ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/repl5_agmtlist.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
New commits:
commit b6b8d7bbda8b4fb0cf9e18011111e28f43e86cbd
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Aug 16 16:36:04 2013 -0700
Ticket #609 - nsDS5BeginReplicaRefresh attribute accepts any value and it doesn't throw any error when server restarts.
Bug description: If an invalid value is set to ds5BeginReplicaRefresh
in an agreement, it does not affect the behaviour, but it does not get
purged from the agreement and causes an error if "ds5BeginReplicaRefresh:
start" is added.
Fix description: Adding an invalid ds5BeginReplicaRefresh is rejected
with "DSA is unwilling to perform" and the following error is returned:
ldap_modify: additional info: Invalid value (junk_value123) value
supplied for attr (nsds5BeginReplicaRefresh); Ignoring ...
Reviewed by Rich (Thank you!!)
https://fedorahosted.org/389/ticket/609
diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index 1167b0c..e4ef66b 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -275,7 +275,7 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
break;
}
- /* Start replica initialization */
+ /* Start replica initialization */
if (val == NULL)
{
PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "No value supplied for attr (%s)", mods[i]->mod_type);
@@ -300,9 +300,12 @@ agmtlist_modify_callback(Slapi_PBlock *pb, Slapi_Entry *entryBefore, Slapi_Entry
}
else
{
- PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Invalid value (%s) value supplied for attr (%s)",
- val, mods[i]->mod_type);
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE,
+ "Invalid value (%s) value supplied for attr (%s); Ignoring ...",
+ val, mods[i]->mod_type);
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: %s\n", errortext);
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
}
slapi_ch_free ((void**)&val);
}
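Review bot: The text built by the new PR_snprintf still ends in `; Ignoring ...` while the two lines added below it turn the same case into a refusal (`*returncode = LDAP_UNWILLING_TO_PERFORM; rc = SLAPI_DSE_CALLBACK_ERROR;`), so the client is told the value is ignored when the whole modify is rejected. Wording it as `"Invalid value (%s) supplied for attr (%s); modification rejected"` makes the returned additional info match what happens and drops the duplicated "value" in the existing text at the same time. The client-supplied value is copied verbatim into both the response and the error log; it goes through `%s` under a bounded PR_snprintf, so it is not a format-string problem, but operators reading the log will see that text unchanged. agmtlist_modify_callback starts and ends outside the hunk.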
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/replication/windows_connection.c | 3 +
ldap/servers/plugins/replication/windows_private.c | 30 ++++++++++++---
ldap/servers/plugins/replication/windows_protocol_util.c | 19 +++++++++
3 files changed, 46 insertions(+), 6 deletions(-)
New commits:
commit b00b8acca54267560c6d7ec614bc52cfe541200a
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Aug 16 14:04:27 2013 -0700
Ticket #48 - Active Directory has certain uids which are reserved and will cause a Directory Server replica initialization of an AD server to abort.
Bug description: Some account names (e.g. "service") is reserved
in Active Directory. If DS has an entry having such an NT user ID
and the entry is synchronized to the AD, it fails with LDAP_ALREADY_
EXISTS, but the error is gracefully ignored. In the total update,
updating Account Control bit follows the failed add, which fails
since the AD entry WinSync expects does not exist and it aborts
the total update.
Fix description: If adding a DS entry to AD fails and the updating
Account Control bit also fails, the following note is logged in
the error log and the total update continues:
windows_process_total_add: Creating AD entry "cn=service service,
cn=Users,dc=EXAMPLE,dc=COM" from DS entry "uid=service,ou=People,
dc=example,dc=com" failed. AD reserves the account name. Ignoring
the error...
In addition, in windows_parse_config_entry, if the attribute values
in the agreement are retrieved before the agreement is started, the
following error is logged, which is not necessary. This patch
stops logging it if the agreement does not set "protocol" yet.
Replication agreement for agmt="cn=WinSync" could not be updated.
For replication to take place, please enable the suffix and restart
the server.
Reviewed by Rich (Thank you!!)
https://fedorahosted.org/389/ticket/48
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index 7418768..e6bd062 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -425,7 +425,8 @@ windows_perform_operation(Repl_Connection *conn, int optype, const char *dn,
}
else if (err == LDAP_ALREADY_EXISTS && optype == CONN_ADD)
{
- conn->last_ldap_error = LDAP_SUCCESS;
+ /* Caller (windows_process_total_add) needs the ALREADY EXISTS info */
+ conn->last_ldap_error = err;
return_value = CONN_OPERATION_SUCCESS;
}
else if (err == LDAP_NO_SUCH_OBJECT && optype == CONN_DELETE)
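Review bot: Storing `err` in conn->last_ldap_error while still returning CONN_OPERATION_SUCCESS changes what every caller of windows_conn_get_error sees after adding an entry that already exists, not only windows_process_total_add named in the new comment; the commit adapts process_replay_add and windows_process_total_add, and any other CONN_ADD path that reads the code and treats non-zero as failure is affected too (those callers are not visible from here, so this needs checking). The comment would serve better if it recorded the contract rather than one caller: `/* Report ALREADY EXISTS through last_ldap_error but treat the add as successful; callers must expect a non-zero code together with CONN_OPERATION_SUCCESS. */`. windows_perform_operation continues outside the hunk.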
diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c
index d108d1b..51e959a 100644
--- a/ldap/servers/plugins/replication/windows_private.c
+++ b/ldap/servers/plugins/replication/windows_private.c
@@ -183,7 +183,11 @@ windows_parse_config_entry(Repl_Agmt *ra, const char *type, Slapi_Entry *e)
windows_private_set_create_users(ra, PR_FALSE);
}
slapi_ch_free((void**)&tmpstr);
- prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ /* If protocol is NULL; the agreement is not started yet.
+ * So, no need to notify. */
+ if (agmt_get_protocol(ra)) {
+ prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ }
retval = 1;
}
if (type == NULL || slapi_attr_types_equivalent(type,type_nsds7CreateNewGroups))
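Review bot: The same four-line guard is pasted into five hunks of windows_parse_config_entry (here and at @@ -198, @@ -218, @@ -245 and @@ -272), each calling agmt_get_protocol(ra) twice, once in the test and once as the argument. A small static helper that fetches the protocol once and notifies only when it is set keeps the rule in one place and turns each site into `windows_private_notify_agmt_changed(ra);`. The repeated comment would also read better as `/* A NULL protocol means the agreement has not been started yet, so there is nobody to notify. */`. windows_parse_config_entry starts and ends outside these hunks.
```c
/* Tell the running protocol that the agreement changed.
 * agmt_get_protocol() is NULL until the agreement is started; in that
 * case there is nothing to notify. */
static void
windows_private_notify_agmt_changed(Repl_Agmt *ra)
{
    Repl_Protocol *prot = agmt_get_protocol(ra);
    if (prot) {
        prot_notify_agmt_changed(prot, (char *)agmt_get_long_name(ra));
    }
}
```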
@@ -198,7 +202,11 @@ windows_parse_config_entry(Repl_Agmt *ra, const char *type, Slapi_Entry *e)
windows_private_set_create_groups(ra, PR_FALSE);
}
slapi_ch_free((void**)&tmpstr);
- prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ /* If protocol is NULL; the agreement is not started yet.
+ * So, no need to notify. */
+ if (agmt_get_protocol(ra)) {
+ prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ }
retval = 1;
}
if (type == NULL || slapi_attr_types_equivalent(type,type_nsds7WindowsDomain))
@@ -218,7 +226,11 @@ windows_parse_config_entry(Repl_Agmt *ra, const char *type, Slapi_Entry *e)
if (NULL != tmpstr)
{
windows_private_set_sync_interval(ra,tmpstr);
- prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ /* If protocol is NULL; the agreement is not started yet.
+ * So, no need to notify. */
+ if (agmt_get_protocol(ra)) {
+ prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ }
}
slapi_ch_free_string(&tmpstr);
retval = 1;
@@ -245,7 +257,11 @@ windows_parse_config_entry(Repl_Agmt *ra, const char *type, Slapi_Entry *e)
windows_private_set_one_way(ra, ONE_WAY_SYNC_DISABLED);
}
slapi_ch_free((void**)&tmpstr);
- prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ /* If protocol is NULL; the agreement is not started yet.
+ * So, no need to notify. */
+ if (agmt_get_protocol(ra)) {
+ prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ }
retval = 1;
}
if (type == NULL || slapi_attr_types_equivalent(type,type_winsyncMoveAction))
@@ -272,7 +288,11 @@ windows_parse_config_entry(Repl_Agmt *ra, const char *type, Slapi_Entry *e)
windows_private_set_move_action(ra, MOVE_DOES_NOTHING);
}
slapi_ch_free((void**)&tmpstr);
- prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ /* If protocol is NULL; the agreement is not started yet.
+ * So, no need to notify. */
+ if (agmt_get_protocol(ra)) {
+ prot_notify_agmt_changed(agmt_get_protocol(ra), (char *)agmt_get_long_name(ra));
+ }
retval = 1;
}
diff --git a/ldap/servers/plugins/replication/windows_protocol_util.c b/ldap/servers/plugins/replication/windows_protocol_util.c
index 8e92de2..02ac783 100644
--- a/ldap/servers/plugins/replication/windows_protocol_util.c
+++ b/ldap/servers/plugins/replication/windows_protocol_util.c
@@ -1220,6 +1220,10 @@ process_replay_add(Private_Repl_Protocol *prp, Slapi_Entry *add_entry, Slapi_Ent
windows_log_add_entry_remote(local_dn, remote_dn);
return_value = windows_conn_send_add(prp->conn, slapi_sdn_get_dn(remote_dn),
entryattrs, NULL, NULL);
+ if (LDAP_ALREADY_EXISTS == ldap_result_code) {
+ /* Igoring ALREADY EXIST case. */
+ ldap_result_code = LDAP_SUCCESS;
+ }
windows_conn_get_error(prp->conn, &ldap_op, &ldap_result_code);
if ((return_value != CONN_OPERATION_SUCCESS) && !ldap_result_code) {
/* op failed but no ldap error code ??? */
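Review bot: The new ALREADY EXISTS check runs before `windows_conn_get_error(prp->conn, &ldap_op, &ldap_result_code)` on the following line, which is the call that fills ldap_result_code, so at the point of the test the variable still holds its initial value (its declaration is outside the hunk; if it is 0 as in windows_process_total_add the branch never fires) and the LDAP_ALREADY_EXISTS now reported by windows_connection.c is stored one line later and reaches the code below unchanged. The block has to move after the windows_conn_get_error call, as the windows_process_total_add hunk of this file already does: `windows_conn_get_error(prp->conn, &ldap_op, &ldap_result_code); if (LDAP_ALREADY_EXISTS == ldap_result_code) { ldap_result_code = LDAP_SUCCESS; }`. The comment also has a typo: `/* Ignoring the ALREADY EXISTS case. */`. process_replay_add starts and ends outside the hunk.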
@@ -5080,9 +5084,15 @@ windows_process_total_add(Private_Repl_Protocol *prp,Slapi_Entry *e, Slapi_DN* r
{
int ldap_op = 0;
int ldap_result_code = 0;
+ int alreadyexists = 0;
windows_log_add_entry_remote(local_dn, remote_dn);
retval = windows_conn_send_add(prp->conn, slapi_sdn_get_dn(remote_dn), entryattrs, NULL, NULL /* returned controls */);
windows_conn_get_error(prp->conn, &ldap_op, &ldap_result_code);
+ /* special treatment for ALREADY EXISTS */
+ if (LDAP_ALREADY_EXISTS == ldap_result_code) {
+ alreadyexists = 1;
+ ldap_result_code = LDAP_SUCCESS;
+ }
if ((retval != CONN_OPERATION_SUCCESS) && !ldap_result_code) {
/* op failed but no ldap error code ??? */
ldap_result_code = LDAP_OPERATIONS_ERROR;
@@ -5111,6 +5121,15 @@ windows_process_total_add(Private_Repl_Protocol *prp,Slapi_Entry *e, Slapi_DN* r
if ((retval == 0) && is_user) {
/* set the account control bits only for users */
retval = send_accountcontrol_modify(remote_dn, prp, missing_entry);
+ if (alreadyexists) {
+ slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
+ "%s: windows_process_total_add: "
+ "Creating AD entry \"%s\" from DS entry \"%s\" failed. "
+ "AD reserves the account name. Ignoring the error...\n",
+ agmt_get_long_name(prp->agmt), slapi_sdn_get_dn(remote_dn),
+ slapi_sdn_get_dn(local_dn));
+ retval = 0;
+ }
}
}
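Review bot: The `if (alreadyexists)` block logs "Creating AD entry ... failed. AD reserves the account name." and resets retval whenever the add returned LDAP_ALREADY_EXISTS, regardless of whether send_accountcontrol_modify on the line above succeeded; an entry that exists for ordinary reasons (a previous sync pass) then produces a FATAL-level message claiming a reserved name although nothing failed. Guarding on the failure as well, `if (retval && alreadyexists) {`, limits both the log line and the retval override to the case the commit describes, and the text should state what is actually known, e.g. `"AD entry already exists and its account control could not be updated; continuing"`, since a reserved name is only one explanation for ALREADY EXISTS. windows_process_total_add continues outside the hunk.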
} else
ldap/schema ldap/servers
by thierry bordaz
ldap/schema/02common.ldif | 3 +
ldap/servers/plugins/roles/roles_cache.c | 58 +++++++++++++++++++++++++++----
ldap/servers/plugins/roles/roles_cache.h | 2 +
3 files changed, 55 insertions(+), 8 deletions(-)
New commits:
commit 839c46c8124e6dabc40b568dc90968db9761cf98
Author: Thierry bordaz (tbordaz) <tbordaz(a)redhat.com>
Date: Fri Jun 28 14:30:59 2013 +0200
Ticket 208 - [RFE] Roles with explicit scoping in RHDS
Bug Description:
A limitation of the application using the role mechanism is that the scope of a role
is the subtree where the role is defined.
That means the role definitions are often mixed with the entries they are dealing with.
Usually configuration info is separated from the data. This RFE aims to separate the
role definitions from the DIT subtree where are stored the entries
Fix Description:
This RFE introduces a new configuration attribute 'nsRoleScopeDN' in the role definition.
This attribute specifies the subtree where the role apply.
See http://directory.fedoraproject.org/wiki/Creation_of_an_explicit_scoping_f...
https://fedorahosted.org/389/ticket/208
Reviewed by: Noriko Hosoi (thanks Noriko !)
Platforms tested: Fedora 17
Flag Day: no
Doc impact: yes
A role definition (entry with Objectclass=nsRoleDefinition), may contain an optional single valued attribute
'nsRoleScopeDN'.
In that case, the role does not apply to the subtree where it is defined but to the subtree referred by 'nsRoleScopeDN'.
'nsRoleScopeDN' is a DN syntax attribute. To be taken into account, its value must be a subtree under the suffix
where the role is defined.
If not present or with invalid value, the role will apply to the subtree where it is defined.
diff --git a/ldap/schema/02common.ldif b/ldap/schema/02common.ldif
index fa604c6..b67ec8d 100644
--- a/ldap/schema/02common.ldif
+++ b/ldap/schema/02common.ldif
@@ -146,6 +146,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.1004 NAME 'nsds7WindowsDomain' DESC 'Net
attributeTypes: ( 2.16.840.1.113730.3.1.1005 NAME 'nsds7DirsyncCookie' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.1099 NAME 'winSyncInterval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.1100 NAME 'oneWaySync' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.1101 NAME 'nsRoleScopeDN' DESC 'Scope of a role' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE X-ORIGIN '389 Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2139 NAME 'winSyncMoveAction' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 1.3.6.1.1.4 NAME 'vendorName' EQUALITY 1.3.6.1.4.1.1466.109.114.1 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation X-ORIGIN 'RFC 3045' )
attributeTypes: ( 1.3.6.1.1.5 NAME 'vendorVersion' EQUALITY 1.3.6.1.4.1.1466.109.114.1 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation X-ORIGIN 'RFC 3045' )
@@ -171,7 +172,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData' DESC 'Netsc
objectClasses: ( 2.16.840.1.113730.3.2.38 NAME 'vlvSearch' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ vlvBase $ vlvScope $ vlvFilter ) MAY ( multiLineDescription ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.42 NAME 'vlvIndex' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ vlvSort ) MAY ( vlvEnabled $ vlvUses ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.84 NAME 'cosDefinition' DESC 'Netscape defined objectclass' SUP top MAY ( costargettree $ costemplatedn $ cosspecifier $ cosattribute $ aci $ cn $ uid ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( 2.16.840.1.113730.3.2.93 NAME 'nsRoleDefinition' DESC 'Netscape defined objectclass' SUP ldapSubEntry MAY ( description ) X-ORIGIN 'Netscape Directory Server' )
+objectClasses: ( 2.16.840.1.113730.3.2.93 NAME 'nsRoleDefinition' DESC 'Netscape defined objectclass' SUP ldapSubEntry MAY ( description $ nsRoleScopeDN ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.94 NAME 'nsSimpleRoleDefinition' DESC 'Netscape defined objectclass' SUP nsRoleDefinition X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.95 NAME 'nsComplexRoleDefinition' DESC 'Netscape defined objectclass' SUP nsRoleDefinition X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.96 NAME 'nsManagedRoleDefinition' DESC 'Netscape defined objectclass' SUP nsSimpleRoleDefinition X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/plugins/roles/roles_cache.c b/ldap/servers/plugins/roles/roles_cache.c
index 89acc59..664ced1 100644
--- a/ldap/servers/plugins/roles/roles_cache.c
+++ b/ldap/servers/plugins/roles/roles_cache.c
@@ -88,6 +88,7 @@ typedef struct _role_object_nested {
/* Role object structure */
typedef struct _role_object {
Slapi_DN *dn; /* dn of a role entry */
+ Slapi_DN *rolescopedn; /* if set, this role will apply to any entry in the scope of this dn */
int type; /* ROLE_TYPE_MANAGED|ROLE_TYPE_FILTERED|ROLE_TYPE_NESTED */
Slapi_Filter *filter; /* if ROLE_TYPE_FILTERED */
Avlnode *avl_tree; /* if ROLE_TYPE_NESTED: tree of nested DNs (avl_data is a role_object_nested struct) */
@@ -181,7 +182,7 @@ static int roles_is_entry_member_of_object_ext(vattr_context *c, caddr_t data, c
static int roles_check_managed(Slapi_Entry *entry_to_check, role_object *role, int *present);
static int roles_check_filtered(vattr_context *c, Slapi_Entry *entry_to_check, role_object *role, int *present);
static int roles_check_nested(caddr_t data, caddr_t arg);
-static int roles_is_inscope(Slapi_Entry *entry_to_check, Slapi_DN *role_dn);
+static int roles_is_inscope(Slapi_Entry *entry_to_check, role_object *this_role);
static void berval_set_string(struct berval *bv, const char* string);
static void roles_cache_role_def_delete(roles_cache_def *role_def);
static void roles_cache_role_def_free(roles_cache_def *role_def);
@@ -1110,6 +1111,7 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
int rc = 0;
int type = 0;
role_object *this_role = NULL;
+ char *rolescopeDN = NULL;
slapi_log_error(SLAPI_LOG_PLUGIN, ROLES_PLUGIN_SUBSYSTEM,
"--> roles_cache_create_object_from_entry\n");
@@ -1164,6 +1166,41 @@ static int roles_cache_create_object_from_entry(Slapi_Entry *role_entry, role_ob
this_role->dn = slapi_sdn_new();
slapi_sdn_copy(slapi_entry_get_sdn(role_entry),this_role->dn);
+
+ rolescopeDN = slapi_entry_attr_get_charptr(role_entry, ROLE_SCOPE_DN);
+ if (rolescopeDN) {
+ Slapi_DN *rolescopeSDN;
+ Slapi_DN *top_rolescopeSDN, *top_this_roleSDN;
+
+ /* Before accepting to use this scope, first check if it belongs to the same suffix */
+ rolescopeSDN = slapi_sdn_new_dn_byref(rolescopeDN);
+ if ((strlen((char *) slapi_sdn_get_ndn(rolescopeSDN)) > 0) &&
+ (slapi_dn_syntax_check(NULL, (char *) slapi_sdn_get_ndn(rolescopeSDN), 1) == 0)) {
+ top_rolescopeSDN = roles_cache_get_top_suffix(rolescopeSDN);
+ top_this_roleSDN = roles_cache_get_top_suffix(this_role->dn);
+ if (slapi_sdn_compare(top_rolescopeSDN, top_this_roleSDN) == 0) {
+ /* rolescopeDN belongs to the same suffix as the role, we can use this scope */
+ this_role->rolescopedn = rolescopeSDN;
+ } else {
+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
+ "%s: invalid %s - %s not in the same suffix. Scope skipped.\n",
+ (char*) slapi_sdn_get_dn(this_role->dn),
+ ROLE_SCOPE_DN,
+ rolescopeDN);
+ slapi_sdn_free(&rolescopeSDN);
+ }
+ slapi_sdn_free(&top_rolescopeSDN);
+ slapi_sdn_free(&top_this_roleSDN);
+ } else {
+ /* this is an invalid DN, just ignore this parameter*/
+ slapi_log_error(SLAPI_LOG_FATAL, ROLES_PLUGIN_SUBSYSTEM,
+ "%s: invalid %s - %s not a valid DN. Scope skipped.\n",
+ (char*) slapi_sdn_get_dn(this_role->dn),
+ ROLE_SCOPE_DN,
+ rolescopeDN);
+ slapi_sdn_free(&rolescopeSDN);
+ }
+ }
/* Depending upon role type, pull out the remaining information we need */
switch (this_role->type)
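Review bot: `rolescopeDN` returned by `slapi_entry_attr_get_charptr(role_entry, ROLE_SCOPE_DN)` is a heap copy, and `slapi_sdn_new_dn_byref(rolescopeDN)` only references it, so neither of the two `slapi_sdn_free(&rolescopeSDN)` error paths nor the role object that keeps rolescopeSDN ever releases the string; every role carrying nsRoleScopeDN leaks it on each cache build. Handing the string over with `rolescopeSDN = slapi_sdn_new_dn_passin(rolescopeDN);` makes the SDN own it, so the existing frees and the `slapi_sdn_free(&this_role->rolescopedn)` added in roles_cache_role_object_free cover it; rolescopeDN must then not be touched after the SDN is freed, which the current ordering already satisfies. Two points to confirm: roles_cache_get_top_suffix may return NULL for a DN outside every suffix (its body is not in the diff) and `slapi_sdn_compare` is called on both results unchecked; and the acceptance rule is suffix equality only, so a role definition anywhere in a suffix can take scope over any other subtree of that suffix, which is worth stating in the comment above the block since it decides which role writers can affect nsRole on which entries. roles_cache_create_object_from_entry starts and ends outside the hunk.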
@@ -1776,7 +1813,7 @@ static int roles_is_entry_member_of_object_ext(vattr_context *c, caddr_t data, c
goto done;
}
- if (!roles_is_inscope(entry_to_check, this_role->dn))
+ if (!roles_is_inscope(entry_to_check, this_role))
{
slapi_log_error(SLAPI_LOG_PLUGIN,
ROLES_PLUGIN_SUBSYSTEM, "roles_is_entry_member_of_object-> entry not in scope of role\n");
@@ -1955,7 +1992,7 @@ static int roles_check_nested(caddr_t data, caddr_t arg)
return rc;
}
/* get the role_object data associated to that dn */
- if ( roles_is_inscope(get_nsrole->is_entry_member_of, this_role->dn) )
+ if ( roles_is_inscope(get_nsrole->is_entry_member_of, this_role) )
{
/* The list of nested roles is contained in the role definition */
roles_is_entry_member_of_object((caddr_t)this_role, (caddr_t)get_nsrole);
@@ -1974,17 +2011,23 @@ static int roles_check_nested(caddr_t data, caddr_t arg)
----------------------
Tells us if a presented role is in scope with respect to the presented entry
*/
-static int roles_is_inscope(Slapi_Entry *entry_to_check, Slapi_DN *role_dn)
+static int roles_is_inscope(Slapi_Entry *entry_to_check, role_object *this_role)
{
int rc;
- Slapi_DN role_parent;
+ Slapi_DN role_parent;
+ Slapi_DN *scope_dn = NULL;
slapi_log_error(SLAPI_LOG_PLUGIN,
ROLES_PLUGIN_SUBSYSTEM, "--> roles_is_inscope\n");
+ if (this_role->rolescopedn) {
+ scope_dn = this_role->rolescopedn;
+ } else {
+ scope_dn = this_role->dn;
+ }
slapi_sdn_init(&role_parent);
- slapi_sdn_get_parent(role_dn,&role_parent);
+ slapi_sdn_get_parent(scope_dn,&role_parent);
rc = slapi_sdn_scope_test(slapi_entry_get_sdn( entry_to_check ),
&role_parent,
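Review bot: With an explicit scope the new code still calls `slapi_sdn_get_parent(scope_dn,&role_parent)`, so a role carrying `nsRoleScopeDN: ou=People,dc=example,dc=com` is tested against dc=example,dc=com rather than ou=People; taking the parent is right for the role's own DN (the role entry lives inside the subtree it governs), but for the configured scope it widens the role by one level relative to the commit message, which says the role applies to the subtree referred to by nsRoleScopeDN. If the DN itself is meant to be the scope, only the default branch should strip a level, as below; if the parent is intended, the header comment of this function and the commit description should say so, because the difference changes which entries receive nsRole. The tail of roles_is_inscope (scope test and cleanup) is outside the hunk.
```c
	Slapi_DN role_parent;
	Slapi_DN *scope_dn = NULL;
	/* … unchanged: entry log … */
	slapi_sdn_init(&role_parent);
	if (this_role->rolescopedn) {
		/* explicit scope: the configured DN itself is the top of the scope */
		scope_dn = this_role->rolescopedn;
		slapi_sdn_copy(scope_dn, &role_parent);
	} else {
		/* default: the subtree the role entry is defined in */
		scope_dn = this_role->dn;
		slapi_sdn_get_parent(scope_dn, &role_parent);
	}
	rc = slapi_sdn_scope_test(slapi_entry_get_sdn( entry_to_check ),
	                          &role_parent,
```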
@@ -2000,7 +2043,7 @@ static int roles_is_inscope(Slapi_Entry *entry_to_check, Slapi_DN *role_dn)
slapi_log_error(SLAPI_LOG_PLUGIN,
ROLES_PLUGIN_SUBSYSTEM, "<-- roles_is_inscope: entry %s role %s result %d\n",
- slapi_entry_get_dn_const(entry_to_check),(char*)slapi_sdn_get_ndn(role_dn), rc);
+ slapi_entry_get_dn_const(entry_to_check),(char*)slapi_sdn_get_ndn(scope_dn), rc);
return (rc);
}
@@ -2127,6 +2170,7 @@ static void roles_cache_role_object_free(role_object *this_role)
}
slapi_sdn_free(&this_role->dn);
+ slapi_sdn_free(&this_role->rolescopedn);
/* Free the object */
slapi_ch_free((void**)&this_role);
diff --git a/ldap/servers/plugins/roles/roles_cache.h b/ldap/servers/plugins/roles/roles_cache.h
index 870f5a0..3a1e26c 100644
--- a/ldap/servers/plugins/roles/roles_cache.h
+++ b/ldap/servers/plugins/roles/roles_cache.h
@@ -62,6 +62,8 @@
#define ROLE_MANAGED_ATTR_NAME "nsRoleDN"
#define ROLE_NESTED_ATTR_NAME "nsRoleDN"
+#define ROLE_SCOPE_DN "nsRoleScopeDN"
+
#define SLAPI_ROLE_ERROR_NO_FILTER_SPECIFIED -1
#define SLAPI_ROLE_ERROR_FILTER_BAD -2
#define SLAPI_ROLE_DEFINITION_DOESNT_EXIST -3
ldap/schema ldap/servers
by Nathan Kinder
ldap/schema/01core389.ldif | 16 --------
ldap/servers/slapd/plugin.c | 85 +-------------------------------------------
2 files changed, 3 insertions(+), 98 deletions(-)
New commits:
commit 33da8586d71c625711c4079d5c83ad11241e236c
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Sun Aug 18 18:48:40 2013 -0700
Revert "Ticket #47431 - Duplicate values for the attribute nsslapd-pluginarg are not handled correctly"
This reverts commit d2c5b35e20578043117f84e928d96d296bdfc046.
This commit caused a regression by introducing a hard-coded limit to
the number of plug-in arguments for some plug-ins. This needs to be
solved in a different way that doesn't limit the number of arguments.
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 8c49918..8ef702d 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -153,22 +153,6 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout'
attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2161 NAME 'nsslapd-pluginArg0' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2162 NAME 'nsslapd-pluginArg1' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2163 NAME 'nsslapd-pluginArg2' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2164 NAME 'nsslapd-pluginArg3' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2165 NAME 'nsslapd-pluginArg4' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2166 NAME 'nsslapd-pluginArg5' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2167 NAME 'nsslapd-pluginArg6' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2168 NAME 'nsslapd-pluginArg7' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2169 NAME 'nsslapd-pluginArg8' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2170 NAME 'nsslapd-pluginArg9' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2171 NAME 'nsslapd-pluginArg10' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2172 NAME 'nsslapd-pluginArg11' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2173 NAME 'nsslapd-pluginArg12' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2174 NAME 'nsslapd-pluginArg13' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2175 NAME 'nsslapd-pluginArg14' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
-attributeTypes: ( 2.16.840.1.113730.3.1.2176 NAME 'nsslapd-pluginArg15' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
diff --git a/ldap/servers/slapd/plugin.c b/ldap/servers/slapd/plugin.c
index 5430a1c..aa33b02 100644
--- a/ldap/servers/slapd/plugin.c
+++ b/ldap/servers/slapd/plugin.c
@@ -54,11 +54,6 @@
#define ROOT_BIND "directory manager"
#define ANONYMOUS_BIND "anonymous"
-/* This defines the maximum number that an nsslapd-pluginArg attribute can have.
- * A plugin can have 16 arguments nsslapd-pluginArg0 to nsslapd-pluginArg15
- */
-#define MAX_PLUGINARG_NUM 15
-
/* Forward Declarations */
static int plugin_call_list (struct slapdplugin *list, int operation, Slapi_PBlock *pb);
static int plugin_call_one (struct slapdplugin *list, int operation, Slapi_PBlock *pb);
@@ -2106,19 +2101,8 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
int status = 0;
int enabled = 1;
char *configdir = 0;
- int diff = 0;
- int index_prev = 0;
- char attr_prev[BUFSIZ];
- int rc = 0;
- int num_args = 0;
- Slapi_Attr *newattr = 0;
- int arg_length = 0;
- char *attrnamenum = NULL;
- char *attr_prevnum = NULL;
- int numsize = 0;
attrname[0] = '\0';
- attr_prev[0] = '\0';
if (!slapi_entry_get_sdn_const(plugin_entry))
{
@@ -2298,78 +2282,15 @@ plugin_setup(Slapi_Entry *plugin_entry, struct slapi_componentid *group,
}
/* add the plugin arguments */
- rc = 0;
- arg_length = strlen(ATTR_PLUGIN_ARG);
-
- for (rc = slapi_entry_first_attr(plugin_entry, &newattr); !rc && newattr; rc = slapi_entry_next_attr(plugin_entry, newattr, &newattr))
- {
- char *type = NULL;
- slapi_attr_get_type(newattr, &type);
- if (strncasecmp(type, ATTR_PLUGIN_ARG, arg_length) == 0)
- {
- char *ptr = type;
- ptr += arg_length;
- int numdigits = 0;
- char *ptr_num = ptr;
- if ((*ptr == '\0') || ((*ptr == '0') && (*(ptr+1) != '\0')))
- {
- slapi_log_error( SLAPI_LOG_FATAL, plugin->plg_dn, "Invalid Plugin argument: %s. Argument ignored\n", type);
- continue;
- }
- while(*ptr != '\0')
- {
- if (!isdigit(*ptr))
- {
- slapi_log_error( SLAPI_LOG_FATAL, plugin->plg_dn, "Invalid Plugin argument: %s. Argument ignored\n", type);
- break;
- }
- numdigits++;
- ptr++;
- }
- if (*ptr == '\0')
- {
- if ((numdigits < 3) && (atoi(ptr_num) <= MAX_PLUGINARG_NUM))
- num_args++;
- else
- {
- slapi_log_error( SLAPI_LOG_FATAL, plugin->plg_dn, "Plugin argument value nsslapd-pluginArg%s exceeded maximum allowed value nsslapd-pluginArg%d\n", ptr_num, MAX_PLUGINARG_NUM);
- status = -1;
- goto PLUGIN_CLEANUP;
- }
- }
- }
- }
-
- PR_snprintf(attrname, sizeof(attrname), "%s", ATTR_PLUGIN_ARG);
- PR_snprintf(attr_prev, sizeof(attr_prev), "%s", ATTR_PLUGIN_ARG);
- attrnamenum = attrname + sizeof(ATTR_PLUGIN_ARG) -1;
- attr_prevnum = attr_prev + sizeof(ATTR_PLUGIN_ARG) -1;
- numsize = sizeof(attrname) - sizeof(ATTR_PLUGIN_ARG);
value = 0;
ii = 0;
- while (plugin->plg_argc < num_args)
+ PR_snprintf(attrname, sizeof(attrname), "%s%d", ATTR_PLUGIN_ARG, ii);
+ while ((value = slapi_entry_attr_get_charptr(plugin_entry, attrname)) != NULL)
{
- PR_snprintf(attrnamenum, numsize, "%d", ii);
- if (diff == 0)
- {
- strcpy(attr_prev, attrname);
- index_prev = ii;
- }
- while ((value = slapi_entry_attr_get_charptr(plugin_entry, attrname)) == NULL)
- {
- PR_snprintf(attrnamenum, numsize, "%d", ++ii);
- }
-
- if(strcmp(attrname, attr_prev) != 0)
- {
- slapi_entry_add_string(plugin_entry, attr_prev, value);
- slapi_entry_attr_delete(plugin_entry, attrname);
- diff = 1;
- PR_snprintf(attr_prevnum, numsize, "%d", ++index_prev);
- }
charray_add(&plugin->plg_argv, value);
plugin->plg_argc++;
++ii;
+ PR_snprintf(attrname, sizeof(attrname), "%s%d", ATTR_PLUGIN_ARG, ii);
}
memset((char *)&pb, '\0', sizeof(pb));
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/posix-winsync/posix-group-func.c | 30 ++++++++++--------
ldap/servers/plugins/posix-winsync/posix-winsync.c | 6 +--
2 files changed, 20 insertions(+), 16 deletions(-)
New commits:
commit 9093f582b410c27e197fc122c479c33c0a76fb62
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Aug 14 16:09:48 2013 -0700
Ticket #47310 - Attribute "dsOnlyMemberUid" not allowed when syncing nested posix groups from AD with posixWinsync
Bug description: When Posix Winsync API plug-in is configured
with posixWinsyncMapMemberUid and posixWinsyncMapNestedGrouping
enabled (true), Posix Group added to AD is synchronized to DS
with mapped dsOnlyMemberUid and memberUid. When adding a Posix
Group with the nested group member, addGroupMembership function
adds "dynamicGroup" to objectClass to allow the Posix Group entry
to have dsOnlyMemberUid. The add should be made against the entry
in the memory since the entry is not yet stored in the database,
but it was trying to modify against the backend.
Fix description: This patch directly adds "dynamicGroup" to the
objectclass valueset, by which the attribute "dsOnlyMemberUid"
is allowed to add to the entry.
In addition,
1) when reflecting the mapped memberUid on DS to AD, the logic
was corrected to "if dsOnlyMemberUid matches memberUid",
2) when the Posix Group is nested in the multiple levels, the
mapped memberUid was not retrieved. The code was added.
Reviewed by Rich (Thank you!!)
https://fedorahosted.org/389/ticket/47310
diff --git a/ldap/servers/plugins/posix-winsync/posix-group-func.c b/ldap/servers/plugins/posix-winsync/posix-group-func.c
index aa76d6c..4e2dae5 100644
--- a/ldap/servers/plugins/posix-winsync/posix-group-func.c
+++ b/ldap/servers/plugins/posix-winsync/posix-group-func.c
@@ -59,18 +59,8 @@ addDynamicGroupIfNecessary(Slapi_Entry *entry, Slapi_Mods *smods) {
if (slapi_attr_value_find(oc_attr, slapi_value_get_berval(voc)) != 0) {
if (smods) {
slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "dynamicGroup");
- }
- else {
- smods = slapi_mods_new();
- slapi_mods_add_string(smods, LDAP_MOD_ADD, "objectClass", "dynamicGroup");
-
- Slapi_PBlock *mod_pb = slapi_pblock_new();
- slapi_modify_internal_set_pb_ext(mod_pb, slapi_entry_get_sdn(entry), slapi_mods_get_ldapmods_passout(smods), 0, 0,
- posix_winsync_get_plugin_identity(), 0);
- slapi_modify_internal_pb(mod_pb);
- slapi_pblock_destroy(mod_pb);
-
- slapi_mods_free(&smods);
+ } else {
+ slapi_entry_add_string(entry, "objectClass", "dynamicGroup");
}
}
@@ -392,7 +382,7 @@ getMembershipFromDownward(Slapi_Entry *entry, Slapi_ValueSet *muid_vs, Slapi_Val
}
else {
/* PosixGroups except for the top one are already fully mapped out */
- if ((!hasObjectClass(entry, "posixGroup") || depth == 0) &&
+ if ((!hasObjectClass(entry, "posixGroup") || (depth == 0)) &&
(hasObjectClass(child, "ntGroup") || hasObjectClass(child, "posixGroup"))) {
/* Recurse downward */
@@ -413,6 +403,20 @@ getMembershipFromDownward(Slapi_Entry *entry, Slapi_ValueSet *muid_vs, Slapi_Val
slapi_valueset_add_value(muid_nested_vs, v);
}
}
+ } else if (hasObjectClass(child, "posixGroup")) {
+ Slapi_Attr *uid_attr = NULL;
+ Slapi_Value *v = NULL;
+ if (slapi_entry_attr_find(child, "memberuid", &uid_attr) == 0) {
+ slapi_attr_first_value(uid_attr, &v);
+
+ if (v && !slapi_valueset_find(uid_attr, muid_vs, v)) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, POSIX_WINSYNC_PLUGIN_NAME,
+ "getMembershipFromDownward: adding member: %s\n",
+ slapi_value_get_string(v));
+ slapi_valueset_add_value(muid_vs, v);
+ slapi_valueset_add_value(muid_nested_vs, v);
+ }
+ }
}
slapi_entry_free(child);
}
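Review bot: The new `else if (hasObjectClass(child, "posixGroup"))` branch reads only the first memberUid value of the nested group (`slapi_attr_first_value` at the line after the `slapi_entry_attr_find`), so if memberUid carries several values here, every value after the first is never mapped — which looks like the same symptom the commit sets out to fix, one level down. Unless a single value is guaranteed at this point, iterate the attribute the way the `slapi_attr_first_value`/`slapi_attr_next_value` loop does elsewhere in this series. The `slapi_valueset_find` check already guards duplicates, so the loop body can stay as it is. getMembershipFromDownward continues past the end of the hunk.
```c
} else if (hasObjectClass(child, "posixGroup")) {
    Slapi_Attr *uid_attr = NULL;
    Slapi_Value *v = NULL;
    if (slapi_entry_attr_find(child, "memberuid", &uid_attr) == 0) {
        int hint;
        /* walk every memberUid value, not only the first one */
        for (hint = slapi_attr_first_value(uid_attr, &v); hint != -1;
             hint = slapi_attr_next_value(uid_attr, hint, &v)) {
            if (v && !slapi_valueset_find(uid_attr, muid_vs, v)) {
                /* … unchanged: log "adding member" and add v to muid_vs and muid_nested_vs … */
            }
        }
    }
}
```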
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c
index 5b3d6e7..a9a3b44 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c
@@ -694,7 +694,8 @@ posix_winsync_pre_ad_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Sla
int j;
for (j = slapi_attr_first_value(attr, &v); j != -1;
j = slapi_attr_next_value(attr, i, &v)) {
- if (!slapi_valueset_find(dsmuid_attr, dsmuid_vs, v)) {
+ /* If dsOnlyMemberUid matches memberUid, add it to AD */
+ if (slapi_valueset_find(dsmuid_attr, dsmuid_vs, v)) {
slapi_valueset_add_value(vs, v);
}
}
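Review bot: The inverted condition now makes every memberUid value a candidate for AD, which puts weight on the surrounding loop: its step is `j = slapi_attr_next_value(attr, i, &v)` while `j` is the loop variable, so unless `i` (declared outside the hunk) is the index of the value just visited, values can be skipped or repeated and silently fail to reach AD. If `i` is not that index, the step should read `j = slapi_attr_next_value(attr, j, &v)`. A short comment next to the loop saying which index `i` is would settle it either way. posix_winsync_pre_ad_mod_group_cb starts and ends outside the hunk.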
@@ -726,8 +727,7 @@ posix_winsync_pre_ad_mod_group_cb(void *cbdata, const Slapi_Entry *rawentry, Sla
valueset_get_valuearray(vs));
*do_modify = 1;
}
- } else {
-
+ } else if (!slapi_valueset_isempty(vs)) {
slapi_mods_add_mod_values(smods, LDAP_MOD_ADD, ad_type,
valueset_get_valuearray(vs));
if (0 == slapi_attr_type_cmp(type, "gidNumber", SLAPI_TYPE_CMP_SUBTYPE)) {
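Review bot: The new `else if (!slapi_valueset_isempty(vs))` changes what reaches AD — an empty mapping used to produce an LDAP_MOD_ADD with no values — but nothing in the hunk says why, and the `} else {` it replaces had no comment either. Suggest `/* nothing mapped: do not send an empty LDAP_MOD_ADD to AD */` on that line. Whether `vs` is released on the now-skipped path is not visible here; worth confirming since the function ends outside the hunk.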
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/posix-winsync/posix-winsync.c | 13 +
ldap/servers/plugins/replication/windows_connection.c | 175 +++++++++++++++---
ldap/servers/plugins/replication/windows_private.c | 72 +++++++
ldap/servers/plugins/replication/windowsrepl.h | 5
ldap/servers/slapd/entry.c | 69 +++----
5 files changed, 266 insertions(+), 68 deletions(-)
New commits:
commit 7f1631efe45a1a0e7f228206386b2fe7d04fbc78
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Aug 16 14:58:50 2013 -0700
Ticket #47314 - Winsync should support range retrieval
Bug description: AD returns up to MaxValRange number of multi-
valued attribute values in one search. If more attribute values
exist, subtype ";range=0-(MaxValRange?-1)" is added to the type.
AD Client (DS in this case) has to repeat the search with
";range=MaxValRange?-*" then ";range=(2*MaxValRange?)-*" and so
on until the values with the subtype ";range=low-*" are returned.
Windows Sync plugin did not support the range search.
Fix description: This patch implements the range search for the
multi-valued attribute.
In addition,
1) For the search request, AD returns an attribute with no values
if it was deleted on the AD side even if the delete is one of the
multi-valued attributes. Windows Sync code was always adding the
attribute to the entry's e_deleted_attr list. This patch stops it
if there are more attributes having the same type existing in the
entry.
2) slapi_entry_attr_get_* APIs call slapi_entry_attr_find and set
the return value from the function to the value to return from the
APIs. slapi_entry_attr_find returns -1 if it fails to find the
attribute, which was returned if the type did not exist in the
entry. This patch stops that and lets slapi_entry_attr_get_* APIs
return the default return value 0 in case slapi_entry_attr_find
fails to find the type.
Reviewed by Rich (Thank you!!)
https://fedorahosted.org/389/ticket/47314
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync.c b/ldap/servers/plugins/posix-winsync/posix-winsync.c
index 38450f5..5b3d6e7 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync.c
@@ -773,12 +773,19 @@ posix_winsync_pre_ds_mod_user_cb(void *cbdata, const Slapi_Entry *rawentry, Slap
windows_attribute_map *attr_map = user_attribute_map;
PRBool posixval = PR_TRUE;
- if (posix_winsync_config_get_msSFUSchema())
- attr_map = user_mssfu_attribute_map;
-
slapi_log_error(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name,
"--> _pre_ds_mod_user_cb -- begin\n");
+ if ((NULL == rawentry) || (NULL == ad_entry) || (NULL == ds_entry)) {
+ slapi_log_error(SLAPI_LOG_PLUGIN, posix_winsync_plugin_name,
+ "<-- _pre_ds_mod_user_cb -- Empty %s entry.\n",
+ (NULL==rawentry)?"rawentry":(NULL==ad_entry)?"ad entry":"ds entry");
+ return;
+ }
+
+ if (posix_winsync_config_get_msSFUSchema())
+ attr_map = user_mssfu_attribute_map;
+
/* check all of the required attributes are in the ad_entry:
* MUST (cn $ uid $ uidNumber $ gidNumber $ homeDirectory).
* If any of the required attributes are missing, drop them before adding
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index 3063e34..7418768 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -523,14 +523,27 @@ windows_perform_operation(Repl_Connection *conn, int optype, const char *dn,
}
/* Copied from the chaining backend*/
+/*
+ * exattrs: exceeded attribute list
+ * If attr value pair exceeds MaxValRange, AD returns, e.g.,
+ * <attr>;range=0-<maxValRange-1>: <value>
+ * We need to repeat the search with "<attr>;range=1500-*"
+ * until it returns
+ * <attr>;range=<num>-*
+ */
static Slapi_Entry *
-windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonly) {
+windows_LDAPMessage2Entry(Slapi_Entry *e, Repl_Connection *conn,
+ LDAPMessage * msg, int attrsonly, char ***exattrs)
+{
Slapi_Entry *rawentry = NULL;
- Slapi_Entry *e = NULL;
char *a = NULL;
BerElement * ber = NULL;
LDAP *ld = conn->ld;
+ int exattrlen = 0;
+ int exattridx = 0;
+ char **deletedattrs = NULL;
+ char **dap;
windows_private_set_raw_entry(conn->agmt, NULL); /* clear it first */
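Review bot: The new `e` parameter changes the function from "build an entry" to "append to the entry the caller passes in", yet the header comment added above the signature only describes `exattrs`, and even for `exattrs` it does not say who owns the strings on return. Both callers later in this diff rely on those two contracts (one hands `*entry` back in, the other reads it from `windows_private_get_curr_entry`), so they belong in the comment: that `e` is NULL on a first pass and otherwise the partially retrieved entry which is extended in place and returned, and that `*exattrs` comes back as a NULL-terminated array of `<attr>;range=<n>-*` types allocated here which the caller must search with and then free. The function body continues past the hunk.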
@@ -543,9 +556,10 @@ windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonl
* attribute type and values ARE allocated
*/
- e = slapi_entry_alloc();
- if ( e == NULL ) return NULL;
- slapi_entry_set_dn( e, ldap_get_dn( ld, msg ) );
+ if (NULL == e) {
+ e = slapi_entry_alloc();
+ slapi_entry_set_dn( e, ldap_get_dn( ld, msg ) );
+ }
rawentry = slapi_entry_alloc();
if ( rawentry == NULL ) {
slapi_entry_free(e);
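Review bot: The NULL check that followed `slapi_entry_alloc()` was dropped in the new `if (NULL == e)` block, so `slapi_entry_set_dn` on the next line can now be reached with a NULL entry; unless slapi_entry_alloc is known never to return NULL, keep `if (e == NULL) return NULL;` after the allocation. The rawentry-failure branch just below still does `slapi_entry_free(e)`, which now frees an entry the caller owns when it was passed in for a range follow-up — both callers do store the returned NULL, but the fact that a failed call consumes the caller's entry needs to be said in the function comment or the entry should be left to the caller. The enclosing function runs beyond the hunk.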
@@ -575,13 +589,59 @@ windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonl
slapi_entry_add_value(e, a, (Slapi_Value *)NULL);
} else
{
+#define SUBTYPERANGE "range="
char *type_to_use = NULL;
+ char *dupa = slapi_ch_strdup(a);
+ char *newa = NULL; /* dup of 'a' with next range */
+ char *p, *wp, *pp; /* work pointers */
+ char *iter;
+ int high = 0;
+ int sizea = strlen(a) + 2;
+ /* handling subtype(s) */
+ ldap_utf8strtok_r(dupa, ";", &iter); /* primry type */
+ p = ldap_utf8strtok_r(NULL, ";", &iter); /* subtype, if any */
+ while (p) {
+ if (0 == strncasecmp(p, SUBTYPERANGE, sizeof(SUBTYPERANGE) - 1)) {
+ /* get rid of range */
+ if (!newa) { /* first time for range= */
+ /* Cannot use strdup,
+ * since 'a' could be "<attr>;range=0-9";
+ * then newa is <attr>;10-*; newa is 1 char longer than a. */
+ newa = (char *)slapi_ch_malloc(sizea);
+ PR_snprintf(newa, sizea, "%s", a);
+ *(newa + (p - dupa) - 1) = '\0';
+ }
+ /* get the last count (high + 1) */
+ /* range=low-high */
+ pp = strchr(p, '-');
+ if (*++pp == '*') {
+ high = 0; /* high is *; done! */
+ } else {
+ high = strtol(pp, &p, 10);
+ if (high > 0) {
+ /* next low == high + 1 */
+ high++;
+ }
+ }
+ } else { /* subtype except "range=low-high" */
+ if (newa) {
+ int sizenewa = strlen(newa);
+ /* range= appeared before, copy this subtype */
+ wp = newa + sizenewa;
+ /* append ;<subtype> */
+ PR_snprintf(wp, sizea - sizenewa, ";%s", p);
+ }
+ }
+ p = ldap_utf8strtok_r(NULL, ";", &iter);
+ }
+ slapi_ch_free_string(&dupa);
+
/* Work around the fact that we alias street and streetaddress, while Microsoft do not */
- if (0 == strcasecmp(a,"streetaddress"))
- {
+ if (0 == strcasecmp(a, "streetaddress")) {
type_to_use = FAKE_STREET_ATTR_NAME;
- } else
- {
+ } else if (newa) {
+ type_to_use = newa;
+ } else {
type_to_use = a;
}
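Review bot: `pp = strchr(p, '-');` is followed by `if (*++pp == '*')` with no NULL check, so a subtype that begins with `range=` but has no `-` (sent by the remote AD, i.e. untrusted input) dereferences NULL+1 in the replication thread. Guard it before using the result: `if (!pp) { high = 0; } else if (*++pp == '*') {` — treating a malformed range as "done" matches how the `*` case is handled. Also note that `strtol(pp, &p, 10)` reuses the token pointer `p`; harmless today because `p` is re-read from `ldap_utf8strtok_r` at the bottom of the loop, but a separate `char *end` would make that obvious. The enclosing function starts and ends outside the hunk.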
@@ -591,13 +651,38 @@ windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonl
if (aVal == NULL) {
/* Windows will send us an attribute with no values if it was deleted
* on the AD side. Add this attribute to the deleted attributes list */
- Slapi_Attr *attr = slapi_attr_new();
- slapi_attr_init(attr, type_to_use);
- entry_add_deleted_attribute_wsi(e, attr);
+ /* Set it to the deleted attribute list only if the attribute does
+ * not exist in the entry. For the multi-valued attribute (e.g.,
+ * member), if there are multiple member attributes in an entry,
+ * and one of them is deleted, this no value member is sent. But
+ * if there are more member attributes in the entry, we should not
+ * set member to the deleted attribute. */
+ if (!charray_inlist(deletedattrs, type_to_use)) {
+ charray_add(&deletedattrs, slapi_ch_strdup(type_to_use));
+ }
} else {
- slapi_entry_add_values( e, type_to_use, aVal);
+ slapi_entry_add_values(e, type_to_use, aVal);
}
-
+
+ /* if the addr for exattrs is given and next range retrieval is needed */
+ if (exattrs && (high > 0)) {
+ if (exattrlen == exattridx) {
+ if (!*exattrs) {
+ exattrlen = 4;
+ exattridx = 0;
+ *exattrs = (char **)slapi_ch_calloc(exattrlen, sizeof(char *));
+ } else {
+ *exattrs = (char **)slapi_ch_realloc((char *)*exattrs, exattrlen * 2 * sizeof(char *));
+ memset(*exattrs + exattrlen, '\0', exattrlen * sizeof(char *));
+ exattrlen *= 2;
+ }
+ PR_snprintf(newa + strlen(newa), strlen(a) + 2 - strlen(newa),
+ ";%s%d-*", SUBTYPERANGE, high);
+ (*exattrs)[exattridx++] = newa;
+ }
+ } else if (newa) {
+ slapi_ch_free_string(&newa);
+ }
}
}
ldap_memfree(a);
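Review bot: As the braces read, `PR_snprintf(newa + strlen(newa), ...)` and `(*exattrs)[exattridx++] = newa;` sit inside `if (exattrlen == exattridx)`, i.e. they run only when the array is (re)allocated; the second ranged attribute of the same entry (exattrlen 4, exattridx 1) is neither recorded nor freed, so its remaining values are never fetched and `newa` leaks. Move the closing brace of the growth block up so it ends right after `exattrlen *= 2; }`, leaving the snprintf and the store to run for every ranged attribute. Separately, growth happens only when `exattrlen == exattridx`, so exactly four ranged attributes fill the calloc'd array with no NULL terminator for the `char **` consumers in windows_search_entry_ext; growing on `if (exattridx + 1 >= exattrlen)` keeps one slot for the terminator. windows_LDAPMessage2Entry continues outside the hunk.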
@@ -607,6 +692,18 @@ windows_LDAPMessage2Entry(Repl_Connection *conn, LDAPMessage * msg, int attrsonl
{
ber_free( ber, 0 );
}
+ /* Windows will send us an attribute with no values if it was deleted
+ * on the AD side. Add this attribute to the deleted attributes list */
+ /* Set to e_deleted_attrs only if there is no attribute of the type. */
+ for (dap = deletedattrs; dap && *dap; dap++) {
+ Slapi_Attr *attr = NULL;
+ if (slapi_entry_attr_find(e, *dap, &attr)) { /* not found */
+ attr = slapi_attr_new();
+ slapi_attr_init(attr, *dap);
+ entry_add_deleted_attribute_wsi(e, attr);
+ }
+ }
+ charray_free(deletedattrs);
windows_private_set_raw_entry(conn->agmt, rawentry); /* windows private now owns rawentry */
@@ -643,6 +740,7 @@ windows_search_entry_ext(Repl_Connection *conn, char* searchbase, char *filter,
char *searchbase_copy = slapi_ch_strdup(searchbase);
char *filter_copy = slapi_ch_strdup(filter);
char **attrs = NULL;
+ char **exattrs = NULL;
LDAPControl **serverctrls_copy = NULL;
slapi_add_controls(&serverctrls_copy, serverctrls, 1 /* make a copy we can free */);
@@ -651,7 +749,7 @@ windows_search_entry_ext(Repl_Connection *conn, char* searchbase, char *filter,
winsync_plugin_call_pre_ad_search_cb(conn->agmt, NULL, &searchbase_copy, &scope, &filter_copy,
&attrs, &serverctrls_copy);
-
+next:
ldap_rc = ldap_search_ext_s(conn->ld, searchbase_copy, scope,
filter_copy, attrs, 0 /* attrsonly */,
serverctrls_copy , NULL /* client controls */,
@@ -665,16 +763,8 @@ windows_search_entry_ext(Repl_Connection *conn, char* searchbase, char *filter,
ldap_err2string(ldap_rc));
}
- slapi_ch_free_string(&searchbase_copy);
- slapi_ch_free_string(&filter_copy);
slapi_ch_array_free(attrs);
attrs = NULL;
- ldap_controls_free(serverctrls_copy);
- serverctrls_copy = NULL;
-
- /* clear it here in case the search fails and
- we are left with a bogus old entry */
- windows_private_set_raw_entry(conn->agmt, NULL);
if (LDAP_SUCCESS == ldap_rc)
{
LDAPMessage *message = ldap_first_entry(conn->ld, res);
@@ -690,9 +780,18 @@ windows_search_entry_ext(Repl_Connection *conn, char* searchbase, char *filter,
nummessages, numentries, numreferences );
}
- if (NULL != entry)
- {
- *entry = windows_LDAPMessage2Entry(conn,message,0);
+ if (entry) {
+ exattrs = NULL;
+ *entry = windows_LDAPMessage2Entry(*entry, conn, message, 0, &exattrs);
+ if (exattrs) {
+ /* some attribute returned "<attr>;range=low-high" */
+ attrs = exattrs;
+ if (res) {
+ ldap_msgfree(res);
+ res = NULL;
+ }
+ goto next;
+ }
}
/* See if there are any more entries : if so then that's an error
* but we still need to get them to avoid gumming up the connection
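Review bot: The `goto next` after `attrs = exattrs;` has no upper bound, so a server that keeps answering with `<attr>;range=low-high` instead of the terminal `range=n-*` (or that answers the follow-up with the same range again) keeps this search looping on the replication connection indefinitely. A small counter declared with the other locals, incremented before the goto and checked against a fixed pass limit that ends the loop with `CONN_OPERATION_FAILED`, bounds the work a remote peer can force; logging the attribute name at that point would make the condition diagnosable. The path is otherwise consistent — `attrs` was freed and NULLed before reassignment and `res` is released before the jump. windows_search_entry_ext continues beyond the hunk.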
@@ -710,6 +809,14 @@ windows_search_entry_ext(Repl_Connection *conn, char* searchbase, char *filter,
{
return_value = CONN_OPERATION_FAILED;
}
+ slapi_ch_free_string(&searchbase_copy);
+ slapi_ch_free_string(&filter_copy);
+ ldap_controls_free(serverctrls_copy);
+ serverctrls_copy = NULL;
+
+ /* clear it here in case the search fails and
+ we are left with a bogus old entry */
+ windows_private_set_raw_entry(conn->agmt, NULL);
conn->last_ldap_error = ldap_rc;
if (NULL != res)
{
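Review bot: The `windows_private_set_raw_entry(conn->agmt, NULL)` call moved from before the result handling to the end of the function, which is after windows_LDAPMessage2Entry has stored the raw entry; as written the raw entry set by this search is discarded before windows_search_entry_ext returns, while the comment above the call still describes it as clearing a stale entry before the search. If any caller reads the raw entry via `windows_private_get_raw_entry` after this search (the NULL guard added to posix_winsync_pre_ds_mod_user_cb earlier in this diff suggests that case was hit), the clear belongs back above the search, after the `next:` label, and only the frees should stay here. Either way the comment should say which of the two it now does. The function runs past the hunk.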
@@ -745,6 +852,7 @@ send_dirsync_search(Repl_Connection *conn)
/* need to strip the dn down to dc= */
const char *old_dn = slapi_sdn_get_ndn( windows_private_get_windows_subtree(conn->agmt) );
char *dn = slapi_ch_strdup(strstr(old_dn, "dc="));
+ char **exattrs = NULL;
if (conn->supports_dirsync == 0)
{
@@ -764,6 +872,9 @@ send_dirsync_search(Repl_Connection *conn)
winsync_plugin_call_dirsync_search_params_cb(conn->agmt, old_dn, &dn, &scope, &filter,
&attrs, &server_controls);
+ exattrs = windows_private_get_range_attrs(conn->agmt);
+ charray_merge(&attrs, exattrs, 0 /* pass in */);
+ slapi_ch_free((void **)&exattrs); /* strings are passed in */
LDAPDebug( LDAP_DEBUG_REPL, "Sending dirsync search request\n", 0, 0, 0 );
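Review bot: After `charray_merge(&attrs, exattrs, 0)` the array is freed with `slapi_ch_free((void **)&exattrs)`, but the agreement's `range_attrs` still points at that freed block until windows_conn_get_search_result later calls `windows_private_set_range_attrs(conn->agmt, NULL)`; a second send_dirsync_search before that result, or a result path that never reaches the setter, reads and frees a dangling pointer. Clear the stored pointer at the point of transfer: `windows_private_set_range_attrs(conn->agmt, NULL); /* strings passed into attrs, array freed above */` right after the free. The comment `/* strings are passed in */` could also say that the agreement no longer owns them. send_dirsync_search continues past the hunk.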
@@ -924,10 +1035,20 @@ Slapi_Entry * windows_conn_get_search_result(Repl_Connection *conn)
{
if (( dn = ldap_get_dn( conn->ld, res )) != NULL )
{
+ char **exattrs = NULL;
slapi_log_error(SLAPI_LOG_REPL, windows_repl_plugin_name,"received entry from dirsync: %s\n", dn);
lm = ldap_first_entry( conn->ld, res );
- e = windows_LDAPMessage2Entry(conn,lm,0);
+ e = windows_private_get_curr_entry(conn->agmt); /* if range search, e != NULL */
+ e = windows_LDAPMessage2Entry(e, conn, lm, 0, &exattrs);
ldap_memfree(dn);
+ if (exattrs) {
+ /* some attribute returned "<attr>;range=low-high" */
+ windows_private_set_curr_entry(conn->agmt, e);
+ windows_private_set_range_attrs(conn->agmt, exattrs);
+ } else {
+ windows_private_set_curr_entry(conn->agmt, NULL);
+ windows_private_set_range_attrs(conn->agmt, NULL);
+ }
}
}
break;
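Review bot: When `exattrs` is set, the partially retrieved `e` is parked in `curr_entry` and the code falls through to the `break;`; what happens to `e` after that is not visible in the hunk, but if the function returns it, the caller processes an entry whose ranged attribute is still incomplete and may free it while `curr_entry` still refers to the same object. If that is the flow, the range-in-progress case should yield NULL to the caller (or continue fetching) and only the completed entry should be returned once the final `range=n-*` pass sets `curr_entry` back to NULL. A one-line comment at the `break;` saying which of the two is intended would help the next reader. windows_conn_get_search_result starts and ends outside the hunk.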
diff --git a/ldap/servers/plugins/replication/windows_private.c b/ldap/servers/plugins/replication/windows_private.c
index 26c965c..d108d1b 100644
--- a/ldap/servers/plugins/replication/windows_private.c
+++ b/ldap/servers/plugins/replication/windows_private.c
@@ -77,6 +77,8 @@ struct windowsprivate {
time_t sync_interval; /* how often to run the dirsync search, in seconds */
int one_way; /* Indicates if this is a one-way agreement and which direction it is */
int move_action; /* Indicates what to do with DS entry if AD entry is moved out of scope */
+ Slapi_Entry *curr_entry; /* entry being retrieved; used for the range retrieval */
+ char **range_attrs; /* next attributes for the range retrieval */
};
static void windows_private_set_windows_domain(const Repl_Agmt *ra, char *domain);
@@ -1170,6 +1172,76 @@ windows_private_set_move_action(const Repl_Agmt *ra, int value)
LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_set_move_action\n" );
}
+/* Get entry being retrieved; used for the range retrieval */
+Slapi_Entry *
+windows_private_get_curr_entry(const Repl_Agmt *ra)
+{
+ Dirsync_Private *dp;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_get_curr_entry\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_get_curr_entry\n" );
+
+ return dp->curr_entry;
+}
+
+/* Set entry being retrieved; used for the range retrieval */
+void
+windows_private_set_curr_entry(const Repl_Agmt *ra, Slapi_Entry *e)
+{
+ Dirsync_Private *dp;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_set_curr_entry\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+ dp->curr_entry = e;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_set_curr_entry\n" );
+}
+
+/* Get next range retrieval attributes */
+char **
+windows_private_get_range_attrs(const Repl_Agmt *ra)
+{
+ Dirsync_Private *dp;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_get_range_attrs\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_get_range_attrs\n" );
+
+ return dp->range_attrs;
+}
+
+/* Set next range retrieval attributes */
+void
+windows_private_set_range_attrs(const Repl_Agmt *ra, char **attrs)
+{
+ Dirsync_Private *dp;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "=> windows_private_set_move_action\n" );
+
+ PR_ASSERT(ra);
+
+ dp = (Dirsync_Private *) agmt_get_priv(ra);
+ PR_ASSERT (dp);
+ dp->range_attrs = attrs;
+
+ LDAPDebug0Args( LDAP_DEBUG_TRACE, "<= windows_private_set_move_action\n" );
+}
+
static PRCallOnceType winsync_callOnce = {0,0};
struct winsync_plugin {
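Review bot: The trace messages in the new windows_private_set_range_attrs read `"=> windows_private_set_move_action\n"` and `"<= windows_private_set_move_action\n"`, a copy-paste leftover that will misattribute trace output; they should be `"=> windows_private_set_range_attrs\n"` and `"<= windows_private_set_range_attrs\n"`. The two setters also overwrite `curr_entry` and `range_attrs` without releasing a previous value, so the one-line comments above them should state that ownership stays with the caller (which is how the callers in this diff use them) rather than with the private structure.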
diff --git a/ldap/servers/plugins/replication/windowsrepl.h b/ldap/servers/plugins/replication/windowsrepl.h
index 6047fef..9279179 100644
--- a/ldap/servers/plugins/replication/windowsrepl.h
+++ b/ldap/servers/plugins/replication/windowsrepl.h
@@ -89,6 +89,11 @@ void windows_private_set_one_way(const Repl_Agmt *ra, PRBool value);
int windows_private_get_move_action(const Repl_Agmt *ra);
void windows_private_set_move_action(const Repl_Agmt *ra, int value);
+Slapi_Entry *windows_private_get_curr_entry(const Repl_Agmt *ra);
+void windows_private_set_curr_entry(const Repl_Agmt *ra, Slapi_Entry *e);
+char **windows_private_get_range_attrs(const Repl_Agmt *ra);
+void windows_private_set_range_attrs(const Repl_Agmt *ra, char **attrs);
+
/* in windows_connection.c */
ConnResult windows_conn_connect(Repl_Connection *conn);
void windows_conn_disconnect(Repl_Connection *conn);
diff --git a/ldap/servers/slapd/entry.c b/ldap/servers/slapd/entry.c
index 4b119aa..6cab9b8 100644
--- a/ldap/servers/slapd/entry.c
+++ b/ldap/servers/slapd/entry.c
@@ -2678,8 +2678,8 @@ slapi_entry_attr_get_charray_ext( const Slapi_Entry* e, const char *type, int *n
{
char **parray = NULL;
Slapi_Attr* attr = NULL;
- slapi_entry_attr_find(e, type, &attr);
int count = 0;
+ slapi_entry_attr_find(e, type, &attr);
if(numVals == NULL){
return NULL;
@@ -2711,29 +2711,28 @@ char *
slapi_entry_attr_get_charptr( const Slapi_Entry* e, const char *type)
{
char *p= NULL;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if(attr!=NULL)
- {
- Slapi_Value *v;
+ Slapi_Attr* attr = NULL;
+ slapi_entry_attr_find(e, type, &attr);
+ if(attr!=NULL)
+ {
+ Slapi_Value *v;
const struct berval *bvp;
- slapi_valueset_first_value( &attr->a_present_values, &v);
+ slapi_valueset_first_value( &attr->a_present_values, &v);
bvp = slapi_value_get_berval(v);
p= slapi_ch_malloc(bvp->bv_len + 1);
memcpy(p, bvp->bv_val, bvp->bv_len);
p[bvp->bv_len]= '\0';
- }
+ }
return p;
}
+/* returned value: attribute value as an integer type */
int
slapi_entry_attr_get_int( const Slapi_Entry* e, const char *type)
{
- int r= 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ int r = 0;
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r= slapi_value_get_int(v);
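Review bot: slapi_entry_attr_get_charptr is the one getter in this series that still ignores the return of `slapi_entry_attr_find` (`slapi_entry_attr_find(e, type, &attr);` followed by `if(attr!=NULL)`), while slapi_entry_attr_get_int and the getters below switch to `if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {`. The `attr = NULL` initialisation makes it safe, but for consistency and so the "not found" case is decided the same way everywhere, use the same combined check there. The new one-line comments above each getter could also mention that the default (0, PR_FALSE, NULL) is returned when the attribute is absent, which is the behaviour this commit fixes.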
@@ -2741,14 +2740,13 @@ slapi_entry_attr_get_int( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as an unsigned integer type */
unsigned int
slapi_entry_attr_get_uint( const Slapi_Entry* e, const char *type)
{
- unsigned int r= 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ unsigned int r = 0;
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r= slapi_value_get_uint(v);
@@ -2756,14 +2754,13 @@ slapi_entry_attr_get_uint( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as a long integer type */
long
slapi_entry_attr_get_long( const Slapi_Entry* e, const char *type)
{
long r = 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r = slapi_value_get_long(v);
@@ -2771,14 +2768,13 @@ slapi_entry_attr_get_long( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as an unsigned long integer type */
unsigned long
slapi_entry_attr_get_ulong( const Slapi_Entry* e, const char *type)
{
unsigned long r = 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r = slapi_value_get_ulong(v);
@@ -2786,14 +2782,13 @@ slapi_entry_attr_get_ulong( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as a long long integer type */
long long
slapi_entry_attr_get_longlong( const Slapi_Entry* e, const char *type)
{
long long r = 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r = slapi_value_get_longlong(v);
@@ -2801,14 +2796,13 @@ slapi_entry_attr_get_longlong( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as an unsigned long long integer type */
unsigned long long
slapi_entry_attr_get_ulonglong( const Slapi_Entry* e, const char *type)
{
unsigned long long r = 0;
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
slapi_valueset_first_value( &attr->a_present_values, &v);
r = slapi_value_get_ulonglong(v);
@@ -2816,14 +2810,13 @@ slapi_entry_attr_get_ulonglong( const Slapi_Entry* e, const char *type)
return r;
}
+/* returned value: attribute value as a boolean type */
PRBool
slapi_entry_attr_get_bool( const Slapi_Entry* e, const char *type)
{
PRBool r = PR_FALSE; /* default if no attr */
- Slapi_Attr* attr;
- slapi_entry_attr_find(e, type, &attr);
- if (attr!=NULL)
- {
+ Slapi_Attr* attr = NULL;
+ if ((0 == slapi_entry_attr_find(e, type, &attr)) && attr) {
Slapi_Value *v;
const struct berval *bvp;
help/en
by Nathan Kinder
help/en/help/add_crl_ckl.html | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 9ef26b819910cfc54d77541ed57b0605743a27fa
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Aug 14 14:11:25 2013 -0700
Ticket 47467 - Improve online help for Add CRL dialog
This improves the online help page for the Console Add CRL/CKL
dialog. The help now specifies the required format for the CRL/CKL
as well as mentioning that a path should not be specified.
diff --git a/help/en/help/add_crl_ckl.html b/help/en/help/add_crl_ckl.html
index 458fb7f..5245d0b 100644
--- a/help/en/help/add_crl_ckl.html
+++ b/help/en/help/add_crl_ckl.html
@@ -6,7 +6,7 @@ Add CRL/CKL
Use this dialog box to add a Certificate Revocation List (CRL) or a Compromised Key List (CKL) to the trust database.
</p>
<p class="text">
-<b>Enter CRL/CKL file.</b> Provide the name of the file containing the CRL or CKL. This file must exist in the same directory as your key and cert database.
+<b>Enter CRL/CKL file.</b> Provide the name of the file containing the CRL or CKL. The file must be in PEM format (base64 encoded DER). This file must exist in the same directory as your key and cert database. You must only specify the file name, not an absolute or relative path.
</p>
<p class="text">
<b>File contains a Certificate Revocation List (CRL).</b> Select this option if the file contains a CRL.
admserv/cgi-src40
by Nathan Kinder
admserv/cgi-src40/security.properties | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
New commits:
commit 0de39490d43897ea3e53e7128b1dab02f36b7506
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed Aug 14 11:30:28 2013 -0700
Ticket 47467 - Improve CRL import error messages
The error messages returned by the security CGI when failing to
import a CRL aren't helpful. Specifically, we don't indicate
that the CRL file must be specified as a plain filename that exists
in the server security directory. When we fail to find a valid
CRL, we don't indicate that the expected format is PEM. This
patch improves the error messages that are returned for display in
the Console.
diff --git a/admserv/cgi-src40/security.properties b/admserv/cgi-src40/security.properties
index 183bad0..289eef5 100644
--- a/admserv/cgi-src40/security.properties
+++ b/admserv/cgi-src40/security.properties
@@ -58,7 +58,7 @@ security43 { "Unable to delete the certificate specified." }
security44 { "Unable to delete the CRL or CKL specified." }
security45 { "Unable to find the CRL or CKL specified." }
//#/* module operation */
-security50 { "Could not open file %s. File does not exist or filename is invalid." }
+security50 { "Could not open file %s. File does not exist or filename is invalid. A filename that exists in the server security directory must be specified. Absolute or relative paths should not be specified." }
security51 { "Could not add module found in file %s." }
security52 { "The module has been successfully added. Please restart the console for changes to take effect." }
security53 { "No file specified. Enter the full path of a file." }
@@ -96,7 +96,7 @@ security103 { "Unable to init the internal (software) token." }
security110 { "Error decoding the CRL/CKL file. Please make sure it is valid." }
security111 { "Error deleting the existing CRL/CKL in replacement process." }
security112 { "Error writing the new CRL/CKL into the certificate database." }
-security113 { "The file %s does not contain a valid CRL/CKL" }
+security113 { "The file %s does not contain a valid CRL/CKL. Please make sure it is in the PEM format (base64 encoded DER)." }
//#/* key/cert migration */
security120 { "Alias" }
security121 { "Key or Certificate database doesn't exist in the old server root specified" }
help/en
by Nathan Kinder
help/en/help/certificate_request_wizard_key_signing_information.html | 13 ++++++++++
help/en/tokens.map | 1
2 files changed, 14 insertions(+)
New commits:
commit 91568bdc5a2ef6124f86b92f94d87b8c0e00ca20
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Aug 13 18:43:40 2013 -0700
Ticket 362 - Directory Console generates insufficient key strength
This patch adds an online help page for a new panel that is being
added to the Console's certificate request wizard. This new panel
has 2 combo boxes that allow the key size and signing algorithms
to be selected. The new help page describes what these combo boxes
control.
diff --git a/help/en/help/certificate_request_wizard_key_signing_information.html b/help/en/help/certificate_request_wizard_key_signing_information.html
new file mode 100644
index 0000000..40b7265
--- /dev/null
+++ b/help/en/help/certificate_request_wizard_key_signing_information.html
@@ -0,0 +1,13 @@
+<p class="topic">
+Certificate Request Wizard - Key and Signing Information
+</p>
+
+<p class="text">
+The cryptographic strength for SSL/TLS connections can be controlled by selecting the RSA key size that you would like to generate. The algorithm used to sign the generated certificate signing request can also be selected.
+</p>
+<p class="text">
+<b>RSA Key Size.</b> Select the size of the RSA key to generate (in bits).
+</p>
+<p class="text">
+<b>Signing Algorithm.</b> Select the algorithm to use to sign the certificate request.
+</p>
diff --git a/help/en/tokens.map b/help/en/tokens.map
index a9cea8f..f377bde 100644
--- a/help/en/tokens.map
+++ b/help/en/tokens.map
@@ -130,6 +130,7 @@ CertificateDetailDialogPath-help = help/certificate_information_certification_
;CERTIFICATE REQUEST WIZARD
CertRequestWizard-help = help/certificate_request_wizard_introduction.html
CertRequestInfoPage-help = help/certificate_request_wizard_requestor_information.html
+CertRequestKeyPage-help = help/certificate_request_wizard_key_signing_information.html
TokenPasswordPage-help = help/certificate_request_install_wizard_token_password.html
CertRequestSubmissionPage-help = help/certificate_request_wizard_request_submission.html
admserv/cgi-src40
by Nathan Kinder
admserv/cgi-src40/security.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
New commits:
commit 4555aff338e70d646d4867460f37cfdd49b7f456
Author: Nathan Kinder <nkinder(a)redhat.com>
Date: Tue Aug 13 15:47:47 2013 -0700
Ticket 362 - Directory Console generates insufficient key strength
The security CGI that is called by the Console is limited in terms of
key generation and the signing algorithm used for the request. The
RSA key size is limited to 1024 bit or less, and the signing algorithm
is hardcoded to MD5.
This patch increases the maximum RSA key size to 4096 and uses a
default of 2048 if the caller doesn't specify a key size. The default
signing algorithm is changed to SHA-1, and a new CGI parameter has been
added to allow the caller to alternatively choose SHA-256, SHA-384, or
SHA-512.
diff --git a/admserv/cgi-src40/security.c b/admserv/cgi-src40/security.c
index 1cee29d..3664d70 100644
--- a/admserv/cgi-src40/security.c
+++ b/admserv/cgi-src40/security.c
@@ -73,11 +73,8 @@ extern "C" {
}
#endif
-#ifdef NS_DOMESTIC
-#define MAX_KEY_BITS 1024/*2048*/
-#else
-#define MAX_KEY_BITS 512/*1024*/
-#endif
+#define DEFAULT_KEY_BITS 2048
+#define MAX_KEY_BITS 4096
#define SUBJECT_NEW "Certificate request"
#define SUBJECT_OLD "Certificate renewal"
@@ -1064,6 +1061,8 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey
PRArenaPool *arena = NULL;
PRBool error = PR_FALSE;
char *line;
+ char *sSignAlgo = NULL;
+ int signAlgo = 0;
/*DebugBreak();*/
/* convert subject name(DN) */
certName = CERT_AsciiToName(subjectName);
@@ -1101,8 +1100,25 @@ generateCertificateRequest(SECKEYPrivateKey* privateKey, SECKEYPublicKey* pubKey
/* Encode the result will get a "request blob" */
der = (SECItem *)SEC_ASN1EncodeItem(arena, result, request, SEC_ASN1_GET(CERT_CertificateRequestTemplate));
+ /* Determine the signing algorithm to use. We default
+ * to SHA-1 and support SHA-256, SHA-384, and SHA-512. */
+ sSignAlgo = get_cgi_var("signingalgo", NULL, NULL);
+
+ if (!sSignAlgo || !PORT_Strcmp(sSignAlgo, "SHA-1")) {
+ signAlgo = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+ } else if (!PORT_Strcmp(sSignAlgo, "SHA-256")) {
+ signAlgo = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION;
+ } else if (!PORT_Strcmp(sSignAlgo, "SHA-384")) {
+ signAlgo = SEC_OID_PKCS1_SHA384_WITH_RSA_ENCRYPTION;
+ } else if (!PORT_Strcmp(sSignAlgo, "SHA-512")) {
+ signAlgo = SEC_OID_PKCS1_SHA512_WITH_RSA_ENCRYPTION;
+ } else {
+ /* Unknown algorithm, so just use the default. */
+ signAlgo = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
+ }
+
/* Sign certificate request(the blob) with private key */
- if (SEC_DerSignData(arena, result, der->data, der->len, privateKey, SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION) != SECSuccess) {
+ if (SEC_DerSignData(arena, result, der->data, der->len, privateKey, signAlgo) != SECSuccess) {
rpt_err(GENERAL_FAILURE,
getResourceString(DBT_INTERNAL_ERROR),
getResourceString(DBT_CSR_GEN_FAIL),
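Review bot: An unrecognised `signingalgo` value silently falls back to SHA-1 in the final `else`, so a caller that asks for a stronger digest and misspells it gets a weaker signature than it requested with no indication; at minimum log the rejected value there, and rejecting it through the existing `rpt_err` path would be the safer choice. Making SHA-256 the `!sSignAlgo` default rather than SHA-1 is also worth considering, since the Console is being changed precisely to stop generating weak requests. The `der->data`/`der->len` dereference in the `SEC_DerSignData` call still has no check that `SEC_ASN1EncodeItem` returned non-NULL, which predates this change but becomes easier to fix now that the call is being touched. generateCertificateRequest starts and ends outside the hunk.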
@@ -1172,16 +1188,16 @@ generateKey(SECKEYPublicKey** publicKey, char* tokenName)
/* generate key pair */
{
-
char *sKeySize = get_cgi_var("keysize", NULL, NULL);
int keySize = 0;
if (sKeySize) {
keySize = atoi(sKeySize);
}
-
- if ((keySize > MAX_KEY_BITS) || (keySize <=0)) {
+ if (keySize > MAX_KEY_BITS) {
params.keySizeInBits = MAX_KEY_BITS;
+ } else if (keySize <= 0) {
+ params.keySizeInBits = DEFAULT_KEY_BITS;
} else {
params.keySizeInBits = keySize;
}
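Review bot: The new ladder clamps the high end (`keySize > MAX_KEY_BITS`) and substitutes the default for `keySize <= 0`, but any value in between is used verbatim, so a `keysize` of 8 or 512 still produces an RSA key of that size — the "insufficient key strength" this ticket is about, just by a different route. Add a floor: `} else if (keySize < MIN_KEY_BITS) { params.keySizeInBits = MIN_KEY_BITS;` with MIN_KEY_BITS defined next to DEFAULT_KEY_BITS. `atoi(sKeySize)` also turns non-numeric input into 0 and hence the default without telling the user; `strtol` with an end-pointer check would let a bad value be reported. generateKey continues outside the hunk.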