Branch '389-ds-base-1.3.3' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/pw.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
New commits:
commit ce0cda2bed8611e845931fd99ac40ba428455be3
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Nov 17 09:46:33 2014 -0500
Ticket 47958 - Memory leak in password admin if the admin entry does not exist
Bug Description: If passwordAdminDN is set to an entry that does not exist memory
is leaked.
Fix Description: The leak occurs because we do not free the internal search results,
even when zero entries are returned.
https://fedorahosted.org/389/ticket/47958
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit 6ee9a1bd3aa5014aff3b8b07a032c35a1c66d2e2)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 9c541c5..7f80612 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1558,14 +1558,17 @@ pw_get_admin_users(passwdPolicy *pwp)
* Check if the DN exists and has "group" objectclasses
*/
pb = slapi_pblock_new();
- slapi_search_internal_set_pb(pb, binddn, LDAP_SCOPE_BASE,"(|(objectclass=groupofuniquenames)(objectclass=groupofnames))",
- NULL, 0, NULL, NULL, (void *) plugin_get_default_component_id(), 0);
+ slapi_search_internal_set_pb(pb, binddn, LDAP_SCOPE_BASE,
+ "(|(objectclass=groupofuniquenames)(objectclass=groupofnames))",
+ NULL, 0, NULL, NULL, (void *) plugin_get_default_component_id(), 0);
slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (res != LDAP_SUCCESS) {
+ slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
- LDAPDebug(LDAP_DEBUG_ANY, "pw_get_admin_users: search failed for %s: error %d - Password Policy Administrators can not be set\n",
- slapi_sdn_get_dn(sdn), res, 0);
+ LDAPDebug(LDAP_DEBUG_ANY, "pw_get_admin_users: search failed for %s: error %d - "
+ "Password Policy Administrators can not be set\n",
+ slapi_sdn_get_dn(sdn), res, 0);
return;
}
/*
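Review bot: The `slapi_free_search_results_internal(pb);` added in the `res != LDAP_SUCCESS` branch has no comment saying why results are released after a failed search, so a later cleanup could drop it and bring the leak back. I would add `/* the internal search holds result state even when it fails or matches nothing; release it before destroying pb */` above it. This branch now repeats the free-then-destroy pair by hand, so a single exit label for pw_get_admin_users would keep every return path consistent; the function starts and ends outside this hunk, so its other returns are not visible here. The same hunk appears again in the second copy of this commit further down the page.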
@@ -1581,7 +1584,8 @@ pw_get_admin_users(passwdPolicy *pwp)
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
uniquemember_vals = slapi_entry_attr_get_charray_ext(entries[0], "uniquemember", &uniquemember_count);
member_vals = slapi_entry_attr_get_charray_ext(entries[0], "member", &member_count);
- pwp->pw_admin_user = (Slapi_DN **)slapi_ch_calloc((uniquemember_count + member_count + 1), sizeof(Slapi_DN *));
+ pwp->pw_admin_user = (Slapi_DN **)slapi_ch_calloc((uniquemember_count + member_count + 1),
+ sizeof(Slapi_DN *));
if(uniquemember_count > 0){
for(i = 0; i < uniquemember_count; i++){
pwp->pw_admin_user[count++] = slapi_sdn_new_dn_passin(uniquemember_vals[i]);
ldap/servers
by Mark Reynolds
ldap/servers/slapd/pw.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
New commits:
commit 6ee9a1bd3aa5014aff3b8b07a032c35a1c66d2e2
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Mon Nov 17 09:46:33 2014 -0500
Ticket 47958 - Memory leak in password admin if the admin entry does not exist
Bug Description: If passwordAdminDN is set to an entry that does not exist memory
is leaked.
Fix Description: The leak occurs because we do not free the internal search results,
even when zero entries are returned.
https://fedorahosted.org/389/ticket/47958
Reviewed by: rmeggins(Thanks!)
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index 9c541c5..7f80612 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -1558,14 +1558,17 @@ pw_get_admin_users(passwdPolicy *pwp)
* Check if the DN exists and has "group" objectclasses
*/
pb = slapi_pblock_new();
- slapi_search_internal_set_pb(pb, binddn, LDAP_SCOPE_BASE,"(|(objectclass=groupofuniquenames)(objectclass=groupofnames))",
- NULL, 0, NULL, NULL, (void *) plugin_get_default_component_id(), 0);
+ slapi_search_internal_set_pb(pb, binddn, LDAP_SCOPE_BASE,
+ "(|(objectclass=groupofuniquenames)(objectclass=groupofnames))",
+ NULL, 0, NULL, NULL, (void *) plugin_get_default_component_id(), 0);
slapi_search_internal_pb(pb);
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &res);
if (res != LDAP_SUCCESS) {
+ slapi_free_search_results_internal(pb);
slapi_pblock_destroy(pb);
- LDAPDebug(LDAP_DEBUG_ANY, "pw_get_admin_users: search failed for %s: error %d - Password Policy Administrators can not be set\n",
- slapi_sdn_get_dn(sdn), res, 0);
+ LDAPDebug(LDAP_DEBUG_ANY, "pw_get_admin_users: search failed for %s: error %d - "
+ "Password Policy Administrators can not be set\n",
+ slapi_sdn_get_dn(sdn), res, 0);
return;
}
/*
@@ -1581,7 +1584,8 @@ pw_get_admin_users(passwdPolicy *pwp)
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries);
uniquemember_vals = slapi_entry_attr_get_charray_ext(entries[0], "uniquemember", &uniquemember_count);
member_vals = slapi_entry_attr_get_charray_ext(entries[0], "member", &member_count);
- pwp->pw_admin_user = (Slapi_DN **)slapi_ch_calloc((uniquemember_count + member_count + 1), sizeof(Slapi_DN *));
+ pwp->pw_admin_user = (Slapi_DN **)slapi_ch_calloc((uniquemember_count + member_count + 1),
+ sizeof(Slapi_DN *));
if(uniquemember_count > 0){
for(i = 0; i < uniquemember_count; i++){
pwp->pw_admin_user[count++] = slapi_sdn_new_dn_passin(uniquemember_vals[i]);
Branch '389-ds-base-1.2.11' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/libglobs.c | 21 +++++++++++++++++----
ldap/servers/slapd/proto-slap.h | 1 +
2 files changed, 18 insertions(+), 4 deletions(-)
New commits:
commit 4fb2902d7c62d5da3afc082a16f9f9d5b2cdd693
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Nov 14 16:57:41 2014 -0500
Ticket 47952 - PasswordAdminDN attribute is not properly returned to client
Bug Description: Searching for "passwordAdminDN" in "cn=config" returns a
garbage value. The internal value is stored in a Slapi_DN,
but the pointer to the struct is returned instead of calling
the "get function".
Fix Description: Create a get function for passwordAdminDN setting, and set the
config_get_and_set table entry so that we always call the
"get function"
https://fedorahosted.org/389/ticket/47952
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit c6e10746945262015d0080c7dd0e82b6c7130920)
Conflicts:
ldap/servers/slapd/libglobs.c
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 63093e1..79ca2bd 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -397,6 +397,10 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.pw_policy.pw_gracelimit,
CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
+ {CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
+ NULL, 0,
+ NULL,
+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,
@@ -421,10 +425,6 @@ static struct config_get_and_set {
NULL, 0,
(void**)&global_slapdFrontendConfig.pwpolicy_local,
CONFIG_ON_OFF, NULL, &init_pwpolicy_local},
- {CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
- NULL, 0,
- (void**)&global_slapdFrontendConfig.pw_policy.pw_admin,
- CONFIG_STRING, NULL, ""},
{CONFIG_AUDITLOG_MAXLOGDISKSPACE_ATTRIBUTE, NULL,
log_set_maxdiskspace, SLAPD_AUDIT_LOG,
(void**)&global_slapdFrontendConfig.auditlog_maxdiskspace,
@@ -4447,6 +4447,19 @@ config_get_pagedsizelimit() {
}
char *
+config_get_pw_admin_dn()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ char *retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapi_sdn_get_dn(slapdFrontendConfig->pw_policy.pw_admin));
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+char *
config_get_pw_storagescheme() {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
char *retVal = 0;
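Review bot: The new config_get_pw_admin_dn() returns a heap copy made with `slapi_ch_strdup()`, but nothing in the hunk says who releases it. A header comment such as `/* Returns a newly allocated copy of the passwordAdminDN; the caller frees it with slapi_ch_free_string(). */` would make the ownership explicit. The function also passes `pw_policy.pw_admin` straight to `slapi_sdn_get_dn()`, so when the attribute is unset the result depends on that call and `slapi_ch_strdup()` both accepting NULL; presumably they do, but the comment should say that a NULL return means "not set". The same applies to the identical hunk in each of the other branch copies of this commit on the page.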
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 76489ab..ce09260 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -489,6 +489,7 @@ int config_get_groupevalnestlevel();
struct berval **config_get_defaultreferral();
char *config_get_userat();
int config_get_timelimit();
+char *config_get_pw_admin_dn();
char* config_get_useroc();
char *config_get_accesslog();
char *config_get_errorlog();
Branch '389-ds-base-1.3.1' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/libglobs.c | 17 +++++++++++++++--
ldap/servers/slapd/proto-slap.h | 1 +
2 files changed, 16 insertions(+), 2 deletions(-)
New commits:
commit 65d455f2fbc46b98eafb3a3a381c89b472a010f8
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Nov 14 16:57:41 2014 -0500
Ticket 47952 - PasswordAdminDN attribute is not properly returned to client
Bug Description: Searching for "passwordAdminDN" in "cn=config" returns a
garbage value. The internal value is stored in a Slapi_DN,
but the pointer to the struct is returned instead of calling
the "get function".
Fix Description: Create a get function for passwordAdminDN setting, and set the
config_get_and_set table entry so that we always call the
"get function"
https://fedorahosted.org/389/ticket/47952
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit c6e10746945262015d0080c7dd0e82b6c7130920)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 8d48af8..28711c0 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -404,8 +404,8 @@ static struct config_get_and_set {
CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
NULL, 0,
- (void**)&global_slapdFrontendConfig.pw_policy.pw_admin,
- CONFIG_STRING, NULL, ""},
+ NULL,
+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,
@@ -4627,6 +4627,19 @@ config_get_pagedsizelimit() {
}
char *
+config_get_pw_admin_dn()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ char *retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapi_sdn_get_dn(slapdFrontendConfig->pw_policy.pw_admin));
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+char *
config_get_pw_storagescheme() {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
char *retVal = 0;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index bff5ad1..d854d0a 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -495,6 +495,7 @@ int config_get_groupevalnestlevel();
struct berval **config_get_defaultreferral();
char *config_get_userat();
int config_get_timelimit();
+char *config_get_pw_admin_dn();
char* config_get_useroc();
char *config_get_accesslog();
char *config_get_errorlog();
Branch '389-ds-base-1.3.2' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/libglobs.c | 17 +++++++++++++++--
ldap/servers/slapd/proto-slap.h | 1 +
2 files changed, 16 insertions(+), 2 deletions(-)
New commits:
commit f7fcb521f9c7b41bdf27fd1be691e097706f961a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Nov 14 16:57:41 2014 -0500
Ticket 47952 - PasswordAdminDN attribute is not properly returned to client
Bug Description: Searching for "passwordAdminDN" in "cn=config" returns a
garbage value. The internal value is stored in a Slapi_DN,
but the pointer to the struct is returned instead of calling
the "get function".
Fix Description: Create a get function for passwordAdminDN setting, and set the
config_get_and_set table entry so that we always call the
"get function"
https://fedorahosted.org/389/ticket/47952
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit c6e10746945262015d0080c7dd0e82b6c7130920)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 1ce1fea..806b6fe 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -411,8 +411,8 @@ static struct config_get_and_set {
CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
NULL, 0,
- (void**)&global_slapdFrontendConfig.pw_policy.pw_admin,
- CONFIG_STRING, NULL, ""},
+ NULL,
+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,
@@ -4737,6 +4737,19 @@ config_get_pagedsizelimit() {
}
char *
+config_get_pw_admin_dn()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ char *retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapi_sdn_get_dn(slapdFrontendConfig->pw_policy.pw_admin));
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+char *
config_get_pw_storagescheme() {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
char *retVal = 0;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index b8d563d..6328a74 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -500,6 +500,7 @@ int config_get_groupevalnestlevel();
struct berval **config_get_defaultreferral();
char *config_get_userat();
int config_get_timelimit();
+char *config_get_pw_admin_dn();
char* config_get_useroc();
char *config_get_accesslog();
char *config_get_errorlog();
Branch '389-ds-base-1.3.3' - ldap/servers
by Mark Reynolds
ldap/servers/slapd/libglobs.c | 17 +++++++++++++++--
ldap/servers/slapd/proto-slap.h | 1 +
2 files changed, 16 insertions(+), 2 deletions(-)
New commits:
commit 99bace93881cbfd792c03baf23a56239cc1bf451
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Nov 14 16:57:41 2014 -0500
Ticket 47952 - PasswordAdminDN attribute is not properly returned to client
Bug Description: Searching for "passwordAdminDN" in "cn=config" returns a
garbage value. The internal value is stored in a Slapi_DN,
but the pointer to the struct is returned instead of calling
the "get function".
Fix Description: Create a get function for passwordAdminDN setting, and set the
config_get_and_set table entry so that we always call the
"get function"
https://fedorahosted.org/389/ticket/47952
Reviewed by: rmeggins(Thanks!)
(cherry picked from commit c6e10746945262015d0080c7dd0e82b6c7130920)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 0e2a202..c68d912 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -412,8 +412,8 @@ static struct config_get_and_set {
CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
NULL, 0,
- (void**)&global_slapdFrontendConfig.pw_policy.pw_admin,
- CONFIG_STRING, NULL, ""},
+ NULL,
+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,
@@ -4801,6 +4801,19 @@ config_get_pagedsizelimit() {
}
char *
+config_get_pw_admin_dn()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ char *retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapi_sdn_get_dn(slapdFrontendConfig->pw_policy.pw_admin));
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+char *
config_get_pw_storagescheme() {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
char *retVal = 0;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c987b4a..eb926c5 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -502,6 +502,7 @@ int config_get_groupevalnestlevel();
struct berval **config_get_defaultreferral();
char *config_get_userat();
int config_get_timelimit();
+char *config_get_pw_admin_dn();
char* config_get_useroc();
char *config_get_accesslog();
char *config_get_errorlog();
ldap/servers
by Mark Reynolds
ldap/servers/slapd/libglobs.c | 17 +++++++++++++++--
ldap/servers/slapd/proto-slap.h | 1 +
2 files changed, 16 insertions(+), 2 deletions(-)
New commits:
commit c6e10746945262015d0080c7dd0e82b6c7130920
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Fri Nov 14 16:57:41 2014 -0500
Ticket 47952 - PasswordAdminDN attribute is not properly returned to client
Bug Description: Searching for "passwordAdminDN" in "cn=config" returns a
garbage value. The internal value is stored in a Slapi_DN,
but the pointer to the struct is returned instead of calling
the "get function".
Fix Description: Create a get function for passwordAdminDN setting, and set the
config_get_and_set table entry so that we always call the
"get function"
https://fedorahosted.org/389/ticket/47952
Reviewed by: rmeggins(Thanks!)
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 0e2a202..c68d912 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -412,8 +412,8 @@ static struct config_get_and_set {
CONFIG_INT, NULL, DEFAULT_PW_GRACELIMIT},
{CONFIG_PW_ADMIN_DN_ATTRIBUTE, config_set_pw_admin_dn,
NULL, 0,
- (void**)&global_slapdFrontendConfig.pw_policy.pw_admin,
- CONFIG_STRING, NULL, ""},
+ NULL,
+ CONFIG_STRING, (ConfigGetFunc)config_get_pw_admin_dn, ""},
{CONFIG_ACCESSLOG_LOGROTATIONSYNCENABLED_ATTRIBUTE, NULL,
log_set_rotationsync_enabled, SLAPD_ACCESS_LOG,
(void**)&global_slapdFrontendConfig.accesslog_rotationsync_enabled,
@@ -4801,6 +4801,19 @@ config_get_pagedsizelimit() {
}
char *
+config_get_pw_admin_dn()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ char *retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapi_ch_strdup(slapi_sdn_get_dn(slapdFrontendConfig->pw_policy.pw_admin));
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+char *
config_get_pw_storagescheme() {
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
char *retVal = 0;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index c987b4a..eb926c5 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -502,6 +502,7 @@ int config_get_groupevalnestlevel();
struct berval **config_get_defaultreferral();
char *config_get_userat();
int config_get_timelimit();
+char *config_get_pw_admin_dn();
char* config_get_useroc();
char *config_get_accesslog();
char *config_get_errorlog();
Branch '389-ds-base-1.3.3' - ldap/servers
by Mark Reynolds
ldap/servers/plugins/automember/automember.c | 8 +++++
ldap/servers/plugins/linkedattrs/linked_attrs.c | 2 +
ldap/servers/plugins/memberof/memberof.c | 1
ldap/servers/plugins/posix-winsync/posix-winsync-config.c | 1
ldap/servers/plugins/schema_reload/schema_reload.c | 2 +
ldap/servers/plugins/usn/usn.c | 1
ldap/servers/plugins/usn/usn.h | 1
ldap/servers/plugins/usn/usn_cleanup.c | 8 +++++
ldap/servers/slapd/slapi-plugin.h | 1
ldap/servers/slapd/task.c | 19 ++++++++++++++
10 files changed, 44 insertions(+)
New commits:
commit fb7eef1c08a2d15c94eaedaabec2b07e970ffb3a
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Nov 13 17:22:24 2014 -0500
Ticket 47451 - Need to unregister tasks created by plugins
Bug Description: Tasks created by plugins are not unregistered when a plugin
is stopped or deleted. Repeated stopping/starting a plugin
that registers tasks will corrupt the dse callback linked list
and will crash the server if a task is invoked.
Fix Description: Create a plugin task unregister function, and call it in the
close functions of plugins that register functions.
https://fedorahosted.org/389/ticket/47451
Reviewed by: nhosoi(Thanks!)
(cherry picked from commit 005c4c9be360a7ebba38b61f934ace94224eef3f)
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index c5bb0ae..c443a65 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -397,6 +397,14 @@ automember_close(Slapi_PBlock * pb)
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"--> automember_close\n");
+ /* unregister the tasks */
+ slapi_plugin_task_unregister_handler("automember rebuild membership",
+ automember_task_add);
+ slapi_plugin_task_unregister_handler("automember export updates",
+ automember_task_add_export_updates);
+ slapi_plugin_task_unregister_handler("automember map updates",
+ automember_task_add_map_entries);
+
automember_delete_config();
slapi_ch_free((void **)&g_automember_config);
slapi_sdn_free(&_PluginDN);
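Review bot: The three task names passed to `slapi_plugin_task_unregister_handler` in automember_close are bare string literals that have to match the names used at registration, which is outside this hunk. The unregister helper added in task.c always returns 0, so a mismatch after a rename would go unnoticed and leave the stale callback in place, which is the condition the commit description ties to a server crash. One shared constant per task, for example `#define AUTOMEMBER_TASK_REBUILD "automember rebuild membership"` (macro name constructed for this note), used by both the register and the unregister call would remove that risk. The linked_attrs, memberof, posix-winsync, schema_reload and usn_cleanup hunks use literals the same way, as do the hunks in the second copy of this commit below.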
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c
index 20bb9fa..e302867 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c
@@ -383,6 +383,8 @@ linked_attrs_close(Slapi_PBlock * pb)
slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
"--> linked_attrs_close\n");
+ slapi_plugin_task_unregister_handler("fixup linked attributes", linked_attrs_fixup_task_add);
+
linked_attrs_delete_config();
slapi_destroy_rwlock(g_config_lock);
g_config_lock = NULL;
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index bd87ee9..b1c51a1 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -454,6 +454,7 @@ int memberof_postop_close(Slapi_PBlock *pb)
slapi_log_error( SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
"--> memberof_postop_close\n" );
+ slapi_plugin_task_unregister_handler("memberof task", memberof_task_add);
memberof_release_config();
slapi_sdn_free(&_ConfigAreaDN);
slapi_sdn_free(&_pluginDN);
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync-config.c b/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
index 4234080..50e3a61 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
@@ -237,6 +237,7 @@ posix_winsync_config(Slapi_Entry *config_e)
void
posix_winsync_config_free()
{
+ slapi_plugin_task_unregister_handler("memberuid task", posix_group_task_add);
slapi_entry_free(theConfig.config_e);
theConfig.config_e = NULL;
slapi_destroy_mutex(theConfig.lock);
diff --git a/ldap/servers/plugins/schema_reload/schema_reload.c b/ldap/servers/plugins/schema_reload/schema_reload.c
index 6cf1181..3ff4c4d 100644
--- a/ldap/servers/plugins/schema_reload/schema_reload.c
+++ b/ldap/servers/plugins/schema_reload/schema_reload.c
@@ -131,6 +131,8 @@ schemareload_start(Slapi_PBlock *pb)
static int
schemareload_close(Slapi_PBlock *pb)
{
+
+ slapi_plugin_task_unregister_handler("schema reload task", schemareload_add);
PR_DestroyLock(schemareload_lock);
return 0;
diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c
index 837dc2e..6b34bf4 100644
--- a/ldap/servers/plugins/usn/usn.c
+++ b/ldap/servers/plugins/usn/usn.c
@@ -300,6 +300,7 @@ usn_close(Slapi_PBlock *pb)
{
slapi_log_error(SLAPI_LOG_TRACE, USN_PLUGIN_SUBSYSTEM, "--> usn_close\n");
+ usn_cleanup_close();
slapi_config_remove_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
"", LDAP_SCOPE_BASE, "(objectclass=*)", usn_rootdse_search);
diff --git a/ldap/servers/plugins/usn/usn.h b/ldap/servers/plugins/usn/usn.h
index 8e6c5c8..4bc9e97 100644
--- a/ldap/servers/plugins/usn/usn.h
+++ b/ldap/servers/plugins/usn/usn.h
@@ -54,4 +54,5 @@ void *usn_get_identity();
/* usn_cleanup.c */
int usn_cleanup_start(Slapi_PBlock *pb);
+int usn_cleanup_close();
diff --git a/ldap/servers/plugins/usn/usn_cleanup.c b/ldap/servers/plugins/usn/usn_cleanup.c
index 2b1371d..c12dfd2 100644
--- a/ldap/servers/plugins/usn/usn_cleanup.c
+++ b/ldap/servers/plugins/usn/usn_cleanup.c
@@ -58,6 +58,14 @@ usn_cleanup_start(Slapi_PBlock *pb)
return rc;
}
+int
+usn_cleanup_close()
+{
+ int rc = slapi_plugin_task_unregister_handler("USN tombstone cleanup task",
+ usn_cleanup_add);
+ return rc;
+}
+
/*
* Task thread
*/
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 975ad04..885e28e 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6602,6 +6602,7 @@ int slapi_config_remove_callback(int operation, int flags, const char *base, int
int slapi_task_register_handler(const char *name, dseCallbackFn func);
int slapi_plugin_task_register_handler(const char *name, dseCallbackFn func, Slapi_PBlock *plugin_pb);
+int slapi_plugin_task_unregister_handler(const char *name, dseCallbackFn func);
void slapi_task_begin(Slapi_Task *task, int total_work);
void slapi_task_inc_progress(Slapi_Task *task);
void slapi_task_finish(Slapi_Task *task, int rc);
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index a4d85a8..62cf294 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -461,6 +461,25 @@ int slapi_task_get_refcount(Slapi_Task *task)
}
int
+slapi_plugin_task_unregister_handler(const char *name, dseCallbackFn func)
+{
+ char *base = NULL;
+ int rc = 0;
+
+ base = slapi_create_dn_string("cn=%s,%s", name, TASK_BASE_DN);
+
+ slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, base,
+ LDAP_SCOPE_SUBTREE, "(objectclass=*)", func);
+ slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP,
+ base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny);
+ slapi_config_remove_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP,
+ base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny);
+ slapi_ch_free_string(&base);
+
+ return rc;
+}
+
+int
slapi_plugin_task_register_handler(const char *name, dseCallbackFn func, Slapi_PBlock *plugin_pb)
{
Slapi_PBlock *add_pb = NULL;
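Review bot: `rc` in slapi_plugin_task_unregister_handler is initialised to 0 and never assigned, so the function reports the same value whatever the three `slapi_config_remove_callback` calls return, and the value usn_cleanup_close() passes on carries no information. The result of `slapi_create_dn_string` is also handed to those calls unchecked; if it can return NULL for a name that does not form a valid DN, a guard such as `if (base == NULL) { return -1; }` belongs right after it. Either fold the callback results into `rc` or make the function `void` so that callers are not misled. slapi_plugin_task_register_handler at the end of the hunk continues outside it. The identical task.c hunk in the second copy of this commit has the same issue.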
ldap/servers
by Mark Reynolds
ldap/servers/plugins/automember/automember.c | 8 +++++
ldap/servers/plugins/linkedattrs/linked_attrs.c | 2 +
ldap/servers/plugins/memberof/memberof.c | 1
ldap/servers/plugins/posix-winsync/posix-winsync-config.c | 1
ldap/servers/plugins/schema_reload/schema_reload.c | 2 +
ldap/servers/plugins/usn/usn.c | 1
ldap/servers/plugins/usn/usn.h | 1
ldap/servers/plugins/usn/usn_cleanup.c | 8 +++++
ldap/servers/slapd/slapi-plugin.h | 1
ldap/servers/slapd/task.c | 19 ++++++++++++++
10 files changed, 44 insertions(+)
New commits:
commit 005c4c9be360a7ebba38b61f934ace94224eef3f
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Thu Nov 13 17:22:24 2014 -0500
Ticket 47451 - Need to unregister tasks created by plugins
Bug Description: Tasks created by plugins are not unregistered when a plugin
is stopped or deleted. Repeated stopping/starting a plugin
that registers tasks will corrupt the dse callback linked list
and will crash the server if a task is invoked.
Fix Description: Create a plugin task unregister function, and call it in the
close functions of plugins that register functions.
https://fedorahosted.org/389/ticket/47451
Reviewed by: nhosoi(Thanks!)
diff --git a/ldap/servers/plugins/automember/automember.c b/ldap/servers/plugins/automember/automember.c
index c5bb0ae..c443a65 100644
--- a/ldap/servers/plugins/automember/automember.c
+++ b/ldap/servers/plugins/automember/automember.c
@@ -397,6 +397,14 @@ automember_close(Slapi_PBlock * pb)
slapi_log_error(SLAPI_LOG_TRACE, AUTOMEMBER_PLUGIN_SUBSYSTEM,
"--> automember_close\n");
+ /* unregister the tasks */
+ slapi_plugin_task_unregister_handler("automember rebuild membership",
+ automember_task_add);
+ slapi_plugin_task_unregister_handler("automember export updates",
+ automember_task_add_export_updates);
+ slapi_plugin_task_unregister_handler("automember map updates",
+ automember_task_add_map_entries);
+
automember_delete_config();
slapi_ch_free((void **)&g_automember_config);
slapi_sdn_free(&_PluginDN);
diff --git a/ldap/servers/plugins/linkedattrs/linked_attrs.c b/ldap/servers/plugins/linkedattrs/linked_attrs.c
index 20bb9fa..e302867 100644
--- a/ldap/servers/plugins/linkedattrs/linked_attrs.c
+++ b/ldap/servers/plugins/linkedattrs/linked_attrs.c
@@ -383,6 +383,8 @@ linked_attrs_close(Slapi_PBlock * pb)
slapi_log_error(SLAPI_LOG_TRACE, LINK_PLUGIN_SUBSYSTEM,
"--> linked_attrs_close\n");
+ slapi_plugin_task_unregister_handler("fixup linked attributes", linked_attrs_fixup_task_add);
+
linked_attrs_delete_config();
slapi_destroy_rwlock(g_config_lock);
g_config_lock = NULL;
diff --git a/ldap/servers/plugins/memberof/memberof.c b/ldap/servers/plugins/memberof/memberof.c
index bd87ee9..b1c51a1 100644
--- a/ldap/servers/plugins/memberof/memberof.c
+++ b/ldap/servers/plugins/memberof/memberof.c
@@ -454,6 +454,7 @@ int memberof_postop_close(Slapi_PBlock *pb)
slapi_log_error( SLAPI_LOG_TRACE, MEMBEROF_PLUGIN_SUBSYSTEM,
"--> memberof_postop_close\n" );
+ slapi_plugin_task_unregister_handler("memberof task", memberof_task_add);
memberof_release_config();
slapi_sdn_free(&_ConfigAreaDN);
slapi_sdn_free(&_pluginDN);
diff --git a/ldap/servers/plugins/posix-winsync/posix-winsync-config.c b/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
index 4234080..50e3a61 100644
--- a/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
+++ b/ldap/servers/plugins/posix-winsync/posix-winsync-config.c
@@ -237,6 +237,7 @@ posix_winsync_config(Slapi_Entry *config_e)
void
posix_winsync_config_free()
{
+ slapi_plugin_task_unregister_handler("memberuid task", posix_group_task_add);
slapi_entry_free(theConfig.config_e);
theConfig.config_e = NULL;
slapi_destroy_mutex(theConfig.lock);
diff --git a/ldap/servers/plugins/schema_reload/schema_reload.c b/ldap/servers/plugins/schema_reload/schema_reload.c
index 6cf1181..3ff4c4d 100644
--- a/ldap/servers/plugins/schema_reload/schema_reload.c
+++ b/ldap/servers/plugins/schema_reload/schema_reload.c
@@ -131,6 +131,8 @@ schemareload_start(Slapi_PBlock *pb)
static int
schemareload_close(Slapi_PBlock *pb)
{
+
+ slapi_plugin_task_unregister_handler("schema reload task", schemareload_add);
PR_DestroyLock(schemareload_lock);
return 0;
diff --git a/ldap/servers/plugins/usn/usn.c b/ldap/servers/plugins/usn/usn.c
index 837dc2e..6b34bf4 100644
--- a/ldap/servers/plugins/usn/usn.c
+++ b/ldap/servers/plugins/usn/usn.c
@@ -300,6 +300,7 @@ usn_close(Slapi_PBlock *pb)
{
slapi_log_error(SLAPI_LOG_TRACE, USN_PLUGIN_SUBSYSTEM, "--> usn_close\n");
+ usn_cleanup_close();
slapi_config_remove_callback(SLAPI_OPERATION_SEARCH, DSE_FLAG_PREOP,
"", LDAP_SCOPE_BASE, "(objectclass=*)", usn_rootdse_search);
diff --git a/ldap/servers/plugins/usn/usn.h b/ldap/servers/plugins/usn/usn.h
index 8e6c5c8..4bc9e97 100644
--- a/ldap/servers/plugins/usn/usn.h
+++ b/ldap/servers/plugins/usn/usn.h
@@ -54,4 +54,5 @@ void *usn_get_identity();
/* usn_cleanup.c */
int usn_cleanup_start(Slapi_PBlock *pb);
+int usn_cleanup_close();
diff --git a/ldap/servers/plugins/usn/usn_cleanup.c b/ldap/servers/plugins/usn/usn_cleanup.c
index 2b1371d..c12dfd2 100644
--- a/ldap/servers/plugins/usn/usn_cleanup.c
+++ b/ldap/servers/plugins/usn/usn_cleanup.c
@@ -58,6 +58,14 @@ usn_cleanup_start(Slapi_PBlock *pb)
return rc;
}
+int
+usn_cleanup_close()
+{
+ int rc = slapi_plugin_task_unregister_handler("USN tombstone cleanup task",
+ usn_cleanup_add);
+ return rc;
+}
+
/*
* Task thread
*/
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 975ad04..885e28e 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6602,6 +6602,7 @@ int slapi_config_remove_callback(int operation, int flags, const char *base, int
int slapi_task_register_handler(const char *name, dseCallbackFn func);
int slapi_plugin_task_register_handler(const char *name, dseCallbackFn func, Slapi_PBlock *plugin_pb);
+int slapi_plugin_task_unregister_handler(const char *name, dseCallbackFn func);
void slapi_task_begin(Slapi_Task *task, int total_work);
void slapi_task_inc_progress(Slapi_Task *task);
void slapi_task_finish(Slapi_Task *task, int rc);
diff --git a/ldap/servers/slapd/task.c b/ldap/servers/slapd/task.c
index a4d85a8..62cf294 100644
--- a/ldap/servers/slapd/task.c
+++ b/ldap/servers/slapd/task.c
@@ -461,6 +461,25 @@ int slapi_task_get_refcount(Slapi_Task *task)
}
int
+slapi_plugin_task_unregister_handler(const char *name, dseCallbackFn func)
+{
+ char *base = NULL;
+ int rc = 0;
+
+ base = slapi_create_dn_string("cn=%s,%s", name, TASK_BASE_DN);
+
+ slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, base,
+ LDAP_SCOPE_SUBTREE, "(objectclass=*)", func);
+ slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP,
+ base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny);
+ slapi_config_remove_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP,
+ base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny);
+ slapi_ch_free_string(&base);
+
+ return rc;
+}
+
+int
slapi_plugin_task_register_handler(const char *name, dseCallbackFn func, Slapi_PBlock *plugin_pb)
{
Slapi_PBlock *add_pb = NULL;
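Review bot: `slapi_plugin_task_unregister_handler` always returns 0, because `rc` is never assigned after its initialisation and the three `slapi_config_remove_callback` results are dropped, although that function is declared to return `int`. A caller therefore cannot tell whether a handler is still registered after the plugin has closed. `base` is also passed on without a NULL check; if `slapi_create_dn_string` can fail for a name that does not form a valid DN (not visible here), the removals would run against a NULL base. The sketch below propagates a failure, and its -1 is a placeholder for whatever error convention the task API uses. The hunk ends inside `slapi_plugin_task_register_handler`, which is not reviewed here.

```c
    base = slapi_create_dn_string("cn=%s,%s", name, TASK_BASE_DN);
    if (base == NULL) {
        return -1;
    }

    /* Report a failure if any of the three callbacks could not be removed. */
    if (slapi_config_remove_callback(SLAPI_OPERATION_ADD, DSE_FLAG_PREOP, base,
                                     LDAP_SCOPE_SUBTREE, "(objectclass=*)", func) != 0) {
        rc = -1;
    }
    if (slapi_config_remove_callback(SLAPI_OPERATION_MODIFY, DSE_FLAG_PREOP,
                                     base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny) != 0) {
        rc = -1;
    }
    if (slapi_config_remove_callback(SLAPI_OPERATION_DELETE, DSE_FLAG_PREOP,
                                     base, LDAP_SCOPE_BASE, "(objectclass=*)", task_deny) != 0) {
        rc = -1;
    }
    /* … unchanged: slapi_ch_free_string(&base); return rc; … */
```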
Branch '389-ds-base-1.3.3' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/fedse.c | 2 -
ldap/servers/slapd/ssl.c | 74 +++++++++++++++++++++++++--------------------
2 files changed, 43 insertions(+), 33 deletions(-)
New commits:
commit 3e7321ba1641234651fbf1e8fc01bf9fbecbc696
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Nov 13 12:14:48 2014 -0800
Ticket #47928 - Disable SSL v3, by default.
Description:
Changing the default SSL Version Min value from TLS 1.1 to TLS 1.0.
In dn: cn=encryption,cn=config,
0) Setting no SSL version attrs (using defaults); supported max is TLS1.2
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
1) Setting old/new SSL version attrs; no conflict; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
nsSSL3: off
nsTLS1: on
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
2) Setting new SSL version attrs; supported max is TLS1.2
sslVersionMin: TLS1.0
sslVersionMax: TLS1.3
==>
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
3) Setting old/new SSL version attrs; conflict (new min is stricter); supported max is TLS1.2
nsSSL3: on
sslVersionMin: TLS1.0
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to dis
able nsSSL3 in cn=encryption,cn=config.
SSL alert: Configured range: min: TLS1.0, max: TLS1.2; but both nsSSL3 and nsTLS1
are on. Respect the supported range.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
4) Setting old/new SSL version attrs; conflict (old min is stricter); supported max is TLS1.2
nsSSL3: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: nsTLS1 is on, but the version range is lower than "TLS1.0"; Configuring
the version range as default min: TLS1.0, max: TLS1.2.
SSL Initialization - Configured SSL version range: min: TLS1.0, max: TLS1.2
5) Setting old/new SSL version attrs; no conflict; setting SSL3
nsSSL3: on
nsTLS1: off
sslVersionMin: SSL3
sslVersionMax: SSL3
==>
SSL alert: Found unsecure configuration: nsSSL3: on; We strongly recommend to disable
nsSSL3 in cn=encryption,cn=config.
SSL alert: Too low configured range: min: SSL3, max: SSL3; We strongly recommend
to set sslVersionMin higher than TLS1.0.
SSL Initialization - Configured SSL version range: min: SSL3, max: SSL3
https://fedorahosted.org/389/ticket/47928
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
(cherry picked from commit ad7885eae64a2085a89d516c1106b578142be502)
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 87f45a1..d10fb3e 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -110,7 +110,7 @@ static const char *internal_entries[] =
"cn:encryption\n"
"nsSSLSessionTimeout:0\n"
"nsSSLClientAuth:allowed\n"
- "sslVersionMin:tls1.1\n",
+ "sslVersionMin:TLS1.0\n",
"dn:cn=monitor\n"
"objectclass:top\n"
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 5d6919a..6b51e0c 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -87,13 +87,23 @@
/* TLS1.1 is defined in RFC4346. */
#define NSS_TLS11 1
#else
-/*
- * TLS1.0 is defined in RFC2246.
- * Close to SSL 3.0.
- */
#define NSS_TLS10 1
#endif
+/******************************************************************************
+ * Default SSL Version Rule
+ * Old SSL version attributes:
+ * nsSSL3: off -- nsSSL3 == SSL_LIBRARY_VERSION_3_0
+ * nsTLS1: on -- nsTLS1 == SSL_LIBRARY_VERSION_TLS_1_0 and greater
+ * Note: TLS1.0 is defined in RFC2246, which is close to SSL 3.0.
+ * New SSL version attributes:
+ * sslVersionMin: TLS1.0
+ * sslVersionMax: max ssl version supported by NSS
+ ******************************************************************************/
+
+#define DEFVERSION "TLS1.0"
+#define CURRENT_DEFAULT_SSL_VERSION SSL_LIBRARY_VERSION_TLS_1_0
+
extern char* slapd_SSL3ciphers;
extern symbol_t supported_ciphers[];
#if !defined(NSS_TLS10) /* NSS_TLS11 or newer */
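Review bot: The default minimum is now spelled in three unconnected places: the string `DEFVERSION`, the constant `CURRENT_DEFAULT_SSL_VERSION`, and the `sslVersionMin:TLS1.0` literal in fedse.c. Nothing makes them agree, so a later change to one would leave the log text, the comparisons and the bootstrap entry describing different protocol floors. Add a line to the new comment block, for example `* DEFVERSION, CURRENT_DEFAULT_SSL_VERSION and the sslVersionMin default in fedse.c must name the same version.`. The block could also state that this default lowers the floor from TLS1.1 to TLS1.0, so deployments that need a stricter minimum must set sslVersionMin explicitly.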
@@ -253,12 +263,12 @@ static lookup_cipher _lookup_cipher[] = {
PRBool enableSSL2 = PR_FALSE;
/*
* nsSSL3: on -- disable SSLv3 by default.
- * Corresonding to SSL_LIBRARY_VERSION_3_0 and SSL_LIBRARY_VERSION_TLS_1_0
+ * Corresonding to SSL_LIBRARY_VERSION_3_0
*/
PRBool enableSSL3 = PR_FALSE;
/*
* nsTLS1: on -- enable TLS1 by default.
- * Corresonding to SSL_LIBRARY_VERSION_TLS_1_1 and greater.
+ * Corresonding to SSL_LIBRARY_VERSION_TLS_1_0 and greater.
*/
PRBool enableTLS1 = PR_TRUE;
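Review bot: The comment above `enableSSL3` still reads `nsSSL3: on -- disable SSLv3 by default.`, which contradicts both the `PR_FALSE` initialiser and the new "Default SSL Version Rule" block that lists `nsSSL3: off`. Since the comment is being edited anyway, make it `* nsSSL3: off -- disable SSLv3 by default.`. Both touched lines also carry the typo `Corresonding`, which should be `Corresponding`.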
@@ -927,14 +937,14 @@ restrict_SSLVersionRange(void)
slapd_SSL_warn("Found unsecure configuration: nsSSL3: on; "
"We strongly recommend to disable nsSSL3 in %s.", configDN);
if (enableTLS1) {
- if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Respect the supported range.",
mymin, mymax);
enableSSL3 = PR_FALSE;
}
- if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but both nsSSL3 and nsTLS1 are on. "
"Resetting the max to the supported max SSL version: %s.",
@@ -943,7 +953,7 @@ restrict_SSLVersionRange(void)
}
} else {
/* nsTLS1 is explicitly set to off. */
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the supported range.",
@@ -951,20 +961,20 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = SSLVGreater(slapdNSSVersions.min, enabledNSSVersions.min);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ } else if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Configured range: min: %s, max: %s; "
"but nsSSL3 is on and nsTLS1 is off. "
"Respect the configured range.",
mymin, mymax);
enableSSL3 = PR_FALSE;
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Too low configured range: min: %s, max: %s; "
- "We strongly recommend to set sslVersionMax higher than %s.",
- mymin, mymax, emax);
+ "We strongly recommend to set sslVersionMin higher than %s.",
+ mymin, mymax, DEFVERSION);
} else {
/*
- * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
* slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
*/
slapd_SSL_warn("Configured range: min: %s, max: %s; "
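Review bot: The final `else` of this chain is now unreachable. The second branch tests `slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION` and the rewritten third branch tests `slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION`, so together they cover every value. A configured range that starts below TLS1.0 and reaches above it, with nsSSL3 on and nsTLS1 off, now only gets the "Too low configured range" warning and never reaches the handling in the last branch. If that branch is still wanted, the third test probably needs to stay on the maximum, `} else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {`, as in the parallel chain later in the function; otherwise delete the dead branch. Its comment also still says `max >= SSL_LIBRARY_VERSION_TLS_1_1`. The statement and the function continue outside the hunk.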
@@ -976,7 +986,7 @@ restrict_SSLVersionRange(void)
}
} else {
if (enableTLS1) {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
/* TLS1 is on, but TLS1 is not supported by NSS. */
slapd_SSL_warn("Supported range: min: %s, max: %s; "
"Setting the version range based upon the supported range.",
@@ -985,17 +995,17 @@ restrict_SSLVersionRange(void)
slapdNSSVersions.min = enabledNSSVersions.min;
enableSSL3 = PR_TRUE;
enableTLS1 = PR_FALSE;
- } else if ((slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) ||
- (slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_1)) {
+ } else if ((slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) ||
+ (slapdNSSVersions.min < CURRENT_DEFAULT_SSL_VERSION)) {
slapdNSSVersions.max = enabledNSSVersions.max;
- slapdNSSVersions.min = SSLVGreater(SSL_LIBRARY_VERSION_TLS_1_1, enabledNSSVersions.min);
- slapd_SSL_warn("Default SSL Version settings; "
- "Configuring the version range as min: %s, max: %s; ",
- mymin, mymax);
+ slapdNSSVersions.min = SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min);
+ slapd_SSL_warn("nsTLS1 is on, but the version range is lower than \"%s\"; "
+ "Configuring the version range as default min: %s, max: %s.",
+ DEFVERSION, DEFVERSION, emax);
} else {
/*
- * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_1 &&
- * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
+ * slapdNSSVersions.min >= SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
*/
;
}
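Review bot: The new warning prints `DEFVERSION` as the configured minimum, but the value assigned just above is `SSLVGreater(CURRENT_DEFAULT_SSL_VERSION, enabledNSSVersions.min)`. When NSS's enabled minimum is above TLS1.0, the log reports a lower floor than the one in effect, which misleads anyone auditing the TLS configuration from the error log. Assuming `emin` is the string form of `enabledNSSVersions.min`, as its use elsewhere in this function suggests, pass the effective value: `DEFVERSION, (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) ? emin : DEFVERSION, emax);`. The enclosing function starts and ends outside the hunk.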
@@ -1004,14 +1014,14 @@ restrict_SSLVersionRange(void)
"Respect the configured range.",
emin, emax);
/* nsTLS1 is explicitly set to off. */
- if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (slapdNSSVersions.min >= CURRENT_DEFAULT_SSL_VERSION) {
enableTLS1 = PR_TRUE;
- } else if (slapdNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_1) {
+ } else if (slapdNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
enableSSL3 = PR_TRUE;
} else {
/*
- * slapdNSSVersions.min <= SSL_LIBRARY_VERSION_TLS_1_0 &&
- * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_1
+ * slapdNSSVersions.min < SSL_LIBRARY_VERSION_TLS_1_0 &&
+ * slapdNSSVersions.max >= SSL_LIBRARY_VERSION_TLS_1_0
*/
enableSSL3 = PR_TRUE;
enableTLS1 = PR_TRUE;
@@ -1434,17 +1444,17 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
sscanf(vp, "%4f", &tlsv);
if (tlsv < 1.1) { /* TLS1.0 */
if (ismin) {
- if (enabledNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.min > CURRENT_DEFAULT_SSL_VERSION) {
slapd_SSL_warn("Security Initialization: The value of sslVersionMin "
"\"%s\" is lower than the supported version; "
"the default value \"%s\" is used.",
val, emin);
(*rval) = enabledNSSVersions.min;
} else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
+ (*rval) = CURRENT_DEFAULT_SSL_VERSION;
}
} else {
- if (enabledNSSVersions.max < SSL_LIBRARY_VERSION_TLS_1_0) {
+ if (enabledNSSVersions.max < CURRENT_DEFAULT_SSL_VERSION) {
/* never happens */
slapd_SSL_warn("Security Initialization: The value of sslVersionMax "
"\"%s\" is higher than the supported version; "
@@ -1452,7 +1462,7 @@ set_NSS_version(char *val, PRUint16 *rval, int ismin)
val, emax);
(*rval) = enabledNSSVersions.max;
} else {
- (*rval) = SSL_LIBRARY_VERSION_TLS_1_0;
+ (*rval) = CURRENT_DEFAULT_SSL_VERSION;
}
}
} else if (tlsv < 1.2) { /* TLS1.1 */
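Review bot: In the `tlsv < 1.1` branch the value being parsed is literally TLS1.0, so `(*rval) = CURRENT_DEFAULT_SSL_VERSION;` is correct only while the default happens to be TLS 1.0. This applies here and to the sslVersionMin and sslVersionMax comparisons in the preceding hunk. If the default macro is raised later, an explicit `sslVersionMin: TLS1.0` would silently parse as the new default, and the `enabledNSSVersions` comparisons would test the wrong bound. Keep the protocol constant in this parser, `(*rval) = SSL_LIBRARY_VERSION_TLS_1_0;`, and compare against `SSL_LIBRARY_VERSION_TLS_1_0`. `set_NSS_version` continues outside both hunks.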
@@ -1906,7 +1916,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
} else {
enableTLS1 = slapi_entry_attr_get_bool( e, "nsTLS1" );
}
- } else if (enabledNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_0) {
+ } else if (enabledNSSVersions.max >= CURRENT_DEFAULT_SSL_VERSION) {
enableTLS1 = PR_TRUE; /* If available, enable TLS1 */
}
slapi_ch_free_string( &val );