3 commits - dirsrvtests/tickets ldap/schema ldap/servers
by Noriko Hosoi
dirsrvtests/tickets/ticket47838_test.py | 221 +++++++++++++++++++-------
ldap/schema/01core389.ldif | 3
ldap/servers/slapd/main.c | 42 +++--
ldap/servers/slapd/ssl.c | 262 +++++++++++++++++++-------------
4 files changed, 355 insertions(+), 173 deletions(-)
New commits:
commit 0f1a203a0fe85f3cf0440006685f63409502f093
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 10 18:56:43 2014 -0700
Ticket #47895 - If no effective ciphers are available, disable security setting.
Description: If nsslapd-security is "on" and nsSSL3Ciphers is given
AND none of the ciphers are available or some syntax error is detected,
the server sets nsslapd-security "off" and starts up.
https://fedorahosted.org/389/ticket/47895
Reviewed by nkinder(a)redhat.com (Thank you, Nathan!!)
diff --git a/ldap/servers/slapd/main.c b/ldap/servers/slapd/main.c
index d577514..6bad2a0 100644
--- a/ldap/servers/slapd/main.c
+++ b/ldap/servers/slapd/main.c
@@ -3077,6 +3077,24 @@ slapd_debug_level_usage( void )
}
#endif /* LDAP_DEBUG */
+static int
+force_to_disable_security(const char *what, int *init_ssl, daemon_ports_t *ports_info)
+{
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
+
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: %s Initialization Failed. Disabling %s.\n", what, what);
+ ports_info->s_socket = SLAPD_INVALID_SOCKET;
+ ports_info->s_port = 0;
+ *init_ssl = 0;
+ if (config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)) {
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "ERROR: Failed to disable %s: \"%s\".\n",
+ CONFIG_SECURITY_ATTRIBUTE, errorbuf[0]?errorbuf:"no error message");
+ return 1;
+ }
+ return 0;
+}
+
/*
This function does all NSS and SSL related initialization
required during startup. We use this function rather
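Review bot: `force_to_disable_security` has no header comment, and its log line `"ERROR: %s Initialization Failed. Disabling %s.\n"` is fed `what` = "SSL2" by the phase-2 call site in the third hunk, so that failure is reported as "SSL2 Initialization Failed. Disabling SSL2.", which reads as the SSLv2 protocol rather than the second SSL initialisation phase. A comment stating that the helper turns the security attribute off in the live configuration (`config_set_security(CONFIG_SECURITY_ATTRIBUTE, "off", errorbuf, 1)`), so the server proceeds to start without TLS on the secure port, plus a label such as "SSL (phase 2)" at that call site, would make the fail-open behaviour unambiguous to whoever reads the error log. The helper also overwrites `ports_info->s_socket` without closing any listeners the caller may already have stored there; whether those are released elsewhere is not visible in this hunk.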
@@ -3113,20 +3131,20 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
* modules can assume NSS is available
*/
if ( slapd_nss_init((slapd_exemode == SLAPD_EXEMODE_SLAPD),
- (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: NSS Initialization Failed.\n", 0, 0, 0);
- return 1;
+ (slapd_exemode != SLAPD_EXEMODE_REFERRAL) /* have config? */ )) {
+ if (force_to_disable_security("NSS", &init_ssl, ports_info)) {
+ return 1;
+ }
}
if (slapd_exemode == SLAPD_EXEMODE_SLAPD) {
client_auth_init();
}
- if ( init_ssl && ( 0 != slapd_ssl_init())) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization Failed.\n", 0, 0, 0 );
- return 1;
+ if (init_ssl && slapd_ssl_init()) {
+ if (force_to_disable_security("SSL", &init_ssl, ports_info)) {
+ return 1;
+ }
}
if ((slapd_exemode == SLAPD_EXEMODE_SLAPD) ||
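Review bot: When `slapd_nss_init` fails, execution now continues to `client_auth_init()` instead of returning 1 as before, and nothing in this hunk shows that client_auth_init copes with NSS not being initialised; if it does not, recording the outcome in a local, e.g. `int nss_ok = 1;` cleared in the failure branch and `if (nss_ok && slapd_exemode == SLAPD_EXEMODE_SLAPD) { client_auth_init(); }`, keeps the fail-open path from hitting a second failure. Guarding on `init_ssl` alone would not do, since that is also 0 when security is simply off. The enclosing function slapd_do_all_nss_ssl_init begins before this hunk.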
@@ -3134,10 +3152,10 @@ slapd_do_all_nss_ssl_init(int slapd_exemode, int importexport_encrypt,
if ( init_ssl ) {
PRFileDesc **sock;
for (sock = ports_info->s_socket; sock && *sock; sock++) {
- if ( 0 != slapd_ssl_init2(sock, 0) ) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "ERROR: SSL Initialization phase 2 Failed.\n", 0, 0, 0 );
- return 1;
+ if ( slapd_ssl_init2(sock, 0) ) {
+ if (force_to_disable_security("SSL2", &init_ssl, ports_info)) {
+ return 1;
+ }
}
}
}
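Review bot: When `slapd_ssl_init2` fails for one listener, `force_to_disable_security` resets `ports_info->s_socket` and `init_ssl`, but the loop keeps walking the local `sock` pointer and calls `slapd_ssl_init2` on the remaining listeners of an SSL setup that was just declared disabled, logging and re-disabling on every further failure. A `break;` after the `if (force_to_disable_security("SSL2", &init_ssl, ports_info)) { return 1; }` block, or adding `init_ssl &&` to the loop condition, stops at the first failure. Listeners already set up in earlier iterations are left as they were. The enclosing function slapd_do_all_nss_ssl_init continues outside the hunk.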
commit 4fb1a04ceb9631680a9bcff844250afb4b6e5b7d
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Sep 10 18:48:07 2014 -0700
Ticket 47838,47895 - CI test: add test cases for ticket 47838 and 47895
Description:
Ticket #47838: harden the list of ciphers available by default
Adding test cases for default behaviour change of allowWeakCipher.
Ticket #47895 - If no effective ciphers are available, disable security setting.
Test case for "Even if no cipher is available, the server starts
without SSL" is added.
https://fedorahosted.org/389/ticket/47838
diff --git a/dirsrvtests/tickets/ticket47838_test.py b/dirsrvtests/tickets/ticket47838_test.py
index dedd61d..0e406f3 100644
--- a/dirsrvtests/tickets/ticket47838_test.py
+++ b/dirsrvtests/tickets/ticket47838_test.py
@@ -201,6 +201,7 @@ def test_ticket47838_init(topology):
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'),
(ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'),
+ (ldap.MOD_REPLACE, 'allowWeakCipher', 'on'),
(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')])
topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-security', 'on'),
@@ -217,6 +218,7 @@ def test_ticket47838_run_0(topology):
"""
Check nsSSL3Ciphers: +all
All ciphers are enabled except null.
+ Note: allowWeakCipher: on
"""
_header(topology, 'Test Case 1 - Check the ciphers availability for "+all"')
@@ -226,42 +228,78 @@ def test_ticket47838_run_0(topology):
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.restart(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
log.info("Enabled ciphers: %d" % ecount)
log.info("Disabled ciphers: %d" % dcount)
- assert ecount >= 60
- assert dcount <= 7
+ assert ecount >= 31
+ assert dcount <= 36
global plus_all_ecount
global plus_all_dcount
plus_all_ecount = ecount
plus_all_dcount = dcount
- weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers: %d" % wcount)
assert wcount <= 29
def test_ticket47838_run_1(topology):
"""
+ Check nsSSL3Ciphers: +all
+ All ciphers are enabled except null.
+ Note: allowWeakCipher: off for +all
+ """
+ _header(topology, 'Test Case 2 - Check the ciphers availability for "+all" with not allowing WeakCiphers')
+
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', '64')])
+ # Make sure allowWeakCipher is not set.
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'allowWeakCipher', None)])
+
+ log.info("\n######################### Restarting the server ######################\n")
+ log.info("\n######################### Restarting the server ######################\n")
+ topology.standalone.stop(timeout=10)
+ os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('touch %s' % (topology.standalone.errlog))
+ topology.standalone.start(timeout=120)
+
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
+ ecount = int(enabled.readline().rstrip())
+ dcount = int(disabled.readline().rstrip())
+
+ log.info("Enabled ciphers: %d" % ecount)
+ log.info("Disabled ciphers: %d" % dcount)
+ assert ecount >= 31
+ assert dcount <= 36
+ weak = os.popen('egrep "SSL alert:" %s | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ wcount = int(weak.readline().rstrip())
+ log.info("Weak ciphers: %d" % wcount)
+ assert wcount <= 29
+
+def test_ticket47838_run_2(topology):
+ """
Check nsSSL3Ciphers: +rsa_aes_128_sha,+rsa_aes_256_sha
rsa_aes_128_sha, tls_rsa_aes_128_sha, rsa_aes_256_sha, tls_rsa_aes_256_sha are enabled.
"""
- _header(topology, 'Test Case 2 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"')
+ _header(topology, 'Test Case 3 - Check the ciphers availability for "+rsa_aes_128_sha,+rsa_aes_256_sha"')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ #topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha'),
+ # (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+rsa_aes_128_sha,+rsa_aes_256_sha')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_0' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
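Review bot: `test_ticket47838_run_1` is meant to cover `+all` with `allowWeakCipher` unset, but its assertions (`ecount >= 31`, `dcount <= 36`, `wcount <= 29`) are the same loose bounds run_0 uses with `allowWeakCipher: on`, so it passes whether or not the weak ciphers were actually disabled; counting only enabled weak ciphers as run_4 does (`egrep \": enabled\" | egrep "WEAK CIPHER"`) and asserting `wcount == 0` would pin the behaviour the commit describes, and the duplicated `log.info("\n######################### Restarting the server ######################\n")` at the top of its restart block should go. Separately, here and in every later hunk of this file, `topology.standalone.errlog` is interpolated unquoted into an `egrep ... | wc -l` shell pipeline through `os.popen`, whose pipe objects are never closed; a path containing a space or shell metacharacter breaks the command. Reading the log in Python, e.g. `lines = [l for l in open(topology.standalone.errlog) if 'SSL alert:' in l]` and `ecount = sum(': enabled' in l for l in lines)`, gives the same counts without a shell, and a small helper returning `(ecount, dcount, wcount)` would replace the block copied into each test case.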
@@ -272,24 +310,24 @@ def test_ticket47838_run_1(topology):
assert ecount == 2
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
-def test_ticket47838_run_2(topology):
+def test_ticket47838_run_3(topology):
"""
Check nsSSL3Ciphers: -all
All ciphers are disabled.
"""
- _header(topology, 'Test Case 3 - Check the ciphers availability for "-all"')
+ _header(topology, 'Test Case 4 - Check the ciphers availability for "-all"')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_1' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -300,24 +338,24 @@ def test_ticket47838_run_2(topology):
assert ecount == 0
assert dcount == (plus_all_ecount + plus_all_dcount)
-def test_ticket47838_run_3(topology):
+def test_ticket47838_run_4(topology):
"""
Check no nsSSL3Ciphers
Default ciphers are enabled.
"""
- _header(topology, 'Test Case 4 - Check no nssSSL3Chiphers (default setting)')
+ _header(topology, 'Test Case 5 - Check no nssSSL3Chiphers (default setting)')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_DELETE, 'nsSSL3Ciphers', '-all')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_2' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -327,29 +365,29 @@ def test_ticket47838_run_3(topology):
global plus_all_dcount
assert ecount == 12
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
- weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
-def test_ticket47838_run_4(topology):
+def test_ticket47838_run_5(topology):
"""
Check nsSSL3Ciphers: default
Default ciphers are enabled.
"""
- _header(topology, 'Test Case 5 - Check default nssSSL3Chiphers (default setting)')
+ _header(topology, 'Test Case 6 - Check default nssSSL3Chiphers (default setting)')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_3' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -359,29 +397,29 @@ def test_ticket47838_run_4(topology):
global plus_all_dcount
assert ecount == 12
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
- weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
-def test_ticket47838_run_5(topology):
+def test_ticket47838_run_6(topology):
"""
Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5
All ciphers are disabled.
"""
- _header(topology, 'Test Case 6 - Check nssSSL3Chiphers: +all,-rsa_rc4_128_md5')
+ _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: +all,-tls_dhe_rsa_aes_128_gcm_sha')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
- topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-rsa_rc4_128_md5')])
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all,-tls_dhe_rsa_aes_128_gcm_sha')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_4' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -389,27 +427,29 @@ def test_ticket47838_run_5(topology):
log.info("Disabled ciphers: %d" % dcount)
global plus_all_ecount
global plus_all_dcount
+ log.info("ALL Ecount: %d" % plus_all_ecount)
+ log.info("ALL Dcount: %d" % plus_all_dcount)
assert ecount == (plus_all_ecount - 1)
assert dcount == (plus_all_dcount + 1)
-def test_ticket47838_run_6(topology):
+def test_ticket47838_run_7(topology):
"""
Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5
All ciphers are disabled.
"""
- _header(topology, 'Test Case 7 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5')
+ _header(topology, 'Test Case 8 - Check nssSSL3Chiphers: -all,+rsa_rc4_128_md5')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '-all,+rsa_rc4_128_md5')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_5' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -420,25 +460,59 @@ def test_ticket47838_run_6(topology):
assert ecount == 1
assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
-def test_ticket47838_run_7(topology):
+def test_ticket47838_run_8(topology):
+ """
+ Check nsSSL3Ciphers: default + allowWeakCipher: off
+ Strong Default ciphers are enabled.
+ """
+ _header(topology, 'Test Case 9 - Check default nssSSL3Chiphers (default setting + allowWeakCipher: off)')
+
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'),
+ (ldap.MOD_REPLACE, 'allowWeakCipher', 'off')])
+
+ log.info("\n######################### Restarting the server ######################\n")
+ topology.standalone.stop(timeout=10)
+ os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('touch %s' % (topology.standalone.errlog))
+ topology.standalone.start(timeout=120)
+
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
+ ecount = int(enabled.readline().rstrip())
+ dcount = int(disabled.readline().rstrip())
+
+ log.info("Enabled ciphers: %d" % ecount)
+ log.info("Disabled ciphers: %d" % dcount)
+ global plus_all_ecount
+ global plus_all_dcount
+ assert ecount == 12
+ assert dcount == (plus_all_ecount + plus_all_dcount - ecount)
+ weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ wcount = int(weak.readline().rstrip())
+ log.info("Weak ciphers in the default setting: %d" % wcount)
+ assert wcount == 0
+
+def test_ticket47838_run_9(topology):
"""
Check no nsSSL3Ciphers
Default ciphers are enabled.
"""
- _header(topology, 'Test Case 8 - Check no nssSSL3Chiphers (default setting) with no errorlog-level')
+ _header(topology, 'Test Case 10 - Check no nssSSL3Chiphers (default setting) with no errorlog-level')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
- topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None)])
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', None),
+ (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_6' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_8' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -446,12 +520,12 @@ def test_ticket47838_run_7(topology):
log.info("Disabled ciphers: %d" % dcount)
assert ecount == 12
assert dcount == 0
- weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers in the default setting: %d" % wcount)
assert wcount == 0
-def test_ticket47838_run_8(topology):
+def test_ticket47838_run_10(topology):
"""
Check nssSSL3Chiphers: -TLS_RSA_WITH_NULL_MD5,+TLS_RSA_WITH_RC4_128_MD5,
+TLS_RSA_EXPORT_WITH_RC4_40_MD5,+TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
@@ -462,7 +536,7 @@ def test_ticket47838_run_8(topology):
-SSL_CK_RC2_128_CBC_WITH_MD5,-SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5,
-SSL_CK_DES_64_CBC_WITH_MD5,-SSL_CK_DES_192_EDE3_CBC_WITH_MD5
"""
- _header(topology, 'Test Case 9 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name')
+ _header(topology, 'Test Case 11 - Check nssSSL3Chiphers: long list using the NSS Cipher Suite name')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers',
@@ -470,12 +544,12 @@ def test_ticket47838_run_8(topology):
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_9' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- enabled = os.popen('egrep "SSL alert:" %s | egrep enabled | wc -l' % topology.standalone.errlog)
- disabled = os.popen('egrep "SSL alert:" %s | egrep disabled | wc -l' % topology.standalone.errlog)
+ enabled = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | wc -l' % topology.standalone.errlog)
+ disabled = os.popen('egrep "SSL alert:" %s | egrep \": disabled\" | wc -l' % topology.standalone.errlog)
ecount = int(enabled.readline().rstrip())
dcount = int(disabled.readline().rstrip())
@@ -485,32 +559,56 @@ def test_ticket47838_run_8(topology):
global plus_all_dcount
assert ecount == 9
assert dcount == 0
- weak = os.popen('egrep "SSL alert:" %s | egrep enabled | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
+ weak = os.popen('egrep "SSL alert:" %s | egrep \": enabled\" | egrep "WEAK CIPHER" | wc -l' % topology.standalone.errlog)
wcount = int(weak.readline().rstrip())
log.info("Weak ciphers in the default setting: %d" % wcount)
-def test_ticket47838_run_9(topology):
+ topology.standalone.log.info("ticket47838 was successfully verified.");
+
+def test_ticket47838_run_11(topology):
+ """
+ Check nssSSL3Chiphers: +fortezza
+ SSL_GetImplementedCiphers does not return this as a secuire cipher suite
+ """
+ _header(topology, 'Test Case 12 - Check nssSSL3Chiphers: +fortezza, which is not supported')
+
+ topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+fortezza')])
+
+ log.info("\n######################### Restarting the server ######################\n")
+ topology.standalone.stop(timeout=10)
+ os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('touch %s' % (topology.standalone.errlog))
+ topology.standalone.start(timeout=120)
+
+ errmsg = os.popen('egrep "SSL alert:" %s | egrep "is not available in NSS"' % topology.standalone.errlog)
+ if errmsg != "":
+ log.info("Expected error message:")
+ log.info("%s" % errmsg.readline())
+ else:
+ log.info("Expected error message was not found")
+ assert False
+
+def test_ticket47838_run_last(topology):
"""
- NOTE: Currently, this test case is commented out since if the server fails to start,
- it repeatedly restarted.
Check nssSSL3Chiphers: all <== invalid value
All ciphers are disabled.
"""
- _header(topology, 'Test Case 10 - Check nssSSL3Chiphers: all, which is invalid')
+ _header(topology, 'Test Case 13 - Check nssSSL3Chiphers: all, which is invalid')
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'all')])
log.info("\n######################### Restarting the server ######################\n")
topology.standalone.stop(timeout=10)
- os.system('mv %s %s.47838_7' % (topology.standalone.errlog, topology.standalone.errlog))
+ os.system('mv %s %s.47838_10' % (topology.standalone.errlog, topology.standalone.errlog))
os.system('touch %s' % (topology.standalone.errlog))
topology.standalone.start(timeout=120)
- errmsg = os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog)
+ errmsg = os.popen('egrep "SSL alert:" %s | egrep "invalid ciphers"' % topology.standalone.errlog)
if errmsg != "":
log.info("Expected error message:")
- log.info("%s" % errmsg)
+ log.info("%s" % errmsg.readline())
else:
log.info("Expected error message was not found")
assert False
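Review bot: `errmsg` in `test_ticket47838_run_11` is the pipe object returned by `os.popen`, so `if errmsg != "":` is always true and the `assert False` branch can never run — the test passes even when the expected "is not available in NSS" alert is absent; the same construct is kept in `test_ticket47838_run_last` just below. Reading the line first, `errmsg = os.popen(...).readline()` followed by `if errmsg:`, makes the check real in both. Both test cases also archive the error log to the same `%s.47838_10` suffix, so run_last's `mv` overwrites the log captured by run_11; using `.47838_11` in run_last keeps both. The trailing `;` on the `topology.standalone.log.info("ticket47838 was successfully verified.")` line is harmless but not idiomatic.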
@@ -519,6 +617,9 @@ def test_ticket47838_run_9(topology):
def test_ticket47838_final(topology):
topology.standalone.simple_bind_s(DN_DM, PASSWORD)
+ topology.standalone.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-errorlog-level', None)])
+ topology.standalone.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3Ciphers', 'default'),
+ (ldap.MOD_REPLACE, 'allowWeakCipher', 'on')])
topology.standalone.stop(timeout=10)
def run_isolated():
@@ -544,7 +645,11 @@ def run_isolated():
test_ticket47838_run_6(topo)
test_ticket47838_run_7(topo)
test_ticket47838_run_8(topo)
- # test_ticket47838_run_9(topo)
+ test_ticket47838_run_9(topo)
+ test_ticket47838_run_10(topo)
+ test_ticket47838_run_11(topo)
+
+ test_ticket47838_run_last(topo)
test_ticket47838_final(topo)
commit 5f3c87e1380e56d76d4a4bef3af07633a8589891
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Sep 11 11:46:51 2014 -0700
Ticket #47838 - harden the list of ciphers available by default
Description:
1. Introducing a new attribute allowWeakCipher in "cn=encryption,cn=config".
allowWeakCipher: [on | off]
on -- allows weak ciphers.
Default setting for user specified ciphers.
off -- rejects weak ciphers.
Default setting for +all and default.
2. allowWeakCipher is applied only to the user specified cipher suites
such as "nsSSL3Ciphers: +rsa_rc4_128_md5".
If allowWeakCipher is enabled and the user specified cipher is weak,
SSL alert is logged in the error log:
SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward compatibility).
We strongly recommend to set it to "off". Please replace the value of
allowWeakCipher with "off" in the encryption config entry cn=encryption,
cn=config and restart the server.
3. If specified cipher suite is not supported, ignore the cipher suite
and continue setting ciphers.
https://fedorahosted.org/389/ticket/47838
Reviewed by rmeggins(a)redhat.com (Thank you, Rich!!)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 1b8a70b..c7aec70 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -128,6 +128,7 @@ attributeTypes: ( nsSSL3SessionTimeout-oid NAME 'nsSSL3SessionTimeout' DESC 'Net
attributeTypes: ( nsSSL2Ciphers-oid NAME 'nsSSL2Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSL3Ciphers-oid NAME 'nsSSL3Ciphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLSupportedCiphers-oid NAME 'nsSSLSupportedCiphers' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
@@ -316,7 +317,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 1a21df0..03b5904 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -119,7 +119,21 @@ static char * configDN = "cn=encryption,cn=config";
#define FILE_PATHSEP '/'
/* ----------------------- Multiple cipher support ------------------------ */
-
+/* cipher set flags */
+#define CIPHER_SET_ALL 0x1
+#define CIPHER_SET_NONE 0x0
+#define CIPHER_SET_DEFAULT 0x2
+#define CIPHER_SET_CORE (CIPHER_SET_ALL|CIPHER_SET_DEFAULT|CIPHER_SET_NONE)
+#define CIPHER_SET_ALLOWWEAKCIPHER 0x10 /* can be or'ed with other CIPHER_SET flags */
+
+#define CIPHER_SET_ISDEFAULT(flag) \
+ ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_ISALL(flag) \
+ ((((flag)&CIPHER_SET_CORE) == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_ALLOWSWEAKCIPHER(flag) \
+ (((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+#define CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flag) \
+ ((flag)&~CIPHER_SET_ALLOWWEAKCIPHER)
/* flags */
#define CIPHER_IS_DEFAULT 0x1
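Review bot: `CIPHER_SET_ISDEFAULT` and `CIPHER_SET_ISALL` compare the masked core bits for equality, so a flag carrying both `CIPHER_SET_ALL` and `CIPHER_SET_DEFAULT` (0x3) satisfies neither and falls through to the disable-all branch of `_conf_setallciphers`. That is presumably intended, but nothing at the definitions says so; a one-line comment above the core flags, `/* ALL, NONE and DEFAULT are mutually exclusive; only CIPHER_SET_ALLOWWEAKCIPHER may be or'ed in */`, would keep a future caller from combining them.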
@@ -158,7 +172,7 @@ static lookup_cipher _lookup_cipher[] = {
{"tls_rsa_3des_sha", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"},
{"rsa_fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
{"fips_3des_sha", "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"},
- {"rsa_des_sha", "TLS_RSA_WITH_DES_CBC_SHA"},
+ {"rsa_des_sha", "SSL_RSA_WITH_DES_CBC_SHA"},
{"rsa_fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"},
{"fips_des_sha", "SSL_RSA_FIPS_WITH_DES_CBC_SHA"}, /* ditto */
{"rsa_rc4_40_md5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"},
@@ -339,21 +353,20 @@ _conf_init_ciphers()
return;
}
-#define CIPHER_SET_ALL 1
-#define CIPHER_SET_NONE 0
-#define CIPHER_SET_DEFAULT 2
/*
- * flag: 1 -- enable all
- * 0 -- disable all
- * 2 -- set default ciphers
+ * flag: CIPHER_SET_ALL -- enable all
+ * CIPHER_SET_NONE -- disable all
+ * CIPHER_SET_DEFAULT -- set default ciphers
+ * CIPHER_SET_ALLOW_WEAKCIPHER -- allow weak ciphers (can be or'ed with the ather CIPHER_SET flags)
*/
static void
_conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
{
int x;
SECStatus rc;
- PRBool setdefault = (flag == CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE;
- PRBool enabled = (flag == CIPHER_SET_ALL) ? PR_TRUE : PR_FALSE;
+ PRBool setdefault = CIPHER_SET_ISDEFAULT(flag);
+ PRBool enabled = CIPHER_SET_ISALL(flag);
+ PRBool allowweakcipher = CIPHER_SET_ALLOWSWEAKCIPHER(flag);
PRBool setme = PR_FALSE;
const PRUint16 *implementedCiphers = SSL_GetImplementedCiphers();
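Review bot: The new comment line names `CIPHER_SET_ALLOW_WEAKCIPHER`, but the macro defined earlier in this file is `CIPHER_SET_ALLOWWEAKCIPHER`, and "ather" is a typo; the line should read ` * CIPHER_SET_ALLOWWEAKCIPHER -- allow weak ciphers (can be or'ed with the other CIPHER_SET flags)`. The `allowweakcipher` local is derived from exactly that bit, so a reader grepping for the commented name finds nothing. `_conf_setallciphers` continues past this hunk.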
@@ -361,8 +374,9 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
for (x = 0; implementedCiphers && (x < SSL_NumImplementedCiphers); x++) {
if (_conf_ciphers[x].flags & CIPHER_IS_DEFAULT) {
+ /* certainly, not the first time. */
setme = PR_TRUE;
- } else {
+ } else if (setdefault) {
/*
* SSL_CipherPrefGetDefault
* If the application has not previously set the default preference,
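Review bot: The `CIPHER_IS_DEFAULT` short-circuit at the top of the loop sets `setme = PR_TRUE` without consulting `allowweakcipher`, so a weak cipher flagged default by an earlier `CIPHER_SET_DEFAULT` pass stays enabled even if a later call disallows weak ciphers; this is safe only as long as every pass runs under the same policy, and whether any caller invokes the function more than once with differing flags is not visible here. The comment `/* certainly, not the first time. */` does not convey that; suggest `/* CIPHER_IS_DEFAULT was computed by an earlier CIPHER_SET_DEFAULT pass under the same allowweakcipher policy; reuse it without re-checking weak/FIPS */`. The loop body continues in the next hunk.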
@@ -375,15 +389,16 @@ _conf_setallciphers(int flag, char ***suplist, char ***unsuplist)
_conf_ciphers[x].name);
continue;
}
- if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+ if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
setme = PR_FALSE;
}
_conf_ciphers[x].flags |= setme?CIPHER_IS_DEFAULT:0;
- }
- if (setdefault) {
- /* Use the NSS default settings */
} else if (enabled && !(_conf_ciphers[x].flags & CIPHER_MUST_BE_DISABLED)) {
- setme = PR_TRUE;
+ if (!allowweakcipher && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
+ setme = PR_FALSE;
+ } else {
+ setme = PR_TRUE;
+ }
} else {
setme = PR_FALSE;
}
@@ -433,7 +448,7 @@ _conf_dumpciphers()
}
char *
-_conf_setciphers(char *ciphers)
+_conf_setciphers(char *ciphers, int flags)
{
char *t, err[MAGNUS_ERROR_LEN];
int x, i, active;
@@ -445,7 +460,7 @@ _conf_setciphers(char *ciphers)
/* #47838: harden the list of ciphers available by default */
/* Default is to activate all of them ==> none of them*/
if (!ciphers || (ciphers[0] == '\0') || !PL_strcasecmp(ciphers, "default")) {
- _conf_setallciphers(CIPHER_SET_DEFAULT, NULL, NULL);
+ _conf_setallciphers((CIPHER_SET_DEFAULT|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)), NULL, NULL);
slapd_SSL_warn("Security Initialization: Enabling default cipher set.");
_conf_dumpciphers();
return NULL;
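Review bot: `CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags)` clears the allow-weak bit, and the only caller visible on this page (`slapd_ssl_init`) passes a `flags` value that is either `CIPHER_SET_ALLOWWEAKCIPHER` or 0, so the or'ed term is always 0 and the default set (and the `+all` set in the hunk that follows) never honours allowWeakCipher. If that is deliberate — weak ciphers only when named explicitly — a plain `CIPHER_SET_DEFAULT` argument says it more clearly, together with a comment such as `/* allowWeakCipher is honoured only for explicitly listed ciphers; the default and "all" sets never include weak ciphers */`. If the bit was meant to pass through, the expression to use is `(flags & CIPHER_SET_ALLOWWEAKCIPHER)`.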
@@ -458,11 +473,11 @@ _conf_setciphers(char *ciphers)
* set of ciphers in the table. Right now there is no support for this
* from the console
*/
- _conf_setallciphers(CIPHER_SET_ALL, &suplist, NULL);
+ _conf_setallciphers(CIPHER_SET_ALL|CIPHER_SET_DISABLE_ALLOWSWEAKCIPHER(flags), &suplist, NULL);
} else {
/* If "+all" is not in nsSSL3Ciphers value, disable all first,
* then enable specified ciphers. */
- _conf_setallciphers(0 /* disabled */, NULL, NULL);
+ _conf_setallciphers(CIPHER_SET_NONE /* disabled */, NULL, NULL);
}
t = ciphers;
@@ -482,12 +497,28 @@ _conf_setciphers(char *ciphers)
if( (t = strchr(ciphers, ',')) )
*t++ = '\0';
- if(strcasecmp(ciphers, "all")) { /* if not all */
+ if (strcasecmp(ciphers, "all")) { /* if not all */
PRBool enabled = active ? PR_TRUE : PR_FALSE;
lookup = 1;
- for(x = 0; _conf_ciphers[x].name; x++) {
- if(!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
+ for (x = 0; _conf_ciphers[x].name; x++) {
+ if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
+ if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+ if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
+ "(default setting for the backward compatibility). "
+ "We strongly recommend to set it to \"off\". "
+ "Please replace the value of allowWeakCipher with \"off\" in "
+ "the encryption config entry cn=encryption,cn=config and "
+ "restart the server.", ciphers);
+ } else {
+ /* if the cipher is weak and we don't allow weak cipher,
+ disable it. */
+ enabled = PR_FALSE;
+ }
+ }
if (enabled) {
+ /* if the cipher is not weak or we allow weak cipher,
+ check fips. */
enabled = cipher_check_fips(x, NULL, &unsuplist);
}
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
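Review bot: The weak-cipher block runs before `enabled` is consulted, so for an entry that disables a cipher (`active` is 0, hence `enabled` is false) with allowWeakCipher on, the log still reports `Cipher %s is weak. It is enabled since allowWeakCipher is "on"` although the cipher is being turned off; the alias path in the next hunk gets this right by nesting the same block under `if (enabled)`. The minimal fix is `if (enabled && (_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {`. Since the block, including the six-line warning text, is now duplicated verbatim in both lookup loops, a small static helper keeps the policy and the message in one place, and both call sites become `if (enabled) { enabled = _conf_weak_cipher_allowed(x, ciphers, flags); }` ahead of the existing FIPS check. `_conf_setciphers` starts before and ends after this hunk.
```c
/* Return PR_FALSE when cipher x is weak and allowWeakCipher is off;
 * warn (but allow) when it is weak and allowWeakCipher is on. */
static PRBool
_conf_weak_cipher_allowed(int x, const char *ciphers, int flags)
{
    if (!(_conf_ciphers[x].flags & CIPHER_IS_WEAK)) {
        return PR_TRUE;
    }
    if (!CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
        return PR_FALSE;
    }
    slapd_SSL_warn("Cipher %s is weak. It is enabled since allowWeakCipher is \"on\" "
                   "(default setting for the backward compatibility). "
                   "We strongly recommend to set it to \"off\". "
                   "Please replace the value of allowWeakCipher with \"off\" in "
                   "the encryption config entry cn=encryption,cn=config and "
                   "restart the server.", ciphers);
    return PR_TRUE;
}

/* … unchanged: _conf_setciphers up to the name lookup loop … */
            if (!PL_strcasecmp(ciphers, _conf_ciphers[x].name)) {
                if (enabled) {
                    enabled = _conf_weak_cipher_allowed(x, ciphers, flags);
                }
                if (enabled) {
                    /* not weak, or weak and allowed: now check FIPS */
                    enabled = cipher_check_fips(x, NULL, &unsuplist);
                }
                SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
```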
@@ -499,14 +530,33 @@ _conf_setciphers(char *ciphers)
for (i = 0; _lookup_cipher[i].alias; i++) {
if (!PL_strcasecmp(ciphers, _lookup_cipher[i].alias)) {
if (!_lookup_cipher[i].name[0]) {
- slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d",
- ciphers, NSS_VMAJOR, NSS_VMINOR);
- break;
+ slapd_SSL_warn("Cipher suite %s is not available in NSS %d.%d. Ignoring %s",
+ ciphers, NSS_VMAJOR, NSS_VMINOR, ciphers);
+ continue;
}
for (x = 0; _conf_ciphers[x].name; x++) {
if (!PL_strcasecmp(_lookup_cipher[i].name, _conf_ciphers[x].name)) {
if (enabled) {
- enabled = cipher_check_fips(x, NULL, &unsuplist);
+ if (_conf_ciphers[x].flags & CIPHER_IS_WEAK) {
+ if (CIPHER_SET_ALLOWSWEAKCIPHER(flags)) {
+ slapd_SSL_warn("Cipher %s is weak. "
+ "It is enabled since allowWeakCipher is \"on\" "
+ "(default setting for the backward compatibility). "
+ "We strongly recommend to set it to \"off\". "
+ "Please replace the value of allowWeakCipher with \"off\" in "
+ "the encryption config entry cn=encryption,cn=config and "
+ "restart the server.", ciphers);
+ } else {
+ /* if the cipher is weak and we don't allow weak cipher,
+ disable it. */
+ enabled = PR_FALSE;
+ }
+ }
+ if (enabled) {
+ /* if the cipher is not weak or we allow weak cipher,
+ check fips. */
+ enabled = cipher_check_fips(x, NULL, &unsuplist);
+ }
}
SSL_CipherPrefSetDefault(_conf_ciphers[x].num, enabled);
break;
@@ -1008,6 +1058,7 @@ slapd_ssl_init()
int rv = 0;
PK11SlotInfo *slot;
Slapi_Entry *entry = NULL;
+ int allowweakcipher = CIPHER_SET_ALLOWWEAKCIPHER;
/* Get general information */
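Review bot: `allowweakcipher` is initialised to `CIPHER_SET_ALLOWWEAKCIPHER`, the permissive setting, and nothing at the declaration says why; a comment such as `/* default on for backward compatibility; cleared below when allowWeakCipher is off */` would make the fail-open default explicit to whoever next tightens it. `slapd_ssl_init` begins before this hunk.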
@@ -1017,21 +1068,21 @@ slapd_ssl_init()
ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
/* We are currently using the value of sslSessionTimeout
- for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
+ for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
/* Note from Tom Weinstein on the meaning of the timeout:
Timeouts are in seconds. '0' means use the default, which is
- 24hrs for SSL3 and 100 seconds for SSL2.
+ 24hrs for SSL3 and 100 seconds for SSL2.
*/
if(!val) {
errorCode = PR_GetError();
slapd_SSL_warn("Security Initialization: Failed to retrieve SSL "
"configuration information ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
- "nssslSessionTimeout: %s ",
- errorCode, slapd_pr_strerror(errorCode),
- (val ? "found" : "not found"));
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s): "
+ "nssslSessionTimeout: %s ",
+ errorCode, slapd_pr_strerror(errorCode),
+ (val ? "found" : "not found"));
slapi_ch_free((void **) &val);
slapi_ch_free((void **) &ciphers);
freeConfigEntry( &entry );
@@ -1042,79 +1093,86 @@ slapd_ssl_init()
slapi_ch_free((void **) &val);
if (svrcore_setup()) {
- freeConfigEntry( &entry );
- return -1;
+ freeConfigEntry( &entry );
+ return -1;
}
- if((family_list = getChildren(configDN))) {
- char **family;
- char *token;
- char *activation;
+ val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
+ if (val && (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no"))) {
+ allowweakcipher = 0;
+ }
+ slapi_ch_free((void **) &val);
+
+ if ((family_list = getChildren(configDN))) {
+ char **family;
+ char *token;
+ char *activation;
- for (family = family_list; *family; family++) {
+ for (family = family_list; *family; family++) {
- token = NULL;
- activation = NULL;
+ token = NULL;
+ activation = NULL;
- freeConfigEntry( &entry );
+ freeConfigEntry( &entry );
- getConfigEntry( *family, &entry );
- if ( entry == NULL ) {
- continue;
- }
+ getConfigEntry( *family, &entry );
+ if ( entry == NULL ) {
+ continue;
+ }
- activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
- if((!activation) || (!PL_strcasecmp(activation, "off"))) {
- /* this family was turned off, goto next */
- slapi_ch_free((void **) &activation);
- continue;
- }
+ activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
+ if((!activation) || (!PL_strcasecmp(activation, "off"))) {
+ /* this family was turned off, goto next */
+ slapi_ch_free((void **) &activation);
+ continue;
+ }
- slapi_ch_free((void **) &activation);
-
- token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
- if( token ) {
- if( !PL_strcasecmp(token, "internal") ||
- !PL_strcasecmp(token, "internal (software)"))
- slot = slapd_pk11_getInternalKeySlot();
- else
- slot = slapd_pk11_findSlotByName(token);
- } else {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to get token ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- freeChildren(family_list);
- freeConfigEntry( &entry );
- return -1;
- }
+ slapi_ch_free((void **) &activation);
- slapi_ch_free((void **) &token);
+ token = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
+ if ( token ) {
+ if (!PL_strcasecmp(token, "internal") ||
+ !PL_strcasecmp(token, "internal (software)")) {
+ slot = slapd_pk11_getInternalKeySlot();
+ } else {
+ slot = slapd_pk11_findSlotByName(token);
+ }
+ } else {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to get token ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ freeChildren(family_list);
+ freeConfigEntry( &entry );
+ return -1;
+ }
- if (!slot) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to find slot ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- freeChildren(family_list);
- freeConfigEntry( &entry );
- return -1;
- }
- /* authenticate */
- if(slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess)
- {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to authenticate ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- freeChildren(family_list);
- freeConfigEntry( &entry );
- return -1;
- }
- }
- freeChildren( family_list );
+ slapi_ch_free((void **) &token);
+
+ if (!slot) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to find slot ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ freeChildren(family_list);
+ freeConfigEntry( &entry );
+ return -1;
+ }
+ /* authenticate */
+ if (slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to authenticate ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ freeChildren(family_list);
+ freeConfigEntry( &entry );
+ return -1;
+ }
+ }
+ freeChildren( family_list );
+ freeConfigEntry( &entry );
}
- freeConfigEntry( &entry );
/* ugaston- Cipher preferences must be set before any sslSocket is created
* for such sockets to take preferences into account.
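Review bot: The allowWeakCipher parse recognises only four "off" spellings and leaves weak ciphers enabled for every other value, so a typo, an unexpected token or an empty string silently keeps the permissive default with no log line. Recognising the "on" spellings as well and warning on anything else turns a misconfiguration into a visible error-log entry instead of a fail-open. The rest of this hunk is re-indentation of the token/slot loop; `slapd_ssl_init` begins before and ends after it.
```c
    val = slapi_entry_attr_get_charptr(entry, "allowWeakCipher");
    if (val) {
        if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
            !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
            allowweakcipher = 0;
        } else if (PL_strcasecmp(val, "on") && PL_strcasecmp(val, "true") &&
                   PL_strcmp(val, "1") && PL_strcasecmp(val, "yes")) {
            /* unknown value: keep the permissive default, but say so */
            slapd_SSL_warn("Security Initialization: unrecognized allowWeakCipher "
                           "value \"%s\"; weak ciphers remain enabled.", val);
        }
    }
    slapi_ch_free((void **) &val);
    /* … unchanged: family/token/slot loop … */
```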
@@ -1126,13 +1184,13 @@ slapd_ssl_init()
PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
slapi_ch_free((void **) &ciphers);
- if( NULL != (val = _conf_setciphers(cipher_string)) ) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
- "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- val, errorCode, slapd_pr_strerror(errorCode));
- rv = 3;
- slapi_ch_free((void **) &val);
+ if ( NULL != (val = _conf_setciphers(cipher_string, allowweakcipher)) ) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to set SSL cipher "
+ "preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ val, errorCode, slapd_pr_strerror(errorCode));
+ rv = 3;
+ slapi_ch_free((void **) &val);
}
freeConfigEntry( &entry );
admserv/newinst
by Mark Reynolds
admserv/newinst/src/register-ds-admin.pl.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
New commits:
commit 5923c77db0adeb62123e7208c8bd4695f8092e32
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Sep 10 17:21:53 2014 -0400
Ticket 47860 - register-ds-admin.pl problem when following steps to replicate o=netscaperoot
Bug Description: When following the documented steps the script gets stuck in
a loop when it fails to add "o=netscaperoot". It's failing
because it already exists.
Fix Description: Break out of the loop when the update operation fails.
https://fedorahosted.org/389/ticket/47860
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/newinst/src/register-ds-admin.pl.in b/admserv/newinst/src/register-ds-admin.pl.in
index cd0f745..08c7108 100644
--- a/admserv/newinst/src/register-ds-admin.pl.in
+++ b/admserv/newinst/src/register-ds-admin.pl.in
@@ -613,12 +613,14 @@ if ( ($#admConfKeys >= 0 && ($orig_confdsid ne $new_confdsid)) ||
@errs = ();
# First, let's register the Configuration Directory itself
- $setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;
+ if(!$setup->{inf}->{slapd}->{RootDNPwd}){
+ $setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;
+ }
while (!createConfigDS($setup->{inf}, \@errs))
{
foreach my $err (@errs)
{
- if ( $err eq "suffix_already_exists" )
+ if ( $err eq "suffix_already_exists" || $err eq "error_creating_suffix_backend")
{
goto out;
}
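Review bot: `if(!$setup->{inf}->{slapd}->{RootDNPwd})` treats a password of `0` as unset, because `0` is false in Perl; `if (!defined($setup->{inf}->{slapd}->{RootDNPwd}) || $setup->{inf}->{slapd}->{RootDNPwd} eq "")` lets only a missing or empty value fall back to `$localrootpw`. The new `error_creating_suffix_backend` case jumps to `out` exactly like `suffix_already_exists`, so a backend-creation failure now shares whatever handling the `out:` label provides, which is outside this hunk; a short comment on the branch, e.g. `# suffix already exists or its backend cannot be created: stop retrying`, would record why both are terminal. The enclosing `while` loop continues past the hunk.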
Branch '389-ds-base-1.2.11' - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/deref/deref.c | 30 ++++++++++++------------------
1 file changed, 12 insertions(+), 18 deletions(-)
New commits:
commit 67e4eedad933b15837cd83fb2d0d5f5d358cddce
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Wed Sep 10 13:22:06 2014 +0200
fix for 47885 did not always return a response control
reviewed by rich, thanks
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 50295b9..06e2df5 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -589,14 +589,13 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
slapi_vattr_values_free(results, actual_type_name, buffer_flags);
}
-static int
+static void
deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
{
char **retattrs = NULL;
Slapi_PBlock *derefpb = NULL;
Slapi_Entry **entries = NULL;
int rc;
- int needcontrol = 0;
/* If the access check on the attributes is done without retrieveing the entry
* it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -626,7 +625,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
"The client does not have permission to read the requested "
"attributes in entry %s\n", derefdn);
} else {
- needcontrol = 1;
ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
for (ii = 0; retattrs[ii]; ++ii) {
Slapi_Value *sv;
@@ -701,7 +699,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
slapi_pblock_destroy(derefpb);
slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
- return needcontrol;
}
static int
@@ -715,7 +712,6 @@ deref_pre_entry(Slapi_PBlock *pb)
LDAPControl *ctrl = NULL;
const LDAPControl **searchctrls = NULL;
LDAPControl **newsearchctrls = NULL;
- int needcontrol = 0;
if (!speclist) {
return 0; /* nothing to do */
@@ -759,25 +755,23 @@ deref_pre_entry(Slapi_PBlock *pb)
for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
const char *derefdn = slapi_value_get_string(sv);
- needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
+ deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
}
deref_values_free(&results, &actual_type_name, buffer_flags);
}
ber_printf(ctrlber, "}"); /* end control val */
- if (needcontrol) {
- slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
- /* get the list of controls */
- slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
- /* dup them */
- slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
- /* add our control */
- slapi_add_control_ext(&newsearchctrls, ctrl, 0);
- ctrl = NULL; /* newsearchctrls owns it now */
- /* set the controls in the pblock */
- slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
- }
+ slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+ /* get the list of controls */
+ slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
+ /* dup them */
+ slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+ /* add our control */
+ slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+ ctrl = NULL; /* newsearchctrls owns it now */
+ /* set the controls in the pblock */
+ slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
ber_free(ctrlber, 1);
return 0;
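Review bot: `slapi_build_control` and the `ber_printf(ctrlber, "}")` that closes the control value now run unconditionally, yet neither return value is checked; if building the control fails, `ctrl` stays NULL and `slapi_add_control_ext(&newsearchctrls, ctrl, 0)` is handed a NULL control. Guarding the add with `if (ctrl) { ... }` or checking the return of `slapi_build_control` avoids that, and a comment above the call such as `/* always attach the control, even when nothing could be dereferenced, so the client sees an (empty) DerefRes */` would record the behaviour this commit establishes. With the `needcontrol` counter gone, the control is also emitted when the client lacked read access to every dereferenced entry, which is presumably the intent of the fix. The same hunk appears verbatim in the three following commits for the 1.3.2, 1.3.3 and master branches. `deref_pre_entry` starts before this hunk.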
Branch '389-ds-base-1.3.2' - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/deref/deref.c | 30 ++++++++++++------------------
1 file changed, 12 insertions(+), 18 deletions(-)
New commits:
commit 0056b612a509b7689e4384f3f2e52f3c6e74994f
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Wed Sep 10 13:22:06 2014 +0200
fix for 47885 did not always return a response control
reviewed by rich, thanks
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 20b56cc..06540f5 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -598,14 +598,13 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
slapi_vattr_values_free(results, actual_type_name, buffer_flags);
}
-static int
+static void
deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
{
char **retattrs = NULL;
Slapi_PBlock *derefpb = NULL;
Slapi_Entry **entries = NULL;
int rc;
- int needcontrol = 0;
/* If the access check on the attributes is done without retrieveing the entry
* it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -635,7 +634,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
"The client does not have permission to read the requested "
"attributes in entry %s\n", derefdn);
} else {
- needcontrol = 1;
ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
for (ii = 0; retattrs[ii]; ++ii) {
Slapi_Value *sv;
@@ -711,7 +709,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
slapi_pblock_destroy(derefpb);
slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
- return needcontrol;
}
static int
@@ -725,7 +722,6 @@ deref_pre_entry(Slapi_PBlock *pb)
LDAPControl *ctrl = NULL;
const LDAPControl **searchctrls = NULL;
LDAPControl **newsearchctrls = NULL;
- int needcontrol = 0;
if (!speclist) {
return 0; /* nothing to do */
@@ -769,25 +765,23 @@ deref_pre_entry(Slapi_PBlock *pb)
for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
const char *derefdn = slapi_value_get_string(sv);
- needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
+ deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
}
deref_values_free(&results, &actual_type_name, buffer_flags);
}
ber_printf(ctrlber, "}"); /* end control val */
- if (needcontrol) {
- slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
- /* get the list of controls */
- slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
- /* dup them */
- slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
- /* add our control */
- slapi_add_control_ext(&newsearchctrls, ctrl, 0);
- ctrl = NULL; /* newsearchctrls owns it now */
- /* set the controls in the pblock */
- slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
- }
+ slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+ /* get the list of controls */
+ slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
+ /* dup them */
+ slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+ /* add our control */
+ slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+ ctrl = NULL; /* newsearchctrls owns it now */
+ /* set the controls in the pblock */
+ slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
ber_free(ctrlber, 1);
return 0;
Branch '389-ds-base-1.3.3' - ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/deref/deref.c | 30 ++++++++++++------------------
1 file changed, 12 insertions(+), 18 deletions(-)
New commits:
commit 55e317f2a5d8fc488e7eeee6f2b4155298a45d25
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Wed Sep 10 13:22:06 2014 +0200
fix for 47885 did not always return a response control
reviewed by rich, thanks
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 96d42e6..1bab0ab 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -591,14 +591,13 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
slapi_vattr_values_free(results, actual_type_name, buffer_flags);
}
-static int
+static void
deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
{
char **retattrs = NULL;
Slapi_PBlock *derefpb = NULL;
Slapi_Entry **entries = NULL;
int rc;
- int needcontrol = 0;
/* If the access check on the attributes is done without retrieveing the entry
* it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -628,7 +627,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
"The client does not have permission to read the requested "
"attributes in entry %s\n", derefdn);
} else {
- needcontrol = 1;
ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
for (ii = 0; retattrs[ii]; ++ii) {
Slapi_Value *sv;
@@ -704,7 +702,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
slapi_pblock_destroy(derefpb);
slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
- return needcontrol;
}
static int
@@ -718,7 +715,6 @@ deref_pre_entry(Slapi_PBlock *pb)
LDAPControl *ctrl = NULL;
const LDAPControl **searchctrls = NULL;
LDAPControl **newsearchctrls = NULL;
- int needcontrol = 0;
if (!speclist) {
return 0; /* nothing to do */
@@ -762,25 +758,23 @@ deref_pre_entry(Slapi_PBlock *pb)
for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
const char *derefdn = slapi_value_get_string(sv);
- needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
+ deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
}
deref_values_free(&results, &actual_type_name, buffer_flags);
}
ber_printf(ctrlber, "}"); /* end control val */
- if (needcontrol) {
- slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
- /* get the list of controls */
- slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
- /* dup them */
- slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
- /* add our control */
- slapi_add_control_ext(&newsearchctrls, ctrl, 0);
- ctrl = NULL; /* newsearchctrls owns it now */
- /* set the controls in the pblock */
- slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
- }
+ slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+ /* get the list of controls */
+ slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
+ /* dup them */
+ slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+ /* add our control */
+ slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+ ctrl = NULL; /* newsearchctrls owns it now */
+ /* set the controls in the pblock */
+ slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
ber_free(ctrlber, 1);
return 0;
ldap/servers
by Ludwig Krispenz
ldap/servers/plugins/deref/deref.c | 30 ++++++++++++------------------
1 file changed, 12 insertions(+), 18 deletions(-)
New commits:
commit de57632cd67dd976ff4a8d0d85e739660f3fbddf
Author: Ludwig Krispenz <lkrispen(a)redhat.com>
Date: Wed Sep 10 13:22:06 2014 +0200
fix for 47885 did not always return a response control
reviewed by rich, thanks
diff --git a/ldap/servers/plugins/deref/deref.c b/ldap/servers/plugins/deref/deref.c
index 96d42e6..1bab0ab 100644
--- a/ldap/servers/plugins/deref/deref.c
+++ b/ldap/servers/plugins/deref/deref.c
@@ -591,14 +591,13 @@ deref_values_free(Slapi_ValueSet** results, char** actual_type_name, int buffer_
slapi_vattr_values_free(results, actual_type_name, buffer_flags);
}
-static int
+static void
deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn, const char *derefattr, const char **attrs)
{
char **retattrs = NULL;
Slapi_PBlock *derefpb = NULL;
Slapi_Entry **entries = NULL;
int rc;
- int needcontrol = 0;
/* If the access check on the attributes is done without retrieveing the entry
* it cannot handle acis which need teh entry, eg to apply a targetfilter rule
@@ -628,7 +627,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
"The client does not have permission to read the requested "
"attributes in entry %s\n", derefdn);
} else {
- needcontrol = 1;
ber_printf(ctrlber, "{ss", derefattr, derefdn); /* begin DerefRes + derefAttr + derefVal */
for (ii = 0; retattrs[ii]; ++ii) {
Slapi_Value *sv;
@@ -704,7 +702,6 @@ deref_do_deref_attr(Slapi_PBlock *pb, BerElement *ctrlber, const char *derefdn,
slapi_pblock_destroy(derefpb);
slapi_ch_free((void **)&retattrs); /* retattrs does not own the strings */
- return needcontrol;
}
static int
@@ -718,7 +715,6 @@ deref_pre_entry(Slapi_PBlock *pb)
LDAPControl *ctrl = NULL;
const LDAPControl **searchctrls = NULL;
LDAPControl **newsearchctrls = NULL;
- int needcontrol = 0;
if (!speclist) {
return 0; /* nothing to do */
@@ -762,25 +758,23 @@ deref_pre_entry(Slapi_PBlock *pb)
for (; results && sv; idx = slapi_valueset_next_value(results, idx, &sv)) {
const char *derefdn = slapi_value_get_string(sv);
- needcontrol += deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
+ deref_do_deref_attr(pb, ctrlber, derefdn, spec->derefattr, (const char **)spec->attrs);
}
deref_values_free(&results, &actual_type_name, buffer_flags);
}
ber_printf(ctrlber, "}"); /* end control val */
- if (needcontrol) {
- slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
- /* get the list of controls */
- slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
- /* dup them */
- slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
- /* add our control */
- slapi_add_control_ext(&newsearchctrls, ctrl, 0);
- ctrl = NULL; /* newsearchctrls owns it now */
- /* set the controls in the pblock */
- slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
- }
+ slapi_build_control(LDAP_CONTROL_X_DEREF, ctrlber, 0, &ctrl);
+ /* get the list of controls */
+ slapi_pblock_get(pb, SLAPI_SEARCH_CTRLS, &searchctrls);
+ /* dup them */
+ slapi_add_controls(&newsearchctrls, (LDAPControl **)searchctrls, 1);
+ /* add our control */
+ slapi_add_control_ext(&newsearchctrls, ctrl, 0);
+ ctrl = NULL; /* newsearchctrls owns it now */
+ /* set the controls in the pblock */
+ slapi_pblock_set(pb, SLAPI_SEARCH_CTRLS, newsearchctrls);
ber_free(ctrlber, 1);
return 0;
admserv/newinst man/man8
by Mark Reynolds
admserv/newinst/src/register-ds-admin.pl.in | 704 +++++++++++++++++++++------
admserv/newinst/src/register-ds-admin.res.in | 34 +
man/man8/register-ds-admin.pl.8 | 139 +++++
3 files changed, 713 insertions(+), 164 deletions(-)
New commits:
commit d675f8137534ee7f0aba2a0897e5bf0034d993e1
Author: Mark Reynolds <mreynolds(a)redhat.com>
Date: Wed Sep 10 09:36:50 2014 -0400
Ticket 47548 - register-ds-admin does not register into remote config ds
Bug Description: register-ds-admin.pl cannot register remote servers. This
means you can only administer one system with the 389-console.
Fix Description: Added the ability to register with a remote admin server, or to
register a remote server with the local configuration server.
Also added the "silent" install functionality to the script,
which was stated in the man page that it could do, but in
reality it could not. Updated man page to fully describe
how to use the silent install feature.
https://fedorahosted.org/389/ticket/47548
Reviewed by: nhosoi(Thanks!)
diff --git a/admserv/newinst/src/register-ds-admin.pl.in b/admserv/newinst/src/register-ds-admin.pl.in
index 2f92411..cd0f745 100644
--- a/admserv/newinst/src/register-ds-admin.pl.in
+++ b/admserv/newinst/src/register-ds-admin.pl.in
@@ -77,11 +77,11 @@ sub reg_get_passwd
$setup->msg(0, $key);
}
system("stty -echo");
- my $ans = <STDIN>;
+ my $answer = <STDIN>;
system("stty echo");
print "\n";
- chop($ans);
- return $ans;
+ chop($answer);
+ return $answer;
}
sub reg_get_response
@@ -92,110 +92,287 @@ sub reg_get_response
print("\n==============================================================================\n");
$setup->msg(0, $key, $value);
- my $ans = <STDIN>;
+ my $answer = <STDIN>;
print "\n";
- chop($ans);
- return $ans;
+ chop($answer);
+ return $answer;
}
+#
+# Return the bind dn and password for the matching instance (slapd-localhost)
+# Used by silent install
+#
+sub get_cred_from_inst
+{
+ my $mysetup = shift;
+ my $serverid = shift;
+
+ #
+ # Check the main config instance first
+ #
+ my @config_parts = split('::', $mysetup->{inf}->{register}->{configinst});
+ if ($#config_parts == 2 && $config_parts[0] eq $serverid){
+ return ( $config_parts[1], $config_parts[2] );
+ }
+
+ #
+ # Check the remaining instances
+ #
+ my @insts = $mysetup->{inf}->{register}->{instance};
+ if (@insts){
+ my $i = 0;
+ for (; $i <= $#insts; $i++){
+ my @inst_parts = split('::', $insts[$i]);
+ if($#inst_parts == 2 && $inst_parts[0] eq $serverid){
+ return ( $inst_parts[1], $inst_parts[2] );
+ }
+ }
+ }
+ return ("", "");
+}
+
+#
+# Globals
+#
+my $silent = "no";
+my $remote_host = "";
+my $remote_port = "";
+my $local_certdir = "";
+my $remote_binddn = "";
+my $remote_bindpw = "";
+my $remote_admindomain = "";
+my $localrootdn = "";
+my $localrootpw = "";
+my $destination = ""; # remote | local
+my %instances = ();
+my $instconfigdir;
+my @instconfigdirs;
+my $ans;
+my $passwd;
+my $rootdn;
+my $fqdn = hostname();
+my $dialogmgr;
+my @dialogs;
+my @silent_instances;
+my @config_parts;
+
+#
+# Continue with the setup...
+#
+
my $res = new Resource("@propertydir(a)/register-ds-admin.res",
"@propertydir(a)/setup-ds-admin.res",
"@propertydir(a)/setup-ds.res");
+#
+# Initialize the "setup", check for silent install
+#
my $setup = new Setup($res);
-
-$setup->msg('begin_ds_registration');
-# get existing instances
-my $instconfigdir = $setup->{configdir};
-my %instances = ();
-for my $dir (glob("$setup->{configdir}/slapd-*"))
-{
- if (-d $dir and ($dir !~ /.removed$/))
- {
- my $dname = dirname($dir);
- my $bname = basename($dir);
- push @{$instances{$dname}}, $bname;
+if ($setup->{silent}){
+ #
+ # To be silent we must have "General" & "admin", or just "register" directives
+ #
+ if ( ($setup->{inf}->{General} && $setup->{inf}->{admin}) || $setup->{inf}->{register} ){
+ $silent = "yes";
+ } else {
+ # Missing required silent install directives
+ $setup->msg($FATAL, 'error_silent_install');
+ $setup->doExit(1);
}
}
-# in case Directory Servers are installed at the unexpected location.
-my $done = 0;
-my $ans;
-while ( !$done && ($ans = reg_get_response($setup, 'subds_conf_prompt', "@instconfigdir@")) )
-{
- if ( $ans eq "" || !$ans )
- {
- $done = 1;
+$instconfigdir = $setup->{configdir};
+
+if ($setup->{inf}->{register}){
+ #
+ # We have our remote registration silent install info
+ #
+ # [register]
+ # configinst= slapd-INSTANCE::cn=directory manager::myPassword
+ # instance= slapd-INSTANCE2::cn=directory manager::myPassword
+ # instance= slapd-INSTANCE3::cn=directory manager::myPassword
+ # remotehost= remote.server.com
+ # remoteport= 389
+ # localcertdir= /etc/dirsrv/slapd-INSTANCE
+ # remotebinddn= cn=directory manager
+ # remotebindpw= password
+ # admindn= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
+ # adminpw= password
+ # admindomain= server.com
+ # destination= local|remote
+ #
+
+ #
+ # Validate the silent registration parameters
+ #
+ if ( !$setup->{inf}->{register}->{configinst} || $setup->{inf}->{register}->{configinst} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', "configinst");
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{remotehost} || $setup->{inf}->{register}->{remotehost} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'remotehost');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{remoteport} ||$setup->{inf}->{register}->{remoteport} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'remoteport');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{remotebinddn} || $setup->{inf}->{register}->{remotebinddn} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'remotebinddn');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{remotebindpw} || $setup->{inf}->{register}->{remotebindpw} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'remotebindpw');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{admindomain} || $setup->{inf}->{register}->{admindomain} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'admindomain');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{admindn} || $setup->{inf}->{register}->{admindn} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'admindn');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{adminpw} || $setup->{inf}->{register}->{adminpw} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'adminpw');
+ $setup->doExit(1);
+ }
+ if ( !$setup->{inf}->{register}->{destination} || $setup->{inf}->{register}->{destination} eq ""){
+ $setup->msg($FATAL, 'error_missing_parameter', 'destination');
+ $setup->doExit(1);
+ }
+
+ #
+ # Add the configuration instance to the global instance hash
+ #
+ @config_parts = split('::', $setup->{inf}->{register}->{configinst});
+ if($#config_parts < 2 || $#config_parts > 2){
+ $setup->msg($FATAL, 'error_invalid_parameter', " ($#config_parts configinst: $setup->{inf}->{register}->{configinst}");
+ $setup->doExit(1);
+ }
+
+ if ( -d "$setup->{configdir}/$config_parts[0]"){
+ push @{$instances{$setup->{configdir}}}, $config_parts[0];
+ } else {
+ # config instance not found
+ $setup->msg($FATAL, 'error_invalid_parameter', "configinst: $setup->{configdir}/$config_parts[0] does not exist");
+ $setup->doExit(1);
}
- elsif ( ! -d $ans )
+
+ #
+ # Add the other instances (if any)
+ #
+ @silent_instances = $setup->{inf}->{register}->{instance};
+ if (@silent_instances){
+ my $i = 0;
+ for (; $i <= $#silent_instances; $i++){
+ my @inst_parts = split('::', $silent_instances[$i]);
+ if($#inst_parts < 2 || $#inst_parts > 2){
+ $setup->msg($FATAL, 'error_invalid_parameter', "instance: $silent_instances[$i]");
+ $setup->doExit(1);
+ }
+ push @{$instances{$setup->{configdir}}}, $inst_parts[0];
+ }
+ }
+
+ #
+ # Fill the setup parameters
+ #
+ $setup->{inf}->{slapd}->{RootDN} = $config_parts[1];
+ $setup->{inf}->{slapd}->{RootDNPwd} = $config_parts[2];
+
+ #
+ # Set the remote registration parameters
+ #
+ $remote_host = $setup->{inf}->{register}->{remotehost};
+ $remote_port = $setup->{inf}->{register}->{remoteport};
+ $remote_binddn = $setup->{inf}->{register}->{remotebinddn};
+ $remote_bindpw = $setup->{inf}->{register}->{remotebindpw};
+ $local_certdir = $setup->{inf}->{register}->{localcertdir};
+ $remote_admindomain = $setup->{inf}->{register}->{admindomain};
+ $destination = $setup->{inf}->{register}->{destination};
+ $localrootdn = $config_parts[1];
+ $localrootpw = $config_parts[2];
+}
+
+#
+# Get existing instances (interactive mode)
+#
+$setup->msg('begin_ds_registration');
+if($silent eq "no"){
+ for my $dir (glob("$setup->{configdir}/slapd-*"))
{
- ;
+ if (-d $dir and ($dir !~ /\.removed$/)){
+ my $dname = dirname($dir);
+ my $bname = basename($dir);
+ push @{$instances{$dname}}, $bname;
+ }
}
- elsif ( (basename($ans) =~ /^slapd-/) and ($ans !~ /.removed$/) )
+}
+
+#
+# In case Directory Servers are installed at the unexpected location. (interactive mode)
+#
+if ( $silent eq "no"){
+ my $done = 0;
+ while ( !$done && ($ans = reg_get_response($setup, 'subds_conf_prompt', "@instconfigdir@")) )
{
- my $dname = dirname($ans);
- my $bname = basename($ans);
- if ( exists $instances{$dname} )
- {
- my $addit = 1;
- foreach my $thisslapd ( @{$instances{$dname}} )
- {
- if ( $thisslapd eq $bname )
+ if ( $ans eq "" || !$ans ){
+ $done = 1;
+ } elsif ( ! -d $ans ){
+ ;
+ } elsif ( (basename($ans) =~ /^slapd-/) and ($ans !~ /\.removed$/) ){
+ my $dname = dirname($ans);
+ my $bname = basename($ans);
+ if ( exists $instances{$dname} ){
+ my $addit = 1;
+ foreach my $thisslapd ( @{$instances{$dname}} )
{
- $addit = 0;
- goto out0;
+ if ( $thisslapd eq $bname ){
+ $addit = 0;
+ goto out0;
+ }
}
- }
out0:
- if ( $addit )
- {
+ if ( $addit ){
+ push @{$instances{$dname}}, $bname;
+ }
+ } else {
push @{$instances{$dname}}, $bname;
}
- }
- else
- {
- push @{$instances{$dname}}, $bname;
- }
- }
- else
- {
- $ans =~ s/^\s+//;
- $ans =~ s/[\/\s]+$//;
- my $rc = opendir(DIR, $ans);
- if ( $rc )
- {
- my $file = "";
- while ( defined($file = readdir(DIR)) )
- {
- next if ( !("$file" =~ /^slapd-/) or ($file =~ /.removed$/) );
- if ( exists $instances{$ans} )
+ } else {
+ $ans =~ s/^\s+//;
+ $ans =~ s/[\/\s]+$//;
+ my $rc = opendir(DIR, $ans);
+ if ( $rc ){
+ my $file = "";
+ while ( defined($file = readdir(DIR)) )
{
- my $addit = 1;
- foreach my $thisslapd ( @{$instances{$ans}} )
- {
- if ( $thisslapd eq $file )
+ next if ( !("$file" =~ /^slapd-/) or ($file =~ /\.removed$/) );
+ if ( exists $instances{$ans} ){
+ my $addit = 1;
+ foreach my $thisslapd ( @{$instances{$ans}} )
{
- $addit = 0;
- goto out1;
+ if ( $thisslapd eq $file ){
+ $addit = 0;
+ goto out1;
+ }
}
- }
out1:
- if ( $addit )
- {
+ if ( $addit ){
+ push @{$instances{$ans}}, $file;
+ }
+ } else {
push @{$instances{$ans}}, $file;
}
}
- else
- {
- push @{$instances{$ans}}, $file;
- }
+ closedir(DIR);
}
- closedir(DIR);
}
}
}
-my @instconfigdirs = keys %instances;
+@instconfigdirs = keys %instances;
if ( $#instconfigdirs < 0 )
{
$setup->msg($FATAL, 'error_no_ds');
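Review bot: The fatal messages in the `configinst` and `instance` validation interpolate the whole raw directive into the error text, and by the format documented just above (`slapd-INSTANCE::cn=directory manager::myPassword`) the third field is the Directory Manager password, so a malformed line echoes that password to the terminal and to any captured setup output. Report only the instance name instead: `$setup->msg($FATAL, 'error_invalid_parameter', "configinst: $config_parts[0]");` and `$setup->msg($FATAL, 'error_invalid_parameter', "instance: $inst_parts[0]");` (the first message also carries a stray `(` and a `$#config_parts` count that read like debug leftovers). Separately, `@silent_instances = $setup->{inf}->{register}->{instance};` assigns one scalar into the array; if the inf parser represents repeated `instance=` lines as an array reference, this yields a single element that fails the `::` split check, so it is worth confirming against the parser, and the same pattern appears in `get_cred_from_inst` (`my @insts = ...`).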
@@ -212,7 +389,9 @@ foreach my $c ( @instconfigdirs )
}
}
-# see if there is already a configds
+#
+# See if there is already a configds
+#
my $admConf = AdminUtil::getAdmConf("$instconfigdir/admin-serv");
my @admConfKeys = keys %$admConf;
my $orig_confdsid = "";
@@ -220,9 +399,10 @@ my $new_confdsid = "";
my $new_confdir = "";
my $adminuid = "";
my @errs = ();
-my $fqdn = hostname();
-# set defaults
+#
+# Check for an existing Admin Server, then set the defaults
+#
if ( $#admConfKeys >= 4 ) # admserv.conf, console.conf, httpd.conf, nss.conf
{
# Admin Server is installed; that is Config DS exists, which may be
@@ -240,8 +420,18 @@ if ( $#admConfKeys >= 4 ) # admserv.conf, console.conf, httpd.conf, nss.conf
s/.*:\/\/(.*):[0-9]*\/.*/\1/;
$setup->{inf}->{admin}->{SysUser} = $admConf->{sysuser};
$adminuid = $admConf->{userdn};
+ if($silent eq "yes"){
+ if($setup->{inf}->{register}->{adminpw}){
+ $setup->{inf}->{General}->{ConfigDirectoryAdminPwd} = $setup->{inf}->{register}->{adminpw};
+ }
+ }
+ if (!$setup->{inf}->{admin}->{config_dir}){
+ $setup->{inf}->{admin}->{config_dir} = "$instconfigdir/admin-serv";
+ }
- # read additional config from config DS
+ #
+ # Read additional config from config DS
+ #
my $pset = AdminUtil::getPset($admConf);
if ($pset && %{$pset}) {
$setup->{inf}->{admin}->{Port} = $pset->{"configuration.nsserverport"};
@@ -253,76 +443,88 @@ if ( $#admConfKeys >= 4 ) # admserv.conf, console.conf, httpd.conf, nss.conf
$setup->{inf}->{admin}->{ServerAdminID} = $admpw->{ServerAdminID};
$setup->{inf}->{admin}->{ServerAdminPwd} = $admpw->{ServerAdminPwd};
}
- $setup->{reconfigas} = 1; # allow AS reconfig
-
- my $dialogmgr = new DialogManager($setup, $res, $TYPICAL);
- require RegDSDialogs;
-
- my @dialogs = RegDSDialogs->getDialogs();
-
- $dialogmgr->addDialog(@dialogs);
-
- my $rc = $dialogmgr->run();
- if ($rc)
- {
- $setup->doExit(1);
+ $setup->{reconfigas} = 1; # allow AS reconfig
+ if($silent eq "no"){
+ require RegDSDialogs;
+ my @dialogs = RegDSDialogs->getDialogs();
+ my $dialogmgr = new DialogManager($setup, $res, $TYPICAL);
+ $dialogmgr->addDialog(@dialogs);
+
+ my $rc = $dialogmgr->run();
+ if ($rc)
+ {
+ $setup->doExit(1);
+ }
}
-
$new_confdsid = $setup->{inf}->{slapd}->{ServerIdentifier};
$new_confdir = $setup->{inf}->{slapd}->{config_dir};
my $newinst = "slapd-$new_confdsid";
+
my $inf = createInfFromConfig("$instconfigdir/$newinst", $newinst);
- if ( ! $inf )
+ if ( !$inf )
{
- $setup->msg($FATAL, 'error_create_inf_from_config',
- "$instconfigdir/$newinst");
+ $setup->msg($FATAL, 'error_create_inf_from_config', "$instconfigdir/$newinst");
$setup->doExit(1);
}
-
if ( $orig_confdsid ne $new_confdsid )
{
+ #
# To switch to the new Config DS, unregister the old one
+ #
print("\n==============================================================================\n");
$setup->msg('unregister_old_confds', $orig_confdsid);
- # If we don't have it, prompt for the Admin password
+ #
+ # If we don't have it, prompt for the Admin password. Silent install should have set this
+ #
if (!$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} ||
- "" eq $setup->{inf}->{General}->{ConfigDirectoryAdminPwd})
+ $setup->{inf}->{General}->{ConfigDirectoryAdminPwd} eq "" )
{
$ans = reg_get_passwd($setup, 'input_admin_passwd', $adminuid);
$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} = $ans;
}
while (!unregisterDSWithConfigDS($orig_confdsid, \@errs, $setup->{inf}))
{
+ if($silent eq "yes"){
+ # silent install can not recover from this error
+ $setup->msg($FATAL, 'error_unregister_ds', $orig_confdsid);
+ $setup->doExit(1);
+ }
$setup->msg($FATAL, 'error_unregister_ds', $orig_confdsid);
$ans = reg_get_passwd($setup, 'input_admin_passwd', $adminuid);
$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} = $ans;
@errs = ();
}
- # updating the port number
+ #
+ # Updating the port number
+ #
my $oldport = 0;
my $newport = $inf->{slapd}->{ServerPort};
($oldport = $setup->{inf}->{General}->{ldapurl}) =~ s/.*:([0-9]*)\/.*/\1/;
$setup->{inf}->{General}->{ldapurl} =~ s/$oldport/$newport/;
$setup->{inf}->{General}->{ConfigDirectoryLdapURL} = "ldap://" . $fqdn . ":". $newport . "/o=NetscapeRoot";
}
+ #
# Set the new inf to $setup->{inf}
+ #
$setup->{inf}->{slapd} = $inf->{slapd};
$setup->{inf}->{slapd}->{config_dir} = $instconfigdir;
$setup->{inf}->{slapd}->{Instances} = \%instances;
}
-else
+elsif($silent eq "no")
{
+ #
# Admin Server is not set up.
# %instances has more than one instance
# note: this is orig_confdsid is just a candidate...
+ #
my $orig_confdir = $instconfigdirs[0];
my @orig_confdsids = @{$instances{$orig_confdir}};
($orig_confdsid = $orig_confdsids[0]) =~ s/slapd-(.*)/\1/;
my $originst = "slapd-$orig_confdsid";
my $inf = createInfFromConfig("$orig_confdir/$originst", $originst);
- if ( ! $inf )
+ if ( !$inf )
{
$setup->msg($FATAL, 'error_create_inf_from_config',
"$orig_confdir/$originst");
@@ -333,22 +535,18 @@ else
$setup->{inf}->{slapd}->{config_dir} = $orig_confdir;
$setup->{inf}->{slapd}->{Instances} = \%instances;
- my $dialogmgr = new DialogManager($setup, $res, $TYPICAL);
-
+ $dialogmgr = new DialogManager($setup, $res, $TYPICAL);
require RegDSDialogs;
require SetupDialogs;
require ConfigDSDialogs;
require ASDialogs;
-
- my @dialogs = RegDSDialogs->getDialogs();
-
+ @dialogs = RegDSDialogs->getDialogs();
$dialogmgr->addDialog(@dialogs);
-
my $rc = $dialogmgr->run();
- if ( $rc )
- {
+ if ( $rc ){
$setup->doExit(1);
}
+
$new_confdsid = $setup->{inf}->{slapd}->{ServerIdentifier};
$new_confdir = $setup->{inf}->{slapd}->{config_dir};
if ( $orig_confdsid ne $new_confdsid )
@@ -357,43 +555,65 @@ else
$inf = createInfFromConfig("$instconfigdir/$newinst", $newinst);
if ( ! $inf )
{
- $setup->msg($FATAL, 'error_create_inf_from_config',
- "$instconfigdir/$newinst");
+ $setup->msg($FATAL, 'error_create_inf_from_config', "$instconfigdir/$newinst");
$setup->doExit(1);
}
$setup->{inf}->{slapd} = $inf->{slapd};
$setup->{inf}->{slapd}->{Instances} = \%instances;
}
- $setup->{inf}->{General}->{ConfigDirectoryLdapURL} = "ldap://" . $fqdn . ":". $setup->{inf}->{slapd}->{ServerPort} . "/o=NetscapeRoot";
+ $setup->{inf}->{General}->{ConfigDirectoryLdapURL} = "ldap://" . $fqdn . ":".
+ $setup->{inf}->{slapd}->{ServerPort} . "/o=NetscapeRoot";
$dialogmgr->resetDialog();
@dialogs = SetupDialogs->getRegDialogs();
push @dialogs, ConfigDSDialogs->getRegDialogs();
push @dialogs, ASDialogs->getDialogs();
-
$dialogmgr->addDialog(@dialogs);
-
- $rc = $dialogmgr->run();
- if ( $rc )
- {
+ my $rc = $dialogmgr->run();
+ if ( $rc ) {
$setup->doExit(1);
}
+
$adminuid = $setup->{inf}->{General}->{ConfigDirectoryAdminID};
}
+else
+{
+ #
+ # This is a silent install, fill in any remaining missing values
+ #
+ my $orig_confdir = $new_confdir = $instconfigdirs[0];
+ my @orig_confdsids = @{$instances{$orig_confdir}};
+ ($new_confdsid = $orig_confdsids[0]) =~ s/slapd-(.*)/\1/;
+ my $originst = "slapd-$new_confdsid";
+ my $inf = createInfFromConfig("$orig_confdir/$originst", $originst);
+ if ( !$inf )
+ {
+ $setup->msg($FATAL, 'error_create_inf_from_config',
+ "$orig_confdir/$originst");
+ $setup->doExit(1);
+ }
+ $setup->{inf}->{slapd} = $inf->{slapd};
+ $setup->{inf}->{slapd}->{Instances} = \%instances;
+}
-
-# Get the ConfigDS's rootDN password
+#
+# Add "o=netscaperoot" to the config DS
+#
print("\n==============================================================================\n");
$setup->msg('register_new_confds', $new_confdsid);
-$setup->{inf}->{slapd}->{RootDNPwd} =
- reg_get_passwd($setup, 'input_rootdn_passwd', $new_confdsid);
+
+if ($silent eq "no"){
+ $setup->{inf}->{slapd}->{RootDNPwd} = reg_get_passwd($setup, 'input_rootdn_passwd', $new_confdsid);
+}
if ( ($#admConfKeys >= 0 && ($orig_confdsid ne $new_confdsid)) ||
$#admConfKeys < 0 )
{
@errs = ();
# First, let's register the Configuration Directory itself
+
+ $setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;
while (!createConfigDS($setup->{inf}, \@errs))
{
foreach my $err (@errs)
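Review bot: `$setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw;` runs unconditionally inside the registration block, but `$localrootpw` is only assigned in the silent `[register]` path and stays `""` otherwise, so in interactive mode it overwrites the password just collected by `reg_get_passwd` and the first `createConfigDS` call is made with an empty password (the retry path presumably re-prompts, unless the error list takes the `goto out` branch). Guard it so it only applies when a value was actually supplied: `$setup->{inf}->{slapd}->{RootDNPwd} = $localrootpw if ($localrootpw ne "");`. The retry prompts in the following hunk (`input_rootdn_passwd` and `input_admin_passwd`) also have no `$silent eq "yes"` exit like the later loops do, so a silent run that reaches them blocks on stdin instead of failing. The `while (!createConfigDS ...)` loop continues outside this hunk.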
@@ -403,17 +623,22 @@ if ( ($#admConfKeys >= 0 && ($orig_confdsid ne $new_confdsid)) ||
goto out;
}
}
- $setup->{inf}->{slapd}->{RootDNPwd} =
- reg_get_passwd($setup, 'input_rootdn_passwd', $new_confdsid);
+ if(!$setup->{inf}->{slapd}->{RootDNPwd} || $setup->{inf}->{slapd}->{RootDNPwd} eq ""){
+ # silent install should have set this
+ $setup->{inf}->{slapd}->{RootDNPwd} = reg_get_passwd($setup, 'input_rootdn_passwd', $new_confdsid);
+ }
@errs = ();
}
out:
}
+#
# If we don't have it, prompt for the Admin password
+#
if (!$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} ||
- "" eq $setup->{inf}->{General}->{ConfigDirectoryAdminPwd})
+ $setup->{inf}->{General}->{ConfigDirectoryAdminPwd} eq "")
{
+ # silent install should have set this
$ans = reg_get_passwd($setup, 'input_admin_passwd', $adminuid);
$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} = $ans;
}
@@ -421,6 +646,11 @@ if (!$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} ||
@errs = ();
while (!registerDSWithConfigDS($new_confdsid, \@errs, $setup->{inf}))
{
+ if($silent eq "yes"){
+ # silent install can not recover
+ $setup->msg($FATAL, 'error_register_configds', $new_confdsid);
+ $setup->doExit(1);
+ }
$setup->msg($WARN, 'error_register_configds', $new_confdsid);
$ans = reg_get_passwd($setup, 'input_admin_passwd', $adminuid);
$setup->{inf}->{General}->{ConfigDirectoryAdminPwd} = $ans;
@@ -428,7 +658,10 @@ while (!registerDSWithConfigDS($new_confdsid, \@errs, $setup->{inf}))
}
my $hassubinst = 0;
+
+#
# Then, register the rest of the Directory Servers, if any
+#
my %subinstances = (); # hash without the Config DS
%instances = %{$setup->{inf}->{slapd}->{Instances}};
foreach my $subconfdir (keys %instances)
@@ -439,28 +672,37 @@ foreach my $subconfdir (keys %instances)
if ( ("$subinst" ne "slapd-" . $new_confdsid) ||
($subconfdir ne $new_confdir) )
{
- if ( 0 == $hassubinst )
- {
+ if ( 0 == $hassubinst){
$hassubinst = 1;
print("\n==============================================================================\n");
$setup->msg('register_subds');
}
my $subid = $subinst;
$subid =~ s/slapd-//;
- my $passwd =
- reg_get_passwd($setup, 'input_rootdn_passwd_sub', $subid, $subid);
+
+ if ($silent eq "yes"){
+ # Get the password from silent install config
+ ($rootdn, $passwd) = get_cred_from_inst($setup, $subinst);
+ if($rootdn ne ""){
+ $setup->{inf}->{slapd}->{RootDN} = $rootdn;
+ }
+ } else {
+ $passwd = reg_get_passwd($setup, 'input_rootdn_passwd_sub', $subid, $subid);
+ }
+
# if the password is not given, we don't register the server
next if ( "" eq $passwd || !$passwd );
+
my $subinf = createInfFromConfig("$subconfdir/$subinst", $subinst);
- if ( ! $subinf )
- {
- $setup->msg($FATAL, 'error_create_inf_from_config',
- "$subconfdir/$subinst");
+ if ( !$subinf ){
+ $setup->msg($FATAL, 'error_create_inf_from_config', "$subconfdir/$subinst");
}
else
{
+ #
# If we're switching the config DS, we want to force updating the
# PTA plug-in since it's configured for the old config DS.
+ #
my $force_pta = 0;
if ( $orig_confdsid ne $new_confdsid ) {
$force_pta = 1;
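Review bot: The `$setup->{inf}->{slapd}->{RootDN} = $rootdn;` assignment in the silent branch appears to be dead: a few lines later (context in the next hunk) `$setup->{inf}->{slapd} = $subinf->{slapd};` replaces the whole hash and only `RootDNPwd` is re-applied from `$passwd`, so the bind DN given in the `instance=` directive is never used for `createSubDS`. If the configured DN is meant to override the one read from the instance config, set it after that assignment next to the password line: `$setup->{inf}->{slapd}->{RootDN} = $rootdn if ($silent eq "yes" && $rootdn ne "");`. A short comment on the silent branch saying that `get_cred_from_inst` returns `("", "")` when the instance is not listed, which makes the `next if` below skip it silently, would also help. The enclosing `foreach` starts before this hunk.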
@@ -469,19 +711,20 @@ foreach my $subconfdir (keys %instances)
$setup->{inf}->{slapd} = $subinf->{slapd};
$setup->{inf}->{slapd}->{RootDNPwd} = $passwd;
push @{$subinstances{$subconfdir}}, $subinst;
- $done = 0;
+ my $done = 0;
while ( !$done && !createSubDS($setup->{inf}, \@errs, $force_pta) )
{
$setup->msg($FATAL, @errs);
+ if($silent eq "yes"){
+ # silent install can not recover
+ $setup->doExit(1);
+ }
$passwd = reg_get_passwd($setup, 'input_rootdn_passwd_sub',
$subid, $subid);
- if ( "" eq $passwd || !$passwd )
- {
+ if ( "" eq $passwd || !$passwd ){
$done = 1;
pop @{$subinstances{$subconfdir}};
- }
- else
- {
+ } else {
$setup->{inf}->{slapd}->{RootDNPwd} = $passwd;
}
}
@@ -502,49 +745,208 @@ foreach my $subconfdir (keys %instances)
}
my @subkeys = keys %subinstances;
-if ( $#subkeys >= 0 )
-{
+if ( $#subkeys >= 0 ){
@errs = ();
- if ( !registerScatteredDSWithConfigDS($setup->{inf}, \@errs, \%subinstances) )
- {
+ if ( !registerScatteredDSWithConfigDS($setup->{inf}, \@errs, \%subinstances) ){
$setup->msg($FATAL, @errs);
$setup->doExit(1);
}
}
+#
# Configure and register the admin server instance.
# Generate a new inf for the config DS and override
# the old slapd data from the last instance we registered.
+#
+print("\n==============================================================================\n");
$new_confdir = $setup->{inf}->{slapd}->{config_dir};
my $newinst = "slapd-$new_confdsid";
my $inf = createInfFromConfig("$instconfigdir/$newinst", $newinst);
-if ( ! $inf )
+if ( !$inf )
{
$setup->msg($FATAL, 'error_create_inf_from_config', "$instconfigdir/$newinst");
$setup->doExit(1);
}
$setup->{inf}->{slapd} = $inf->{slapd};
-# need these manually set these 2 parameters
+# need to manually set these 2 parameters
$setup->{inf}->{slapd}->{UseExistingMC} = "yes";
$setup->{inf}->{slapd}->{SlapdConfigForMC} = "yes";
if ( !$setup->{reconfigas} )
{
- if ( !createAdminServer($setup) )
- {
+ if ( !createAdminServer($setup) ){
$setup->msg($FATAL, 'error_create_adminserver');
$setup->doExit(1);
}
+} else {
+ if ( !reconfigAdminServer($setup) ){
+ $setup->msg($FATAL, 'error_reconfig_adminserver');
+ $setup->doExit(1);
+ }
}
-else
+
+#
+# Check if we are registering to a remote config, or adding a instance to our local config
+#
+if ($silent eq "no")
{
- if ( !reconfigAdminServer($setup) )
+ print("\n==============================================================================\n");
+ $setup->msg(0, 'remote_register_local_prompt');
+ my $answer;
+ chomp($answer = <>);
+ if ($answer eq "y"){
+ $destination = "local";
+ } else {
+ print("\n==============================================================================\n");
+ $setup->msg(0, 'remote_register_remote_prompt');
+ chomp($answer = <>);
+ if ($answer eq "y")
+ {
+ $destination = "remote";
+ }
+ }
+ if($destination ne "")
{
- $setup->msg($FATAL, 'error_reconfig_adminserver');
+ print "\n";
+ $setup->msg(0, 'remote_prompt', "hostname");
+ while($remote_host eq ""){
+ chomp($remote_host = <>);
+ }
+
+ $setup->msg(0, 'remote_prompt', "port");
+ while($remote_port eq ""){
+ chomp($remote_port = <>);
+ }
+
+ $setup->msg(0, 'remote_prompt', "bind DN");
+ while($remote_binddn eq ""){
+ chomp($remote_binddn = <>);
+ }
+
+ $setup->msg(0, 'remote_prompt', "bind password");
+ while($remote_bindpw eq ""){
+ chomp($remote_bindpw = <>);
+ }
+
+ $setup->msg(0, 'remote_conn_use_ssl');
+ chomp($local_certdir = <>);
+
+ $setup->msg(0, 'remote_prompt', "admin domain[$setup->{inf}->{General}->{AdminDomain}]");
+ chomp($remote_admindomain = <>);
+ if ($remote_admindomain eq ""){
+ $remote_admindomain = $setup->{inf}->{General}->{AdminDomain};
+ }
+ }
+}
+
+#
+# We are registering with a remote server(locally or remotely)
+#
+# So we search the origin o=netscaperoot (admin domain), and simply add
+# those entries to the destination config server.
+#
+if($remote_host)
+{
+ #
+ # Open connections to remote and local servers
+ #
+ my $connRemote = new Mozilla::LDAP::Conn($remote_host,
+ $remote_port,
+ $remote_binddn,
+ $remote_bindpw,
+ $local_certdir);
+ my $errstr = "Success";
+ if ($connRemote) {
+ $errstr = $connRemote->getErrorString();
+ }
+ if (!$connRemote or ($errstr ne "Success")) {
+ # error
+ if ($errstr eq "Success"){
+ $errstr = "";
+ }
+ $setup->msg($FATAL, 'error_connection', $remote_host, $errstr);
+ $setup->msg($FATAL, 'remote_register_error');
+ $setup->doExit(1);
+ }
+
+ #
+ # Open a connection to the local server
+ #
+ my $connLocal = new Mozilla::LDAP::Conn($fqdn, $inf->{slapd}->{ServerPort}, $localrootdn, $localrootpw);
+ if ($connLocal) {
+ $errstr = $connLocal->getErrorString();
+ }
+ if (!$connLocal or ($errstr ne "Success")) {
+ # error
+ if ($errstr eq "Success"){
+ $errstr = "";
+ }
+ $setup->msg($FATAL, 'error_connection', $fqdn, $errstr);
+ $setup->msg($FATAL, 'remote_register_error');
$setup->doExit(1);
}
+
+ if ($destination eq "local"){
+ #
+ # Register a remote server with our local configuration server
+ #
+ print "Searching local configuration server...\n";
+ my $entry = $connRemote->search("ou=$remote_admindomain,o=netscaperoot", "sub", "(objectclass=*)");
+ if (!$entry){
+ $setup->msg($FATAL, 'error_operation', "searching" ,"ou=$remote_admindomain,o=netscaperoot", $connLocal->getErrorString());
+ $connLocal->close();
+ $connRemote->close();
+ $setup->doExit(1);
+ } else {
+ print "Adding remote configuration entries to local configuration server...\n";
+ while ($entry){
+ $connLocal->add($entry);
+ if($connLocal->getErrorCode() != 0 && $connLocal->getErrorCode() != 68){
+ $setup->msg($FATAL, 'error_operation', 'adding', $entry->getDN(), $connLocal->getErrorString());
+ $setup->msg($FATAL, 'remote_register_error');
+ $connLocal->close();
+ $connRemote->close();
+ $setup->doExit(1);
+ }
+ $entry = $connRemote->nextEntry();
+ }
+ }
+ $setup->msg(0, 'remote_register_completed', $remote_host, $fqdn );
+ } else {
+ #
+ # Register our local server with a remote configuration server
+ #
+ print "Searching remote configuration server...\n";
+ my $entry = $connLocal->search("ou=$setup->{inf}->{General}->{AdminDomain},o=netscaperoot", "sub", "(objectclass=*)");
+ if (!$entry){
+ $setup->msg($FATAL, 'error_operation', "searching", $entry->getDN(), $connLocal->getErrorString());
+ $setup->msg($FATAL, 'remote_register_error');
+ $connLocal->close();
+ $connRemote->close();
+ $setup->doExit(1);
+ } else {
+ print "Adding local configuration entries to remote configuration server...\n";
+ while ($entry){
+ $connRemote->add($entry);
+ if($connRemote->getErrorCode() != 0 && $connRemote->getErrorCode() != 68){
+ $setup->msg($FATAL, 'error_connection', 'adding', $entry->getDN(), $connRemote->getErrorString());
+ $setup->msg($FATAL, 'remote_register_error');
+ $connLocal->close();
+ $connRemote->close();
+ $setup->doExit(1);
+ }
+ $entry = $connLocal->nextEntry();
+ }
+ }
+ $setup->msg(0, 'remote_register_completed', $setup->{inf}->{General}->{FullMachineName}, $remote_host );
+ }
+
+ # Close up our connections
+ $connLocal->close();
+ $connRemote->close();
}
-$setup->msg('end_ds_registration');
+print("\n==============================================================================\n");
+$setup->msg('end_ds_registration');
$setup->doExit(0);
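Review bot: The local connection `new Mozilla::LDAP::Conn($fqdn, $inf->{slapd}->{ServerPort}, $localrootdn, $localrootpw)` uses globals that are only populated in the silent `[register]` path; in the interactive branch added just above they are still `""`, so the local bind is effectively anonymous and the following search/add under `o=netscaperoot` will presumably be rejected rather than reported clearly — the interactive branch should collect the local root DN and password (for example via `reg_get_passwd`, since the earlier `$setup->{inf}->{slapd}` assignment drops the password entered before) before the connection is opened. In the `destination ne "local"` branch, the `if (!$entry)` error path calls `$entry->getDN()` on an undefined value and dies before the message is printed; use the search base string as the `local` branch does, and that `local` branch's search-failure message should report `$connRemote->getErrorString()` since the search ran on `$connRemote`. The remote bind password is read with `chomp($remote_bindpw = <>)` while terminal echo is on, unlike `reg_get_passwd`, which wraps the read in `stty -echo`; routing it through that helper avoids displaying the password. Note also that `<>` reads from files named in `@ARGV` if any remain after option parsing, so `<STDIN>` is the safer choice for these prompts.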
diff --git a/admserv/newinst/src/register-ds-admin.res.in b/admserv/newinst/src/register-ds-admin.res.in
index df022bf..99cb3e3 100644
--- a/admserv/newinst/src/register-ds-admin.res.in
+++ b/admserv/newinst/src/register-ds-admin.res.in
@@ -1,6 +1,6 @@
-begin_ds_registration = Beginning registration of the Directory Server
+begin_ds_registration = Beginning registration of the Directory Server\n
-use_existing_configds_txt = Do you want to use this server as Configuration Directory Server?\n\n
+use_existing_configds_txt = Do you want to use this server as Configuration Directory Server? \n\n
subds_conf_prompt = The Directory Server locates its configuration file (dse.ldif) at %s/slapd-ID, by default. If you have Directory Server(s) which configuration file is put at the other location, you need to input it to register the server.\n\nIf you have such Directory Server, type the full path that stores the configuration file.\n\nIf you don't, type return.\n[configuration directory path or return]:
@@ -10,9 +10,9 @@ unregister_old_confds = Cleaning up old Config DS: %s\n
register_new_confds = Registering new Config DS: %s\n
-register_subds = Registering Sub DSes:
+register_subds = Registering Sub Directory Servers:\n
-end_ds_registration = Finished registration of the Directory Server
+end_ds_registration = Finished registration of the Directory Server\n
input_rootdn_passwd = Input the Directory Manager password on the server %s:
@@ -40,4 +40,28 @@ error_register_subds = Error: failed to register the additional server info to t
error_unregister_ds = Error: failed to clean up the configuration info from the old Configuration\nDirectory Server %s.\n
-post_create_subds = Instance '%s' was registered.\n\nYou must restart '%s' in order to complete console registration.\n
+post_create_subds = Instance '%s' was successfully registered.\n
+
+error_missing_parameter = Silent install file missing required parameter '%s'\n
+
+error_invalid_parameter = Silent install parameter '%s' is invalid\n
+
+error_connection = Error connecting to host '%s' - %s\n
+
+error_operation = Error while %s entry '%s' - %s\n
+
+error_silent_install = Silent setup misconfiguration. Must have 'General' and 'admin', or 'register' directives\n
+
+remote_register_error = The remote registration process failed!\n
+
+remote_register_local_prompt = Do you want to register a remote server with the local configuration server (y/n)?
+
+remote_register_remote_prompt = Do you want to register with a remote configuration server (y/n)?
+
+remote_register_direction = Register local servers to
+
+remote_prompt = Enter Remote %s:
+
+remote_conn_use_ssl = If using SSL, enter certificate db directory:
+
+remote_register_completed = Successfully registered host '%s' with the configuration server on '%s'.\n
diff --git a/man/man8/register-ds-admin.pl.8 b/man/man8/register-ds-admin.pl.8
index a54537c..eb85bba 100644
--- a/man/man8/register-ds-admin.pl.8
+++ b/man/man8/register-ds-admin.pl.8
@@ -21,11 +21,15 @@ register\-ds\-admin.pl \- Registers Directory Server instances with an Admin Ser
.B register-ds-admin.pl
[\fI--options\fR] \fI-- \fR[\fIargs\fR]
.SH DESCRIPTION
-Registers existing Directory Server instances with an existing Admin Server.
-This command does the set up necessary for the use of the Console to manage
-the Directory Server instances you are registering.
+Registers existing Directory Server instances with an existing Admin Server.
+This command does the set up necessary for the use of the Console to manage
+the Directory Server instances you are registering. You can register remote
+Directory Server instances to a local Admin Server, as well as register local
+Directory Server instances with a remote Admin Server - this allows a single
+console/Admin Server to manage all your Directory Servers on your network.
-Use this command with the \fB--update\fR option after an upgrade to refresh the server information (version, build number, etc.) in the Console.
+Use this command with the \fB--update\fR option after an upgrade to refresh
+ the server information (version, build number, etc.) in the Console.
Can be run in interactive mode with different levels of verbosity, or
in silent mode with parameters supplied in a .inf format file or
@@ -64,8 +68,9 @@ Update an existing installation (e.g. after upgrading packages)
.B \fB\-\-continue
(update only) keep going despite errors (also --force)
.PP
-For all options, you can also use the short name e.g. \fB\-h\fR, \fB\-d\fR, etc. For the \fB\-d\fR argument,
-specifying it more than once will increase the debug level e.g. \fB\-ddddd\fR
+For all options, you can also use the short name e.g. \fB\-h\fR, \fB\-d\fR, etc.
+For the \fB\-d\fR argument, specifying it more than once will increase the debug
+level e.g. \fB\-ddddd\fR
.PP
args:
You can supply default .inf data in this format:
@@ -78,10 +83,128 @@ General.FullMachineName=foo.example.com
.PP
or
.IP
-"slapd.Suffix=dc=example, dc=com"
+"slapd.Suffix=dc=example,dc=com"
.PP
-Values passed in this manner will override values in an .inf file given with the \fB\-f\fR argument.
+Values passed in this manner will override values in an .inf file given with
+the \fB\-f\fR argument.
+
+.SH Silent Mode (.inf file)
+.PP
+Here is an example of an .inf file that registers a local Directory Server instance with a remote server over SSL:
+.IP
+[General]
+.br
+FullMachineName= localhost.localdomain
+.br
+SuiteSpotUserID= nobody
+.br
+SuiteSpotGroup= nobody
+.br
+AdminDomain= redhat.com
+.br
+ConfigDirectoryAdminID= admin
+.br
+ConfigDirectoryAdminPwd= admin
+.br
+ConfigDirectoryLdapURL= ldap://localhost.localdomain:389/o=NetscapeRoot
+.br
+
+.br
+[admin]
+.br
+Port= 9830
+.br
+ServerIpAddress= 127.0.0.1
+.br
+ServerAdminID= admin
+.br
+ServerAdminPwd= password
+.br
+
+.br
+[register]
+.br
+configinst= slapd-localhost::cn=directory manager::password
+.br
+instance= slapd-replica::cn=directory manager::password
+.br
+remotehost= ldap.redhat.com
+.br
+remoteport= 636
+.br
+remotebinddn= cn=directory manager
+.br
+remotebindpw= password
+.br
+localcertdir= /etc/dirsrv/slapd-localhost
+.br
+admindomain= redhat.com
+.br
+admindn= uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
+.br
+adminpw= password
+.br
+destination= remote
+.br
+
+.br
+The above .inf will install a local admin server and then store its configuration (o=netscaperoot)
+in the "config" instance. The second local Directory Server instance, slapd-replica, is also
+added the configuration server. Then this server's configuration to added to the
+remote configuration server on ldap.redhat.com
+.PP
+The \fB[register]\fR directive parameter descriptions:
+.TP
+.B configinst\fR = INSTANCE::BIND_DN::PASSWORD\fR
+.br
+.IP
+.I INSTANCE\fR = The server where the existing configuration exists, or the server where you want
+to add the configuration to. The value takes the form of slapd-INSTANCE.
+.br
+.I BIND_DN\fR = The root DN, usually \*(lqcn=directory manager\*(rq, for the local configuration server.
+.br
+.I PASSWORD\fR = the root DN password.
+.TP
+.B instance\fR = INSTANCE::BIND_DN::PASSWORD\fR
+.br
+.IP
+.I INSTANCE\fR = Additional local Directory Server instance that should be added to the
+configuration server. The value takes the form of slapd-INSTANCE.
+.br
+.I BIND_DN\fR = The root DN, usually \*(lqcn=directory manager\*(rq, for the local server.
+.br
+.I PASSWORD\fR = the root DN password.
+.br
+
+This is an optional parameter for specifying other local Directory Server instances to register with the
+configuration server.
+.br
+.TP
+.B remotehost\fR = The FQDN of the remote server. This is either the rmeote server we
+registering with, or the remote server that is being registered with the local configuration
+server.
+.TP
+.B remoteport\fR = The port of the remote server.
+.TP
+.B remotebinddn\fR = The bind DN, preferrably the root DN, to connect to the remote server.
+.TP
+.B remotebinddn\fR = The password for the remotebinddn entry.
+.TP
+.B localcertdir\fR = The directory of the certificate database files (e.g. cert8.db, key3.db). This
+optional parameter is only used if connecting to the remote server over SSL.
+.TP
+.B admindomain\fR = The admin domain of the remote configuration server.
+.TP
+.B admindn\fR = The local administrator DN for o=netscaperoot
+.TP
+.B adminpw\fR = The local administrator password.
+.TP
+.B destination\fR = \fBlocal\fR, or \fBremote\fR
+.br
+.IP
+.I local\fR = Registers the remote server with the local configuration server.
.br
+.I remote\fR = Registers the local server with the remote configuration server.
.SH AUTHOR
register-ds-admin.pl was written by the 389 Project.
.SH "REPORTING BUGS"
Branch '389-ds-base-1.3.3' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/tools/migratecred.c | 13 ++++++++++++-
ldap/servers/slapd/tools/rsearch/nametable.c | 13 ++++++++-----
2 files changed, 20 insertions(+), 6 deletions(-)
New commits:
commit aa8ff4b066243f68175f2e664239b7db8747e1d1
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 9 14:27:40 2014 -0700
Ticket #47890 - minor memory leaks in utilities
Description:
tools/rsearch/nametable.c - if nt_push fails and the strdup'ed
string is not pushed to the table,
free the string.
tools/migratecred.c - free strdup'ed strings oldpath, newpath,
prefixCred, and pluginpath at the end of
the process.
https://fedorahosted.org/389/ticket/47890
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
(cherry picked from commit 1279f0e0fe1d0f5456e42ef5b7a9f395f793cc9e)
diff --git a/ldap/servers/slapd/tools/migratecred.c b/ldap/servers/slapd/tools/migratecred.c
index 085a21a..c1e37bf 100644
--- a/ldap/servers/slapd/tools/migratecred.c
+++ b/ldap/servers/slapd/tools/migratecred.c
@@ -163,6 +163,10 @@ main( int argc, char **argv)
if ( !oldpath || !newpath || !cred )
{
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
usage(cmd);
}
@@ -208,6 +212,10 @@ main( int argc, char **argv)
"DES Plugin", 1 /* report errors */ );
if ( fct == NULL )
{
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
usage(cmd);
return(1);
}
@@ -215,7 +223,10 @@ main( int argc, char **argv)
newcred = (fct)(oldpath, newpath, cred);
fprintf(stdout, "%s", newcred);
-
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
return(0);
}
diff --git a/ldap/servers/slapd/tools/rsearch/nametable.c b/ldap/servers/slapd/tools/rsearch/nametable.c
index e5d04cd..03a6ae1 100644
--- a/ldap/servers/slapd/tools/rsearch/nametable.c
+++ b/ldap/servers/slapd/tools/rsearch/nametable.c
@@ -152,11 +152,14 @@ int nt_load(NameTable *nt, const char *filename)
if (!fd) return 0;
while (PR_Available(fd) > 0) {
- char temp[4096], *s;
- if (PR_GetLine(fd, temp, sizeof(temp))) break;
- s = strdup(temp);
- if (!s) break;
- if (!nt_push(nt, s)) break;
+ char temp[4096], *s;
+ if (PR_GetLine(fd, temp, sizeof(temp))) break;
+ s = strdup(temp);
+ if (!s) break;
+ if (!nt_push(nt, s)) {
+ free(s);
+ break;
+ }
}
PR_Close(fd);
return nt->size;
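Review bot: The new `free(s)` on the nt_push failure path is correct, but all three `break` paths (PR_GetLine failure, strdup failure, nt_push failure) still stop loading silently, and because `return nt->size;` is also the success value the caller cannot distinguish a partial load from a complete one; nt_push's contract is not visible here, so whether its failure is expected is inferred. A short diagnostic on the two allocation-failure breaks, e.g. `perror("nt_load");` before `break;`, would make a truncated name table visible. The hunk also re-indents the unchanged lines in the loop body together with the functional change, which makes the real fix harder to spot; separating whitespace-only changes would help review. The same applies to the identical hunk of commit 1279f0e0 (lines 2637-2655). nt_load starts outside this hunk.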
ldap/servers
by Noriko Hosoi
ldap/servers/slapd/tools/migratecred.c | 13 ++++++++++++-
ldap/servers/slapd/tools/rsearch/nametable.c | 13 ++++++++-----
2 files changed, 20 insertions(+), 6 deletions(-)
New commits:
commit 1279f0e0fe1d0f5456e42ef5b7a9f395f793cc9e
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Sep 9 14:27:40 2014 -0700
Ticket #47890 - minor memory leaks in utilities
Description:
tools/rsearch/nametable.c - if nt_push fails and the strdup'ed
string is not pushed to the table,
free the string.
tools/migratecred.c - free strdup'ed strings oldpath, newpath,
prefixCred, and pluginpath at the end of
the process.
https://fedorahosted.org/389/ticket/47890
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/ldap/servers/slapd/tools/migratecred.c b/ldap/servers/slapd/tools/migratecred.c
index 085a21a..c1e37bf 100644
--- a/ldap/servers/slapd/tools/migratecred.c
+++ b/ldap/servers/slapd/tools/migratecred.c
@@ -163,6 +163,10 @@ main( int argc, char **argv)
if ( !oldpath || !newpath || !cred )
{
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
usage(cmd);
}
@@ -208,6 +212,10 @@ main( int argc, char **argv)
"DES Plugin", 1 /* report errors */ );
if ( fct == NULL )
{
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
usage(cmd);
return(1);
}
@@ -215,7 +223,10 @@ main( int argc, char **argv)
newcred = (fct)(oldpath, newpath, cred);
fprintf(stdout, "%s", newcred);
-
+ free(oldpath);
+ free(newpath);
+ free(prefixCred);
+ free(pluginpath);
return(0);
}
diff --git a/ldap/servers/slapd/tools/rsearch/nametable.c b/ldap/servers/slapd/tools/rsearch/nametable.c
index e5d04cd..03a6ae1 100644
--- a/ldap/servers/slapd/tools/rsearch/nametable.c
+++ b/ldap/servers/slapd/tools/rsearch/nametable.c
@@ -152,11 +152,14 @@ int nt_load(NameTable *nt, const char *filename)
if (!fd) return 0;
while (PR_Available(fd) > 0) {
- char temp[4096], *s;
- if (PR_GetLine(fd, temp, sizeof(temp))) break;
- s = strdup(temp);
- if (!s) break;
- if (!nt_push(nt, s)) break;
+ char temp[4096], *s;
+ if (PR_GetLine(fd, temp, sizeof(temp))) break;
+ s = strdup(temp);
+ if (!s) break;
+ if (!nt_push(nt, s)) {
+ free(s);
+ break;
+ }
}
PR_Close(fd);
return nt->size;
Branch '389-ds-base-1.3.2' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_add.c | 59 +++++++++++++++++++++++---------
1 file changed, 43 insertions(+), 16 deletions(-)
New commits:
commit 6eec63fcee40aff22ed3555a274bcc67b42f6df6
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Sep 8 14:29:29 2014 -0700
Ticket #47834 - Tombstone_to_glue: if parents are also converted to glue, the target entry's DN must be adjusted.
Description: Previous fix for the ticket #47834 broke the CI test case
47815.
The fix for 47815 removed the addingentry from the entry cache if
SLAPI_PLUGIN_BE_TXN_POST_ADD_FN failed. The #47834 patch accidentally
deleted the code.
Instead of adding it back, this patch moves the deletion of the entry
from the entry cache to cover both cases SLAPI_PLUGIN_BE_TXN_POST_ADD
_FN succeeds or fails.
https://fedorahosted.org/389/ticket/47834
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
(cherry picked from commit 7db4fa90caa543b59352046138f453236c0fd652)
(cherry picked from commit 78fdd6165cb2c9da4e30452ebdcdcf7aad3d30c7)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_add.c b/ldap/servers/slapd/back-ldbm/ldbm_add.c
index 5854ebc..171a6b1 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_add.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_add.c
@@ -1158,21 +1158,6 @@ error_return:
{
next_id_return( be, addingentry->ep_id );
}
- if ( addingentry )
- {
- if (inst && cache_is_in_cache(&inst->inst_cache, addingentry)) {
- CACHE_REMOVE(&inst->inst_cache, addingentry);
- /* tell frontend not to free this entry */
- slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
- }
- else if (!cache_has_otherref(&inst->inst_cache, addingentry))
- {
- if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
- backentry_clear_entry(addingentry); /* e is released in the frontend */
- }
- }
- CACHE_RETURN( &inst->inst_cache, &addingentry );
- }
if (rc == DB_RUNRECOVERY) {
dblayer_remember_disk_filled(li);
ldbm_nasty("Add",80,rc);
@@ -1193,6 +1178,20 @@ error_return:
}
diskfull_return:
if (disk_full) {
+ if ( addingentry ) {
+ if (inst && cache_is_in_cache(&inst->inst_cache, addingentry)) {
+ CACHE_REMOVE(&inst->inst_cache, addingentry);
+ /* tell frontend not to free this entry */
+ slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
+ }
+ else if (!cache_has_otherref(&inst->inst_cache, addingentry))
+ {
+ if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
+ backentry_clear_entry(addingentry); /* e is released in the frontend */
+ }
+ }
+ CACHE_RETURN( &inst->inst_cache, &addingentry );
+ }
rc = return_on_disk_full(li);
} else {
/* It is safer not to abort when the transaction is not started. */
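Review bot: The fourteen-line cache-release block is now copied verbatim into three branches (disk-full here, and the txn-abort and no-txn branches of the next hunk, lines 2730-2743 and 2751-2764), so any later fix to one copy is likely to miss the others; a static helper called from all three paths would keep them identical. In every copy the first branch guards on `inst &&`, while the else-if and `CACHE_RETURN(&inst->inst_cache, ...)` dereference inst unguarded, so either inst cannot be NULL here and the guard is dead, or it can and those two lines crash on that path; which one holds is not visible in the hunk. The helper below preserves the current behaviour, including that guard, and only removes the duplication. The error_return/diskfull_return section of ldbm_back_add starts before this hunk and ends after the next one.
```c
/* Release addingentry from the entry cache on the error path.  Shared by the
 * disk-full, txn-abort and no-txn branches below error_return so the three
 * copies cannot drift apart. */
static void
ldbm_add_release_addingentry(Slapi_PBlock *pb, ldbm_instance *inst,
                             struct backentry **addingentry, int is_resurect_operation)
{
    if (!*addingentry) {
        return;
    }
    if (inst && cache_is_in_cache(&inst->inst_cache, *addingentry)) {
        CACHE_REMOVE(&inst->inst_cache, *addingentry);
        /* tell frontend not to free this entry */
        slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
    } else if (!cache_has_otherref(&inst->inst_cache, *addingentry)) {
        if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
            backentry_clear_entry(*addingentry); /* e is released in the frontend */
        }
    }
    CACHE_RETURN(&inst->inst_cache, addingentry);
}

/* … unchanged: error_return up to diskfull_return … */
    if (disk_full) {
        ldbm_add_release_addingentry(pb, inst, &addingentry, is_resurect_operation);
        rc = return_on_disk_full(li);
/* … unchanged: the txn-abort and no-txn branches make the same call in place of their copies … */
```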
@@ -1226,13 +1225,41 @@ diskfull_return:
}
slapi_pblock_get(pb, SLAPI_PB_RESULT_TEXT, &ldap_result_message);
}
-
+ if ( addingentry ) {
+ if (inst && cache_is_in_cache(&inst->inst_cache, addingentry)) {
+ CACHE_REMOVE(&inst->inst_cache, addingentry);
+ /* tell frontend not to free this entry */
+ slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
+ }
+ else if (!cache_has_otherref(&inst->inst_cache, addingentry))
+ {
+ if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
+ backentry_clear_entry(addingentry); /* e is released in the frontend */
+ }
+ }
+ CACHE_RETURN( &inst->inst_cache, &addingentry );
+ }
/* Release SERIAL LOCK */
if (!noabort) {
dblayer_txn_abort(be, &txn); /* abort crashes in case disk full */
}
/* txn is no longer valid - reset the txn pointer to the parent */
slapi_pblock_set(pb, SLAPI_TXN, parent_txn);
+ } else {
+ if ( addingentry ) {
+ if (inst && cache_is_in_cache(&inst->inst_cache, addingentry)) {
+ CACHE_REMOVE(&inst->inst_cache, addingentry);
+ /* tell frontend not to free this entry */
+ slapi_pblock_set(pb, SLAPI_ADD_ENTRY, NULL);
+ }
+ else if (!cache_has_otherref(&inst->inst_cache, addingentry))
+ {
+ if (!is_resurect_operation) { /* if resurect, tombstoneentry is dupped. */
+ backentry_clear_entry(addingentry); /* e is released in the frontend */
+ }
+ }
+ CACHE_RETURN( &inst->inst_cache, &addingentry );
+ }
}
if (!not_an_error) {
rc = SLAPI_FAIL_GENERAL;