[Fedora-directory-commits] ldapserver/ldap/servers/slapd bind.c, 1.17, 1.18 libglobs.c, 1.28, 1.29 proto-slap.h, 1.41, 1.42 slap.h, 1.38, 1.39
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8277/ldap/servers/slapd
Modified Files:
bind.c libglobs.c proto-slap.h slap.h
Log Message:
Resolves: 316241
Summary: Add config setting to disable unauthenticated binds.
Index: bind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/bind.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- bind.c 24 Oct 2008 22:36:58 -0000 1.17
+++ bind.c 7 Nov 2008 22:32:57 -0000 1.18
@@ -259,9 +259,6 @@
PR_Lock( pb->pb_conn->c_mutex );
- /* According to RFC2251,
- * "if the bind fails, the connection will be treated as anonymous".
- */
bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */
PR_FALSE /* do not clear external creds. */ );
@@ -442,6 +439,21 @@
plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN );
}
goto free_and_return;
+ } else if ( cred.bv_len == 0 ) {
+ /* Increment unauthenticated bind counter */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
+
+ /* Refuse the operation if unauthenticated binds are disabled. */
+ if (!config_get_unauth_binds_switch()) {
+ /* As stated in RFC 4513, a server SHOULD by default fail
+ * Unauthenticated Bind requests with a resultCode of
+ * unwillingToPerform. */
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL,
+ "Unauthenticated binds are not allowed", 0, NULL);
+ /* increment BindSecurityErrorcount */
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
}
break;
default:
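Review bot: The new refusal path under `if (!config_get_unauth_binds_switch())` leaves via `goto free_and_return` without invoking `SLAPI_PLUGIN_PRE_BIND_FN` or `SLAPI_PLUGIN_POST_BIND_FN`, whereas the anonymous branch just above it still calls the post-bind plugins after sending its result. If any plugin relies on post-bind callbacks for audit trails or failed-bind accounting, a refused unauthenticated bind will be invisible to it; if skipping plugins is intended, record it on the `goto` (`/* refused before authentication: no bind plugin callbacks */`) so the asymmetry is not re-raised. The guard is placed before the root-DN handling below, so a root DN presented with an empty password is covered by the same switch, which is the right fail-closed order. The enclosing switch and function start and continue outside the hunk.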
@@ -453,26 +465,22 @@
*/
if ( isroot && method == LDAP_AUTH_SIMPLE ) {
- if ( cred.bv_len == 0 ) {
- /* unauthenticated bind */
- slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds);
-
- } else {
+ if (cred.bv_len != 0) {
/* a passwd was supplied -- check it */
Slapi_Value cv;
slapi_value_init_berval(&cv,&cred);
+ /* right dn and passwd - authorize */
if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) {
- /* right dn and passwd - authorize */
bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE,
slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ),
NULL, NULL, NULL , NULL);
- /* right dn, wrong passwd - reject with invalid creds */
+ /* right dn, wrong passwd - reject with invalid creds */
} else {
send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL,
NULL, 0, NULL );
- /* increment BindSecurityErrorcount */
+ /* increment BindSecurityErrorcount */
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
value_done(&cv);
goto free_and_return;
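Review bot: With `nsslapd-allow-unauthenticated-binds` turned on, a bind as the root DN with an empty password now falls out of the `if (cred.bv_len != 0)` block without `bind_credentials_set` being called, and what happens after that block is outside the hunk; please confirm that path yields an anonymous authorization state rather than root, since RFC 4513 requires that an unauthenticated bind never grant the named identity's privileges. The earlier `bind_credentials_clear` at the top of the function suggests the connection is already anonymous at this point, but a comment on the fall-through (`/* empty password: RFC 4513 unauthenticated bind, connection stays anonymous */`) would make that intent explicit where the old counter code used to be. The function continues past the end of the hunk.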
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- libglobs.c 24 Oct 2008 22:36:58 -0000 1.28
+++ libglobs.c 7 Nov 2008 22:32:57 -0000 1.29
@@ -491,7 +491,7 @@
{CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters,
NULL, 0,
(void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF,
- config_get_slapi_counters},
+ (ConfigGetFunc)config_get_slapi_counters},
{CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL,
log_set_mindiskspace, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL},
@@ -590,7 +590,11 @@
config_set_outbound_ldap_io_timeout,
NULL, 0,
(void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout,
- CONFIG_INT, NULL}
+ CONFIG_INT, NULL},
+ {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_unauth_binds_switch}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -840,6 +844,7 @@
#if defined(ENABLE_AUTO_DN_SUFFIX)
cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
#endif
+ cfg->allow_unauth_binds = LDAP_OFF;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
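Review bot: The new default `cfg->allow_unauth_binds = LDAP_OFF;` is the safe, fail-closed choice but carries no explanation, and the only rationale lives in a comment in bind.c, so a reader of this defaults table cannot tell whether "off" is deliberate or a placeholder. Suggest `cfg->allow_unauth_binds = LDAP_OFF; /* RFC 4513: refuse unauthenticated binds unless explicitly enabled */`. The enclosing initialization function starts and ends outside the hunk.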
@@ -4427,6 +4432,20 @@
return retVal;
}
+
+int
+config_get_unauth_binds_switch(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->allow_unauth_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+
int
config_is_slapd_lite ()
{
@@ -5124,6 +5143,23 @@
}
+int
+config_set_unauth_binds_switch( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->allow_unauth_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
+
/*
* This function is intended to be used from the dse code modify callback. It
* is "optimized" for that case because it takes a berval** of values, which is
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- proto-slap.h 4 Nov 2008 18:23:08 -0000 1.41
+++ proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42
@@ -338,6 +338,7 @@
int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int apply );
int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
+int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -461,6 +462,7 @@
int config_get_hash_filters();
int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
+int config_get_unauth_binds_switch(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- slap.h 24 Oct 2008 22:36:58 -0000 1.38
+++ slap.h 7 Nov 2008 22:32:57 -0000 1.39
@@ -1693,6 +1693,7 @@
#define CONFIG_USEROC_ATTRIBUTE "nsslapd-useroc"
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
+#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -1981,6 +1982,7 @@
char *ldapi_search_base_dn; /* base dn to search for mapped entries */
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
#endif /* _WIN32 */
[Fedora-directory-commits] ldapserver/ldap/ldif template-dse.ldif.in, 1.10, 1.11
by Nathan Kinder
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/ldif
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8277/ldap/ldif
Modified Files:
template-dse.ldif.in
Log Message:
Resolves: 316241
Summary: Add config setting to disable unauthenticated binds.
Index: template-dse.ldif.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/ldif/template-dse.ldif.in,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- template-dse.ldif.in 5 Nov 2008 18:21:05 -0000 1.10
+++ template-dse.ldif.in 7 Nov 2008 22:32:57 -0000 1.11
@@ -27,6 +27,7 @@
nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-ssl-check-hostname: on
+nsslapd-allow-unauthenticated-binds: off
nsslapd-port: %ds_port%
nsslapd-localuser: %ds_user%
nsslapd-errorlog-logging-enabled: on
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_instance_config.c, 1.11, 1.12
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27815
Modified Files:
ldbm_instance_config.c
Log Message:
Resolves: #463774
Summary: index files for database should be deleted when db is deleted.
Fix Description: The callback ldbm_instance_post_delete_instance_entry_callback
is called when the backend instance is removed. In the callback, there was a
code to cleanup the primary db (id2entry.db#), but no other index files nor the
instance directory. Also, the code included a bug to get the instance
directory path. The proposed code gets the right instance directory path and
cleans up all the files in the directory, then removes the backend instance
directory.
Index: ldbm_instance_config.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- ldbm_instance_config.c 8 Oct 2008 17:29:04 -0000 1.11
+++ ldbm_instance_config.c 6 Nov 2008 21:04:17 -0000 1.12
@@ -939,34 +939,53 @@
struct dblayer_private_env *pEnv = priv->dblayer_env;
if(pEnv) {
PRDir *dirhandle = NULL;
- char dbName[MAXPATHLEN*2];
- char *dbNamep = NULL;
- char *p;
- int dbbasenamelen, dbnamelen;
- int rc;
+ char inst_dir[MAXPATHLEN*2];
+ char *inst_dirp = NULL;
+
if (inst->inst_dir_name == NULL){
dblayer_get_instance_data_dir(inst->inst_be);
}
- dirhandle = PR_OpenDir(inst->inst_dir_name);
- /* the db dir instance may have been removed already */
- if (dirhandle){
- dbNamep = dblayer_get_full_inst_dir(li, inst,
- dbName, MAXPATHLEN*2);
- dbbasenamelen = strlen(dbNamep);
- dbnamelen = dbbasenamelen + 14; /* "/id2entry.db#" + '\0' */
- if (dbnamelen > MAXPATHLEN*2)
- {
- dbNamep = (char *)slapi_ch_realloc(dbNamep, dbnamelen);
+ inst_dirp = dblayer_get_full_inst_dir(li, inst,
+ inst_dir, MAXPATHLEN*2);
+ if (NULL != inst_dirp) {
+ dirhandle = PR_OpenDir(inst_dirp);
+ /* the db dir instance may have been removed already */
+ if (dirhandle) {
+ PRDirEntry *direntry = NULL;
+ char *dbp = NULL;
+ char *p = NULL;
+ while (NULL != (direntry = PR_ReadDir(dirhandle,
+ PR_SKIP_DOT|PR_SKIP_DOT_DOT))) {
+ int rc;
+ if (!direntry->name)
+ break;
+
+ dbp = PR_smprintf("%s/%s", inst_dirp, direntry->name);
+ if (NULL == dbp) {
+ LDAPDebug (LDAP_DEBUG_ANY,
+ "ldbm_instance_post_delete_instance_entry_callback:"
+ " failed to generate db path: %s/%s\n",
+ inst_dirp, direntry->name, 0);
+ break;
+ }
+
+ p = strstr(dbp, LDBM_FILENAME_SUFFIX);
+ if (NULL != p &&
+ strlen(p) == strlen(LDBM_FILENAME_SUFFIX)) {
+ rc = dblayer_db_remove(pEnv, dbp, 0);
+ } else {
+ rc = PR_Delete(dbp);
+ }
+ PR_ASSERT(rc == 0);
+ PR_smprintf_free(dbp);
+ }
+ PR_CloseDir(dirhandle);
}
- p = dbNamep + dbbasenamelen;
- sprintf(p, "%c%s%s", get_sep(dbNamep),
- "id2entry", LDBM_FILENAME_SUFFIX);
- rc = dblayer_db_remove(pEnv, dbName, 0);
- PR_ASSERT(rc == 0);
- if (dbNamep != dbName)
- slapi_ch_free_string(&dbNamep);
- PR_CloseDir(dirhandle);
+ PR_RmDir(inst_dirp);
} /* non-null dirhandle */
+ if (inst_dirp != inst_dir) {
+ slapi_ch_free_string(&inst_dirp);
+ }
} /* non-null pEnv */
}
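Review bot: `PR_ASSERT(rc == 0)` is the only handling of a failed `dblayer_db_remove`/`PR_Delete`, and NSPR compiles `PR_ASSERT` out of non-debug builds, so in production a file that cannot be removed is silently skipped, the following `PR_RmDir(inst_dirp)` then fails on the non-empty directory, and its return value is ignored as well; log the failure (`LDAPDebug(LDAP_DEBUG_ANY, "...: failed to remove %s (%d)\n", dbp, rc, 0)`) and check `PR_RmDir` the same way. The suffix test `strstr(dbp, LDBM_FILENAME_SUFFIX)` finds the first occurrence, so a name that contains the suffix twice is not recognized as a db file; comparing the tail (`len >= slen && strcmp(dbp + len - slen, LDBM_FILENAME_SUFFIX) == 0`) is exact. The trailing comment `} /* non-null dirhandle */` now closes the `if (NULL != inst_dirp)` block and should be updated. The enclosing callback starts before the hunk.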
[Fedora-directory-commits] ldapserver/ldap/servers/slapd mempool.c, 1.1, 1.2
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25685
Modified Files:
mempool.c
Log Message:
Resolves: #466702
Summary: Memory usage research: checking in the experimental code
Comment: added a missing line
Index: mempool.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/mempool.c,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- mempool.c 15 Oct 2008 06:30:05 -0000 1.1
+++ mempool.c 6 Nov 2008 01:02:21 -0000 1.2
@@ -234,6 +234,7 @@
if ((maxfreelist > 0) && (my_mempool[type].mempool_count > maxfreelist)) {
return LDAP_UNWILLING_TO_PERFORM;
} else {
+ ((struct mempool_object *)object)->mempool_next = mempool[type].mempool_head;
my_mempool[type].mempool_head = (struct mempool_object *)object;
my_mempool[type].mempool_cleanup_fn = cleanup;
my_mempool[type].mempool_count++;
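Review bot: The added line links the object to `mempool[type].mempool_head` while every neighbouring line reads and writes `my_mempool[type]`; unless `mempool` and `my_mempool` name the same storage (their declarations are outside the hunk), the returned object's next pointer points into a different list and the `my_mempool[type]` chain loses every entry below the new head. Suggest `((struct mempool_object *)object)->mempool_next = my_mempool[type].mempool_head;`. The enclosing function starts and ends outside the hunk.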
[Fedora-directory-commits] ldapserver/ldap/servers/slapd sasl_map.c, 1.10, 1.11
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23087
Modified Files:
sasl_map.c
Log Message:
Resolves: #459302
Summary: SASL MAP: memory leak in sasl_map_init
Fix Description: sasl_map_done put just comments to free the map list and the
private structure, but not implemented them. Added the code to release the map
list and the private structure.
Index: sasl_map.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- sasl_map.c 5 Nov 2008 18:21:06 -0000 1.10
+++ sasl_map.c 6 Nov 2008 00:34:19 -0000 1.11
@@ -101,7 +101,6 @@
return new_priv;
}
-#if 0 /* unused for now */
static void
sasl_map_free_private(sasl_map_private **priv)
{
@@ -109,7 +108,6 @@
slapi_ch_free((void**)priv);
*priv = NULL;
}
-#endif
/* This function does a shallow copy on the payload data supplied, so the caller should not free it, and it needs to be allocated using slapi_ch_malloc() */
static
@@ -132,6 +130,10 @@
static void
sasl_map_free_data(sasl_map_data **dp)
{
+ slapi_ch_free_string(&(*dp)->name);
+ slapi_ch_free_string(&(*dp)->regular_expression);
+ slapi_ch_free_string(&(*dp)->template_base_dn);
+ slapi_ch_free_string(&(*dp)->template_search_filter);
slapi_ch_free((void**)dp);
}
@@ -287,7 +289,8 @@
filtertemplate = slapi_entry_attr_get_charptr( entry, "nsSaslMapFilterTemplate" );
map_name = slapi_entry_attr_get_charptr( entry, "cn" );
- if ( (NULL == regex) || (NULL == basedntemplate) || (NULL == filtertemplate) ) {
+ if ( (NULL == map_name) || (NULL == regex) ||
+ (NULL == basedntemplate) || (NULL == filtertemplate) ) {
/* Invalid entry */
ret = -1;
} else {
@@ -296,6 +299,7 @@
}
if (ret) {
+ slapi_ch_free((void **) &map_name);
slapi_ch_free((void **) ®ex);
slapi_ch_free((void **) &basedntemplate);
slapi_ch_free((void **) &filtertemplate);
@@ -405,8 +409,21 @@
int sasl_map_done()
{
int ret = 0;
+ sasl_map_private *priv = sasl_map_get_global_priv();
+ sasl_map_data *dp = NULL;
+
/* Free the map list */
+ PR_Lock(priv->lock);
+ dp = priv->map_data_list;
+ while (dp) {
+ sasl_map_data *dp_next = dp->next;
+ sasl_map_free_data(&dp);
+ dp = dp_next;
+ }
+ PR_Unlock(priv->lock);
+
/* Free the private structure */
+ sasl_map_free_private(&priv);
return ret;
}
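Review bot: `sasl_map_free_private(&priv)` frees the structure and nulls only the local `priv`; the global pointer behind `sasl_map_get_global_priv()` is not touched in this hunk, so if it still holds the old address any later `sasl_map_*` call becomes a use-after-free. Also `priv->map_data_list` still points at freed nodes between `PR_Unlock(priv->lock)` and the free, and the visible part of `sasl_map_free_private` shows only `slapi_ch_free`, so it is unclear whether `priv->lock` is destroyed. Suggest `priv->map_data_list = NULL;` before the unlock, and have `sasl_map_free_private` destroy the lock and reset the global, if it does not already do so in the lines cut by the earlier hunk.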
[Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldif2ldbm.c, 1.20, 1.21
by Noriko Hosoi
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18655
Modified Files:
ldif2ldbm.c
Log Message:
Resolves: #469792
Summary: vlvindex should not give an error message when the vlvindex is empty
Fix description: In ldbm_fetch_subtrees, if the parent entry to be vlvindexed
('ou=payroll,dc=example,dc=com' in this example) does not exist, then vlvindex
with the proposed code issues this warning but no further messages.
warning: entrydn not indexed on 'ou=payroll,dc=example,dc=com'; entry ou=payroll,dc=example,dc=com may not be added to the database yet.
If the parent entry exists (entry id 10 in this example) but has no descendant
entries to be vlvindexed, then vlvindex with the proposed code issues
this warning but no further messages.
warning: ancestorid not indexed on 10; possibly, the entry id 10 has no descendants yet.
Index: ldif2ldbm.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- ldif2ldbm.c 17 Oct 2008 16:54:47 -0000 1.20
+++ ldif2ldbm.c 5 Nov 2008 23:49:58 -0000 1.21
@@ -687,8 +687,16 @@
bv.bv_len = strlen(include[i]);
idl = index_read(be, "entrydn", indextype_EQUALITY, &bv, txn, err);
if (idl == NULL) {
- LDAPDebug(LDAP_DEBUG_ANY, "warning: entrydn not indexed on '%s'\n",
- include[i], 0, 0);
+ if (DB_NOTFOUND == *err) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "warning: entrydn not indexed on '%s'; "
+ "entry %s may not be added to the database yet.\n",
+ include[i], include[i], 0);
+ *err = 0; /* not a problem */
+ } else {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "warning: entrydn not indexed on '%s'\n", include[i], 0, 0);
+ }
continue;
}
id = idl_firstid(idl);
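Review bot: `*err` is reset to 0 only on the `DB_NOTFOUND` branch, while the other branch leaves the real error in `*err` and still does `continue`, so after the loop `*err` reflects whichever include was processed last; a genuine index failure on an earlier suffix followed by a merely-absent later one ends with `*err == 0`, and the caller shown in the later hunk then skips its "indexes are bad" warning. If that is not intended, keep the first non-NOTFOUND error in a local and store it after the loop, or `break` on such errors. The enclosing function starts and ends outside the hunk.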
@@ -700,8 +708,17 @@
*/
*err = ldbm_ancestorid_read(be, txn, id, &idl);
if (idl == NULL) {
- LDAPDebug(LDAP_DEBUG_ANY, "warning: ancestorid not indexed on %lu\n",
- id, 0, 0);
+ if (DB_NOTFOUND == *err) {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "warning: ancestorid not indexed on %lu; "
+ "possibly, the entry id %lu has no descendants yet.\n",
+ id, id, 0);
+ *err = 0; /* not a problem */
+ } else {
+ LDAPDebug(LDAP_DEBUG_ANY,
+ "warning: ancestorid not indexed on %lu\n",
+ id, 0, 0);
+ }
continue;
}
@@ -1474,20 +1491,23 @@
idl = ldbm_fetch_subtrees(be, suffix_list, &err);
charray_free(suffix_list);
if (! idl) {
- LDAPDebug(LDAP_DEBUG_ANY,
+ /* most likely, indexes are bad if err is set. */
+ if (0 != err) {
+ LDAPDebug(LDAP_DEBUG_ANY,
"%s: WARNING: Failed to fetch subtree lists: (%d) %s\n",
inst->inst_name, err, dblayer_strerror(err));
- LDAPDebug(LDAP_DEBUG_ANY,
+ LDAPDebug(LDAP_DEBUG_ANY,
"%s: Possibly the entrydn or ancestorid index is "
"corrupted or does not exist.\n", inst->inst_name, 0, 0);
- LDAPDebug(LDAP_DEBUG_ANY,
+ LDAPDebug(LDAP_DEBUG_ANY,
"%s: Attempting brute-force method instead.\n",
inst->inst_name, 0, 0);
- if (task) {
- slapi_task_log_notice(task,
- "%s: WARNING: Failed to fetch subtree lists (err %d) -- "
- "attempting brute-force method instead.",
- inst->inst_name, err);
+ if (task) {
+ slapi_task_log_notice(task,
+ "%s: WARNING: Failed to fetch subtree lists (err %d) -- "
+ "attempting brute-force method instead.",
+ inst->inst_name, err);
+ }
}
} else if (ALLIDS(idl)) {
/* that's no help. */
[Fedora-directory-commits] ldapserver/ldap/servers/slapd sasl_map.c, 1.9, 1.10 saslbind.c, 1.28, 1.29 slapi-plugin.h, 1.33, 1.34 slapi-private.h, 1.28, 1.29 util.c, 1.17, 1.18
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/slapd
Modified Files:
sasl_map.c saslbind.c slapi-plugin.h slapi-private.h util.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Index: sasl_map.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- sasl_map.c 30 Jun 2008 17:28:16 -0000 1.9
+++ sasl_map.c 5 Nov 2008 18:21:06 -0000 1.10
@@ -440,6 +440,8 @@
}
if (matched) {
if (matched == 1) {
+ char escape_base[BUFSIZ];
+ char escape_filt[BUFSIZ];
/* Allocate buffers for the returned strings */
/* We already computed this, so we could pass it in to speed up a little */
size_t userrealmlen = strlen(sasl_user_and_realm);
@@ -448,7 +450,11 @@
*ldap_search_filter = (char *) slapi_ch_malloc(userrealmlen + strlen(dp->template_search_filter) + 1);
slapd_re_subs(dp->template_base_dn,*ldap_search_base);
slapd_re_subs(dp->template_search_filter,*ldap_search_filter);
- LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n", ldap_search_base, ldap_search_filter, 0 );
+ /* these values are internal regex representations with lots of
+ unprintable control chars - escape for logging */
+ LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n",
+ escape_string( *ldap_search_base, escape_base ),
+ escape_string( *ldap_search_filter, escape_filt ), 0 );
ret = 1;
} else {
LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_check : re_exec failed\n", 0, 0, 0 );
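Review bot: `escape_base` and `escape_filt` are fixed `BUFSIZ` stack buffers filled by `escape_string()` from the mapped base DN and filter, both of which are expanded from `sasl_user_and_realm` (the client-supplied SASL identity), and the hunk does not show whether `escape_string` bounds its output; please confirm it truncates at BUFSIZ, because escaping expands control characters and an over-long identity would otherwise overrun the stack in a trace-logging path reachable before authentication. A comment at the declaration (`/* escape_string() truncates to BUFSIZ */`) would record the guarantee. The enclosing function starts and ends outside the hunk.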
Index: saslbind.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- saslbind.c 4 Nov 2008 23:21:10 -0000 1.28
+++ saslbind.c 5 Nov 2008 18:21:06 -0000 1.29
@@ -81,6 +81,21 @@
slapi_ch_free(&ptr);
}
+static Slapi_ComponentId *sasl_component_id = NULL;
+
+static void generate_component_id()
+{
+ if (NULL == sasl_component_id) {
+ sasl_component_id = generate_componentid(NULL /* Not a plugin */,
+ COMPONENT_SASL);
+ }
+}
+
+static Slapi_ComponentId *sasl_get_component_id()
+{
+ return sasl_component_id;
+}
+
/*
* sasl library callbacks
*/
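Review bot: Style: the two new helpers are declared with empty parameter lists (`static void generate_component_id()` and `sasl_get_component_id()`), which in C means "unspecified arguments" rather than "none"; write them as `(void)` so the compiler checks calls. The `NULL == sasl_component_id` check in `generate_component_id` is unsynchronized, which is fine only because the later hunk calls it once from SASL initialization, so a one-line comment (`/* called once from ids_sasl_init, no locking needed */`) would keep that assumption from being broken by a second caller.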
@@ -238,20 +253,23 @@
)
{
Slapi_Entry **entries = NULL;
- Slapi_PBlock *pb;
+ Slapi_PBlock *pb = NULL;
int i, ret;
LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search basedn=\"%s\" filter=\"%s\"\n", basedn, filter, 0);
/* TODO: set size and time limits */
-
- pb = slapi_search_internal(basedn, scope, filter,
- ctrls, attrs, attrsonly);
- if (pb == NULL) {
- LDAPDebug(LDAP_DEBUG_TRACE, "null pblock from slapi_search_internal\n", 0, 0, 0);
+ pb = slapi_pblock_new();
+ if (!pb) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "null pblock for search_internal_pb\n", 0, 0, 0);
goto out;
}
+ slapi_search_internal_set_pb(pb, basedn, scope, filter, attrs, attrsonly, ctrls,
+ NULL, sasl_get_component_id(), 0);
+
+ slapi_search_internal_pb(pb);
+
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret);
if (ret != LDAP_SUCCESS) {
LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search failed basedn=\"%s\" "
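Review bot: The rewritten search still carries `/* TODO: set size and time limits */`, and the new `slapi_search_internal_set_pb` call passes no limits; the base DN and filter come from the SASL mapping of a client-supplied identity, so a permissive mapping template lets an unauthenticated client trigger an unbounded internal search, now also against a chained farm server. Since the caller only needs to know whether exactly one entry matches (`*foundp` is counted below), set a small size limit and a time limit on the pblock before `slapi_search_internal_pb(pb)` if the internal-search pblock honors `SLAPI_SEARCH_SIZELIMIT`/`SLAPI_SEARCH_TIMELIMIT`, and replace the TODO with the rationale. The enclosing function continues past the hunk.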
@@ -261,7 +279,11 @@
}
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
- if (entries == NULL) goto out;
+ if ((entries == NULL) || (entries[0] == NULL)) {
+ LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries\n",
+ 0, 0, 0);
+ goto out;
+ }
for (i = 0; entries[i]; i++) {
(*foundp)++;
@@ -546,6 +568,9 @@
LDAPDebug(LDAP_DEBUG_TRACE, "sasl service fqdn is: %s\n",
serverfqdn, 0, 0);
+ /* get component ID for internal operations */
+ generate_component_id();
+
/* Set SASL memory allocation callbacks */
sasl_set_alloc(
(sasl_malloc_t *)slapi_ch_malloc,
@@ -1016,4 +1041,3 @@
return;
}
-
Index: slapi-plugin.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- slapi-plugin.h 4 Nov 2008 18:23:08 -0000 1.33
+++ slapi-plugin.h 5 Nov 2008 18:21:06 -0000 1.34
@@ -1103,6 +1103,7 @@
const char *mech, /* name of mechanism */
LDAPControl **serverctrls, /* additional controls to send */
LDAPControl ***returnedctrls, /* returned controls */
+ struct timeval *timeout, /* timeout */
int *msgidp /* pass in non-NULL for async handling */
);
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -r1.28 -r1.29
--- slapi-private.h 24 Oct 2008 22:36:58 -0000 1.28
+++ slapi-private.h 5 Nov 2008 18:21:06 -0000 1.29
@@ -720,6 +720,7 @@
#define COMPONENT_RESLIMIT "cn=resource limits,"COMPONENT_BASE_DN
#define COMPONENT_PWPOLICY "cn=password policy,"COMPONENT_BASE_DN
#define COMPONENT_CERT_AUTH "cn=certificate-based authentication,"COMPONENT_BASE_DN
+#define COMPONENT_SASL "cn=sasl,"COMPONENT_BASE_DN
/* Component names for logging */
#define SLAPI_COMPONENT_NAME_NSPR "Netscape Portable Runtime"
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- util.c 4 Nov 2008 18:23:08 -0000 1.17
+++ util.c 5 Nov 2008 18:21:06 -0000 1.18
@@ -974,7 +974,17 @@
ssl_strength = LDAPSSL_AUTH_CERT;
}
- if (ldapssl_set_strength(ld, ssl_strength) != 0) {
+ /* Can only use ldapssl_set_strength on and LDAP* already
+ initialized for SSL - this is not the case when using
+ startTLS, so we use NULL to set the default for all
+ new connections */
+ if (secure == 1) {
+ rc = ldapssl_set_strength(ld, ssl_strength);
+ } else {
+ rc = ldapssl_set_strength(NULL, ssl_strength);
+ }
+
+ if (rc != 0) {
int prerr = PR_GetError();
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
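Review bot: `ldapssl_set_strength(NULL, ssl_strength)` in the startTLS branch changes the process-wide default for every LDAP handle created afterwards, not just this connection, so whichever chaining or replication agreement initializes last silently decides the certificate-verification strength for all later startTLS connections, including downgrading one that expected `LDAPSSL_AUTH_CERT`. If the SDK offers no per-handle way to set strength before the TLS handshake, at least document the side effect (`/* NULL sets the global default for new handles: last caller wins */`) and consider never lowering the default below the strongest strength already configured. The enclosing function starts and ends outside the hunk.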
@@ -1052,6 +1062,7 @@
const char *mech, /* name of mechanism */
LDAPControl **serverctrls, /* additional controls to send */
LDAPControl ***returnedctrls, /* returned controls */
+ struct timeval *timeout, /* timeout */
int *msgidp /* pass in non-NULL for async handling */
)
{
@@ -1125,8 +1136,8 @@
if (msgidp) { /* let caller process result */
*msgidp = mymsgid;
} else { /* process results */
- if (ldap_result(ld, mymsgid, LDAP_MSG_ALL,
- (struct timeval *)0, &result) == -1) {
+ rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result);
+ if (-1 == rc) { /* error */
rc = ldap_get_lderrno(ld, NULL, NULL);
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error reading bind response for id "
@@ -1135,8 +1146,18 @@
mech ? mech : "SIMPLE",
rc, ldap_err2string(rc));
goto done;
- }
-
+ } else if (rc == 0) { /* timeout */
+ rc = LDAP_TIMEOUT;
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
+ "Error: timeout after [%d.%d] seconds reading "
+ "bind response for [%s] mech [%s]\n",
+ timeout ? timeout->tv_sec : 0,
+ timeout ? timeout->tv_usec : 0,
+ bindid ? bindid : "(anon)",
+ mech ? mech : "SIMPLE");
+ goto done;
+ }
+ /* if we got here, we were able to read success result */
/* Get the controls sent by the server if requested */
if (returnedctrls) {
if ((rc = ldap_parse_result(ld, result, &rc, NULL, NULL,
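Review bot: On the `rc == 0` timeout path the bind request `mymsgid` is left outstanding, so if the `ld` handle is reused (the chaining backend pools connections) the late bind response can be consumed by a later `ldap_result` call; issue `ldap_abandon_ext(ld, mymsgid, NULL, NULL);` before `goto done` unless every caller is known to drop the handle on `LDAP_TIMEOUT`. Also `timeout->tv_sec` and `tv_usec` are `time_t`/`long` but printed with `%d`, and printing microseconds after a decimal point reads as a fraction (5000 usec appears as ".5000"); use `%ld` with explicit `(long)` casts and label the second field as usec. The function continues beyond the hunk.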
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_connection.c, 1.10, 1.11
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5_connection.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Index: repl5_connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_connection.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- repl5_connection.c 4 Nov 2008 18:23:08 -0000 1.10
+++ repl5_connection.c 5 Nov 2008 18:21:05 -0000 1.11
@@ -1563,7 +1563,7 @@
const char *mech = bind_method_to_mech(conn->bindmethod);
rc = slapi_ldap_bind(conn->ld, binddn, password, mech, NULL,
- &ctrls, NULL);
+ &ctrls, NULL, NULL);
if ( rc == LDAP_SUCCESS )
{
[Fedora-directory-commits] ldapserver/ldap/servers/plugins/chainingdb cb.h, 1.5, 1.6 cb_conn_stateless.c, 1.8, 1.9 cb_instance.c, 1.10, 1.11
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/plugins/chainingdb
Modified Files:
cb.h cb_conn_stateless.c cb_instance.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tell connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Index: cb.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb.h,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- cb.h 10 Nov 2006 23:44:50 -0000 1.5
+++ cb.h 5 Nov 2008 18:21:05 -0000 1.6
@@ -114,8 +114,10 @@
#define CB_CONFIG_SIZELIMIT "nsslapd-sizelimit"
#define CB_CONFIG_TIMELIMIT "nsslapd-timelimit"
#define CB_CONFIG_HOSTURL "nsFarmServerURL"
+#define CB_CONFIG_STARTTLS "nsUseStartTLS"
#define CB_CONFIG_BINDUSER "nsMultiplexorBindDn"
+#define CB_CONFIG_BINDMECH "nsBindMechanism"
#define CB_CONFIG_USERPASSWORD "nsMultiplexorCredentials"
#define CB_CONFIG_MAXBINDCONNECTIONS "nsBindConnectionsLimit"
#define CB_CONFIG_MAXCONNECTIONS "nsOperationConnectionsLimit"
@@ -163,6 +165,8 @@
#define CB_DEF_HOPLIMIT "10" /* CB_CONFIG_HOPLIMIT */
#define CB_DEF_MAX_IDLE_TIME "60" /* CB_CONFIG_MAX_IDLE_TIME */
#define CB_DEF_MAX_TEST_TIME "15" /* CB_CONFIG_MAX_TEST_TIME */
+#define CB_DEF_STARTTLS "off" /* CB_CONFIG_STARTTLS */
+#define CB_DEF_BINDMECH LDAP_SASL_SIMPLE /* CB_CONFIG_BINDMECH */
typedef void *cb_config_get_fn_t(void *arg);
typedef int cb_config_set_fn_t(void *arg, void *value, char *errorbuf, int phase, int apply);
@@ -290,6 +294,8 @@
/* To protect the config set by LDAP */
PRRWLock * rwl_config_lock;
+ int starttls; /* use starttls with connection */
+ char *mech; /* plain, external, or a sasl mech */
} cb_conn_pool;
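Review bot: The comment on the new `mech` field, `/* plain, external, or a sasl mech */`, says "plain" where the rest of the change (CB_DEF_BINDMECH being LDAP_SASL_SIMPLE) means a simple bind, and PLAIN is itself the name of a SASL mechanism, so the comment can be read the wrong way. Suggest `char *mech; /* NULL (LDAP_SASL_SIMPLE) for a simple bind, else the SASL mechanism name (EXTERNAL, GSSAPI, DIGEST-MD5) */`. The `starttls` comment could likewise name the setting it mirrors, e.g. `int starttls; /* nsUseStartTLS: negotiate startTLS on connections to the farm server */`.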
Index: cb_conn_stateless.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_conn_stateless.c,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -r1.8 -r1.9
--- cb_conn_stateless.c 15 Oct 2008 06:29:54 -0000 1.8
+++ cb_conn_stateless.c 5 Nov 2008 18:21:05 -0000 1.9
@@ -164,6 +164,7 @@
char *password,*binddn,*hostname;
unsigned int port;
int secure;
+ char *mech = NULL;;
static char *error1="Can't contact remote server : %s";
static char *error2="Can't bind to remote server : %s";
int isMultiThread = ENABLE_MULTITHREAD_PER_CONN ; /* by default, we enable multiple operations per connection */
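Review bot: The added declaration `char *mech = NULL;;` carries a stray second semicolon; it compiles as an empty declaration-level statement but reads as a typo and draws a warning from pedantic compilers. Change it to `char *mech = NULL;`. The enclosing function starts before this hunk.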
@@ -199,6 +200,10 @@
hostname=pool->hostname;
port=pool->port;
secure=pool->secure;
+ if (pool->starttls) {
+ secure = 2;
+ }
+ mech=pool->mech;
PR_RWLock_Unlock(pool->rwl_config_lock);
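Review bot: `secure = 2` in the added lines is a bare magic number whose meaning (presumably the startTLS mode of slapi_ldap_init) a reader has to look up, and the same two-line override is repeated in the heartbeat hunk further down (`secure = cb->pool->secure; if (cb->pool->starttls) secure = 2;`). A named constant in cb.h such as `#define CB_SECURE_STARTTLS 2 /* slapi_ldap_init: negotiate startTLS after connect */` used in both places would make the intent explicit. Note also that when `pool->secure` is already set (an ldaps farm URL) and nsUseStartTLS is on, the override silently replaces the ldaps setting with startTLS; if the two are not meant to combine it is safer to refuse or at least log the conflict than to let the later setting win, e.g. `if (pool->starttls && !secure) secure = 2;` with a warning when both are configured. The enclosing function starts before this hunk.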
@@ -348,12 +353,8 @@
/* For now, bind even if no user to detect error */
/* earlier */
if (pool->bindit) {
- int msgid;
- LDAPMessage *res=NULL;
- int parse_rc;
PRErrorCode prerr = 0;
LDAPControl **serverctrls=NULL;
- char **referrals=NULL;
char *plain = NULL;
int ret = -1;
@@ -381,14 +382,21 @@
}
/* Password-based client authentication */
+ rc = slapi_ldap_bind(ld, binddn, plain, mech, NULL, &serverctrls,
+ &bind_to, NULL);
- if (( msgid = ldap_simple_bind( ld, binddn, plain)) <0) {
- rc=ldap_get_lderrno( ld, NULL, NULL );
- prerr=PR_GetError();
- }
if ( ret == 0 ) slapi_ch_free_string(&plain); /* free plain only if it has been duplicated */
- if ( rc != LDAP_SUCCESS ) {
+ if ( rc == LDAP_TIMEOUT ) {
+ if (cb_debug_on()) {
+ slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
+ "Can't bind to server <%s> port <%d>. (%s)\n",
+ hostname, port, "time-out expired");
+ }
+ rc = LDAP_CONNECT_ERROR;
+ goto unlock_and_return;
+ } else if ( rc != LDAP_SUCCESS ) {
+ prerr=PR_GetError();
if (cb_debug_on()) {
slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
"Can't bind to server <%s> port <%d>. "
@@ -405,67 +413,11 @@
goto unlock_and_return;
}
- rc = ldap_result( ld, msgid, 0, &bind_to, &res );
- switch (rc) {
- case -1:
- rc = ldap_get_lderrno( ld, NULL, NULL );
- if (cb_debug_on()) {
- slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
- "Can't bind to server <%s> port <%d>. "
- "(LDAP error %d - %s; "
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n",
- hostname, port, rc,
- ldap_err2string(rc),
- prerr, slapd_pr_strerror(prerr));
- }
- if ( errmsg ) {
- *errmsg = PR_smprintf(error2,ldap_err2string(rc));
- }
- rc = LDAP_CONNECT_ERROR;
- goto unlock_and_return;
- case 0:
- if (cb_debug_on()) {
- slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
- "Can't bind to server <%s> port <%d>. (%s)\n",
- hostname, port, "time-out expired");
- }
- rc = LDAP_CONNECT_ERROR;
- goto unlock_and_return;
- default:
-
- parse_rc = ldap_parse_result( ld, res, &rc, NULL,
- NULL, &referrals, &serverctrls, 1 );
-
- if ( parse_rc != LDAP_SUCCESS ) {
- if (cb_debug_on()) {
- slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
- "Can't bind to server <%s> port <%d>. (%s)\n",
- hostname, port, ldap_err2string(parse_rc));
- }
- if ( errmsg ) {
- *errmsg = PR_smprintf(error2,ldap_err2string(parse_rc));
- }
- rc = parse_rc;
- goto unlock_and_return;
- }
-
- if ( rc != LDAP_SUCCESS ) {
- if (cb_debug_on()) {
- slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM,
- "Can't bind to server <%s> port <%d>. (%s)\n",
- hostname, port, ldap_err2string(rc));
- }
- if ( errmsg ) {
- *errmsg = PR_smprintf(error2, ldap_err2string(rc));
- }
- goto unlock_and_return;
- }
-
- if ( serverctrls )
+ if ( serverctrls )
+ {
+ int i;
+ for( i = 0; serverctrls[ i ] != NULL; ++i )
{
- int i;
- for( i = 0; serverctrls[ i ] != NULL; ++i )
- {
if ( !(strcmp( serverctrls[ i ]->ldctl_oid, LDAP_CONTROL_PWEXPIRED)) )
{
/* Bind is successful but password has expired */
@@ -487,12 +439,8 @@
binddn, hostname, port, password_expiring);
}
}
- }
- ldap_controls_free(serverctrls);
- }
-
- if (referrals)
- charray_free(referrals);
+ }
+ ldap_controls_free(serverctrls);
}
}
@@ -896,6 +844,7 @@
LDAP *ld;
LDAPMessage *result;
time_t now;
+ int secure;
if (cb->max_idle_time <=0) /* Heart-beat disabled */
return LDAP_SUCCESS;
@@ -904,8 +853,12 @@
now = current_time();
if (end_time && ((now <= end_time) || (end_time <0))) return LDAP_SUCCESS;
-
- ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,cb->pool->secure,0);
+
+ secure = cb->pool->secure;
+ if (cb->pool->starttls) {
+ secure = 2;
+ }
+ ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,secure,0);
if (NULL == ld) {
cb_update_failed_conn_cpt( cb );
return LDAP_SERVER_DOWN;
@@ -914,6 +867,8 @@
timeout.tv_sec=cb->max_test_time;
timeout.tv_usec=0;
+ /* NOTE: This will fail if we implement the ability to disable
+ anonymous bind */
rc=ldap_search_ext_s(ld ,NULL,LDAP_SCOPE_BASE,"objectclass=*",attrs,1,NULL,
NULL, &timeout, 1,&result);
if ( LDAP_SUCCESS != rc ) {
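Review bot: The added comment `/* NOTE: This will fail if we implement the ability to disable anonymous bind */` states the limitation from the implementer's side rather than telling the reader what the code relies on; suggest `/* Heart-beat: anonymous base search of the root DSE. The pool's bind mechanism and credentials are not used here, so this probe fails if the farm server refuses anonymous access. */`. Beyond the wording, the new starttls handling is applied to this probe connection but the configured nsBindMechanism and credentials are not, so a farm server that requires authentication would be reported as down by the heartbeat; whether the probe should bind with the pool's credentials is the design question the comment hints at and is worth recording as a follow-up. The enclosing function starts before this hunk.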
Index: cb_instance.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- cb_instance.c 8 Oct 2008 17:29:01 -0000 1.10
+++ cb_instance.c 5 Nov 2008 18:21:05 -0000 1.11
@@ -53,7 +53,9 @@
/* Get functions */
static void *cb_instance_hosturl_get(void *arg);
+static void *cb_instance_starttls_get(void *arg);
static void *cb_instance_binduser_get(void *arg);
+static void *cb_instance_bindmech_get(void *arg);
static void *cb_instance_userpassword_get(void *arg);
static void *cb_instance_maxbconn_get(void *arg);
static void *cb_instance_maxconn_get(void *arg);
@@ -77,7 +79,9 @@
/* Set functions */
static int cb_instance_hosturl_set(void *arg, void *value, char *errorbuf, int phase, int apply);
+static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int phase, int apply);
+static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_userpassword_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_maxbconn_set(void *arg, void *value, char *errorbuf, int phase, int apply);
static int cb_instance_maxconn_set(void *arg, void *value, char *errorbuf, int phase, int apply);
@@ -120,6 +124,8 @@
{CB_CONFIG_HOPLIMIT,CB_CONFIG_TYPE_INT,CB_DEF_HOPLIMIT,&cb_instance_hoplimit_get, &cb_instance_hoplimit_set,CB_ALWAYS_SHOW},
{CB_CONFIG_MAX_IDLE_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_IDLE_TIME,&cb_instance_max_idle_get, &cb_instance_max_idle_set,CB_ALWAYS_SHOW},
{CB_CONFIG_MAX_TEST_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_TEST_TIME,&cb_instance_max_test_get, &cb_instance_max_test_set,CB_ALWAYS_SHOW},
+{CB_CONFIG_STARTTLS,CB_CONFIG_TYPE_ONOFF,CB_DEF_STARTTLS,&cb_instance_starttls_get, &cb_instance_starttls_set,CB_ALWAYS_SHOW},
+{CB_CONFIG_BINDMECH,CB_CONFIG_TYPE_STRING,CB_DEF_BINDMECH,&cb_instance_bindmech_get, &cb_instance_bindmech_set,CB_ALWAYS_SHOW},
{NULL, 0, NULL, NULL, NULL, 0}
};
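Review bot: The new nsBindMechanism row declares CB_CONFIG_TYPE_STRING with CB_DEF_BINDMECH as its default, and CB_DEF_BINDMECH expands to LDAP_SASL_SIMPLE, which in the common LDAP SDK headers is a null pointer rather than a string, while the visible CB_DEF_* defaults in the rows above are string literals. If the generic default-loading code applies string operations (strdup, strlen, strcmp) to the default before the set function runs, this row is the first to feed it NULL — worth confirming, or using an explicit empty-string default such as `#define CB_DEF_BINDMECH "" /* CB_CONFIG_BINDMECH: empty = simple bind */` and having the setter map the empty string to a simple bind.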
@@ -256,9 +262,9 @@
slapi_destroy_mutex(inst->pool->conn.conn_list_mutex);
slapi_destroy_mutex(inst->monitor_availability.cpt_lock);
slapi_destroy_mutex(inst->monitor_availability.lock_timeLimit);
- slapi_ch_free((void **) &inst->configDn);
- slapi_ch_free((void **) &inst->monitorDn);
- slapi_ch_free((void **) &inst->inst_name);
+ slapi_ch_free_string(&inst->configDn);
+ slapi_ch_free_string(&inst->monitorDn);
+ slapi_ch_free_string(&inst->inst_name);
charray_free(inst->every_attribute);
slapi_ch_free((void **) &inst->bind_pool);
@@ -1324,6 +1330,66 @@
}
+static void *cb_instance_starttls_get(void *arg)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ uintptr_t data;
+
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ data=inst->pool->starttls;
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ return (void *) data;
+}
+
+static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ int rc = LDAP_SUCCESS;
+
+ if (apply) {
+ PR_RWLock_Wlock(inst->rwl_config_lock);
+ inst->pool->starttls=(int) ((uintptr_t)value);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
+ ( phase != CB_CONFIG_PHASE_STARTUP )) {
+ rc=CB_REOPEN_CONN; /* reconnect with the new starttls setting */
+ }
+ }
+ return rc;
+}
+
+static void *cb_instance_bindmech_get(void *arg)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ char * data;
+
+ PR_RWLock_Rlock(inst->rwl_config_lock);
+ data = slapi_ch_strdup(inst->pool->mech);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ return data;
+}
+
+static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply)
+{
+ cb_backend_instance * inst=(cb_backend_instance *) arg;
+ int rc=LDAP_SUCCESS;
+
+ if (apply) {
+ PR_RWLock_Wlock(inst->rwl_config_lock);
+ if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) &&
+ ( phase != CB_CONFIG_PHASE_STARTUP )) {
+
+ /* Dynamic modif */
+ charray_add(&inst->pool->waste_basket,inst->pool->mech);
+ rc=CB_REOPEN_CONN;
+ }
+
+ inst->pool->mech=slapi_ch_strdup((char *) value);
+ PR_RWLock_Unlock(inst->rwl_config_lock);
+ }
+ return rc;
+}
+
/* Finds an entry in a config_info array with the given name. Returns
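Review bot: cb_instance_bindmech_set stores whatever string arrives in `value` without checking it against the mechanisms the commit message says are supported (EXTERNAL, GSSAPI, DIGEST-MD5), and `errorbuf` is never written, so a mistyped nsBindMechanism is accepted at configuration time and only surfaces later as a bind failure against the farm server. Rejecting unknown values before the write lock is taken reports the mistake where it was made; if slapi_ldap_bind is meant to accept further SASL mechanisms, the accepted set should match what it supports. Separately, on the CB_CONFIG_PHASE_INITIALIZATION and CB_CONFIG_PHASE_STARTUP path the previous `inst->pool->mech` is overwritten without being freed or parked in the waste basket, so if the setter runs more than once during startup (default, then configured value) the first strdup leaks — a `slapi_ch_free_string(&inst->pool->mech)` before the assignment on that path would close it. cb_instance_bindmech_get hands back a fresh strdup while cb_instance_starttls_get returns a plain integer, so the two getters have different ownership contracts; a one-line comment on the bindmech getter saying the caller owns and frees the result would help the next reader.
```c
static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply)
{
    cb_backend_instance * inst=(cb_backend_instance *) arg;
    int rc=LDAP_SUCCESS;
    const char *mech = (const char *) value;

    /* Accept only the mechanisms this plugin knows how to chain;
     * an absent or empty value keeps the simple-bind default. */
    if (mech && *mech &&
        strcasecmp(mech, "EXTERNAL") != 0 &&
        strcasecmp(mech, "GSSAPI") != 0 &&
        strcasecmp(mech, "DIGEST-MD5") != 0) {
        if (errorbuf) {
            PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
                        "%s: unsupported bind mechanism \"%s\"",
                        CB_CONFIG_BINDMECH, mech);
        }
        return LDAP_INVALID_SYNTAX;
    }

    /* … unchanged: apply/phase handling, waste basket, strdup of the new value … */
```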
[Fedora-directory-commits] ldapserver/ldap/ldif template-dse.ldif.in, 1.9, 1.10
by Richard Allen Megginson
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/ldif
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/ldif
Modified Files:
template-dse.ldif.in
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - part 2
Reviewed by: nhosoi (Thanks!)
Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining:
nsUseStartTLS - on or off - tells the connection to use startTLS - default is off
nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind)
The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter.
Fixed a bug in the starttls code in slapi_ldap_init_ext.
The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out.
I fixed a bug in the sasl mapping debug trace code.
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna
Platforms tested: Fedora 8, Fedora 9
Flag Day: yes
Doc impact: yes
Index: template-dse.ldif.in
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/ldif/template-dse.ldif.in,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- template-dse.ldif.in 1 Jul 2008 22:30:05 -0000 1.9
+++ template-dse.ldif.in 5 Nov 2008 18:21:05 -0000 1.10
@@ -752,6 +752,9 @@
nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12
nsPossibleChainingComponents: cn=resource limits,cn=components,cn=config
nsPossibleChainingComponents: cn=certificate-based authentication,cn=components,cn=config
+nsPossibleChainingComponents: cn=password policy,cn=components,cn=config
+nsPossibleChainingComponents: cn=sasl,cn=components,cn=config
+nsPossibleChainingComponents: cn=roles,cn=components,cn=config
nsPossibleChainingComponents: cn=ACL Plugin,cn=plugins,cn=config
nsPossibleChainingComponents: cn=old plugin,cn=plugins,cn=config
nsPossibleChainingComponents: cn=referential integrity postoperation,cn=plugins,cn=config