));
-
- _sslEncrypt.setSelected(true);
- _sslEncrypt.setEnabled(true);
-
- _sslEncrypt.addActionListener(this);
+ //connection radio buttons
+ ButtonGroup connGroup = new ButtonGroup();
+ //plain old ldap button
+ _noEncrypt = new JRadioButton(_resource.getString(
+ "replication-destination-noEncrypt","label"));
+ _noEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-noEncrypt","ttip"));
+ _noEncrypt.setSelected(true); // default is on
+ _noEncrypt.addActionListener(this);
+ connGroup.add(_noEncrypt);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0, space, different, different);
+ gbc.insets = new Insets(0, space, 0, different);
gbc.gridwidth = gbc.REMAINDER;
gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- authPanel.add(_sslEncrypt, gbc);
-
- //auth using label
- JLabel auth = new JLabel(_resource.getString(
- "replication-destination-authUsing","label"));
- JPanel authModePanel = new JPanel(new GridBagLayout());
- gbc.insets = new Insets(0,0,0,0);
- authPanel.add(authModePanel, gbc);
- auth.setLabelFor(authModePanel);
-
- ReplicationTool.resetGBC(gbc);
- gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,space,different);
- gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
- gbc.weightx = 1.0;
- //authModePanel.add(auth, gbc);
-
- /*ssl auth radio button
- ButtonGroup authGroup = new ButtonGroup();
- _sslAuth = new JRadioButton(_resource.getString(
- "replication-destination-sslClientAuth","label"));
- _sslAuth.addActionListener(this);
- authGroup.add(_sslAuth);
+ authPanel.add(_noEncrypt, gbc);
+
+ //ssl button
+ _sslEncrypt = new JRadioButton(_resource.getString(
+ "replication-destination-sslEncrypt","label"));
+ _sslEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-sslEncrypt","ttip"));
+ _sslEncrypt.addActionListener(this);
+ connGroup.add(_sslEncrypt);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,0,different);
+ gbc.insets = new Insets(0, space, 0, different);
gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
+ gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- //authModePanel.add(_sslAuth, gbc);
-
- //simple auth radio button
- _simpAuth = new JRadioButton(_resource.getString(
- "replication-destination-simpleAuth","label"));
- _simpAuth.addActionListener(this);
- authGroup.add(_simpAuth);
+ authPanel.add(_sslEncrypt, gbc);
+
+ //tls button
+ _tlsEncrypt = new JRadioButton(_resource.getString(
+ "replication-destination-startTLS","label"));
+ _tlsEncrypt.setToolTipText(_resource.getString(
+ "replication-destination-startTLS","ttip"));
+ _tlsEncrypt.addActionListener(this);
+ connGroup.add(_tlsEncrypt);
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.WEST;
- gbc.insets = new Insets(0,large,0,different);
+ gbc.insets = new Insets(0, space, space, different);
gbc.gridwidth = gbc.REMAINDER;
- gbc.fill = gbc.NONE;
+ gbc.fill = gbc.HORIZONTAL;
gbc.weightx = 1.0;
- //authModePanel.add(_simpAuth, gbc);*/
-
+ authPanel.add(_tlsEncrypt, gbc);
+
//simp panel
JPanel simpPanel = new JPanel();
simpPanel.setLayout(new GridBagLayout());
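Review bot: `_noEncrypt.setSelected(true); // default is on` makes plain, unencrypted LDAP the initial choice, while the removed `_sslEncrypt.setSelected(true)` had defaulted the agreement to SSL, so this revision ships a weaker default than the one it replaces. The bind DN and password this panel later stores via `_wizardInfo.setBindPWD(_pwdText.getText())` would go over the wire in the clear unless the administrator changes the selection, and the listener further down writes the plain `ATTR_PORT` into the port field for that choice. If the new default is intentional, say so at that line, e.g. `// default is plain LDAP; the previous revision defaulted to SSL`; otherwise keep `_sslEncrypt` as the initially selected button. The enclosing method starts and ends outside the hunk.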
@@ -428,14 +416,14 @@
gbc.gridwidth = gbc.REMAINDER;
gbc.weightx=1.0;
gbc.insets = new Insets(0,0,0,0);
- authModePanel.add(simpPanel, gbc);
+ authPanel.add(simpPanel, gbc);
//bind as
_bind = new JLabel(_resource.getString(
"replication-destination-bindAs","label"));
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.EAST;
- gbc.insets = new Insets(0,70,space,different);
+ gbc.insets = new Insets(0,space+10,space,different);
gbc.fill = gbc.NONE;
simpPanel.add(_bind, gbc);
@@ -455,7 +443,7 @@
"replication-destination-bindPwd","label"));
ReplicationTool.resetGBC(gbc);
gbc.anchor = gbc.EAST;
- gbc.insets = new Insets(0,70,space,different);
+ gbc.insets = new Insets(0,space+10,space,different);
gbc.fill = gbc.NONE;
simpPanel.add(_pwd, gbc);
@@ -559,23 +547,15 @@
}
- if (e.getSource().equals(_sslEncrypt)) {
- if (_sslEncrypt.isSelected()) {
- enableSimpleAuth(false);
- /* set to use SSL port */
- _domainControllerPort.setText(ATTR_SECURE_PORT);
-
- } else {
- enableSimpleAuth(true);
-
- /* set to use non-SSL port */
- _domainControllerPort.setText(ATTR_PORT);
- }
-
- /* set appropriate to and from servers */
- //populateInstanceModel(_consoleInfo);
-
- //_toText.setText(_server.getKey());
+ if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) {
+ /* use regular LDAP port for startTLS */
+ _domainControllerPort.setText(ATTR_PORT);
+ } else if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) {
+ /* set to use SSL port */
+ _domainControllerPort.setText(ATTR_SECURE_PORT);
+ } else if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) {
+ /* use regular LDAP port */
+ _domainControllerPort.setText(ATTR_PORT);
}
if (e.getSource()==_syncNewWinUsers)
@@ -721,21 +701,15 @@
toServer.setHost(_domainController.getText());
toServer.setPort(Integer.parseInt(_domainControllerPort.getText())); //xxx
-
-
_wizardInfo.setFromServer(_server);
_wizardInfo.setToServer(toServer);
- if (_sslEncrypt.isSelected()) {
- _wizardInfo.setSSL(true);
- _wizardInfo.setSSLAuth(false);
-
- } else {
- _wizardInfo.setSSL(false);
- _wizardInfo.setSSLAuth(false);
- }
-
+ _wizardInfo.setStartTLS(_tlsEncrypt.isSelected());
+ _wizardInfo.setSSL(_sslEncrypt.isSelected());
+ /* none of these other auth methods are currently supported */
_wizardInfo.setSSLAuth(false);
+ _wizardInfo.setGSSAPIAuth(false);
+ _wizardInfo.setDigestAuth(false);
_wizardInfo.setBindDN(_bindText.getText());
_wizardInfo.setBindPWD(_pwdText.getText());
@@ -816,25 +790,10 @@
private void copyData() {
_pwdText.setText(_wizardInfo.getBindPWD());
_bindText.setText(_wizardInfo.getBindDN());
- if (_wizardInfo.getSSL()) {
- _sslEncrypt.setSelected(true);
- // if (_copy.getBindCredentials().equals("")) {
- if(_wizardInfo.getSSLAuth()) {
- //SSL client Auth
- enableSimpleAuth(false);
-
- } else {
- //Simple Auth with SSL
- enableSimpleAuth(true);
- }
- } else {
- setSimpAuth();
- }
-
- // if (_sslAuth.isSelected ())
- // _portAttr = ATTR_SECURE_PORT;
- // else
- // _portAttr = ATTR_PORT;
+ _tlsEncrypt.setSelected(_wizardInfo.getStartTLS());
+ _sslEncrypt.setSelected(_wizardInfo.getSSL());
+ enableSimpleAuth(true);
+ /* none of the other auth methods are currently supported */
}
/**
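Review bot: `copyData()` no longer resets the connection choice when the wizard info has neither StartTLS nor SSL: the removed `setSimpAuth()` call did that, while the new `_tlsEncrypt.setSelected(_wizardInfo.getStartTLS())` and `_sslEncrypt.setSelected(_wizardInfo.getSSL())` lines only pass `false` to buttons that share a `ButtonGroup`, and a Swing button group keeps one member selected and does not honour `setSelected(false)` on the current selection, so a previously chosen SSL or StartTLS button can stay selected while the info says no encryption. Adding `_noEncrypt.setSelected(!(_wizardInfo.getStartTLS() || _wizardInfo.getSSL()));` after those two lines keeps the radio state and the wizard info in step. The `@@ -843,6 +802,7 @@` hunk in `setSimpAuth()` has the same issue: its two `setSelected(false)` calls should be replaced by `_noEncrypt.setSelected(true);`. The port field is also not re-synced with the restored selection here, though that matches the previous behaviour.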
@@ -843,6 +802,7 @@
private void setSimpAuth() {
//Simple Auth no SSL
_sslEncrypt.setSelected(false);
+ _tlsEncrypt.setSelected(false);
enableSimpleAuth(true);
}
@@ -1242,8 +1202,8 @@
//private JButton _fetchDcButton;
private JComboBox _fromBox, _toBox;
- private JCheckBox _sslEncrypt;
- private JRadioButton _simpAuth, _sslAuth;
+ private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt;
+ private JRadioButton _simpAuth = null, _sslAuth = null, _gssapiAuth = null, _digestAuth = null;
private JPasswordField _pwdText;
private JLabel _bind, _pwd;
private CustomComboBoxModel _fromModel;
Index: WindowsAgreementWizard.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementWizard.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- WindowsAgreementWizard.java 18 Jul 2005 00:56:12 -0000 1.1.1.1
+++ WindowsAgreementWizard.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -37,7 +37,7 @@
public class WindowsAgreementWizard extends WizardWidget {
public WindowsAgreementWizard(JFrame parent, AgreementWizardInfo info) {
- super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,560));
+ super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,580));
@@ -61,6 +61,7 @@
}
info.setSubtree(info.getCopyAgreement().getReplicatedSubtree());
info.setSSL(info.getCopyAgreement().getUseSSL());
+ info.setStartTLS(info.getCopyAgreement().getUseStartTLS());
if (info.getCopyAgreement().getBindDN()!= null) {
info.setBindDN(info.getCopyAgreement().getBindDN());
} else {
Index: WindowsAgreementWizardInfo.java
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementWizardInfo.java,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- WindowsAgreementWizardInfo.java 18 Jul 2005 00:56:12 -0000 1.1.1.1
+++ WindowsAgreementWizardInfo.java 24 Nov 2008 16:09:23 -0000 1.2
@@ -192,6 +192,18 @@
return (ServerInstance)_content.get(AGREEMENT_EXTENSION+"to");
}
+ //tls
+ void setStartTLS(boolean type) {
+ _content.put(AGREEMENT_EXTENSION+"startTLS", new Boolean(type));
+ }
+
+ boolean getStartTLS() {
+ if (_content.get(AGREEMENT_EXTENSION+"startTLS")!= null)
+ return ((Boolean)_content.get(AGREEMENT_EXTENSION+"startTLS")).booleanValue();
+ else
+ return false;
+ }
+
//ssl
void setSSL(boolean type) {
_content.put(AGREEMENT_EXTENSION+"ssl", new Boolean(type));
@@ -377,6 +389,10 @@
}
//connection
+ if (getStartTLS()) {
+ buf.append(" ");
+ buf.append(_resource.getString("replication-destination-startTLS","label")+"\n");
+ }
if (getSSL()) {
buf.append(" ");
buf.append(_resource.getString("replication-destination-sslEncrypt","label")+"\n");
@@ -385,7 +401,7 @@
//bind info
buf.append(" ");
buf.append(_resource.getString("replication-destination-authUsing","label")+" ");
- if (getSSL() && getSSLAuth()) {
+ if ((getStartTLS() || getSSL()) && getSSLAuth()) {
buf.append(_resource.getString("replication-destination-sslClientAuth","label")+"\n");
} else {
buf.append(_resource.getString("replication-destination-simpleAuth","label")+"\n");
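Review bot: The `else` branch still prints the simple-authentication label for every case that fails the new `(getStartTLS() || getSSL()) && getSSLAuth()` test, so an agreement whose info has SSL client auth set but no encryption is summarized as "Simple" instead of surfacing the misconfiguration, and any GSSAPI or DIGEST choice (if this info class carries those flags) is shown as Simple as well. An `else if (getSSLAuth())` branch that appends an explicit "client auth without TLS" label, or at least a comment such as `// non-TLS connections fall through to Simple even when SSLAuth is set`, would make the summary reflect what the destination panel will actually do. The enclosing method starts and ends outside the hunk.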
Index: replication.properties
===================================================================
RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/replication.properties,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- replication.properties 18 Jul 2005 00:56:13 -0000 1.1.1.1
+++ replication.properties 24 Nov 2008 16:09:23 -0000 1.2
@@ -162,11 +162,21 @@
replication-destination-otherButton-mnemonic=O
replication-destination-browseButton-label=Browse...
replication-destination-browseButton=mnemonic=B
-replication-destination-sslEncrypt-label=Using encrypted SSL connection
-replication-destination-sslEncrypt-ttip=SSL communications between supplier and consumer server
-replication-destination-authUsing-label=Authenticate using:
-replication-destination-simpleAuth-label=Simple authentication
-replication-destination-sslClientAuth-label=SSL client authentication
+replication-destination-noEncrypt-label=Use LDAP (no encryption)
+replication-destination-noEncrypt-ttip=Use plain LDAP with no encryption
+replication-destination-sslEncrypt-label=Use TLS/SSL (TLS/SSL encryption with LDAPS)
+replication-destination-sslEncrypt-ttip=Use TLSv1/SSLv3 encryption using the LDAPS port (636)
+replication-destination-startTLS-label=Use StartTLS (TLS/SSL encryption with LDAP)
+replication-destination-startTLS-ttip=Start a TLSv1/SSLv3 encryption session on the LDAP connection
+replication-destination-authUsing-label=Authentication mechanism:
+replication-destination-simpleAuth-label=Simple (Bind DN/Password)
+replication-destination-simpleAuth-ttip=Authenticate using a DN and a password (Simple auth)
+replication-destination-sslClientAuth-label=Server TLS/SSL Certificate (requires TLS/SSL server set up)
+replication-destination-sslClientAuth-ttip=Use the server's certificate to do TLS/SSL client cert auth (requires that the server has been set up to be an SSL server)
+replication-destination-gssapiAuth-label=SASL/GSSAPI (requires server Kerberos keytab)
+replication-destination-gssapiAuth-ttip=Authenticate using SASL/GSSAPI and the server's Kerberos keytab (supplier and consumer must both support SASL/GSSAPI/Kerberos)
+replication-destination-digestAuth-label=SASL/DIGEST-MD5 (SASL user id and password)
+replication-destination-digestAuth-ttip=Authenticate using SASL/DIGEST-MD5 - requires consumer support for digest password and identity mapping
replication-destination-bindAs-label=Bind as:
replication-destination-bindPwd-label=Password:
replication-destination-new-user-sync-label=New Windows User Sync