Branch '389-ds-base-1.3.4' - dirsrvtests/tests ldap/schema ldap/servers
by William Brown
dirsrvtests/tests/tickets/ticket48798_test.py | 141 ++++++++++++++++++++++++++
ldap/schema/01core389.ldif | 3
ldap/servers/slapd/ssl.c | 77 ++++++++++++++
3 files changed, 220 insertions(+), 1 deletion(-)
New commits:
commit d8fefaadc328a7f9882cffba9798f1bf993134ff
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Apr 21 13:36:28 2016 +1000
Ticket 48798 - Enable DS to offer weaker DH params in NSS
Bug Description: Java is unable to handle DH params greater than 1024 bits.
As of NSS 2.20 and higher, nss defaults to params of 2048 bit. This breaks
all java clients.
Fix Description: This adds a new option, allowWeakDHParams that allows
nss to generate and use insecure DH params that Java would be capable of
using.
This test case shows the ability to allow weak params, and
that they are indeed 1024 bits
https://fedorahosted.org/389/ticket/48798
Author: wibrown
Review by: nhosoi
diff --git a/dirsrvtests/tests/tickets/ticket48798_test.py b/dirsrvtests/tests/tickets/ticket48798_test.py
new file mode 100644
index 0000000..7289453
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48798_test.py
@@ -0,0 +1,141 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+
+import nss
+
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+from subprocess import check_output
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ # Creating standalone instance ...
+ standalone = DirSrv(verbose=True)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ # Delete each instance in the end
+ def fin():
+ pass
+ #standalone.delete()
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ #standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def check_socket_dh_param_size(hostname, port):
+ ### You know why we have to do this?
+ # Because TLS and SSL suck. Hard. They are impossible. It's all terrible, burn it all down.
+ cmd = "echo quit | openssl s_client -connect {HOSTNAME}:{PORT} -msg -cipher DH | grep -A 1 ServerKeyExchange".format(
+ HOSTNAME=hostname,
+ PORT=port)
+ output = check_output(cmd, shell=True)
+ dhheader = output.split('\n')[1]
+ # Get rid of all the other whitespace.
+ dhheader = dhheader.replace(' ', '')
+ # Example is 0c00040b0100ffffffffffffffffadf8
+ # We need the bits 0100 here. Which means 256 bytes aka 256 * 8, for 2048 bit.
+ dhheader = dhheader[8:12]
+ # make it an int, and times 8
+ i = int(dhheader, 16) * 8
+ return i
+
+
+def test_ticket48798(topology):
+ """
+ Test DH param sizes offered by DS.
+
+ """
+
+ # Create a CA
+ # This is a trick. The nss db that ships with DS is broken fundamentally.
+ ## THIS ASSUMES old nss format. SQLite will bite us!
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topology.standalone.confdir, f ))
+ except:
+ pass
+
+ # Check if the db exists. Should be false.
+ assert(topology.standalone.nss_ssl._db_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.reinit() is True)
+ # Check if the db exists. Should be true
+ assert(topology.standalone.nss_ssl._db_exists() is True)
+
+ # Check if ca exists. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_ca() is True)
+ # Check if ca exists. Should be true
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is True)
+
+ # Check if we have a server cert / key. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Check if server cert and key exist. Should be true.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is True)
+
+ topology.standalone.config.enable_ssl(secport=DEFAULT_SECURE_PORT, secargs={'nsSSL3Ciphers': '+all'} )
+
+ topology.standalone.restart(30)
+
+ # Confirm that we have a connection, and that it has DH
+
+ # Open a socket to the port.
+ # Check the security settings.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 2048)
+
+ # Now toggle the settings.
+ mod = [(ldap.MOD_REPLACE, 'allowWeakDHParam', 'on')]
+ dn_enc = 'cn=encryption,cn=config'
+ topology.standalone.modify_s(dn_enc, mod)
+
+ topology.standalone.restart(30)
+
+ # Check the DH params are less than 1024.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 1024)
+
+ log.info('Test complete')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
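Review bot: check_socket_dh_param_size assembles a shell pipeline from hostname and port and runs it with shell=True, so the helper depends on shell quoting and on grep being present even though both arguments are plain values; an argv list with "quit" fed through stdin removes the shell, and the line after the ServerKeyExchange marker can be found in Python (the import becomes `from subprocess import Popen, PIPE`). The comment before the second size check says "less than 1024" while the assert pins exactly 1024; `# Check the DH params are now 1024 bits.` matches the assertion. The bare `except: pass` around os.remove also hides permission errors on the config dir; `except OSError: pass` keeps the best-effort intent without swallowing everything. The same file is added again by commit b2022ca8 below.
```python
def check_socket_dh_param_size(hostname, port):
    # Drive openssl s_client without a shell: argv list, "quit" on stdin.
    cmd = ['openssl', 's_client', '-connect', '%s:%s' % (hostname, port),
           '-msg', '-cipher', 'DH']
    proc = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
    output, _ = proc.communicate('quit')
    lines = output.split('\n')
    # The line after the ServerKeyExchange marker carries the record bytes.
    idx = next(i for i, line in enumerate(lines) if 'ServerKeyExchange' in line)
    dhheader = lines[idx + 1]
    # … unchanged: strip spaces, take dhheader[8:12], int(..., 16) * 8 …
```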
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index aebdb5a..409ebc0 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -278,6 +278,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2311 NAME 'nsds5ReplicaFlowControlPause'
attributeTypes: ( 2.16.840.1.113730.3.1.2313 NAME 'nsslapd-changelogtrim-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2314 NAME 'nsslapd-changelogcompactdb-interval' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2315 NAME 'nsDS5ReplicaWaitForAsyncResults' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
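Review bot: allowWeakDHParam is declared without SINGLE-VALUE, unlike the three attribute types just above it in this hunk, while the consumer added in ssl.c (get_allow_weak_dh_param) reads exactly one value with slapi_entry_attr_get_charptr; adding `SINGLE-VALUE` before X-ORIGIN makes the schema match the code and rejects a contradictory multi-valued setting at modify time. The same declaration appears again in commit b2022ca8's 01core389.ldif hunk.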
@@ -293,7 +294,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 6a23f80..60212e7 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -49,6 +49,10 @@
#define NSS_TLS10 1
#endif
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 320
+#define HAVE_NSS_DHE 1
+#endif
+
/******************************************************************************
* Default SSL Version Rule
* Old SSL version attributes:
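Review bot: The new HAVE_NSS_DHE guard has no comment saying what it gates, and its arithmetic (NSS_VMAJOR * 100 + NSS_VMINOR >= 320) reads as NSS 3.20 while the commit message speaks of "NSS 2.20"; a one-line comment such as `/* SSL_ENABLE_SERVER_DHE and SSL_EnableWeakDHEPrimeGroup, used below, need NSS >= 3.20 */` ties the version to the two APIs this commit wraps in the guard. The same guard is introduced again in commit b2022ca8's ssl.c hunk.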
@@ -87,6 +91,7 @@ static int stimeout;
static char *ciphers = NULL;
static char * configDN = "cn=encryption,cn=config";
+
/* Copied from libadmin/libadmin.h public/nsapi.h */
#define SERVER_KEY_NAME "Server-Key"
#define MAGNUS_ERROR_LEN 1024
@@ -103,6 +108,12 @@ static char * configDN = "cn=encryption,cn=config";
#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
+#ifdef HAVE_NSS_DHE
+#define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100 /* allowWeakDhParam is not set in cn=encryption */
+#define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */
+#define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */
+#endif
+
#define CIPHER_SET_ISDEFAULT(flag) \
(((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
#define CIPHER_SET_ISALL(flag) \
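Review bot: The three new flag comments name the attribute `allowWeakDhParam`, but the attribute read by get_allow_weak_dh_param and declared in the schema is `allowWeakDHParam`; using the real spelling in the comments, e.g. `/* allowWeakDHParam is not set in cn=encryption */`, avoids a fruitless grep later. Same comments recur in commit b2022ca8's ssl.c hunk.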
@@ -114,6 +125,7 @@ static char * configDN = "cn=encryption,cn=config";
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
#define ALLOWWEAK_ISOFF(flag) \
(((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+
/*
* If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
* Otherwise (user specified cipher list), allowWeakCipher is true
@@ -132,6 +144,12 @@ static char * configDN = "cn=encryption,cn=config";
#define CIPHER_MUST_BE_DISABLED 0x2
#define CIPHER_IS_WEAK 0x4
#define CIPHER_IS_DEPRECATED 0x8
+
+#ifdef HAVE_NSS_DHE
+static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM;
+#endif
+
+
static char **cipher_names = NULL;
static char **enabled_cipher_names = NULL;
typedef struct {
@@ -289,6 +307,33 @@ getSupportedCiphers()
return cipher_names;
}
+#ifdef HAVE_NSS_DHE
+int
+get_allow_weak_dh_param(Slapi_Entry *e)
+{
+ /* Check if the user wants weak params */
+ int allow = CIPHER_SET_DEFAULTWEAKDHPARAM;
+ char *val;
+ val = slapi_entry_attr_get_charptr(e, "allowWeakDHParam");
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allow = CIPHER_SET_DISALLOWWEAKDHPARAM;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allow = CIPHER_SET_ALLOWWEAKDHPARAM;
+ slapd_SSL_warn("The value of allowWeakDHParam is set to %s. THIS EXPOSES YOU TO CVE-2015-4000.", val);
+ } else {
+ slapd_SSL_warn("The value of allowWeakDHParam \"%s\" is invalid.",
+ "Ignoring it and set it to default.", val);
+ }
+ }
+ slapi_ch_free((void **) &val);
+ return allow;
+}
+#endif
+
+
char **
getEnabledCiphers()
{
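Review bot: The invalid-value branch passes two arguments after a format string that has a single %s, so the logged message prints the literal "Ignoring it and set it to default." where the value should be and never shows val; the two literals must be one format string: `slapd_SSL_warn("The value of allowWeakDHParam \"%s\" is invalid. Ignoring it and setting it to default.", val);`. get_allow_weak_dh_param is also declared with external linkage and no prototype is visible in this hunk; if nothing outside ssl.c calls it, `static int` keeps it file-local. The same function body is added again in commit b2022ca8's ssl.c hunk.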
@@ -1153,6 +1198,9 @@ slapd_ssl_init()
char *val = NULL;
PK11SlotInfo *slot;
Slapi_Entry *entry = NULL;
+#ifdef HAVE_NSS_DHE
+ SECStatus rv = SECFailure;
+#endif
/* Get general information */
@@ -1161,6 +1209,17 @@ slapd_ssl_init()
val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
+#ifdef HAVE_NSS_DHE
+ allowweakdhparam = get_allow_weak_dh_param(entry);
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, generating new WEAK DH param");
+ rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to generate weak dh parameters");
+ }
+ }
+#endif
+
/* We are currently using the value of sslSessionTimeout
for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
/* Note from Tom Weinstein on the meaning of the timeout:
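Review bot: When SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE) fails, allowweakdhparam still carries CIPHER_SET_ALLOWWEAKDHPARAM, so the per-socket block added to slapd_ssl_init2 later in this commit will attempt the same call and log another warning for every socket; if the global call is the one that generates the group, recording the failure in the same branch, `allowweakdhparam = CIPHER_SET_DISALLOWWEAKDHPARAM;`, keeps the later path consistent with what actually happened. Whether the per-socket call can succeed on its own after a global failure is not visible here and should be confirmed against NSS before making that change. slapd_ssl_init continues outside the hunk; the same block appears in commit b2022ca8's ssl.c hunk.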
@@ -1707,6 +1766,24 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
if (SECSuccess == rv) {
+
+#ifdef HAVE_NSS_DHE
+ /* Step If we want weak dh params, flag it on the socket now! */
+
+ rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to start DHE");
+ }
+
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, allowing weak parameters on socket.");
+ rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to allow weak DH params on socket.");
+ }
+ }
+#endif
+
if( slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE ) {
rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
}
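Review bot: The comment `/* Step If we want weak dh params, flag it on the socket now! */` only describes the second half of the block: SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE) runs for every socket regardless of allowWeakDHParam, and the weak prime group is enabled only inside the conditional. A comment such as `/* Enable server-side DHE on this socket; only if allowWeakDHParam is on, additionally permit the weak prime group. */` states both behaviours. A failed SSL_OptionSet also leaves rv at a failure value until the fortezza branch below reassigns it; its else branch is outside the hunk, so whether the failure can leak into later SECSuccess checks cannot be confirmed from here. slapd_ssl_init2 continues outside the hunk; the same block is added in commit b2022ca8's ssl.c hunk.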
configure configure.ac Makefile.am Makefile.in
by William Brown
Makefile.am | 6 +++++-
Makefile.in | 6 +++---
configure | 19 ++++++++++++++++---
configure.ac | 6 +++---
4 files changed, 27 insertions(+), 10 deletions(-)
New commits:
commit 2b38becf4b76106ff868cb41901a32a505440add
Author: William Brown <firstyear(a)redhat.com>
Date: Wed Apr 6 14:00:05 2016 +1000
Ticket 48447 - with-initddir should accept no
Bug Description: When porting to other platforms we should not install RH style
init scripts.
Fix Description: Allow setting "no" to initddir which will prevent creation of
any init scripts.
https://fedorahosted.org/389/ticket/48447
Author: wibrown
Review by: nhosoi (Thanks!)
diff --git a/Makefile.am b/Makefile.am
index 57b6b52..0e9939a 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -695,16 +695,20 @@ systemdsystemunit_DATA = wrappers/$(PACKAGE_NAME)@.service \
wrappers/$(systemdgroupname) \
wrappers/$(PACKAGE_NAME)-snmp.service
else
+if INITDDIR
init_SCRIPTS = wrappers/$(PACKAGE_NAME) \
wrappers/$(PACKAGE_NAME)-snmp
endif
+endif
if SYSTEMD
initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME) \
wrappers/$(PACKAGE_NAME).systemd
-else
+else
+if INITDDIR
initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME)
endif
+endif
inf_DATA = ldap/admin/src/slapd.inf \
ldap/admin/src/scripts/dscreate.map \
diff --git a/Makefile.in b/Makefile.in
index e7e7403..0752ff1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -2112,10 +2112,10 @@ task_SCRIPTS = ldap/admin/src/scripts/template-bak2db \
@SYSTEMD_TRUE@ wrappers/$(systemdgroupname) \
@SYSTEMD_TRUE@ wrappers/$(PACKAGE_NAME)-snmp.service
-@SYSTEMD_FALSE@init_SCRIPTS = wrappers/$(PACKAGE_NAME) \
-@SYSTEMD_FALSE@ wrappers/$(PACKAGE_NAME)-snmp
+@INITDDIR_TRUE@@SYSTEMD_FALSE@init_SCRIPTS = wrappers/$(PACKAGE_NAME) \
+@INITDDIR_TRUE@@SYSTEMD_FALSE@ wrappers/$(PACKAGE_NAME)-snmp
-@SYSTEMD_FALSE@initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME)
+@INITDDIR_TRUE@@SYSTEMD_FALSE@initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME)
@SYSTEMD_TRUE@initconfig_DATA = ldap/admin/src/$(PACKAGE_NAME) \
@SYSTEMD_TRUE@ wrappers/$(PACKAGE_NAME).systemd
diff --git a/configure b/configure
index 1cf5ecb..7dc8c3e 100755
--- a/configure
+++ b/configure
@@ -724,6 +724,8 @@ LIBNSL
LIBSOCKET
LIBCRYPT
THREADLIB
+INITDDIR_FALSE
+INITDDIR_TRUE
WINNT_FALSE
WINNT_TRUE
instconfigdir
@@ -18358,9 +18360,6 @@ $as_echo_n "checking for --with-initddir... " >&6; }
# Check whether --with-initddir was given.
if test "${with_initddir+set}" = set; then :
withval=$with_initddir;
- if test "$withval" = yes -o "$withval" = no ; then
- as_fn_error $? "Please specify a full path with --with-initddir" "$LINENO" 5
- fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $withval" >&5
$as_echo "$withval" >&6; }
@@ -18371,6 +18370,15 @@ $as_echo "no" >&6; }
fi
+
+ if test -n "$with_initddir" -a "$with_initddir" != "no"; then
+ INITDDIR_TRUE=
+ INITDDIR_FALSE='#'
+else
+ INITDDIR_TRUE='#'
+ INITDDIR_FALSE=
+fi
+
# on most platforms, we will just use perl from PATH
# On some platforms, we cannot. Why not just use any old
# perl? Because of perldap. We use a perldap that is
@@ -18649,6 +18657,7 @@ esac
if test -n "$with_initddir" ; then
initdir="$with_initddir"
fi
+
# sysv init scripts not used when systemd is used
@@ -21696,6 +21705,10 @@ if test -z "${WINNT_TRUE}" && test -z "${WINNT_FALSE}"; then
as_fn_error $? "conditional \"WINNT\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${INITDDIR_TRUE}" && test -z "${INITDDIR_FALSE}"; then
+ as_fn_error $? "conditional \"INITDDIR\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${HPUX_TRUE}" && test -z "${HPUX_FALSE}"; then
as_fn_error $? "conditional \"HPUX\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
diff --git a/configure.ac b/configure.ac
index 4be4613..9544bbc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -463,14 +463,13 @@ AC_ARG_WITH(initddir,
AS_HELP_STRING([--with-initddir=/path],
[Absolute path (not relative like some of the other options) that should contain the SysV init scripts (default '$(sysconfdir)/rc.d')]),
[
- if test "$withval" = yes -o "$withval" = no ; then
- AC_ERROR([Please specify a full path with --with-initddir])
- fi
AC_MSG_RESULT($withval)
],
[
AC_MSG_RESULT(no)
])
+
+AM_CONDITIONAL([INITDDIR], [test -n "$with_initddir" -a "$with_initddir" != "no"])
# on most platforms, we will just use perl from PATH
# On some platforms, we cannot. Why not just use any old
# perl? Because of perldap. We use a perldap that is
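Review bot: The help text still advertises `--with-initddir=/path` and "Absolute path ..." even though `no` is now an accepted, meaningful value that the new INITDDIR conditional depends on; `AS_HELP_STRING([--with-initddir=/path|no],` with a clause such as "use 'no' to install no SysV init scripts" documents the new behaviour where users look for it. The conditional's `test -n "$x" -a "$x" != "no"` works in the shells configure targets; `test -n "$with_initddir" && test "$with_initddir" != "no"` is the form autoconf itself recommends for portability.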
@@ -618,6 +617,7 @@ esac
if test -n "$with_initddir" ; then
initdir="$with_initddir"
fi
+
# sysv init scripts not used when systemd is used
AC_SUBST(initdir)
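Review bot: `initdir="$with_initddir"` still runs when the option value is `no`, so initdir is substituted as the literal relative path "no"; the INITDDIR conditional keeps this commit's Makefile.am rules from installing there, but any other consumer of @initdir@ exported by AC_SUBST(initdir) would receive that bogus directory. Guarding the assignment with `if test -n "$with_initddir" -a "$with_initddir" != "no" ; then` leaves initdir at its default in the `no` case. The same assignment is present in the generated configure hunk above.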
AC_SUBST(perlexec)
dirsrvtests/tests ldap/schema ldap/servers
by William Brown
dirsrvtests/tests/tickets/ticket48798_test.py | 141 ++++++++++++++++++++++++++
ldap/schema/01core389.ldif | 3
ldap/servers/slapd/ssl.c | 77 ++++++++++++++
3 files changed, 220 insertions(+), 1 deletion(-)
New commits:
commit b2022ca83a5c56a525f4ebfad6b7f96debfad718
Author: William Brown <firstyear(a)redhat.com>
Date: Thu Apr 21 13:36:28 2016 +1000
Ticket 48798 - Enable DS to offer weaker DH params in NSS
Bug Description: Java is unable to handle DH params greater than 1024 bits.
As of NSS 2.20 and higher, nss defaults to params of 2048 bit. This breaks
all java clients.
Fix Description: This adds a new option, allowWeakDHParams that allows
nss to generate and use insecure DH params that Java would be capable of
using.
This test case shows the ability to allow weak params, and
that they are indeed 1024 bits
https://fedorahosted.org/389/ticket/48798
Author: wibrown
Review by: nhosoi
diff --git a/dirsrvtests/tests/tickets/ticket48798_test.py b/dirsrvtests/tests/tickets/ticket48798_test.py
new file mode 100644
index 0000000..7289453
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48798_test.py
@@ -0,0 +1,141 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+
+import nss
+
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+from subprocess import check_output
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ def __init__(self, standalone):
+ standalone.open()
+ self.standalone = standalone
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ # Creating standalone instance ...
+ standalone = DirSrv(verbose=True)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ # Delete each instance in the end
+ def fin():
+ pass
+ #standalone.delete()
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ #standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+def check_socket_dh_param_size(hostname, port):
+ ### You know why we have to do this?
+ # Because TLS and SSL suck. Hard. They are impossible. It's all terrible, burn it all down.
+ cmd = "echo quit | openssl s_client -connect {HOSTNAME}:{PORT} -msg -cipher DH | grep -A 1 ServerKeyExchange".format(
+ HOSTNAME=hostname,
+ PORT=port)
+ output = check_output(cmd, shell=True)
+ dhheader = output.split('\n')[1]
+ # Get rid of all the other whitespace.
+ dhheader = dhheader.replace(' ', '')
+ # Example is 0c00040b0100ffffffffffffffffadf8
+ # We need the bits 0100 here. Which means 256 bytes aka 256 * 8, for 2048 bit.
+ dhheader = dhheader[8:12]
+ # make it an int, and times 8
+ i = int(dhheader, 16) * 8
+ return i
+
+
+def test_ticket48798(topology):
+ """
+ Test DH param sizes offered by DS.
+
+ """
+
+ # Create a CA
+ # This is a trick. The nss db that ships with DS is broken fundamentally.
+ ## THIS ASSUMES old nss format. SQLite will bite us!
+ for f in ('key3.db', 'cert8.db', 'key4.db', 'cert9.db', 'secmod.db', 'pkcs11.txt'):
+ try:
+ os.remove("%s/%s" % (topology.standalone.confdir, f ))
+ except:
+ pass
+
+ # Check if the db exists. Should be false.
+ assert(topology.standalone.nss_ssl._db_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.reinit() is True)
+ # Check if the db exists. Should be true
+ assert(topology.standalone.nss_ssl._db_exists() is True)
+
+ # Check if ca exists. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_ca() is True)
+ # Check if ca exists. Should be true
+ assert(topology.standalone.nss_ssl._rsa_ca_exists() is True)
+
+ # Check if we have a server cert / key. Should be false.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is False)
+ # Create it. Should work.
+ assert(topology.standalone.nss_ssl.create_rsa_key_and_cert() is True)
+ # Check if server cert and key exist. Should be true.
+ assert(topology.standalone.nss_ssl._rsa_key_and_cert_exists() is True)
+
+ topology.standalone.config.enable_ssl(secport=DEFAULT_SECURE_PORT, secargs={'nsSSL3Ciphers': '+all'} )
+
+ topology.standalone.restart(30)
+
+ # Confirm that we have a connection, and that it has DH
+
+ # Open a socket to the port.
+ # Check the security settings.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 2048)
+
+ # Now toggle the settings.
+ mod = [(ldap.MOD_REPLACE, 'allowWeakDHParam', 'on')]
+ dn_enc = 'cn=encryption,cn=config'
+ topology.standalone.modify_s(dn_enc, mod)
+
+ topology.standalone.restart(30)
+
+ # Check the DH params are less than 1024.
+ size = check_socket_dh_param_size(topology.standalone.host, DEFAULT_SECURE_PORT)
+
+ assert(size == 1024)
+
+ log.info('Test complete')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index e620e74..35d7c4c 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -296,6 +296,7 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2327 NAME 'nsslapd-auditfaillog' DESC 'N
attributeTypes: ( 2.16.840.1.113730.3.1.2328 NAME 'nsslapd-auditfaillog-list' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2330 NAME 'nsslapd-logging-backend' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
attributeTypes: ( 2.16.840.1.113730.3.1.2331 NAME 'nsslapd-logging-hr-timestamps-enabled' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2332 NAME 'allowWeakDHParam' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
#
# objectclasses
#
@@ -311,7 +312,7 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile $ allowWeakDHParam ) X-ORIGIN 'Netscape' )
objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index fd17c28..7da18f0 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -49,6 +49,10 @@
#define NSS_TLS10 1
#endif
+#if NSS_VMAJOR * 100 + NSS_VMINOR >= 320
+#define HAVE_NSS_DHE 1
+#endif
+
/******************************************************************************
* Default SSL Version Rule
* Old SSL version attributes:
@@ -87,6 +91,7 @@ static int stimeout;
static char *ciphers = NULL;
static char * configDN = "cn=encryption,cn=config";
+
/* Copied from libadmin/libadmin.h public/nsapi.h */
#define SERVER_KEY_NAME "Server-Key"
#define MAGNUS_ERROR_LEN 1024
@@ -103,6 +108,12 @@ static char * configDN = "cn=encryption,cn=config";
#define CIPHER_SET_ALLOWWEAKCIPHER 0x20 /* allowWeakCipher is on */
#define CIPHER_SET_DISALLOWWEAKCIPHER 0x40 /* allowWeakCipher is off */
+#ifdef HAVE_NSS_DHE
+#define CIPHER_SET_DEFAULTWEAKDHPARAM 0x100 /* allowWeakDhParam is not set in cn=encryption */
+#define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */
+#define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */
+#endif
+
#define CIPHER_SET_ISDEFAULT(flag) \
(((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
#define CIPHER_SET_ISALL(flag) \
@@ -114,6 +125,7 @@ static char * configDN = "cn=encryption,cn=config";
(((flag)&CIPHER_SET_ALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
#define ALLOWWEAK_ISOFF(flag) \
(((flag)&CIPHER_SET_DISALLOWWEAKCIPHER) ? PR_TRUE : PR_FALSE)
+
/*
* If ISALL or ISDEFAULT, allowWeakCipher is true only if CIPHER_SET_ALLOWWEAKCIPHER.
* Otherwise (user specified cipher list), allowWeakCipher is true
@@ -132,6 +144,12 @@ static char * configDN = "cn=encryption,cn=config";
#define CIPHER_MUST_BE_DISABLED 0x2
#define CIPHER_IS_WEAK 0x4
#define CIPHER_IS_DEPRECATED 0x8
+
+#ifdef HAVE_NSS_DHE
+static int allowweakdhparam = CIPHER_SET_DEFAULTWEAKDHPARAM;
+#endif
+
+
static char **cipher_names = NULL;
static char **enabled_cipher_names = NULL;
typedef struct {
@@ -302,6 +320,33 @@ getSupportedCiphers()
return cipher_names;
}
+#ifdef HAVE_NSS_DHE
+int
+get_allow_weak_dh_param(Slapi_Entry *e)
+{
+ /* Check if the user wants weak params */
+ int allow = CIPHER_SET_DEFAULTWEAKDHPARAM;
+ char *val;
+ val = slapi_entry_attr_get_charptr(e, "allowWeakDHParam");
+ if (val) {
+ if (!PL_strcasecmp(val, "off") || !PL_strcasecmp(val, "false") ||
+ !PL_strcmp(val, "0") || !PL_strcasecmp(val, "no")) {
+ allow = CIPHER_SET_DISALLOWWEAKDHPARAM;
+ } else if (!PL_strcasecmp(val, "on") || !PL_strcasecmp(val, "true") ||
+ !PL_strcmp(val, "1") || !PL_strcasecmp(val, "yes")) {
+ allow = CIPHER_SET_ALLOWWEAKDHPARAM;
+ slapd_SSL_warn("The value of allowWeakDHParam is set to %s. THIS EXPOSES YOU TO CVE-2015-4000.", val);
+ } else {
+ slapd_SSL_warn("The value of allowWeakDHParam \"%s\" is invalid.",
+ "Ignoring it and set it to default.", val);
+ }
+ }
+ slapi_ch_free((void **) &val);
+ return allow;
+}
+#endif
+
+
char **
getEnabledCiphers()
{
@@ -1281,6 +1326,9 @@ slapd_ssl_init()
char *val = NULL;
PK11SlotInfo *slot;
Slapi_Entry *entry = NULL;
+#ifdef HAVE_NSS_DHE
+ SECStatus rv = SECFailure;
+#endif
/* Get general information */
@@ -1289,6 +1337,17 @@ slapd_ssl_init()
val = slapi_entry_attr_get_charptr( entry, "nssslSessionTimeout" );
ciphers = slapi_entry_attr_get_charptr( entry, "nsssl3ciphers" );
+#ifdef HAVE_NSS_DHE
+ allowweakdhparam = get_allow_weak_dh_param(entry);
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, generating new WEAK DH param");
+ rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to generate weak dh parameters");
+ }
+ }
+#endif
+
/* We are currently using the value of sslSessionTimeout
for ssl3SessionTimeout, see SSL_ConfigServerSessionIDCache() */
/* Note from Tom Weinstein on the meaning of the timeout:
@@ -1856,6 +1915,24 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
}
if (SECSuccess == rv) {
+
+#ifdef HAVE_NSS_DHE
+ /* Step If we want weak dh params, flag it on the socket now! */
+
+ rv = SSL_OptionSet(*fd, SSL_ENABLE_SERVER_DHE, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to start DHE");
+ }
+
+ if (allowweakdhparam & CIPHER_SET_ALLOWWEAKDHPARAM) {
+ slapd_SSL_warn("notice, allowing weak parameters on socket.");
+ rv = SSL_EnableWeakDHEPrimeGroup(*fd, PR_TRUE);
+ if (rv != SECSuccess) {
+ slapd_SSL_warn("Warning, unable to allow weak DH params on socket.");
+ }
+ }
+#endif
+
if( slapd_pk11_fortezzaHasKEA(cert) == PR_TRUE ) {
rv = SSL_ConfigSecureServer(*fd, cert, key, kt_fortezza);
}
admserv/newinst
by Noriko Hosoi
admserv/newinst/src/AdminServer.pm.in | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
New commits:
commit 9f8398ce98f45f80944de3850e23aeda1a8fc32e
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Apr 22 14:20:37 2016 -0700
Ticket #48409 - RHDS upgrade change Ownership of certificate files upon upgrade.
Description: The fix for the ticket #47891 "Admin Server reconfig
breaks SSL config" backs up the SSL key/cert db files before the
upgrade and restores them when the upgrade is done. In the backup,
"copy" is used, which does not keep the ownership and mode of the
files. This patch uses move instead of copy to preserve them.
https://fedorahosted.org/389/ticket/48409
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index eb80d19..3e31e70 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -530,7 +530,8 @@ sub reconfig_backup_secfiles
}
foreach my $savefile (@reconfigsavefiles) {
if ( -e "$configdir/$savefile"){
- copy ("$configdir/$savefile", "$secfile_backup_dir/$savefile");
+ # To keep the ownership and modes, use move for backup.
+ move ("$configdir/$savefile", "$secfile_backup_dir/$savefile");
debug(1, "Backing up $configdir/$savefile to $secfile_backup_dir/$savefile\n");
if (! -e "$secfile_backup_dir/$savefile"){
debug(0, "Backup file $secfile_backup_dir/$savefile not found, error $!\n");
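Review bot: The return value of `move` at L822 is never checked; only the existence of the destination is tested afterwards, and if this is File::Copy::move it falls back to copy-and-unlink when source and destination are on different filesystems, in which case the ownership and mode the new comment wants to preserve are not kept. Check the result directly, e.g. `move("$configdir/$savefile", "$secfile_backup_dir/$savefile") or debug(0, "Cannot move $configdir/$savefile to $secfile_backup_dir/$savefile: $!\n");`, and mention the cross-filesystem caveat in the comment. The restore loop added at L830-L835 in createAdminServer has the same unchecked `move`; as these are the SSL key and certificate database files, a failed move on either path leaves the server without them and nothing reports it. Both reconfig_backup_secfiles and createAdminServer extend beyond their hunks.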
@@ -590,6 +591,12 @@ sub createAdminServer {
if ($reconfig) {
$setup->msg('begin_reconfig_adminserver');
if (!reconfig_backup_secfiles($configdir)) {
+ foreach my $savefile (@reconfigsavefiles) {
+ if (-e "$secfile_backup_dir/$savefile") {
+ move ("$secfile_backup_dir/$savefile" ,"$configdir/$savefile");
+ debug(1, "Restoring $configdir/$savefile with $secfile_backup_dir/$savefile\n");
+ }
+ }
return 0;
}
} else {
ldap/servers
by Noriko Hosoi
ldap/servers/plugins/acctpolicy/acct_util.c | 2 +-
ldap/servers/plugins/acl/acl.c | 6 +++---
ldap/servers/plugins/acl/acleffectiverights.c | 2 +-
ldap/servers/plugins/replication/repl5_plugins.c | 2 +-
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 2 +-
ldap/servers/slapd/bind.c | 6 +++---
ldap/servers/slapd/csngen.c | 8 ++++----
ldap/servers/slapd/filter.c | 2 +-
ldap/servers/slapd/mapping_tree.c | 2 +-
9 files changed, 16 insertions(+), 16 deletions(-)
New commits:
commit 6881e0a5850ca452802654ece3ffab99634a10a3
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Apr 25 13:16:07 2016 -0700
Ticket #48802 - Compilation warnings from clang
Description: Fixing the errors reported by clang.
https://fedorahosted.org/389/ticket/48802
Reviewed by mreynolds(a)redhat.com (Thank you, Mark!!)
diff --git a/ldap/servers/plugins/acctpolicy/acct_util.c b/ldap/servers/plugins/acctpolicy/acct_util.c
index cff0176..319e61c 100644
--- a/ldap/servers/plugins/acctpolicy/acct_util.c
+++ b/ldap/servers/plugins/acctpolicy/acct_util.c
@@ -221,7 +221,7 @@ gentimeToEpochtime( char *gentimestr ) {
/* Find the local offset from GMT */
cur_gm_time = (struct tm*)slapi_ch_calloc( 1, sizeof( struct tm ) );
- cur_local_epochtime = time( (time_t)0 );
+ cur_local_epochtime = time( (time_t *)0 );
gmtime_r( &cur_local_epochtime, cur_gm_time );
cur_gm_epochtime = mktime( cur_gm_time );
free( cur_gm_time );
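Review bot: `time( (time_t *)0 )` at L868 silences the warning, but the conventional spelling is `cur_local_epochtime = time(NULL);`. In the same lines, cur_gm_time comes from slapi_ch_calloc at L866 and is released with plain free() at L871; if the slapi allocator wraps anything other than malloc (not visible here), that pairing is a mismatch worth either a comment or a switch to the matching slapi release function. gentimeToEpochtime begins before the hunk.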
diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c
index 829fd7d..be2b805 100644
--- a/ldap/servers/plugins/acl/acl.c
+++ b/ldap/servers/plugins/acl/acl.c
@@ -218,7 +218,7 @@ acl_access_allowed(
int rv;
int err;
int ret_val;
- const char *right;
+ const char *right = NULL;
struct acl_pblock *aclpb = NULL;
AclAttrEval *c_attrEval = NULL;
int got_reader_locked = 0;
@@ -2924,7 +2924,7 @@ acl__TestRights(Acl_PBlock *aclpb,int access, const char **right, const char **
acleval = aclpb->aclpb_acleval;
testRights[0] = *right;
- testRights[1] = '\0';
+ testRights[1] = NULL;
/*
** START PROCESSING DENY HANDLES
@@ -4191,7 +4191,7 @@ acl__recompute_acl ( Acl_PBlock *aclpb,
ACL_EvalSetACL(NULL, aclpb->aclpb_acleval, aci->aci_handle);
testRight[0] = acl_access2str ( access );
- testRight[1] = '\0';
+ testRight[1] = NULL;
aclpb->aclpb_curr_aci = aci;
result_status = ACL_EvalTestRights (NULL, aclpb->aclpb_acleval, testRight,
ds_map_generic, &unused_str1,
diff --git a/ldap/servers/plugins/acl/acleffectiverights.c b/ldap/servers/plugins/acl/acleffectiverights.c
index 2b246c1..f3e00f0 100644
--- a/ldap/servers/plugins/acl/acleffectiverights.c
+++ b/ldap/servers/plugins/acl/acleffectiverights.c
@@ -1029,7 +1029,7 @@ acl_get_effective_rights (
int iscritical = 0; /* critical may be missing or false http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08 */
int rc = LDAP_SUCCESS;
- *errbuf = '\0';
+ *errbuf = NULL;
if (NULL == e) /* create a template entry from SLAPI_SEARCH_GERATTRS */
{
diff --git a/ldap/servers/plugins/replication/repl5_plugins.c b/ldap/servers/plugins/replication/repl5_plugins.c
index bb43b9b..3ef3f5f 100644
--- a/ldap/servers/plugins/replication/repl5_plugins.c
+++ b/ldap/servers/plugins/replication/repl5_plugins.c
@@ -647,7 +647,7 @@ multimaster_ruv_search(Slapi_PBlock *pb)
static void
purge_entry_state_information (Slapi_PBlock *pb)
{
- CSN *purge_csn;
+ CSN *purge_csn = NULL;
Object *repl_obj;
Replica *replica;
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index 150a008..c59d559 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -1056,7 +1056,7 @@ bail:
int
ldbm_back_ldbm2ldif( Slapi_PBlock *pb )
{
- backend *be;
+ backend *be = NULL;
struct ldbminfo *li = NULL;
DB *db = NULL;
DBC *dbc = NULL;
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 0a630ac..00795c4 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -165,7 +165,7 @@ do_bind( Slapi_PBlock *pb )
slapi_sdn_free(&sdn);
return;
}
- LDAPDebug( LDAP_DEBUG_TRACE, "BIND dn=\"%s\" method=%d version=%d\n",
+ LDAPDebug( LDAP_DEBUG_TRACE, "BIND dn=\"%s\" method=%" BERTAG_T " version=%d\n",
dn?dn:"empty", method, version );
/* target spec is used to decide which plugins are applicable for the operation */
@@ -916,13 +916,13 @@ log_bind_access (
} else if (msg) {
slapi_log_access( LDAP_DEBUG_STATS,
"conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" "
- "method=%ld version=%d, %s\n",
+ "method=%" BERTAG_T " version=%d, %s\n",
pb->pb_conn->c_connid, pb->pb_op->o_opid, dn,
method, version, msg );
} else {
slapi_log_access( LDAP_DEBUG_STATS,
"conn=%" NSPRIu64 " op=%d BIND dn=\"%s\" "
- "method=%ld version=%d\n",
+ "method=%" BERTAG_T " version=%d\n",
pb->pb_conn->c_connid, pb->pb_op->o_opid, dn,
method, version );
}
diff --git a/ldap/servers/slapd/csngen.c b/ldap/servers/slapd/csngen.c
index 1c413d6..29fcd84 100644
--- a/ldap/servers/slapd/csngen.c
+++ b/ldap/servers/slapd/csngen.c
@@ -682,16 +682,16 @@ _csngen_adjust_local_time (CSNGen *gen, time_t cur_time)
gen->state.remote_offset);
}
- if (!ignore_time_skew && (abs (time_diff) > CSN_MAX_TIME_ADJUST))
+ if (!ignore_time_skew && (labs (time_diff) > CSN_MAX_TIME_ADJUST))
{
slapi_log_error (SLAPI_LOG_FATAL, NULL, "_csngen_adjust_local_time: "
- "adjustment limit exceeded; value - %d, limit - %d\n",
- abs (time_diff), CSN_MAX_TIME_ADJUST);
+ "adjustment limit exceeded; value - %ld, limit - %d\n",
+ labs (time_diff), CSN_MAX_TIME_ADJUST);
return CSN_LIMIT_EXCEEDED;
}
gen->state.sampled_time = cur_time;
- gen->state.local_offset = MAX_VAL (gen->state.local_offset, abs (time_diff));
+ gen->state.local_offset = MAX_VAL (gen->state.local_offset, labs (time_diff));
gen->state.seq_num = 0;
if (slapi_is_loglevel_set(SLAPI_LOG_REPL)) {
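Review bot: `labs(time_diff)` at L972, L978 and L983 assumes time_diff is a long; its declaration is outside the hunk, and if it is a time_t the conversion is lossy on platforms where time_t is wider than long, with the `%ld` at L977 then also needing a cast. If time_diff is a time_t, compute the magnitude without converting, e.g. `time_t adiff = (time_diff < 0) ? -time_diff : time_diff;`, and print it through a `(long)` cast. _csngen_adjust_local_time begins before the hunk.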
diff --git a/ldap/servers/slapd/filter.c b/ldap/servers/slapd/filter.c
index d63cac8..0c31bff 100644
--- a/ldap/servers/slapd/filter.c
+++ b/ldap/servers/slapd/filter.c
@@ -822,7 +822,7 @@ slapi_filter_join_ex( int ftype, struct slapi_filter *f1, struct slapi_filter *f
struct slapi_filter *fjoin;
struct slapi_filter *add_to;
struct slapi_filter *add_this;
- struct slapi_filter *return_this;
+ struct slapi_filter *return_this = NULL;
int insert = 0;
if ((NULL == f1) || (NULL == f2)) {
diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index 08d2da6..ed0b510 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -2657,7 +2657,7 @@ static int mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb,
if (referral) {
*referral = NULL;
}
- if ((target_node == mapping_tree_root) ){
+ if (target_node == mapping_tree_root) {
/* If we got here, then we couldn't find a matching node
* for the target. We'll use the default backend. Once
* we fully support the NULL suffix, we should do something more
5 commits - dirsrvtests/tests ldap/admin ldap/schema ldap/servers
by Noriko Hosoi
dirsrvtests/tests/tickets/ticket47536_test.py | 528 +++++++++
dirsrvtests/tests/tickets/ticket48784_test.py | 434 +++++++
ldap/admin/src/scripts/DSUtil.pm.in | 13
ldap/schema/01core389.ldif | 7
ldap/servers/plugins/acl/acllas.c | 64 -
ldap/servers/plugins/acl/aclutil.c | 52
ldap/servers/plugins/replication/repl5_connection.c | 14
ldap/servers/plugins/replication/windows_connection.c | 14
ldap/servers/plugins/retrocl/retrocl.c | 22
ldap/servers/plugins/syntaxes/string.c | 13
ldap/servers/slapd/add.c | 6
ldap/servers/slapd/attr.c | 19
ldap/servers/slapd/back-ldbm/import-threads.c | 23
ldap/servers/slapd/back-ldbm/ldbm_config.c | 110 -
ldap/servers/slapd/back-ldbm/ldbm_instance_config.c | 19
ldap/servers/slapd/bind.c | 10
ldap/servers/slapd/compare.c | 2
ldap/servers/slapd/config.c | 4
ldap/servers/slapd/daemon.c | 3
ldap/servers/slapd/delete.c | 2
ldap/servers/slapd/detach.c | 5
ldap/servers/slapd/dn.c | 6
ldap/servers/slapd/ldaputil.c | 162 ++
ldap/servers/slapd/libglobs.c | 578 ++++------
ldap/servers/slapd/log.c | 78 -
ldap/servers/slapd/mapping_tree.c | 54
ldap/servers/slapd/modify.c | 7
ldap/servers/slapd/modrdn.c | 3
ldap/servers/slapd/opshared.c | 3
ldap/servers/slapd/proto-slap.h | 2
ldap/servers/slapd/pw.c | 60 -
ldap/servers/slapd/saslbind.c | 3
ldap/servers/slapd/schema.c | 16
ldap/servers/slapd/slap.h | 4
ldap/servers/slapd/slapi-plugin.h | 23
ldap/servers/slapd/slapi-private.h | 12
ldap/servers/slapd/ssl.c | 1009 +++++++++++++++---
ldap/servers/slapd/util.c | 138 +-
38 files changed, 2673 insertions(+), 849 deletions(-)
New commits:
commit fa620fc7911d824048909b83125259743378f6a6
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Apr 20 17:21:20 2016 -0700
Ticket #48800 - Cleaning up error buffers
Description: The changes in this patch are mainly one of these:
1. unifying error buffer size to SLAPI_DSE_RETURNTEXT_SIZE.
An error buf is filled either in config, mapping-tree, log, pass-
word code, where the size SLAPI_DSE_RETURNTEXT_SIZE is expected,
while some callers declare BUFSIZ array and pass it.
Note: SLAPI_DSE_RETURNTEXT_SIZE is defined as 512 in slapi-plugin.h.
2. replacing PR_snprintf with slapi_create_errormsg.
slapi_create_errormsg is almost the same as PR_snprintf except
2-1 the former does not do anything if the place to write the error
message is NULL. With this change, we can skip returning an
error message if it is not needed.
2-2 If buffer size 0 is given, sizeof(buffer) is used as the size
of buffer. The strict size is supposed to be passed only when
the error buffer is allocated on the heap.
3. Avoiding unnecessary array.
Caller sometimes declares an error buffer even though it does not
use it. This patch removed such error buffer declaration or moved
it in the local block where it is being used.
https://fedorahosted.org/389/ticket/48800
Reviewed by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/servers/plugins/acl/acllas.c b/ldap/servers/plugins/acl/acllas.c
index 8ab6f58..ff9b450 100644
--- a/ldap/servers/plugins/acl/acllas.c
+++ b/ldap/servers/plugins/acl/acllas.c
@@ -1306,9 +1306,7 @@ DS_LASUserDnAttrEval(NSErr_t *errp, char *attr_name, CmpOp_t comparator,
/* Wow it matches */
slapi_log_error( SLAPI_LOG_ACL, plugin_name,
"%s matches(%s, %s) level (%d)\n", attr_name,
- val,
- ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo.clientDn, ebuf),
- 0);
+ val, ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo.clientDn, ebuf), 0);
matched = ACL_TRUE;
slapi_ch_free ( (void **) &val);
break;
@@ -2844,7 +2842,6 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
char *str, *s_str, *base, *groupattr = NULL;
int i,j,k,matched, enumerate_groups;
aclUserGroup *u_group;
- char ebuf [ BUFSIZ ];
Slapi_Value *sval=NULL;
const struct berval *attrVal;
@@ -2967,14 +2964,18 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
slapi_ch_free_string(&filter_str_ptr);
- if (tt == info.lu_idx) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name, "currDn:(%s) \n\tNO MEMBER ADDED\n",
- ACL_ESCAPE_STRING_WITH_PUNCTUATION (curMemberDn, ebuf));
- } else {
- for (i=tt; i < info.lu_idx; i++)
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "currDn:(%s) \n\tADDED MEMBER[%d]=%s\n",
- ACL_ESCAPE_STRING_WITH_PUNCTUATION (curMemberDn, ebuf), i, info.member[i]);
+ if (slapi_is_loglevel_set(SLAPI_LOG_ACL)) {
+ char ebuf[BUFSIZ];
+ if (tt == info.lu_idx) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name, "currDn:(%s) \n\tNO MEMBER ADDED\n",
+ ACL_ESCAPE_STRING_WITH_PUNCTUATION (curMemberDn, ebuf));
+ } else {
+ for (i=tt; i < info.lu_idx; i++) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "currDn:(%s) \n\tADDED MEMBER[%d]=%s\n",
+ ACL_ESCAPE_STRING_WITH_PUNCTUATION (curMemberDn, ebuf), i, info.member[i]);
+ }
+ }
}
if (info.c_idx >= info.lu_idx) {
@@ -3019,10 +3020,14 @@ acllas__eval_memberGroupDnAttr (char *attrName, Slapi_Entry *e,
}
}
- for (j=0; j < u_group->aclug_numof_member_group; j++)
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "acllas__eval_memberGroupDnAttr:GROUP[%d] IN CACHE:%s\n",
- j, ACL_ESCAPE_STRING_WITH_PUNCTUATION (u_group->aclug_member_groups[j], ebuf));
+ if (slapi_is_loglevel_set(SLAPI_LOG_ACL)) {
+ char ebuf[BUFSIZ];
+ for (j = 0; j < u_group->aclug_numof_member_group; j++) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "acllas__eval_memberGroupDnAttr:GROUP[%d] IN CACHE:%s\n",
+ j, ACL_ESCAPE_STRING_WITH_PUNCTUATION (u_group->aclug_member_groups[j], ebuf));
+ }
+ }
matched = ACL_FALSE;
slapi_entry_attr_find( e, groupattr, &attr);
@@ -4467,7 +4472,6 @@ acllas_eval_one_role(char *role, lasInfo *lasinfo) {
Slapi_DN *roleDN = NULL;
int rc = ACL_FALSE;
- char ebuf [ BUFSIZ ];
/*
* See if lasinfo.clientDn has role rolebuf.
@@ -4478,26 +4482,24 @@ acllas_eval_one_role(char *role, lasInfo *lasinfo) {
roleDN = slapi_sdn_new_dn_byval(role);
if (role) {
- rc = acllas__user_has_role(
- lasinfo->aclpb,
- roleDN,
- lasinfo->aclpb->aclpb_authorization_sdn);
+ rc = acllas__user_has_role(lasinfo->aclpb, roleDN, lasinfo->aclpb->aclpb_authorization_sdn);
} else { /* The user does not have the empty role */
rc = ACL_FALSE;
}
slapi_sdn_free(&roleDN );
/* Some useful logging */
- if (rc == ACL_TRUE ) {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "role evaluation: user '%s' does have role '%s'\n",
- ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo->clientDn, ebuf),
- role);
- } else {
- slapi_log_error( SLAPI_LOG_ACL, plugin_name,
- "role evaluation: user '%s' does NOT have role '%s'\n",
- ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo->clientDn, ebuf),
- role);
+ if (slapi_is_loglevel_set(SLAPI_LOG_ACL)) {
+ char ebuf[BUFSIZ];
+ if (rc == ACL_TRUE ) {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "role evaluation: user '%s' does have role '%s'\n",
+ ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo->clientDn, ebuf), role);
+ } else {
+ slapi_log_error(SLAPI_LOG_ACL, plugin_name,
+ "role evaluation: user '%s' does NOT have role '%s'\n",
+ ACL_ESCAPE_STRING_WITH_PUNCTUATION (lasinfo->clientDn, ebuf), role);
+ }
}
return(rc);
}
diff --git a/ldap/servers/plugins/acl/aclutil.c b/ldap/servers/plugins/acl/aclutil.c
index 308cf8b..b0e9d71 100644
--- a/ldap/servers/plugins/acl/aclutil.c
+++ b/ldap/servers/plugins/acl/aclutil.c
@@ -165,14 +165,13 @@ void
aclutil_print_err (int rv , const Slapi_DN *sdn, const struct berval* val,
char **errbuf)
{
- char ebuf [BUFSIZ];
+ char ebuf[BUFSIZ];
/*
* The maximum size of line is ebuf_size + the log message
* itself (less than 200 characters for all but potentially ACL_INVALID_TARGET)
*/
- char line [BUFSIZ + 200];
- char str [1024];
- const char *dn;
+ char line[BUFSIZ + 200];
+ char str[1024];
char *lineptr = line;
char *newline = NULL;
@@ -185,68 +184,71 @@ aclutil_print_err (int rv , const Slapi_DN *sdn, const struct berval* val,
str[0] = '\0';
}
- dn = slapi_sdn_get_dn ( sdn );
- if (dn && (rv == ACL_INVALID_TARGET) && ((strlen(dn) + strlen(str)) > BUFSIZ)) {
- /*
- * if (str_length + dn_length + 200 char message) > (BUFSIZ + 200) line
- * we have to make space for a bigger line...
- */
- newline = slapi_ch_malloc(strlen(dn) + strlen(str) + 200);
- lineptr = newline;
- }
-
switch (rv) {
case ACL_TARGET_FILTER_ERR:
- sprintf (line, "ACL Internal Error(%d): "
+ sprintf (lineptr, "ACL Internal Error(%d): "
"Error in generating the target filter for the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_TARGETATTR_FILTER_ERR:
- sprintf (line, "ACL Internal Error(%d): "
+ sprintf (lineptr, "ACL Internal Error(%d): "
"Error in generating the targetattr filter for the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_TARGETFILTER_ERR:
- sprintf (line, "ACL Internal Error(%d): "
+ sprintf (lineptr, "ACL Internal Error(%d): "
"Error in generating the targetfilter filter for the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_SYNTAX_ERR:
- sprintf (line, "ACL Syntax Error(%d):%s\n",
+ sprintf (lineptr, "ACL Syntax Error(%d):%s\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_ONEACL_TEXT_ERR:
- sprintf (line, "ACL Syntax Error in the Bind Rules(%d):%s\n",
+ sprintf (lineptr, "ACL Syntax Error in the Bind Rules(%d):%s\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_ERR_CONCAT_HANDLES:
- sprintf (line, "ACL Internal Error(%d): "
+ sprintf (lineptr, "ACL Internal Error(%d): "
"Error in Concatenating List handles\n",
rv);
break;
case ACL_INVALID_TARGET:
+ {
+ size_t newsize;
+ const char *dn = slapi_sdn_get_dn(sdn);
+ newsize = strlen(dn) + strlen(str) + 200;
+ if (dn && (newsize > sizeof(line))) {
+ /*
+ * if (str_length + dn_length + 200 char message) > (BUFSIZ + 200) line
+ * we have to make space for a bigger line...
+ */
+ newline = slapi_ch_malloc(newsize);
+ lineptr = newline;
+ }
sprintf (lineptr, "ACL Invalid Target Error(%d): "
"Target is beyond the scope of the ACL(SCOPE:%s)",
rv, dn ? escape_string_with_punctuation (dn, ebuf) : "NULL");
sprintf (lineptr + strlen(lineptr), " %s\n", escape_string_with_punctuation (str, ebuf));
break;
+ }
case ACL_INVALID_AUTHMETHOD:
- sprintf (line, "ACL Multiple auth method Error(%d):"
+ sprintf (lineptr, "ACL Multiple auth method Error(%d):"
"Multiple Authentication Metod in the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_INVALID_AUTHORIZATION:
- sprintf (line, "ACL Syntax Error(%d):"
+ sprintf (lineptr, "ACL Syntax Error(%d):"
"Invalid Authorization statement in the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
case ACL_INCORRECT_ACI_VERSION:
- sprintf (line, "ACL Syntax Error(%d):"
+ sprintf (lineptr, "ACL Syntax Error(%d):"
"Incorrect version Number in the ACL(%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
default:
- sprintf (line, "ACL Internal Error(%d):"
+ sprintf (lineptr, "ACL Internal Error(%d):"
"ACL generic error (%s)\n",
rv, escape_string_with_punctuation (str, ebuf));
break;
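Review bot: `strlen(dn)` at L1257 runs before the `dn &&` test at L1258, so a NULL dn — which the code still anticipates at L1268 with the "NULL" fallback — now dereferences NULL, whereas the removed lines tested dn first. Compute the size guarded: `const char *dn = slapi_sdn_get_dn(sdn);` / `size_t newsize = (dn ? strlen(dn) : 0) + strlen(str) + 200;` / `if (newsize > sizeof(line)) {`. Separately, newsize is derived from the unescaped lengths while both operands pass through escape_string_with_punctuation before the unbounded sprintf calls at L1266-L1269; if escaping can expand its input (its implementation is not visible here), the heap buffer can still be overrun, so carrying the size of lineptr alongside it and using snprintf on this path would make the sizing defensive rather than exact. aclutil_print_err continues past the hunk.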
@@ -254,7 +256,7 @@ aclutil_print_err (int rv , const Slapi_DN *sdn, const struct berval* val,
if (errbuf) {
/* If a buffer is provided, then copy the error */
- aclutil_str_append(errbuf, lineptr );
+ aclutil_str_append(errbuf, lineptr);
}
slapi_log_error( SLAPI_LOG_FATAL, plugin_name, "%s", lineptr);
diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
index 88f2a1d..1a491ef 100644
--- a/ldap/servers/plugins/replication/repl5_connection.c
+++ b/ldap/servers/plugins/replication/repl5_connection.c
@@ -2190,7 +2190,6 @@ static void
repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel)
{
char buf[20];
- char msg[SLAPI_DSE_RETURNTEXT_SIZE];
if (eqctx && !*setlevel) {
(void)slapi_eq_cancel(eqctx);
@@ -2199,7 +2198,7 @@ repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel)
if (s_debug_timeout && s_debug_level && *setlevel) {
void config_set_errorlog_level(const char *type, char *buf, char *msg, int apply);
sprintf(buf, "%d", 0);
- config_set_errorlog_level("nsslapd-errorlog-level", buf, msg, 1);
+ config_set_errorlog_level("nsslapd-errorlog-level", buf, NULL, 1);
}
}
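Review bot: Passing NULL as the message buffer at L1319 is safe only if config_set_errorlog_level never writes to it directly; the commit text says slapi_create_errormsg skips a NULL destination, but any `errorbuf[0] = '\0'`-style write inside the setter would crash, so the callee's NULL tolerance should be stated on its prototype, e.g. `/* errorbuf may be NULL: no message is produced */`. The local prototype at L1316 (and at L1324) declares the function as returning void, while windows_connection.c at L1345 and L1353 notes that the declaration from slap.h is used instead; if slap.h declares a different signature, the local one is a conflicting redeclaration, so prefer dropping it and relying on the header as the other file does. The same NULL argument is passed at L1330, L1348 and L1360.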
@@ -2209,11 +2208,10 @@ repl5_debug_timeout_callback(time_t when, void *arg)
int *setlevel = (int *)arg;
void config_set_errorlog_level(const char *type, char *buf, char *msg, int apply);
char buf[20];
- char msg[SLAPI_DSE_RETURNTEXT_SIZE];
*setlevel = 1;
sprintf(buf, "%d", s_debug_level);
- config_set_errorlog_level("nsslapd-errorlog-level", buf, msg, 1);
+ config_set_errorlog_level("nsslapd-errorlog-level", buf, NULL, 1);
slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
"repl5_debug_timeout_callback: set debug level to %d at %ld\n",
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index cab3715..1ac753d 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -2029,7 +2029,6 @@ static void
repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel)
{
char buf[20];
- char msg[SLAPI_DSE_RETURNTEXT_SIZE];
LDAPDebug( LDAP_DEBUG_TRACE, "=> repl5_stop_debug_timeout\n", 0, 0, 0 );
@@ -2040,7 +2039,7 @@ repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel)
if (s_debug_timeout && s_debug_level && *setlevel) {
/* No longer needed as we are including the one in slap.h */
sprintf(buf, "%d", 0);
- config_set_errorlog_level("nsslapd-errorlog-level", buf, msg, 1);
+ config_set_errorlog_level("nsslapd-errorlog-level", buf, NULL, 1);
}
LDAPDebug( LDAP_DEBUG_TRACE, "<= repl5_stop_debug_timeout\n", 0, 0, 0 );
@@ -2052,13 +2051,12 @@ repl5_debug_timeout_callback(time_t when, void *arg)
int *setlevel = (int *)arg;
/* No longer needed as we are including the one in slap.h */
char buf[20];
- char msg[SLAPI_DSE_RETURNTEXT_SIZE];
LDAPDebug( LDAP_DEBUG_TRACE, "=> repl5_debug_timeout_callback\n", 0, 0, 0 );
*setlevel = 1;
sprintf(buf, "%d", s_debug_level);
- config_set_errorlog_level("nsslapd-errorlog-level", buf, msg, 1);
+ config_set_errorlog_level("nsslapd-errorlog-level", buf, NULL, 1);
slapi_log_error(SLAPI_LOG_FATAL, windows_repl_plugin_name,
"repl5_debug_timeout_callback: set debug level to %d at %ld\n",
diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
index 4bcbb38..427448a 100644
--- a/ldap/servers/plugins/retrocl/retrocl.c
+++ b/ldap/servers/plugins/retrocl/retrocl.c
@@ -189,7 +189,7 @@ static int retrocl_select_backend(void)
Slapi_Backend *be = NULL;
Slapi_Entry *referral = NULL;
Slapi_Operation *op = NULL;
- char errbuf[BUFSIZ];
+ char errbuf[SLAPI_DSE_RETURNTEXT_SIZE];
pb = slapi_pblock_new();
@@ -204,19 +204,19 @@ static int retrocl_select_backend(void)
slapi_pblock_set(pb,SLAPI_OPERATION, op);
err = slapi_mapping_tree_select(pb,&be,&referral,errbuf);
- slapi_entry_free(referral);
+ slapi_entry_free(referral);
if (err != LDAP_SUCCESS || be == NULL || be == defbackend_get_backend()) {
- LDAPDebug2Args(LDAP_DEBUG_TRACE,"Mapping tree select failed (%d) %s.\n",
- err,errbuf);
-
- /* could not find the backend for cn=changelog, either because
- * it doesn't exist
- * mapping tree not registered.
- */
- err = retrocl_create_config();
+ slapi_log_error(SLAPI_LOG_FATAL, RETROCL_PLUGIN_NAME,
+ "Mapping tree select failed (%d) %s.\n", err, errbuf);
+
+ /* could not find the backend for cn=changelog, either because
+ * it doesn't exist
+ * mapping tree not registered.
+ */
+ err = retrocl_create_config();
- if (err != LDAP_SUCCESS) return err;
+ if (err != LDAP_SUCCESS) return err;
} else {
retrocl_be_changelog = be;
}
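Review bot: errbuf is declared at L1372 but not initialized before slapi_mapping_tree_select at L1376, and the new slapi_log_error at L1388-L1389 prints it whenever err != LDAP_SUCCESS, be == NULL or be is the default backend; on the latter two conditions the call may have returned success without writing errbuf, so uninitialized stack contents are logged. Add `errbuf[0] = '\0';` before the call. This branch is also the expected path on a fresh instance — the comment at L1391-L1394 says cn=changelog simply does not exist yet and retrocl_create_config creates it — so raising it from LDAP_DEBUG_TRACE to SLAPI_LOG_FATAL will alarm operators on every first start; log at SLAPI_LOG_FATAL only when err != LDAP_SUCCESS and keep SLAPI_LOG_TRACE for the backend-absent case. retrocl_select_backend begins before the hunk.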
diff --git a/ldap/servers/plugins/syntaxes/string.c b/ldap/servers/plugins/syntaxes/string.c
index 666016f..149663b 100644
--- a/ldap/servers/plugins/syntaxes/string.c
+++ b/ldap/servers/plugins/syntaxes/string.c
@@ -196,7 +196,6 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
size_t tmpbufsize;
char pat[BUFSIZ];
char buf[BUFSIZ];
- char ebuf[BUFSIZ];
time_t curtime = 0;
time_t time_up = 0;
time_t optime = 0; /* time op was initiated */
@@ -327,9 +326,9 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
pat, p, re_result?re_result:"unknown" );
rc = LDAP_OPERATIONS_ERROR;
goto bailout;
- } else {
- LDAPDebug( LDAP_DEBUG_TRACE, "re_comp (%s)\n",
- escape_string( p, ebuf ), 0, 0 );
+ } else if (slapi_is_loglevel_set(SLAPI_LOG_TRACE)) {
+ char ebuf[BUFSIZ];
+ LDAPDebug(LDAP_DEBUG_TRACE, "re_comp (%s)\n", escape_string(p, ebuf), 0, 0);
}
}
@@ -375,8 +374,10 @@ string_filter_sub( Slapi_PBlock *pb, char *initial, char **any, char *final,
tmprc = slapi_re_exec( re, realval, time_up );
}
- LDAPDebug( LDAP_DEBUG_TRACE, "re_exec (%s) %i\n",
- escape_string( realval, ebuf ), tmprc, 0 );
+ if (slapi_is_loglevel_set(SLAPI_LOG_TRACE)) {
+ char ebuf[BUFSIZ];
+ LDAPDebug(LDAP_DEBUG_TRACE, "re_exec (%s) %i\n", escape_string(realval, ebuf), tmprc, 0);
+ }
if ( tmprc == 1 ) {
rc = 0;
break;
diff --git a/ldap/servers/slapd/add.c b/ldap/servers/slapd/add.c
index 5e50025..1d34d95 100644
--- a/ldap/servers/slapd/add.c
+++ b/ldap/servers/slapd/add.c
@@ -150,9 +150,9 @@ do_add( Slapi_PBlock *pb )
normtype = slapi_attr_syntax_normalize(type);
if ( !normtype || !*normtype ) {
- char ebuf[ BUFSIZ ];
+ char ebuf[SLAPI_DSE_RETURNTEXT_SIZE];
rc = LDAP_INVALID_SYNTAX;
- PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type);
+ slapi_create_errormsg(ebuf, 0, "invalid type '%s'", type);
op_shared_log_error_access (pb, "ADD", slapi_sdn_get_dn (slapi_entry_get_sdn_const(e)), ebuf);
send_ldap_result( pb, rc, NULL, ebuf, 0, NULL );
slapi_ch_free_string(&type);
@@ -423,7 +423,7 @@ static void op_shared_add (Slapi_PBlock *pb)
char *pwdtype = NULL;
Slapi_Attr *attr = NULL;
Slapi_Entry *referral;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
struct slapdplugin *p = NULL;
char *proxydn = NULL;
char *proxystr = NULL;
diff --git a/ldap/servers/slapd/attr.c b/ldap/servers/slapd/attr.c
index 2b319f0..06fa6a4 100644
--- a/ldap/servers/slapd/attr.c
+++ b/ldap/servers/slapd/attr.c
@@ -942,14 +942,13 @@ attr_check_onoff ( const char *attr_name, char *value, long minval, long maxval,
{
int retVal = LDAP_SUCCESS;
- if ( strcasecmp ( value, "on" ) != 0 &&
- strcasecmp ( value, "off") != 0 &&
- strcasecmp ( value, "1" ) != 0 &&
- strcasecmp ( value, "0" ) != 0 &&
- strcasecmp ( value, "true" ) != 0 &&
- strcasecmp ( value, "false" ) != 0 ) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "%s: invalid value \"%s\".", attr_name, value );
+ if (strcasecmp ( value, "on" ) != 0 &&
+ strcasecmp ( value, "off") != 0 &&
+ strcasecmp ( value, "1" ) != 0 &&
+ strcasecmp ( value, "0" ) != 0 &&
+ strcasecmp ( value, "true" ) != 0 &&
+ strcasecmp ( value, "false" ) != 0 ) {
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid value \"%s\".", attr_name, value);
retVal = LDAP_CONSTRAINT_VIOLATION;
}
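Review bot: `slapi_create_errormsg(errorbuf, 0, ...)` at L1482 replaces an explicit BUFSIZ bound with the size-0 convention from the commit description, but errorbuf is a `char *` parameter here, so the callee cannot measure it: if slapi_create_errormsg is a function, 0 must map to a fixed SLAPI_DSE_RETURNTEXT_SIZE, and if it is a macro applying sizeof to its argument it would bound the write at pointer size — worth confirming against its definition, which is not on the page. Either way every caller of attr_check_onoff and attr_check_minmax must now pass at least SLAPI_DSE_RETURNTEXT_SIZE bytes or a write past the end results; record that on the parameter, e.g. `/* errorbuf: NULL, or a buffer of at least SLAPI_DSE_RETURNTEXT_SIZE bytes */`. The same applies to the hunk at L1492 and to the ldbm_config.c setters at L1611, L1624, L1634 and L1645, whose errorbuf is likewise a pointer parameter. attr_check_onoff begins before the hunk.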
@@ -965,9 +964,7 @@ attr_check_minmax ( const char *attr_name, char *value, long minval, long maxval
val = strtol(value, NULL, 0);
if ( (minval != -1 ? (val < minval ? 1 : 0) : 0) ||
(maxval != -1 ? (val > maxval ? 1 : 0) : 0) ) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "%s: invalid value \"%s\".",
- attr_name, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid value \"%s\".", attr_name, value);
retVal = LDAP_CONSTRAINT_VIOLATION;
}
diff --git a/ldap/servers/slapd/back-ldbm/import-threads.c b/ldap/servers/slapd/back-ldbm/import-threads.c
index ae603bc..d279056 100644
--- a/ldap/servers/slapd/back-ldbm/import-threads.c
+++ b/ldap/servers/slapd/back-ldbm/import-threads.c
@@ -1761,7 +1761,7 @@ upgradedn_producer(void *param)
if (NULL == dn_norm_sp_conflicts) {
char buf[BUFSIZ];
int my_max = 8;
- while (fgets(buf, BUFSIZ-1, job->upgradefd)) {
+ while (fgets(buf, sizeof(buf)-1, job->upgradefd)) {
/* search "OID0: OID1 OID2 ... */
if (!isdigit(*buf) || (NULL == PL_strchr(buf, ':'))) {
continue;
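Review bot: `fgets(buf, sizeof(buf)-1, ...)` at L1504 under-uses the buffer by one byte — fgets already reserves room for the terminator, so `fgets(buf, sizeof(buf), job->upgradefd)` is the full-size form; the -1 is harmless but suggests the bound is misunderstood. The `sizeof(tmpbuf)` comparisons at L1512, L1521, L1526, L1534, L1543 and L1548 are correct only if tmpbuf is an array in dse_conf_backup_core (its declaration is outside those hunks); if it were a pointer, sizeof would yield pointer size, and if `l` is a signed int the comparison against size_t also warrants a cast to avoid sign-compare warnings in a commit whose purpose is warning cleanup. upgradedn_producer begins before the hunk.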
@@ -3535,7 +3535,7 @@ dse_conf_backup_core(struct ldbminfo *li, char *dest_dir, char *file_name, char
LDAPDebug(LDAP_DEBUG_TRACE, "\ndn: %s\n",
slapi_entry_get_dn_const(*ep), 0, 0);
- if (l <= BUFSIZ)
+ if (l <= sizeof(tmpbuf))
tp = tmpbuf;
else
tp = (char *)slapi_ch_malloc(l); /* should be very rare ... */
@@ -3547,11 +3547,11 @@ dse_conf_backup_core(struct ldbminfo *li, char *dest_dir, char *file_name, char
"dse_conf_backup(%s): write %s failed: %d (%s)\n",
filter, PR_GetError(), slapd_pr_strerror(PR_GetError()));
rval = -1;
- if (l > BUFSIZ)
+ if (l > sizeof(tmpbuf))
slapi_ch_free_string(&tp);
goto out;
}
- if (l > BUFSIZ)
+ if (l > sizeof(tmpbuf))
slapi_ch_free_string(&tp);
for (slapi_entry_first_attr(*ep, &attr); attr;
@@ -3574,7 +3574,7 @@ dse_conf_backup_core(struct ldbminfo *li, char *dest_dir, char *file_name, char
l = strlen(attr_val->bv_val) + attr_name_len + 3; /* : \n" */
LDAPDebug(LDAP_DEBUG_TRACE, "%s: %s\n", attr_name,
attr_val->bv_val, 0);
- if (l <= BUFSIZ)
+ if (l <= sizeof(tmpbuf))
tp = tmpbuf;
else
tp = (char *)slapi_ch_malloc(l);
@@ -3586,11 +3586,11 @@ dse_conf_backup_core(struct ldbminfo *li, char *dest_dir, char *file_name, char
"dse_conf_backup(%s): write %s failed: %d (%s)\n",
filter, PR_GetError(), slapd_pr_strerror(PR_GetError()));
rval = -1;
- if (l > BUFSIZ)
+ if (l > sizeof(tmpbuf))
slapi_ch_free_string(&tp);
goto out;
}
- if (l > BUFSIZ)
+ if (l > sizeof(tmpbuf))
slapi_ch_free_string(&tp);
}
}
@@ -3980,19 +3980,18 @@ _get_import_entryusn(ImportJob *job, Slapi_Value **usn_value)
/* import_init value is not digit.
* Use the counter which stores the old DB's
* next entryusn. */
- PR_snprintf(counter_buf, USN_COUNTER_BUF_LEN,
- "%" NSPRIu64,
- slapi_counter_get_value(be->be_usn_counter));
+ PR_snprintf(counter_buf, sizeof(counter_buf),
+ "%" NSPRIu64, slapi_counter_get_value(be->be_usn_counter));
} else {
/* import_init value is digit.
* Initialize the entryusn values with the digit */
- PR_snprintf(counter_buf, USN_COUNTER_BUF_LEN, "%s", usn_init_str);
+ PR_snprintf(counter_buf, sizeof(counter_buf), "%s", usn_init_str);
}
slapi_ch_free_string(&usn_init_str);
} else {
/* nsslapd-entryusn-import-init is not defined */
/* Initialize to 0 by default */
- PR_snprintf(counter_buf, USN_COUNTER_BUF_LEN, "0");
+ PR_snprintf(counter_buf, sizeof(counter_buf), "0");
}
usn_berval.bv_val = counter_buf;
usn_berval.bv_len = strlen(usn_berval.bv_val);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index 341fdff..58ab9a0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -73,11 +73,9 @@ int ldbm_config_add_dse_entries(struct ldbminfo *li, char **entries, char *strin
rc = slapi_add_internal_pb(util_pb);
slapi_pblock_get(util_pb, SLAPI_PLUGIN_INTOP_RESULT, &result);
if (!rc && (result == LDAP_SUCCESS)) {
- LDAPDebug(LDAP_DEBUG_CONFIG, "Added database config entry [%s]\n",
- ebuf, 0, 0);
+ LDAPDebug1Arg(LDAP_DEBUG_CONFIG, "Added database config entry [%s]\n", ebuf);
} else if (result == LDAP_ALREADY_EXISTS) {
- LDAPDebug(LDAP_DEBUG_TRACE, "Database config entry [%s] already exists - skipping\n",
- ebuf, 0, 0);
+ LDAPDebug1Arg(LDAP_DEBUG_TRACE, "Database config entry [%s] already exists - skipping\n", ebuf);
} else {
LDAPDebug(LDAP_DEBUG_ANY, "Unable to add config entry [%s] to the DSE: %d %d\n",
ebuf, result, rc);
@@ -294,7 +292,9 @@ static int ldbm_config_directory_set(void *arg, void *value, char *errorbuf, int
char *val = (char *) value;
char tmpbuf[BUFSIZ];
- errorbuf[0] = '\0';
+ if (errorbuf) {
+ errorbuf[0] = '\0';
+ }
if (!apply) {
/* we should really do some error checking here. */
@@ -425,10 +425,8 @@ static int ldbm_config_dbcachesize_set(void *arg, void *value, char *errorbuf, i
} else if (val > li->li_dbcachesize) {
delta = val - li->li_dbcachesize;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: dbcachememsize value is too large.");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: dbcachememsize value is too large.\n",
- 0, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: dbcachememsize value is too large.");
+ LDAPDebug0Args(LDAP_DEBUG_ANY,"Error: dbcachememsize value is too large.\n");
return LDAP_UNWILLING_TO_PERFORM;
}
}
@@ -499,10 +497,8 @@ static int ldbm_config_dbncache_set(void *arg, void *value, char *errorbuf, int
if (val > li->li_dbncache) {
delta = val - li->li_dbncache;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: dbncache size value is too large.");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: dbncache size value is too large.\n",
- val, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: dbncache size value is too large.");
+ LDAPDebug1Arg(LDAP_DEBUG_ANY,"Error: dbncache size value is too large.\n", val);
return LDAP_UNWILLING_TO_PERFORM;
}
}
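Review bot: The new `LDAPDebug1Arg(LDAP_DEBUG_ANY,"Error: dbncache size value is too large.\n", val);` passes `val` to a format string that has no conversion specifier, so the argument is unused; the dbcachesize hunk just above uses `LDAPDebug0Args` for the same shape of message. Either drop the argument — `LDAPDebug0Args(LDAP_DEBUG_ANY, "Error: dbncache size value is too large.\n");` — or put the value into the message so the log is actually more useful. The same unused argument appears in the db cachesize hunk further down (`LDAPDebug1Arg(LDAP_DEBUG_ANY,"Error: db cachesize value is too large.\n", val);`).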
@@ -784,7 +780,7 @@ static int ldbm_config_db_old_idl_maxids_set(void *arg, void *value, char *error
if(val >= 0){
li->li_old_idl_maxids = val;
} else {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ slapi_create_errormsg(errorbuf, 0,
"Error: Invalid value for %s (%d). Value must be equal or greater than zero.",
CONFIG_DB_OLD_IDL_MAXIDS, val);
return LDAP_UNWILLING_TO_PERFORM;
@@ -848,10 +844,11 @@ static int ldbm_config_db_trickle_percentage_set(void *arg, void *value, char *e
int val = (int) ((uintptr_t)value);
if (val < 0 || val > 100) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: Invalid value for %s (%d). Must be between 0 and 100\n", CONFIG_DB_TRICKLE_PERCENTAGE, val);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", errorbuf, 0, 0);
- return LDAP_UNWILLING_TO_PERFORM;
+ slapi_create_errormsg(errorbuf, 0, "Error: Invalid value for %s (%d). Must be between 0 and 100\n",
+ CONFIG_DB_TRICKLE_PERCENTAGE, val);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Error: Invalid value for %s (%d). Must be between 0 and 100\n",
+ CONFIG_DB_TRICKLE_PERCENTAGE, val);
+ return LDAP_UNWILLING_TO_PERFORM;
}
if (apply) {
@@ -1081,10 +1078,8 @@ static int ldbm_config_db_cache_set(void *arg, void *value, char *errorbuf, int
if (val > li->li_dblayer_private->dblayer_cache_config) {
delta = val - li->li_dblayer_private->dblayer_cache_config;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: db cachesize value is too large");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: db cachesize value is too large.\n",
- val, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: db cachesize value is too large");
+ LDAPDebug1Arg(LDAP_DEBUG_ANY,"Error: db cachesize value is too large.\n", val);
return LDAP_UNWILLING_TO_PERFORM;
}
}
@@ -1214,10 +1209,8 @@ static int ldbm_config_import_cachesize_set(void *arg, void *value, char *errorb
if (val > li->li_import_cachesize) {
delta = val - li->li_import_cachesize;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: import cachesize value is too large.");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: import cachesize value is too large.\n",
- 0, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: import cachesize value is too large.");
+ LDAPDebug0Args(LDAP_DEBUG_ANY,"Error: import cachesize value is too large.\n");
return LDAP_UNWILLING_TO_PERFORM;
}
}
@@ -1478,17 +1471,19 @@ static int ldbm_config_db_deadlock_policy_set(void *arg, void *value, char *erro
u_int32_t val = (u_int32_t) ((uintptr_t)value);
if (val > DB_LOCK_YOUNGEST) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ slapi_create_errormsg(errorbuf, 0,
"Error: Invalid value for %s (%d). Must be between %d and %d inclusive",
CONFIG_DB_DEADLOCK_POLICY, val, DB_LOCK_DEFAULT, DB_LOCK_YOUNGEST);
- LDAPDebug1Arg(LDAP_DEBUG_ANY, "%s\n", errorbuf);
+ LDAPDebug(LDAP_DEBUG_ANY, "Error: Invalid value for deadlock policy (%d). Must be between %d and %d inclusive",
+ val, DB_LOCK_DEFAULT, DB_LOCK_YOUNGEST);
return LDAP_UNWILLING_TO_PERFORM;
}
if (val == DB_LOCK_NORUN) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ slapi_create_errormsg(errorbuf, 0,
"Warning: Setting value for %s to (%d) will disable deadlock detection",
CONFIG_DB_DEADLOCK_POLICY, val);
- LDAPDebug1Arg(LDAP_DEBUG_ANY, "%s\n", errorbuf);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Warning: Setting value for %s to (%d) will disable deadlock detection",
+ CONFIG_DB_DEADLOCK_POLICY, val);
}
if (apply) {
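Review bot: The two rewritten LDAPDebug messages in this hunk drop the trailing newline that the old `"%s\n"` form had, so these entries will run into the next line of the error log. Append `\n` to both format strings, e.g. `LDAPDebug(LDAP_DEBUG_ANY, "Error: Invalid value for deadlock policy (%d). Must be between %d and %d inclusive\n",` and `LDAPDebug2Args(LDAP_DEBUG_ANY, "Warning: Setting value for %s to (%d) will disable deadlock detection\n",`. The logged text also no longer names the attribute (`CONFIG_DB_DEADLOCK_POLICY`) while the client-facing message does, so the two can drift apart; logging the formatted errorbuf, as the old code did, avoids that. The function body continues outside the hunk.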
@@ -1907,15 +1902,15 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
config = get_config_info(config_array, attr_name);
if (NULL == config) {
LDAPDebug(LDAP_DEBUG_CONFIG, "Unknown config attribute %s\n", attr_name, 0, 0);
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Unknown config attribute %s\n", attr_name);
+ slapi_create_errormsg(err_buf, 0, "Unknown config attribute %s\n", attr_name);
return LDAP_SUCCESS; /* Ignore unknown attributes */
}
/* Some config attrs can't be changed while the server is running. */
if (phase == CONFIG_PHASE_RUNNING &&
!(config->config_flags & CONFIG_FLAG_ALLOW_RUNNING_CHANGE)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "%s can't be modified while the server is running.\n", attr_name);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
+ LDAPDebug1Arg(LDAP_DEBUG_ANY, "%s can't be modified while the server is running.\n", attr_name);
+ slapi_create_errormsg(err_buf, 0, "%s can't be modified while the server is running.\n", attr_name);
return LDAP_UNWILLING_TO_PERFORM;
}
@@ -1933,9 +1928,7 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
previously set to a non-default value */
if (SLAPI_IS_MOD_ADD(mod_op) && apply_mod &&
(config->config_flags & CONFIG_FLAG_PREVIOUSLY_SET)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE,
- "cannot add a value to single valued attribute %s.\n",
- attr_name);
+ slapi_create_errormsg(err_buf, 0, "cannot add a value to single valued attribute %s.\n", attr_name);
return LDAP_OBJECT_CLASS_VIOLATION;
}
}
@@ -1946,9 +1939,8 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
char buf[BUFSIZ];
ldbm_config_get(arg, config, buf);
if (PL_strncmp(buf, bval->bv_val, bval->bv_len)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE,
- "value [%s] for attribute %s does not match existing value [%s].\n",
- bval->bv_val, attr_name, buf);
+ slapi_create_errormsg(err_buf, 0,
+ "value [%s] for attribute %s does not match existing value [%s].\n", bval->bv_val, attr_name, buf);
return LDAP_NO_SUCH_ATTRIBUTE;
}
}
@@ -1964,21 +1956,22 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
llval = db_atoi(str_val, &err);
/* check for parsing error (e.g. not a number) */
if (err) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is not a number\n",
- str_val, attr_name);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is not a number\n", str_val, attr_name);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Error: value %s for attr %s is not a number\n", str_val, attr_name);
return LDAP_UNWILLING_TO_PERFORM;
/* check for overflow */
} else if (LL_CMP(llval, >, llmaxint)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is greater than the maximum %d\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is greater than the maximum %d\n",
+ str_val, attr_name, maxint);
+ LDAPDebug(LDAP_DEBUG_ANY, "Error: value %s for attr %s is greater than the maximum %d\n",
str_val, attr_name, maxint);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
/* check for underflow */
} else if (LL_CMP(llval, <, llminint)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is less than the minimum %d\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is less than the minimum %d\n",
+ str_val, attr_name, minint);
+ LDAPDebug(LDAP_DEBUG_ANY, "Error: value %s for attr %s is less than the minimum %d\n",
str_val, attr_name, minint);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
}
/* convert 64 bit value to 32 bit value */
@@ -2003,21 +1996,24 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
llval = db_atoi(str_val, &err);
/* check for parsing error (e.g. not a number) */
if (err) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is not a number\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is not a number\n",
+ str_val, attr_name);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Error: value %s for attr %s is not a number\n",
str_val, attr_name);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
/* check for overflow */
} else if (LL_CMP(llval, >, llmaxint)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is greater than the maximum %d\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is greater than the maximum %d\n",
+ str_val, attr_name, maxint);
+ LDAPDebug(LDAP_DEBUG_ANY, "Error: value %s for attr %s is greater than the maximum %d\n",
str_val, attr_name, maxint);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
/* check for underflow */
} else if (LL_CMP(llval, <, llminint)) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is less than the minimum %d\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is less than the minimum %d\n",
+ str_val, attr_name, minint);
+ LDAPDebug(LDAP_DEBUG_ANY, "Error: value %s for attr %s is less than the minimum %d\n",
str_val, attr_name, minint);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
}
/* convert 64 bit value to 32 bit value */
@@ -2036,15 +2032,17 @@ int ldbm_config_set(void *arg, char *attr_name, config_info *config_array, struc
/* check for parsing error (e.g. not a number) */
if (err == EINVAL) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is not a number\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is not a number\n",
+ str_val, attr_name);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Error: value %s for attr %s is not a number\n",
str_val, attr_name);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
/* check for overflow */
} else if (err == ERANGE) {
- PR_snprintf(err_buf, SLAPI_DSE_RETURNTEXT_SIZE, "Error: value %s for attr %s is outside the range of representable values\n",
+ slapi_create_errormsg(err_buf, 0, "Error: value %s for attr %s is outside the range of representable values\n",
+ str_val, attr_name);
+ LDAPDebug2Args(LDAP_DEBUG_ANY, "Error: value %s for attr %s is outside the range of representable values\n",
str_val, attr_name);
- LDAPDebug(LDAP_DEBUG_ANY, "%s", err_buf, 0, 0);
return LDAP_UNWILLING_TO_PERFORM;
}
retval = config->config_set_fn(arg, (void *) sz_val, err_buf, phase, apply_mod);
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
index e469414..2506261 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c
@@ -109,10 +109,8 @@ ldbm_instance_config_cachememsize_set(void *arg, void *value, char *errorbuf, in
if (val > inst->inst_cache.c_maxsize) {
delta = val - inst->inst_cache.c_maxsize;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: cachememsize value is too large.");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: cachememsize value is too large.\n",
- 0, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: cachememsize value is too large.");
+ LDAPDebug0Args(LDAP_DEBUG_ANY, "Error: cachememsize value is too large.\n");
return LDAP_UNWILLING_TO_PERFORM;
}
}
@@ -153,10 +151,8 @@ ldbm_instance_config_dncachememsize_set(void *arg, void *value, char *errorbuf,
if (val > inst->inst_dncache.c_maxsize) {
delta = val - inst->inst_dncache.c_maxsize;
if (!util_is_cachesize_sane(&delta)){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Error: dncachememsize value is too large.");
- LDAPDebug( LDAP_DEBUG_ANY,"Error: dncachememsize value is too large.\n",
- 0, 0, 0);
+ slapi_create_errormsg(errorbuf, 0, "Error: dncachememsize value is too large.");
+ LDAPDebug0Args(LDAP_DEBUG_ANY,"Error: dncachememsize value is too large.\n");
return LDAP_UNWILLING_TO_PERFORM;
}
}
@@ -311,10 +307,9 @@ void
ldbm_instance_config_setup_default(ldbm_instance *inst)
{
config_info *config;
- char err_buf[BUFSIZ];
for (config = ldbm_instance_config; config->config_name != NULL; config++) {
- ldbm_config_set((void *)inst, config->config_name, ldbm_instance_config, NULL /* use default */, err_buf, CONFIG_PHASE_INITIALIZATION, 1 /* apply */, LDAP_MOD_REPLACE);
+ ldbm_config_set((void *)inst, config->config_name, ldbm_instance_config, NULL /* use default */, NULL, CONFIG_PHASE_INITIALIZATION, 1 /* apply */, LDAP_MOD_REPLACE);
}
}
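Review bot: Passing `NULL` as err_buf to ldbm_config_set makes every setter reached through `config->config_set_fn` responsible for tolerating a NULL errorbuf; the ldbm_config_directory_set hunk in ldbm_config.c adds exactly that guard (`if (errorbuf) { errorbuf[0] = '\0'; }`), but the other setters in the ldbm_instance_config table are not visible here, and any remaining direct `PR_snprintf(errorbuf, ...)` or `errorbuf[0] = ...` in one of them would dereference NULL during instance setup. A short comment on the call would record the assumption for the next maintainer: `/* err_buf NULL: every config_set_fn must accept a NULL errorbuf (slapi_create_errormsg is expected to) */`.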
@@ -440,7 +435,7 @@ parse_ldbm_instance_config_entry(ldbm_instance *inst, Slapi_Entry *e, config_inf
char *attr_name = NULL;
Slapi_Value *sval = NULL;
struct berval *bval;
- char err_buf[BUFSIZ];
+ char err_buf[SLAPI_DSE_RETURNTEXT_SIZE];
slapi_attr_get_type(attr, &attr_name);
@@ -833,7 +828,7 @@ out:
void
ldbm_instance_config_internal_set(ldbm_instance *inst, char *attrname, char *value)
{
- char err_buf[BUFSIZ];
+ char err_buf[SLAPI_DSE_RETURNTEXT_SIZE];
struct berval bval;
bval.bv_val = value;
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index f81edfb..0a630ac 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -100,7 +100,7 @@ do_bind( Slapi_PBlock *pb )
Slapi_DN *sdn = NULL;
int bind_sdn_in_pb = 0; /* is sdn set in the pb? */
Slapi_Entry *referral;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
char **supported, **pmech;
char authtypebuf[256]; /* >26 (strlen(SLAPD_AUTH_SASL)+SASL_MECHNAMEMAX+1) */
Slapi_Entry *bind_target_entry = NULL;
@@ -655,7 +655,7 @@ do_bind( Slapi_PBlock *pb )
}
/* We could be serving multiple database backends. Select the appropriate one */
- if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
+ if (slapi_mapping_tree_select(pb, &be, &referral, NULL) != LDAP_SUCCESS) {
send_nobackend_ldap_result( pb );
be = NULL;
goto free_and_return;
@@ -685,7 +685,7 @@ do_bind( Slapi_PBlock *pb )
Slapi_DN *pb_sdn;
slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &pb_sdn);
if (!pb_sdn) {
- PR_snprintf(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set NULL dn\n");
+ slapi_create_errormsg(errorbuf, 0, "Pre-bind plug-in set NULL dn\n");
send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL);
goto free_and_return;
} else if ((pb_sdn != sdn) || (sdn_updated = slapi_sdn_compare(original_sdn, pb_sdn))) {
@@ -696,7 +696,7 @@ do_bind( Slapi_PBlock *pb )
sdn = pb_sdn;
dn = slapi_sdn_get_dn(sdn);
if (!dn) {
- PR_snprintf(errorbuf, sizeof(errorbuf), "Pre-bind plug-in set corrupted dn\n");
+ slapi_create_errormsg(errorbuf, 0, "Pre-bind plug-in set corrupted dn\n");
send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL);
goto free_and_return;
}
@@ -710,7 +710,7 @@ do_bind( Slapi_PBlock *pb )
slapi_be_Rlock(be);
slapi_pblock_set( pb, SLAPI_BACKEND, be );
} else {
- PR_snprintf(errorbuf, sizeof(errorbuf), "No matching backend for %s\n", dn);
+ slapi_create_errormsg(errorbuf, 0, "No matching backend for %s\n", dn);
send_ldap_result(pb, LDAP_OPERATIONS_ERROR, NULL, errorbuf, 0, NULL);
goto free_and_return;
}
diff --git a/ldap/servers/slapd/compare.c b/ldap/servers/slapd/compare.c
index 88b803c..36a5be8 100644
--- a/ldap/servers/slapd/compare.c
+++ b/ldap/servers/slapd/compare.c
@@ -41,7 +41,7 @@ do_compare( Slapi_PBlock *pb )
int err;
Slapi_DN sdn;
Slapi_Entry *referral = NULL;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
LDAPDebug( LDAP_DEBUG_TRACE, "do_compare\n", 0, 0, 0 );
diff --git a/ldap/servers/slapd/config.c b/ldap/servers/slapd/config.c
index c25a586..fd31b7b 100644
--- a/ldap/servers/slapd/config.c
+++ b/ldap/servers/slapd/config.c
@@ -122,7 +122,7 @@ slapd_bootstrap_config(const char *configdir)
int done = 0;
PRInt32 nr = 0;
PRFileDesc *prfd = 0;
- char returntext[SLAPI_DSE_RETURNTEXT_SIZE] = "";
+ char returntext[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
char *buf = 0;
char *lastp = 0;
char *entrystr = 0;
@@ -198,7 +198,7 @@ slapd_bootstrap_config(const char *configdir)
slapi_sdn_init_ndn_byref(&plug_dn, PLUGIN_BASE_DN);
while ((entrystr = dse_read_next_entry(buf, &lastp)) != NULL)
{
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
/*
* XXXmcs: it would be better to also pass
* SLAPI_STR2ENTRY_REMOVEDUPVALS in the flags, but
diff --git a/ldap/servers/slapd/daemon.c b/ldap/servers/slapd/daemon.c
index 91ad13e..b6113c8 100644
--- a/ldap/servers/slapd/daemon.c
+++ b/ldap/servers/slapd/daemon.c
@@ -442,7 +442,6 @@ disk_mon_check_diskspace(char **dirs, PRUint64 threshold, PRUint64 *disk_space)
void
disk_monitoring_thread(void *nothing)
{
- char errorbuf[BUFSIZ];
char **dirs = NULL;
char *dirstr = NULL;
PRUint64 previous_mark = 0;
@@ -553,7 +552,7 @@ disk_monitoring_thread(void *nothing)
/* Setting the log level back to zero, actually sets the value to LDAP_DEBUG_ANY */
config_set_errorlog_level(CONFIG_LOGLEVEL_ATTRIBUTE,
STRINGIFYDEFINE(SLAPD_DEFAULT_ERRORLOG_LEVEL),
- errorbuf, CONFIG_APPLY);
+ NULL, CONFIG_APPLY);
continue;
}
/*
diff --git a/ldap/servers/slapd/delete.c b/ldap/servers/slapd/delete.c
index d3c4d8a..b2d8408 100644
--- a/ldap/servers/slapd/delete.c
+++ b/ldap/servers/slapd/delete.c
@@ -225,7 +225,7 @@ static void op_shared_delete (Slapi_PBlock *pb)
Slapi_Operation *operation;
Slapi_Entry *referral;
Slapi_Entry *ecopy = NULL;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
int err;
char *proxydn = NULL;
char *proxystr = NULL;
diff --git a/ldap/servers/slapd/detach.c b/ldap/servers/slapd/detach.c
index f7750f1..b5af952 100644
--- a/ldap/servers/slapd/detach.c
+++ b/ldap/servers/slapd/detach.c
@@ -52,7 +52,6 @@ detach( int slapd_exemode, int importexport_encrypt,
char *workingdir = 0;
char *errorlog = 0;
char *ptr = 0;
- char errorbuf[BUFSIZ];
extern char *config_get_errorlog(void);
if ( should_detach ) {
@@ -92,12 +91,12 @@ detach( int slapd_exemode, int importexport_encrypt,
*ptr = 0;
}
(void) chdir( errorlog );
- config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, errorbuf, 1);
+ config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, errorlog, NULL, 1);
slapi_ch_free_string(&errorlog);
}
} else {
/* calling config_set_workingdir to check for validity of directory, don't apply */
- if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, errorbuf, 0) == LDAP_OPERATIONS_ERROR) {
+ if (config_set_workingdir(CONFIG_WORKINGDIR_ATTRIBUTE, workingdir, NULL, 0) == LDAP_OPERATIONS_ERROR) {
return 1;
}
(void) chdir( workingdir );
diff --git a/ldap/servers/slapd/dn.c b/ldap/servers/slapd/dn.c
index a972f00..5f795cc 100644
--- a/ldap/servers/slapd/dn.c
+++ b/ldap/servers/slapd/dn.c
@@ -2804,8 +2804,6 @@ ndn_cache_init()
void
ndn_cache_destroy()
{
- char *errorbuf = NULL;
-
if(!ndn_started){
return;
}
@@ -2818,11 +2816,11 @@ ndn_cache_destroy()
ndn_cache_lock = NULL;
}
if(ndn_cache_hashtable){
- ndn_cache_free();
+ ndn_cache_free();
PL_HashTableDestroy(ndn_cache_hashtable);
ndn_cache_hashtable = NULL;
}
- config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", errorbuf, 1 );
+ config_set_ndn_cache_enabled(CONFIG_NDN_CACHE, "off", NULL, 1 );
slapi_counter_destroy(&ndn_cache->cache_hits);
slapi_counter_destroy(&ndn_cache->cache_tries);
slapi_counter_destroy(&ndn_cache->cache_misses);
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 7bbf10e..dffd67e 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -1814,8 +1814,7 @@ config_value_is_null( const char *attrname, const char *value, char *errorbuf,
int or_zero_length )
{
if ( NULL == value || ( or_zero_length && *value == '\0' )) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: deleting the value is not allowed.", attrname );
+ slapi_create_errormsg(errorbuf, 0, "%s: deleting the value is not allowed.", attrname);
return 1;
}
@@ -1870,9 +1869,9 @@ config_set_disk_threshold( const char *attrname, char *value, char *errorbuf, in
errno = 0;
threshold = strtoll(value, &endp, 10);
if ( *endp != '\0' || threshold <= 4096 || errno == ERANGE ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid, threshold must be greater than 4096 and less then %lld",
- attrname, value, (long long int)LONG_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid, threshold must be greater than 4096 and less then %lld",
+ attrname, value, (long long int)LONG_MAX);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -1911,8 +1910,8 @@ config_set_disk_grace_period( const char *attrname, char *value, char *errorbuf,
period = strtol(value, &endp, 10);
if ( *endp != '\0' || period < 1 || errno == ERANGE ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is invalid, grace period must be at least 1 minute",
- attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid, grace period must be at least 1 minute", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -1948,8 +1947,7 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf,
size = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n", attrname, value);
return retVal;
}
@@ -1957,8 +1955,8 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf,
size = 0; /* same as -1 */
}
if(size > 0 && size < 1024000){
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "ndn_cache_max_size too low(%d), changing to "
- "%d bytes.\n",(int)size, NDN_DEFAULT_SIZE);
+ slapi_create_errormsg(errorbuf, 0,
+ "ndn_cache_max_size too low(%d), changing to %d bytes.\n",(int)size, NDN_DEFAULT_SIZE);
size = NDN_DEFAULT_SIZE;
}
if(apply){
@@ -1982,14 +1980,14 @@ config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, in
size = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n", attrname, value);
return retVal;
}
if(size < default_size){
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%ld), "
- "setting to default value (%ld).\n",size, default_size);
+ slapi_create_errormsg(errorbuf, 0,
+ "nsslapd-sasl-max-buffer-size is too low (%ld), setting to default value (%ld).\n",
+ size, default_size);
size = default_size;
}
if(apply){
@@ -2027,10 +2025,9 @@ config_set_port( const char *attrname, char *port, char *errorbuf, int apply ) {
nPort = strtol(port, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nPort > LDAP_PORT_MAX || nPort < 0 ) {
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid, ports must range from 0 to %d",
- attrname, port, LDAP_PORT_MAX );
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid, ports must range from 0 to %d", attrname, port, LDAP_PORT_MAX);
+ return retVal;
}
if ( nPort == 0 ) {
@@ -2063,9 +2060,8 @@ config_set_secureport( const char *attrname, char *port, char *errorbuf, int app
nPort = strtol(port, &endp, 10);
if (*endp != '\0' || errno == ERANGE || nPort > LDAP_PORT_MAX || nPort <= 0 ) {
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid, ports must range from 1 to %d",
- attrname, port, LDAP_PORT_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid, ports must range from 1 to %d", attrname, port, LDAP_PORT_MAX);
}
if (apply) {
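Review bot: The error branch in config_set_secureport sets `retVal = LDAP_OPERATIONS_ERROR` but, unlike the config_set_port hunk directly above, does not `return retVal;`, so execution continues into `if (apply)` and — unless the part of the function after this hunk re-checks retVal — an unparsable or out-of-range value is stored as the secure port. This is pre-existing behaviour that the rewrite preserves rather than a regression, but adding `return retVal;` after the slapi_create_errormsg call would make the two port setters consistent and fail closed on invalid input. The function body continues outside the hunk.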
@@ -2077,7 +2073,7 @@ config_set_secureport( const char *attrname, char *port, char *errorbuf, int app
}
return retVal;
}
-
+
int
config_set_SSLclientAuth( const char *attrname, char *value, char *errorbuf, int apply ) {
@@ -2093,9 +2089,7 @@ config_set_SSLclientAuth( const char *attrname, char *value, char *errorbuf, int
strcasecmp (value, "allowed") != 0 &&
strcasecmp (value, "required")!= 0 ) {
retVal = LDAP_OPERATIONS_ERROR;
- if( errorbuf )
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: unsupported value: %s", attrname, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: unsupported value: %s", attrname, value);
return retVal;
}
else if ( !apply ) {
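Review bot: The explicit `if( errorbuf )` guard in front of the message formatting is dropped here and in the next hunk of config_set_SSLclientAuth, so NULL-safety now rests entirely inside slapi_create_errormsg, whose definition is not in this chunk. That is the same assumption made by the new NULL-passing callers in daemon.c, detach.c and dn.c; it should be stated on slapi_create_errormsg itself (e.g. `/* errorbuf may be NULL; the message is then discarded */`) so a later change to that function cannot silently reintroduce a NULL dereference on the config-update path.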
@@ -2116,9 +2110,7 @@ config_set_SSLclientAuth( const char *attrname, char *value, char *errorbuf, int
}
else {
retVal = LDAP_OPERATIONS_ERROR;
- if( errorbuf )
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: unsupported value: %s", attrname, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: unsupported value: %s", attrname, value);
}
CFG_UNLOCK_WRITE(slapdFrontendConfig);
@@ -2198,9 +2190,10 @@ config_set_snmp_index(const char *attrname, char *value, char *errorbuf, int app
snmp_index = strtol(value, &endp, 10);
if (*endp != '\0' || errno == ERANGE || snmp_index < snmp_index_disable) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", %s must be greater or equal to %lu (%lu means disabled)",
- attrname, value, CONFIG_SNMP_INDEX_ATTRIBUTE, snmp_index_disable, snmp_index_disable);
- retVal = LDAP_OPERATIONS_ERROR;
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", %s must be greater or equal to %lu (%lu means disabled)",
+ attrname, value, CONFIG_SNMP_INDEX_ATTRIBUTE, snmp_index_disable, snmp_index_disable);
+ retVal = LDAP_OPERATIONS_ERROR;
}
}
@@ -2461,7 +2454,7 @@ config_set_sizelimit( const char *attrname, char *value, char *errorbuf, int app
sizelimit = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || sizelimit < -1 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is invalid, sizelimit must range from -1 to %lld",
+ slapi_create_errormsg(errorbuf, 0, "%s: \"%s\" is invalid, sizelimit must range from -1 to %lld",
attrname, value, (long long int)LONG_MAX );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
@@ -2505,8 +2498,9 @@ config_set_pagedsizelimit( const char *attrname, char *value, char *errorbuf, in
pagedsizelimit = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || pagedsizelimit < -1 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: \"%s\" is invalid, pagedsizelimit must range from -1 to %lld",
- attrname, value, (long long int)LONG_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid, pagedsizelimit must range from -1 to %lld",
+ attrname, value, (long long int)LONG_MAX );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -2545,16 +2539,14 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf,
new_scheme = pw_name2scheme(value);
if ( new_scheme == NULL) {
- if ( scheme_list != NULL ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid scheme - %s. Valid schemes are: %s",
- attrname, value, scheme_list );
- } else {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid scheme - %s (no pwdstorage scheme"
- " plugin loaded)",
- attrname, value);
- }
+ if ( scheme_list != NULL ) {
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid scheme - %s. Valid schemes are: %s",
+ attrname, value, scheme_list );
+ } else {
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid scheme - %s (no pwdstorage scheme plugin loaded)",
+ attrname, value);
+ }
retVal = LDAP_OPERATIONS_ERROR;
slapi_ch_free_string(&scheme_list);
return retVal;
@@ -2566,9 +2558,9 @@ config_set_pw_storagescheme( const char *attrname, char *value, char *errorbuf,
directory already encrypted. The scheme cannot and don't encrypt password if
they are in clear. We don't take it */
- if ( scheme_list != NULL ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "pw_storagescheme: invalid encoding scheme - %s\nValid values are: %s\n", value, scheme_list );
+ if (scheme_list) {
+ slapi_create_errormsg(errorbuf, 0,
+ "pw_storagescheme: invalid encoding scheme - %s\nValid values are: %s\n", value, scheme_list);
}
retVal = LDAP_UNWILLING_TO_PERFORM;
slapi_ch_free_string(&scheme_list);
@@ -2728,16 +2720,14 @@ config_set_pw_minlength( const char *attrname, char *value, char *errorbuf, int
minLength = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minLength < 2 || minLength > 512 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum length \"%s\" is invalid. "
- "The minimum length must range from 2 to 512.",
- value );
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum length \"%s\" is invalid. The minimum length must range from 2 to 512.", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
if ( apply ) {
- CFG_LOCK_WRITE(slapdFrontendConfig);
+ CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->pw_policy.pw_minlength = minLength;
@@ -2763,12 +2753,11 @@ config_set_pw_mindigits( const char *attrname, char *value, char *errorbuf, int
minDigits = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minDigits < 0 || minDigits > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of digits \"%s\" is invalid. "
- "The minimum number of digits must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of digits \"%s\" is invalid. "
+ "The minimum number of digits must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2798,12 +2787,11 @@ config_set_pw_minalphas( const char *attrname, char *value, char *errorbuf, int
minAlphas = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minAlphas < 0 || minAlphas > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of alphas \"%s\" is invalid. "
- "The minimum number of alphas must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of alphas \"%s\" is invalid. "
+ "The minimum number of alphas must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2832,13 +2820,12 @@ config_set_pw_minuppers( const char *attrname, char *value, char *errorbuf, int
errno = 0;
minUppers = strtol(value, &endp, 10);
- if ( *endp != '\0' || errno == ERANGE || minUppers < 0 || minUppers > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of uppercase characters \"%s\" is invalid. "
- "The minimum number of uppercase characters must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ if ( *endp != '\0' || errno == ERANGE || minUppers < 0 || minUppers > 64 ) {
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of uppercase characters \"%s\" is invalid. "
+ "The minimum number of uppercase characters must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2868,12 +2855,11 @@ config_set_pw_minlowers( const char *attrname, char *value, char *errorbuf, int
minLowers = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minLowers < 0 || minLowers > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of lowercase characters \"%s\" is invalid. "
- "The minimum number of lowercase characters must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of lowercase characters \"%s\" is invalid. "
+ "The minimum number of lowercase characters must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2903,12 +2889,11 @@ config_set_pw_minspecials( const char *attrname, char *value, char *errorbuf, in
minSpecials = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minSpecials < 0 || minSpecials > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of special characters \"%s\" is invalid. "
- "The minimum number of special characters must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of special characters \"%s\" is invalid. "
+ "The minimum number of special characters must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2938,12 +2923,11 @@ config_set_pw_min8bit( const char *attrname, char *value, char *errorbuf, int ap
min8bit = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || min8bit < 0 || min8bit > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of 8-bit characters \"%s\" is invalid. "
- "The minimum number of 8-bit characters must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of 8-bit characters \"%s\" is invalid. "
+ "The minimum number of 8-bit characters must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -2973,12 +2957,11 @@ config_set_pw_maxrepeats( const char *attrname, char *value, char *errorbuf, int
maxRepeats = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || maxRepeats < 0 || maxRepeats > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password maximum number of repeated characters \"%s\" is invalid. "
- "The maximum number of repeated characters must range from 0 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password maximum number of repeated characters \"%s\" is invalid. "
+ "The maximum number of repeated characters must range from 0 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -3008,12 +2991,11 @@ config_set_pw_mincategories( const char *attrname, char *value, char *errorbuf,
minCategories = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minCategories < 1 || minCategories > 5 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum number of categories \"%s\" is invalid. "
- "The minimum number of categories must range from 1 to 5.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum number of categories \"%s\" is invalid. "
+ "The minimum number of categories must range from 1 to 5.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -3043,12 +3025,11 @@ config_set_pw_mintokenlength( const char *attrname, char *value, char *errorbuf,
minTokenLength = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || minTokenLength < 1 || minTokenLength > 64 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password minimum token length \"%s\" is invalid. "
- "The minimum token length must range from 1 to 64.",
- value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "password minimum token length \"%s\" is invalid. "
+ "The minimum token length must range from 1 to 64.", value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -3078,10 +3059,8 @@ config_set_pw_maxfailure( const char *attrname, char *value, char *errorbuf, int
maxFailure = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || maxFailure <= 0 || maxFailure > 32767 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password maximum retry \"%s\" is invalid. "
- "Password maximum failure must range from 1 to 32767",
- value );
+ slapi_create_errormsg(errorbuf, 0,
+ "password maximum retry \"%s\" is invalid. Password maximum failure must range from 1 to 32767", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3115,10 +3094,8 @@ config_set_pw_inhistory( const char *attrname, char *value, char *errorbuf, int
history = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || history < 1 || history > 24 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password history length \"%s\" is invalid. "
- "The password history must range from 1 to 24",
- value );
+ slapi_create_errormsg(errorbuf, 0,
+ "password history length \"%s\" is invalid. The password history must range from 1 to 24", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3151,9 +3128,7 @@ config_set_pw_lockduration( const char *attrname, char *value, char *errorbuf, i
duration = parse_duration(value);
if ( errno == ERANGE || duration <= 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password lockout duration \"%s\" is invalid. ",
- value );
+ slapi_create_errormsg(errorbuf, 0, "password lockout duration \"%s\" is invalid. ", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
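Review bot: The converted message `"password lockout duration \"%s\" is invalid. "` keeps a trailing space inside the diagnostic text, while the same commit drops that trailing space from the maximum-age and minimum-age messages (`"... is invalid."`). Since this text is returned to the client verbatim, the two forms should agree; suggest `"password lockout duration \"%s\" is invalid."` here and in config_set_pw_resetfailurecount. The enclosing function starts and ends outside the hunk.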
@@ -3182,9 +3157,7 @@ config_set_pw_resetfailurecount( const char *attrname, char *value, char *errorb
duration = parse_duration(value);
if ( errno == ERANGE || duration < 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password reset count duration \"%s\" is invalid. ",
- value );
+ slapi_create_errormsg(errorbuf, 0, "password reset count duration \"%s\" is invalid. ", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3326,9 +3299,9 @@ config_set_pw_gracelimit( const char *attrname, char *value, char *errorbuf, int
gracelimit = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || gracelimit < 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "password grace limit \"%s\" is invalid, password grace limit must range from 0 to %lld",
- value , (long long int)LONG_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "password grace limit \"%s\" is invalid, password grace limit must range from 0 to %lld",
+ value , (long long int)LONG_MAX);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3549,9 +3522,8 @@ config_set_onoff(const char *attrname, char *value, int *configvalue, char *erro
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
if (strcasecmp(value, "on") && strcasecmp(value, "off")) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".",
- attrname, value );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\". Valid values are \"on\" or \"off\".", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -3753,10 +3725,9 @@ config_set_rootpw( const char *attrname, char *value, char *errorbuf, int apply
/* pwd enc func returns slapi_ch_malloc memory */
slapdFrontendConfig->rootpw = (slapdFrontendConfig->rootpwstoragescheme->pws_enc)(value);
} else {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password scheme mismatch (passwd scheme is %s; "
- "password is clear text)", attrname,
- slapdFrontendConfig->rootpwstoragescheme->pws_name);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: password scheme mismatch (passwd scheme is %s; password is clear text)",
+ attrname, slapdFrontendConfig->rootpwstoragescheme->pws_name);
retVal = LDAP_PARAM_ERROR;
}
@@ -3769,25 +3740,25 @@ int
config_set_rootpwstoragescheme( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- struct pw_scheme *new_scheme = NULL;
+ struct pw_scheme *new_scheme = NULL;
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
- new_scheme = pw_name2scheme ( value );
+ new_scheme = pw_name2scheme ( value );
if (new_scheme == NULL ) {
+ if (errorbuf) {
char * scheme_list = plugin_get_pwd_storage_scheme_list(PLUGIN_LIST_PWD_STORAGE_SCHEME);
- if ( scheme_list != NULL ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid scheme - %s. Valid schemes are: %s",
+ if ( scheme_list ) {
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid scheme - %s. Valid schemes are: %s",
attrname, value, scheme_list );
} else {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid scheme - %s (no pwdstorage scheme"
- " plugin loaded)", attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid scheme - %s (no pwdstorage scheme plugin loaded)", attrname, value);
}
slapi_ch_free_string(&scheme_list);
+ }
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
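Review bot: The new `if (errorbuf) {` guard in config_set_rootpwstoragescheme wraps the scheme_list block, but the wrapped lines `char * scheme_list = ...`, `if ( scheme_list ) {` and `slapi_ch_free_string(&scheme_list);` keep their old indentation, so the guard's extent is hard to read; re-indent that block one level. The guard itself is worth keeping because it avoids building and freeing the scheme list when nobody will read the message, even though this same commit removes equivalent NULL checks in config_set_schemareplace and config_set_default_naming_context, which suggests slapi_create_errormsg tolerates a NULL errorbuf. The function body continues past the hunk.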
@@ -3863,12 +3834,12 @@ config_set_workingdir( const char *attrname, char *value, char *errorbuf, int ap
}
if ( PR_Access ( value, PR_ACCESS_EXISTS ) != 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Working directory \"%s\" does not exist.", value );
+ slapi_create_errormsg(errorbuf, 0, "Working directory \"%s\" does not exist.", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
if ( PR_Access ( value, PR_ACCESS_WRITE_OK ) != 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Working directory \"%s\" is not writeable.", value );
+ slapi_create_errormsg(errorbuf, 0, "Working directory \"%s\" is not writeable.", value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -3918,7 +3889,8 @@ config_set_threadnumber( const char *attrname, char *value, char *errorbuf, int
threadnum = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || threadnum < 1 || threadnum > 65535 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", maximum thread number must range from 1 to 65535", attrname, value );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", maximum thread number must range from 1 to 65535", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -3947,7 +3919,9 @@ config_set_maxthreadsperconn( const char *attrname, char *value, char *errorbuf,
maxthreadnum = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || maxthreadnum < 1 || maxthreadnum > 65535 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", maximum thread number per connection must range from 1 to 65535", attrname, value );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", maximum thread number per connection must range from 1 to 65535",
+ attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -3973,7 +3947,7 @@ config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, in
char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
+
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
@@ -3986,15 +3960,15 @@ config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, in
nValue = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nValue < 1 || nValue > maxVal ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", maximum "
- "file descriptors must range from 1 to %d (the current process limit). "
- "Server will use a setting of %d.", attrname, value, maxVal, maxVal);
- if ( nValue > maxVal ) {
- nValue = maxVal;
- retVal = LDAP_UNWILLING_TO_PERFORM;
- } else {
- retVal = LDAP_OPERATIONS_ERROR;
- }
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", maximum file descriptors must range from 1 to %d (the current process limit). "
+ "Server will use a setting of %d.", attrname, value, maxVal, maxVal);
+ if ( nValue > maxVal ) {
+ nValue = maxVal;
+ retVal = LDAP_UNWILLING_TO_PERFORM;
+ } else {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
}
if (apply) {
@@ -4014,7 +3988,7 @@ config_set_conntablesize( const char *attrname, char *value, char *errorbuf, int
char *endp = NULL;
struct rlimit rlp;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
+
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
@@ -4027,15 +4001,15 @@ config_set_conntablesize( const char *attrname, char *value, char *errorbuf, int
nValue = strtol(value, &endp, 0);
if ( *endp != '\0' || errno == ERANGE || nValue < 1 || nValue > maxVal ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", connection table "
- "size must range from 1 to %d (the current process maxdescriptors limit). "
- "Server will use a setting of %d.", attrname, value, maxVal, maxVal );
- if ( nValue > maxVal) {
- nValue = maxVal;
- retVal = LDAP_UNWILLING_TO_PERFORM;
- } else {
- retVal = LDAP_OPERATIONS_ERROR;
- }
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", connection table size must range from 1 to %d (the current process maxdescriptors limit). "
+ "Server will use a setting of %d.", attrname, value, maxVal, maxVal );
+ if ( nValue > maxVal) {
+ nValue = maxVal;
+ retVal = LDAP_UNWILLING_TO_PERFORM;
+ } else {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
}
if (apply) {
@@ -4069,15 +4043,15 @@ config_set_reservedescriptors( const char *attrname, char *value, char *errorbuf
nValue = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nValue < 1 || nValue > maxVal ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", reserved file "
- "descriptors must range from 1 to %d (the current process maxdescriptors limit). "
- "Server will use a setting of %d.", attrname, value, maxVal, maxVal );
- if ( nValue > maxVal) {
- nValue = maxVal;
- retVal = LDAP_UNWILLING_TO_PERFORM;
- } else {
- retVal = LDAP_OPERATIONS_ERROR;
- }
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", reserved file descriptors must range from 1 to %d (the current process maxdescriptors limit). "
+ "Server will use a setting of %d.", attrname, value, maxVal, maxVal);
+ if ( nValue > maxVal) {
+ nValue = maxVal;
+ retVal = LDAP_UNWILLING_TO_PERFORM;
+ } else {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
}
if (apply) {
@@ -4089,8 +4063,6 @@ config_set_reservedescriptors( const char *attrname, char *value, char *errorbuf
}
-
-
int
config_set_ioblocktimeout( const char *attrname, char *value, char *errorbuf, int apply ) {
int retVal = LDAP_SUCCESS;
@@ -4107,10 +4079,10 @@ config_set_ioblocktimeout( const char *attrname, char *value, char *errorbuf, in
nValue = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nValue < 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", I/O block timeout must range from 0 to %lld",
- attrname, value, (long long int)LONG_MAX );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid value \"%s\", I/O block timeout must range from 0 to %lld",
+ attrname, value, (long long int)LONG_MAX);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -4134,7 +4106,7 @@ config_set_idletimeout( const char *attrname, char *value, char *errorbuf, int a
char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
+
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
@@ -4143,10 +4115,10 @@ config_set_idletimeout( const char *attrname, char *value, char *errorbuf, int a
nValue = strtol(value, &endp, 10);
if (*endp != '\0' || errno == ERANGE || nValue < 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: invalid value \"%s\", idle timeout must range from 0 to %lld",
- attrname, value, (long long int)LONG_MAX );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid value \"%s\", idle timeout must range from 0 to %lld",
+ attrname, value, (long long int)LONG_MAX);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if (apply) {
@@ -4167,7 +4139,7 @@ config_set_groupevalnestlevel( const char *attrname, char * value, char *errorbu
char *endp = NULL;
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
-
+
if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
return LDAP_OPERATIONS_ERROR;
}
@@ -4176,11 +4148,10 @@ config_set_groupevalnestlevel( const char *attrname, char * value, char *errorbu
nValue = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nValue < 0 || nValue > 5 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\", group eval nest level must range from 0 to 5",
- attrname, value );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", group eval nest level must range from 0 to 5", attrname, value);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
@@ -4235,8 +4206,6 @@ config_set_timelimit( const char *attrname, char *value, char *errorbuf, int app
Slapi_Backend *be = NULL;
char *cookie;
- *errorbuf = 0;
-
if ( config_value_is_null( attrname, value, errorbuf, 1 )) {
return LDAP_OPERATIONS_ERROR;
}
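Review bot: Dropping `*errorbuf = 0;` at the top of config_set_timelimit changes what a caller sees on success: the buffer is no longer cleared, so a caller that inspects `errorbuf[0]` instead of the return code can read text left over from an earlier call. The removal does avoid a NULL dereference when errorbuf is NULL, which is presumably the motivation. If callers keyed off the buffer exist they should clear it before the call, as this commit does with `errorbuf[0] = '\0';` in config_set_accesslog_enabled; otherwise a short comment noting that errorbuf is written only on error would document the new contract. The rest of the function is outside this hunk.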
@@ -4245,11 +4214,11 @@ config_set_timelimit( const char *attrname, char *value, char *errorbuf, int app
nVal = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || nVal < -1 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\", time limit must range from -1 to %lld",
- attrname, value, (long long int)LONG_MAX );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", time limit must range from -1 to %lld",
+ attrname, value, (long long int)LONG_MAX );
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -4260,7 +4229,7 @@ config_set_timelimit( const char *attrname, char *value, char *errorbuf, int app
while (be) {
be->be_timelimit = slapdFrontendConfig->timelimit;
be = slapi_get_next_backend (cookie);
- }
+ }
CFG_UNLOCK_WRITE(slapdFrontendConfig);
slapi_ch_free ((void **)&cookie);
@@ -4298,10 +4267,9 @@ config_set_accesslog( const char *attrname, char *value, char *errorbuf, int app
retVal = log_update_accesslogdir ( value, apply );
- if ( retVal != LDAP_SUCCESS ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Cannot open accesslog directory \"%s\", client accesses will "
- "not be logged.", value );
+ if (retVal != LDAP_SUCCESS) {
+ slapi_create_errormsg(errorbuf, 0,
+ "Cannot open accesslog directory \"%s\", client accesses will not be logged.", value);
}
if ( apply ) {
@@ -4325,12 +4293,10 @@ config_set_errorlog( const char *attrname, char *value, char *errorbuf, int appl
retVal = log_update_errorlogdir ( value, apply );
if ( retVal != LDAP_SUCCESS ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Cannot open errorlog file \"%s\", errors cannot be logged. Exiting...",
- value );
+ slapi_create_errormsg(errorbuf, 0,
+ "Cannot open errorlog file \"%s\", errors cannot be logged. Exiting...", value);
syslog(LOG_ERR,
- "Cannot open errorlog file \"%s\", errors cannot be logged. Exiting...",
- value );
+ "Cannot open errorlog file \"%s\", errors cannot be logged. Exiting...", value);
g_set_shutdown( SLAPI_SHUTDOWN_EXIT );
}
@@ -4354,9 +4320,8 @@ config_set_auditlog( const char *attrname, char *value, char *errorbuf, int appl
retVal = log_update_auditlogdir ( value, apply );
- if ( retVal != LDAP_SUCCESS ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Cannot open auditlog directory \"%s\"", value );
+ if (retVal != LDAP_SUCCESS) {
+ slapi_create_errormsg(errorbuf, 0, "Cannot open auditlog directory \"%s\"", value);
}
if ( apply ) {
@@ -4379,9 +4344,8 @@ config_set_auditfaillog( const char *attrname, char *value, char *errorbuf, int
retVal = log_update_auditfaillogdir ( value, apply );
- if ( retVal != LDAP_SUCCESS ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "Cannot open auditfaillog directory \"%s\"", value );
+ if (retVal != LDAP_SUCCESS) {
+ slapi_create_errormsg(errorbuf, 0, "Cannot open auditfaillog directory \"%s\"", value);
}
if ( apply ) {
@@ -4409,9 +4373,7 @@ config_set_pw_maxage( const char *attrname, char *value, char *errorbuf, int app
age = parse_duration(value);
if ( age <= 0 || age > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password maximum age \"%s\" is invalid. ",
- attrname, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: password maximum age \"%s\" is invalid.", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -4436,9 +4398,7 @@ config_set_pw_minage( const char *attrname, char *value, char *errorbuf, int app
/* age in seconds */
age = parse_duration(value);
if ( age < 0 || age > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password minimum age \"%s\" is invalid. ",
- attrname, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: password minimum age \"%s\" is invalid.", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -4465,10 +4425,10 @@ config_set_pw_warning( const char *attrname, char *value, char *errorbuf, int ap
sec = parse_duration(value);
if (errno == ERANGE || sec < 0) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: password warning age \"%s\" is invalid, password warning "
- "age must range from 0 to %lld seconds",
- attrname, value, (long long int)LONG_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: password warning age \"%s\" is invalid, password warning "
+ "age must range from 0 to %lld seconds",
+ attrname, value, (long long int)LONG_MAX );
retVal = LDAP_OPERATIONS_ERROR;
return retVal;
}
@@ -4497,11 +4457,11 @@ config_set_errorlog_level( const char *attrname, char *value, char *errorbuf, in
level = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || level < 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: error log level \"%s\" is invalid,"
- " error log level must range from 0 to %lld",
- attrname, value, (long long int)LONG_MAX );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0, "%s: error log level \"%s\" is invalid,"
+ " error log level must range from 0 to %lld",
+ attrname, value, (long long int)LONG_MAX);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -4532,11 +4492,11 @@ config_set_accesslog_level( const char *attrname, char *value, char *errorbuf, i
level = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE || level < 0 ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: access log level \"%s\" is invalid,"
- " access log level must range from 0 to %lld",
- attrname, value, (long long int)LONG_MAX );
- retVal = LDAP_OPERATIONS_ERROR;
- return retVal;
+ slapi_create_errormsg(errorbuf, 0, "%s: access log level \"%s\" is invalid,"
+ " access log level must range from 0 to %lld",
+ attrname, value, (long long int)LONG_MAX);
+ retVal = LDAP_OPERATIONS_ERROR;
+ return retVal;
}
if ( apply ) {
@@ -4553,17 +4513,17 @@ int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, in
{
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- slapdFrontendConfig->refer_mode=REFER_MODE_OFF;
+ slapdFrontendConfig->refer_mode=REFER_MODE_OFF;
if ((!url) || (!url[0])) {
- strcpy(errorbuf, "referral url must have a value");
- return LDAP_OPERATIONS_ERROR;
+ slapi_create_errormsg(errorbuf, 0, "referral url must have a value");
+ return LDAP_OPERATIONS_ERROR;
}
if (apply) {
- CFG_LOCK_WRITE(slapdFrontendConfig);
- slapdFrontendConfig->refer_url = slapi_ch_strdup(url);
- slapdFrontendConfig->refer_mode = REFER_MODE_ON;
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->refer_url = slapi_ch_strdup(url);
+ slapdFrontendConfig->refer_mode = REFER_MODE_ON;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
}
return LDAP_SUCCESS;
}
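Review bot: `slapdFrontendConfig->refer_mode=REFER_MODE_OFF;` at the top of config_set_referral_mode runs before the url check, outside CFG_LOCK_WRITE and regardless of `apply`, so a validation-only call or a call with an empty url switches referrals off as a side effect while the function still returns LDAP_OPERATIONS_ERROR. The `if (apply)` block also stores a fresh `slapi_ch_strdup(url)` in `refer_url` without releasing the previous string, which leaks on every re-set. If the early assignment is the intended way of turning referral mode off when the attribute is deleted, that deserves a comment; otherwise move it under the lock inside the apply block and add `slapi_ch_free_string(&slapdFrontendConfig->refer_url);` before the strdup, as this file already does for scheme_list.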
@@ -4573,8 +4533,8 @@ config_set_versionstring( const char *attrname, char *version, char *errorbuf, i
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
if ((!version) || (!version[0])) {
- PL_strncpyz(errorbuf, "versionstring must have a value", SLAPI_DSE_RETURNTEXT_SIZE);
- return LDAP_OPERATIONS_ERROR;
+ slapi_create_errormsg(errorbuf, 0, "versionstring must have a value");
+ return LDAP_OPERATIONS_ERROR;
}
if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
@@ -5949,9 +5909,8 @@ config_set_maxbersize( const char *attrname, char *value, char *errorbuf, int ap
errno = 0;
size = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n",attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
return retVal;
}
@@ -6015,9 +5974,9 @@ config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int
}
if (retVal != LDAP_SUCCESS) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid. Value must range from -1 to %lld",
- attrname, value, (long long int)LONG_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid. Value must range from -1 to %lld",
+ attrname, value, (long long int)LONG_MAX);
} else if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->maxsasliosize = maxsasliosize;
@@ -6069,9 +6028,8 @@ config_set_localssf( const char *attrname, char *value, char *errorbuf, int appl
}
if (retVal != LDAP_SUCCESS) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid. Value must range from 0 to %d",
- attrname, value, INT_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid. Value must range from 0 to %d", attrname, value, INT_MAX);
} else if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->localssf = localssf;
@@ -6112,9 +6070,8 @@ config_set_minssf( const char *attrname, char *value, char *errorbuf, int apply
}
if (retVal != LDAP_SUCCESS) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%s\" is invalid. Value must range from 0 to %d",
- attrname, value, INT_MAX );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%s\" is invalid. Value must range from 0 to %d", attrname, value, INT_MAX);
} else if (apply) {
CFG_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->minssf = minssf;
@@ -6190,9 +6147,8 @@ config_set_max_filter_nest_level( const char *attrname, char *value,
errno = 0;
level = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) " "is invalid\n",attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
return retVal;
}
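Review bot: The converted message in config_set_max_filter_nest_level still carries the split literal `"(%s) value (%s) " "is invalid\n"` and a trailing newline, which ends up in the LDAP result's diagnostic text sent to the client rather than in a log line. The adjacent-literal split is a leftover of the old multi-line PR_snprintf call, and the other messages converted in this commit are single literals with no newline. Suggest `slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid", attrname, value);`; the same trailing `\n` survives in config_set_maxbersize, config_set_outbound_ldap_io_timeout and config_set_listen_backlog_size in this commit. The function continues outside the hunk.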
@@ -6880,9 +6836,7 @@ config_set_schemareplace( const char *attrname, char *value, char *errorbuf, int
0 != strcasecmp( value, CONFIG_SCHEMAREPLACE_STR_ON ) &&
0 != strcasecmp( value, CONFIG_SCHEMAREPLACE_STR_REPLICATION_ONLY )) {
retVal = LDAP_OPERATIONS_ERROR;
- if( errorbuf ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "unsupported value: %s", value );
- }
+ slapi_create_errormsg(errorbuf, 0, "unsupported value: %s", value);
}
}
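Review bot: Removing the `if( errorbuf )` guard around the message in config_set_schemareplace makes this call site depend on slapi_create_errormsg accepting a NULL errorbuf, which the diff does not show; config_set_default_naming_context loses the same guards in this commit while config_set_rootpwstoragescheme gains one, so the convention is stated nowhere. If the helper does NULL-check, a comment at this first unguarded site would stop someone re-adding the checks, e.g. `/* slapi_create_errormsg is a no-op for a NULL errorbuf */`; if it does not, a NULL errorbuf from a validation-only caller is now a crash. The surrounding function begins and ends outside the hunk.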
@@ -6914,8 +6868,7 @@ config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
errno = 0;
timeout = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n",attrname, value);
return LDAP_OPERATIONS_ERROR;
}
@@ -6973,9 +6926,8 @@ config_set_anon_access_switch( const char *attrname, char *value,
if ((strcasecmp(value, "on") != 0) && (strcasecmp(value, "off") != 0) &&
(strcasecmp(value, "rootdse") != 0)) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\", "
- "\"off\", or \"rootdse\".", attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\". Valid values are \"on\", \"off\", or \"rootdse\".", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -7011,9 +6963,8 @@ config_set_validate_cert_switch( const char *attrname, char *value,
if ((strcasecmp(value, "on") != 0) && (strcasecmp(value, "off") != 0) &&
(strcasecmp(value, "warn") != 0)) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\", "
- "\"off\", or \"warn\".", attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\". Valid values are \"on\", \"off\", or \"warn\".", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -7266,10 +7217,7 @@ config_set_default_naming_context(const char *attrname,
int in_init = 0;
suffix = slapi_create_dn_string("%s", value);
if (NULL == suffix) {
- if (errorbuf) {
- PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s is not a valid suffix.", value);
- }
+ slapi_create_errormsg(errorbuf, 0, "%s is not a valid suffix.", value);
return LDAP_INVALID_DN_SYNTAX;
}
sdn = slapi_get_first_suffix(&node, 0);
@@ -7284,10 +7232,7 @@ config_set_default_naming_context(const char *attrname,
sdn = slapi_get_next_suffix(&node, 0);
}
if (!in_init && (NULL == sdn)) { /* not in startup && no match */
- if (errorbuf) {
- PR_snprintf (errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s is not an existing suffix.", value);
- }
+ slapi_create_errormsg(errorbuf, 0, "%s is not an existing suffix.", value);
slapi_ch_free_string(&suffix);
return LDAP_NO_SUCH_OBJECT;
}
@@ -7328,9 +7273,8 @@ config_set_unhashed_pw_switch(const char *attrname, char *value,
if ((strcasecmp(value, "on") != 0) && (strcasecmp(value, "off") != 0) &&
(strcasecmp(value, "nolog") != 0)) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"on\", "
- "\"off\", or \"nolog\".", attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\". Valid values are \"on\", \"off\", or \"nolog\".", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -7520,9 +7464,8 @@ config_set_connection_buffer( const char *attrname, char *value,
if ((strcasecmp(value, "0") != 0) && (strcasecmp(value, "1") != 0) &&
(strcasecmp(value, "2") != 0)) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\". Valid values are \"0\", "
- "\"1\", or \"2\".", attrname, value);
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\". Valid values are \"0\", \"1\", or \"2\".", attrname, value);
retVal = LDAP_OPERATIONS_ERROR;
}
@@ -7549,8 +7492,7 @@ config_set_listen_backlog_size( const char *attrname, char *value,
errno = 0;
size = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) "
- "is invalid\n",attrname, value);
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n", attrname, value);
return LDAP_OPERATIONS_ERROR;
}
@@ -7631,8 +7573,8 @@ config_set(const char *attr, struct berval **values, char *errorbuf, int apply)
#if 0
debugHashTable(attr);
#endif
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "Unknown attribute %s will be ignored", attr);
- slapi_log_error(SLAPI_LOG_FATAL, "config", "%s\n", errorbuf);
+ slapi_create_errormsg(errorbuf, 0, "Unknown attribute %s will be ignored", attr);
+ slapi_log_error(SLAPI_LOG_FATAL, "config_set", "Unknown attribute %s will be ignored", attr);
return LDAP_NO_SUCH_ATTRIBUTE;
}
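Review bot: The new `slapi_log_error(SLAPI_LOG_FATAL, "config_set", "Unknown attribute %s will be ignored", attr);` drops the trailing newline that the replaced `"%s\n", errorbuf` call emitted; the other slapi_log_error calls added in this commit (config_set_accesslog_enabled and siblings) all end their format with `\n`, and without it the next error-log entry is glued onto this line. Suggest `"Unknown attribute %s will be ignored\n"`. Passing `attr` as a format argument rather than folding it into the format string is the right choice, since the attribute name presumably originates from the modify request being applied to cn=config. The enclosing config_set continues outside the hunk.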
@@ -7993,9 +7935,11 @@ config_allowed_to_delete_attrs(const char *attr_type)
}
void
-config_set_accesslog_enabled(int value){
+config_set_accesslog_enabled(int value)
+{
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->accesslog_logging_enabled = (int)value;
@@ -8005,12 +7949,16 @@ config_set_accesslog_enabled(int value){
log_set_logging(CONFIG_ACCESSLOG_LOGGING_ENABLED_ATTRIBUTE, "off", SLAPD_ACCESS_LOG, errorbuf, CONFIG_APPLY);
}
CFG_ONOFF_UNLOCK_WRITE(slapdFrontendConfig);
+ if (errorbuf[0] != '\0') {
+ slapi_log_error(SLAPI_LOG_FATAL, "config", "config_set_accesslog_enabled: %s\n", errorbuf);
+ }
}
void
config_set_auditlog_enabled(int value){
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->auditlog_logging_enabled = (int)value;
@@ -8020,12 +7968,16 @@ config_set_auditlog_enabled(int value){
log_set_logging(CONFIG_AUDITLOG_LOGGING_ENABLED_ATTRIBUTE, "off", SLAPD_AUDIT_LOG, errorbuf, CONFIG_APPLY);
}
CFG_ONOFF_UNLOCK_WRITE(slapdFrontendConfig);
+ if (errorbuf[0] != '\0') {
+ slapi_log_error(SLAPI_LOG_FATAL, "config", "config_set_auditlog_enabled: %s\n", errorbuf);
+ }
}
void
config_set_auditfaillog_enabled(int value){
slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ errorbuf[0] = '\0';
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
slapdFrontendConfig->auditfaillog_logging_enabled = (int)value;
@@ -8035,6 +7987,9 @@ config_set_auditfaillog_enabled(int value){
log_set_logging(CONFIG_AUDITFAILLOG_LOGGING_ENABLED_ATTRIBUTE, "off", SLAPD_AUDITFAIL_LOG, errorbuf, CONFIG_APPLY);
}
CFG_ONOFF_UNLOCK_WRITE(slapdFrontendConfig);
+ if (errorbuf[0] != '\0') {
+ slapi_log_error(SLAPI_LOG_FATAL, "config", "config_set_auditfaillog_enabled: %s\n", errorbuf);
+ }
}
int
@@ -8052,10 +8007,8 @@ config_set_maxsimplepaged_per_conn( const char *attrname, char *value, char *err
errno = 0;
size = strtol(value, &endp, 10);
if ( *endp != '\0' || errno == ERANGE){
- retVal = LDAP_OPERATIONS_ERROR;
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "(%s) value (%s) is invalid\n",
- attrname, value);
- return retVal;
+ slapi_create_errormsg(errorbuf, 0, "(%s) value (%s) is invalid\n", attrname, value);
+ return LDAP_OPERATIONS_ERROR;
}
if ( !apply ) {
@@ -8115,9 +8068,8 @@ config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int
errno = 0;
mxfast = strtol(value, &endp, 10);
if ((*endp != '\0') || (errno == ERANGE)) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "limit \"%s\" is invalid, %s must range from 0 to %d",
- value, CONFIG_MALLOC_MXFAST, max);
+ slapi_create_errormsg(errorbuf, 0, "limit \"%s\" is invalid, %s must range from 0 to %d",
+ value, CONFIG_MALLOC_MXFAST, max);
return LDAP_OPERATIONS_ERROR;
}
CFG_ONOFF_LOCK_WRITE(slapdFrontendConfig);
@@ -8157,9 +8109,8 @@ config_set_malloc_trim_threshold(const char *attrname, char *value, char *errorb
errno = 0;
trim_threshold = strtol(value, &endp, 10);
if ((*endp != '\0') || (errno == ERANGE)) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "limit \"%s\" is invalid, %s must range from 0 to %lld",
- value, CONFIG_MALLOC_TRIM_THRESHOLD, (long long int)LONG_MAX);
+ slapi_create_errormsg(errorbuf, 0, "limit \"%s\" is invalid, %s must range from 0 to %lld",
+ value, CONFIG_MALLOC_TRIM_THRESHOLD, (long long int)LONG_MAX);
return LDAP_OPERATIONS_ERROR;
}
@@ -8207,9 +8158,8 @@ config_set_malloc_mmap_threshold(const char *attrname, char *value, char *errorb
errno = 0;
mmap_threshold = strtol(value, &endp, 10);
if ((*endp != '\0') || (errno == ERANGE)) {
- PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "limit \"%s\" is invalid, %s must range from 0 to %d",
- value, CONFIG_MALLOC_MMAP_THRESHOLD, max);
+ slapi_create_errormsg(errorbuf, 0, "limit \"%s\" is invalid, %s must range from 0 to %d",
+ value, CONFIG_MALLOC_MMAP_THRESHOLD, max);
return LDAP_OPERATIONS_ERROR;
}
diff --git a/ldap/servers/slapd/log.c b/ldap/servers/slapd/log.c
index 13f98bb..d26b8ac 100644
--- a/ldap/servers/slapd/log.c
+++ b/ldap/servers/slapd/log.c
@@ -310,9 +310,7 @@ log_set_logging(const char *attrname, char *value, int logtype, char *errorbuf,
slapdFrontendConfig_t *fe_cfg = getFrontendConfig();
if ( NULL == value ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: NULL value; valid values "
- "are \"on\" or \"off\"", attrname );
+ slapi_create_errormsg(errorbuf, 0, "%s: NULL value; valid values are \"on\" or \"off\"", attrname);
return LDAP_OPERATIONS_ERROR;
}
@@ -323,12 +321,11 @@ log_set_logging(const char *attrname, char *value, int logtype, char *errorbuf,
v = 0;
}
else {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\", valid values "
- "are \"on\" or \"off\"", attrname, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid value \"%s\", valid values are \"on\" or \"off\"",
+ attrname, value);
return LDAP_OPERATIONS_ERROR;
}
-
+
if ( !apply ){
return LDAP_SUCCESS;
}
@@ -762,10 +759,9 @@ log_set_mode (const char *attrname, char *value, int logtype, char *errorbuf, in
slapdFrontendConfig_t *fe_cfg = getFrontendConfig();
if ( NULL == value ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: null value; valid values "
- "are are of the format \"yz-yz-yz-\" where y could be 'r' or '-',"
- " and z could be 'w' or '-'", attrname );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: null value; valid values are are of the format \"yz-yz-yz-\" where y could be 'r' or '-',"
+ " and z could be 'w' or '-'", attrname );
return LDAP_OPERATIONS_ERROR;
}
@@ -781,9 +777,9 @@ log_set_mode (const char *attrname, char *value, int logtype, char *errorbuf, in
if (loginfo.log_access_file &&
( chmod( loginfo.log_access_file, v ) != 0) ) {
int oserr = errno;
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: Failed to chmod access log file to %s: errno %d (%s)",
- attrname, value, oserr, slapd_system_strerror(oserr) );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: Failed to chmod access log file to %s: errno %d (%s)",
+ attrname, value, oserr, slapd_system_strerror(oserr));
retval = LDAP_UNWILLING_TO_PERFORM;
} else { /* only apply the changes if no file or if successful */
slapi_ch_free ( (void **) &fe_cfg->accesslog_mode );
@@ -797,9 +793,9 @@ log_set_mode (const char *attrname, char *value, int logtype, char *errorbuf, in
if (loginfo.log_error_file &&
( chmod( loginfo.log_error_file, v ) != 0) ) {
int oserr = errno;
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: Failed to chmod error log file to %s: errno %d (%s)",
- attrname, value, oserr, slapd_system_strerror(oserr) );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: Failed to chmod error log file to %s: errno %d (%s)",
+ attrname, value, oserr, slapd_system_strerror(oserr));
retval = LDAP_UNWILLING_TO_PERFORM;
} else { /* only apply the changes if no file or if successful */
slapi_ch_free ( (void **) &fe_cfg->errorlog_mode );
@@ -813,9 +809,9 @@ log_set_mode (const char *attrname, char *value, int logtype, char *errorbuf, in
if (loginfo.log_audit_file &&
( chmod( loginfo.log_audit_file, v ) != 0) ) {
int oserr = errno;
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: Failed to chmod audit log file to %s: errno %d (%s)",
- attrname, value, oserr, slapd_system_strerror(oserr) );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: Failed to chmod audit log file to %s: errno %d (%s)",
+ attrname, value, oserr, slapd_system_strerror(oserr));
retval = LDAP_UNWILLING_TO_PERFORM;
} else { /* only apply the changes if no file or if successful */
slapi_ch_free ( (void **) &fe_cfg->auditlog_mode );
@@ -1018,9 +1014,8 @@ log_set_rotationsync_enabled(const char *attrname, char *value, int logtype, cha
slapdFrontendConfig_t *fe_cfg = getFrontendConfig();
if ( NULL == value ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: NULL value; valid values "
- "are \"on\" or \"off\"", attrname );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: NULL value; valid values are \"on\" or \"off\"", attrname);
return LDAP_OPERATIONS_ERROR;
}
@@ -1031,9 +1026,8 @@ log_set_rotationsync_enabled(const char *attrname, char *value, int logtype, cha
v = LDAP_OFF;
}
else {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid value \"%s\", valid values "
- "are \"on\" or \"off\"", attrname, value );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: invalid value \"%s\", valid values are \"on\" or \"off\"", attrname, value);
return LDAP_OPERATIONS_ERROR;
}
@@ -1310,8 +1304,7 @@ int log_set_rotationtimeunit(const char *attrname, char *runit, int logtype, cha
logtype != SLAPD_ERROR_LOG &&
logtype != SLAPD_AUDIT_LOG &&
logtype != SLAPD_AUDITFAIL_LOG ) {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid log type: %d", attrname, logtype );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid log type: %d", attrname, logtype);
return LDAP_OPERATIONS_ERROR;
}
@@ -1322,8 +1315,7 @@ int log_set_rotationtimeunit(const char *attrname, char *runit, int logtype, cha
(strcasecmp(runit, "minute") == 0)) {
/* all good values */
} else {
- PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: unknown unit \"%s\"", attrname, runit );
+ slapi_create_errormsg(errorbuf, 0, "%s: unknown unit \"%s\"", attrname, runit);
rv = LDAP_OPERATIONS_ERROR;
}
@@ -1431,8 +1423,7 @@ log_set_maxdiskspace(const char *attrname, char *maxdiskspace_str, int logtype,
logtype != SLAPD_ERROR_LOG &&
logtype != SLAPD_AUDIT_LOG &&
logtype != SLAPD_AUDITFAIL_LOG ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid log type: %d", attrname, logtype );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid log type: %d", attrname, logtype);
return LDAP_OPERATIONS_ERROR;
}
@@ -1465,9 +1456,9 @@ log_set_maxdiskspace(const char *attrname, char *maxdiskspace_str, int logtype,
maxdiskspace = -1;
} else if (maxdiskspace < mlogsize) {
rv = LDAP_OPERATIONS_ERROR;
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: \"%d (MB)\" is less than max log size \"%d (MB)\"",
- attrname, s_maxdiskspace, (int)(mlogsize/LOG_MB_IN_BYTES) );
+ slapi_create_errormsg(errorbuf, 0,
+ "%s: \"%d (MB)\" is less than max log size \"%d (MB)\"",
+ attrname, s_maxdiskspace, (int)(mlogsize/LOG_MB_IN_BYTES));
}
switch (logtype) {
@@ -1522,8 +1513,7 @@ log_set_mindiskspace(const char *attrname, char *minfreespace_str, int logtype,
logtype != SLAPD_ERROR_LOG &&
logtype != SLAPD_AUDIT_LOG &&
logtype != SLAPD_AUDITFAIL_LOG ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid log type: %d", attrname, logtype );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid log type: %d", attrname, logtype);
rv = LDAP_OPERATIONS_ERROR;
}
@@ -1588,8 +1578,7 @@ log_set_expirationtime(const char *attrname, char *exptime_str, int logtype, cha
logtype != SLAPD_ERROR_LOG &&
logtype != SLAPD_AUDIT_LOG &&
logtype != SLAPD_AUDITFAIL_LOG ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid log type: %d", attrname, logtype );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid log type: %d", attrname, logtype);
rv = LDAP_OPERATIONS_ERROR;
}
@@ -1695,24 +1684,21 @@ log_set_expirationtimeunit(const char *attrname, char *expunit, int logtype, cha
logtype != SLAPD_ERROR_LOG &&
logtype != SLAPD_AUDIT_LOG &&
logtype != SLAPD_AUDITFAIL_LOG ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid log type: %d", attrname, logtype );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid log type: %d", attrname, logtype);
return LDAP_OPERATIONS_ERROR;
}
if ( NULL == expunit ) {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: NULL value", attrname );
+ slapi_create_errormsg(errorbuf, 0, "%s: NULL value", attrname);
return LDAP_OPERATIONS_ERROR;
}
if ( (strcasecmp(expunit, "month") == 0) ||
(strcasecmp(expunit, "week") == 0) ||
(strcasecmp(expunit, "day") == 0)) {
- /* we have good values */
+ /* we have good values */
} else {
- PR_snprintf( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
- "%s: invalid time unit \"%s\"", attrname, expunit );
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid time unit \"%s\"", attrname, expunit);
rv = LDAP_OPERATIONS_ERROR;;
}
diff --git a/ldap/servers/slapd/mapping_tree.c b/ldap/servers/slapd/mapping_tree.c
index 20c2cc3..08d2da6 100644
--- a/ldap/servers/slapd/mapping_tree.c
+++ b/ldap/servers/slapd/mapping_tree.c
@@ -1600,17 +1600,16 @@ done:
CONFIG_DEFAULT_NAMING_CONTEXT, rc);
}
if (LDAP_SUCCESS == rc) {
- char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
/* Removing defaultNamingContext from cn=config entry
* was successful. The remove does not reset the
* global parameter. We need to reset it separately. */
if (config_set_default_naming_context(
CONFIG_DEFAULT_NAMING_CONTEXT,
NULL, errorbuf, CONFIG_APPLY)) {
- LDAPDebug2Args(LDAP_DEBUG_ANY,
- "mapping_tree_entry_delete_callback: "
- "setting NULL to %s failed. %s\n",
- CONFIG_DEFAULT_NAMING_CONTEXT, errorbuf);
+ slapi_log_error(SLAPI_LOG_FATAL, "mapping_tree",
+ "mapping_tree_entry_delete_callback: setting NULL to %s failed. %s\n",
+ CONFIG_DEFAULT_NAMING_CONTEXT, errorbuf);
}
}
}
@@ -2128,7 +2127,7 @@ int slapi_dn_write_needs_referral(Slapi_DN *target_sdn, Slapi_Entry **referral)
* referral is an output param that will be set to the selected referral.
* errorbuf is a pointer to a buffer that an error string will be written to
* if there is an error. The caller is responsible for passing in a big
- * enough chunk of memory. BUFSIZ should be fine. If errorbuf is NULL,
+ * enough chunk of memory. SLAPI_DSE_RETURNTEXT_SIZE should be fine. If errorbuf is NULL,
* no error string is written to it. The string returned in errorbuf
* would be a good candidate for sending back to the client to describe the
* error.
@@ -2226,10 +2225,11 @@ int slapi_mapping_tree_select(Slapi_PBlock *pb, Slapi_Backend **be, Slapi_Entry
(op_type != SLAPI_OPERATION_BIND) &&
(op_type != SLAPI_OPERATION_UNBIND))
{
+ if (errorbuf) {
+ PL_strncpyz(errorbuf, slapi_config_get_readonly() ?
+ "Server is read-only" : "database is read-only", sizeof(errorbuf));
+ }
ret = LDAP_UNWILLING_TO_PERFORM;
- PL_strncpyz(errorbuf, slapi_config_get_readonly() ?
- "Server is read-only" :
- "database is read-only", BUFSIZ);
slapi_be_Unlock(*be);
*be = NULL;
}
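Review bot: `sizeof(errorbuf)` in the new `PL_strncpyz` call is the size of the `char *` parameter (4 or 8 bytes), not of the caller's buffer, so the read-only message is cut to at most 7 characters plus NUL and the client sees a meaningless fragment. The function's own comment a few lines up now says callers pass a `SLAPI_DSE_RETURNTEXT_SIZE` buffer, so that constant is the right bound: `PL_strncpyz(errorbuf, slapi_config_get_readonly() ? "Server is read-only" : "database is read-only", SLAPI_DSE_RETURNTEXT_SIZE);`. The added NULL guard itself is right, since saslbind.c now passes NULL. slapi_mapping_tree_select continues outside the hunk.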
@@ -2335,10 +2335,11 @@ int slapi_mapping_tree_select_all(Slapi_PBlock *pb, Slapi_Backend **be_list,
if (be && !be_isdeleted(be))
{
if (be_index == BE_LIST_SIZE) { /* error - too many backends */
+ slapi_create_errormsg(errorbuf, 0,
+ "Error: too many backends match search request - cannot proceed");
+ slapi_log_error(SLAPI_LOG_FATAL, "mapping_tree",
+ "Error: too many backends match search request - cannot proceed");
ret_code = LDAP_ADMINLIMIT_EXCEEDED;
- PR_snprintf(errorbuf, BUFSIZ-1,
- "Error: too many backends match search request - cannot proceed");
- slapi_log_error(SLAPI_LOG_FATAL, NULL, "%s\n", errorbuf);
break;
} else {
be_list[be_index++]=be;
@@ -2469,10 +2470,9 @@ int slapi_mapping_tree_select_and_check(Slapi_PBlock *pb,char *newdn, Slapi_Back
const Slapi_DN *suffix = slapi_get_suffix_by_dn(target_sdn);
if ((*be != def_be) && (NULL == suffix))
{
+ slapi_create_errormsg(errorbuf, 0,
+ "Target entry \"%s\" does not exist\n", slapi_sdn_get_dn(target_sdn));
ret = LDAP_NO_SUCH_OBJECT;
- PR_snprintf(errorbuf, BUFSIZ,
- "Target entry \"%s\" does not exist\n",
- slapi_sdn_get_dn(target_sdn));
goto unlock_and_return;
}
if (suffix && (0 == slapi_sdn_compare(target_sdn, suffix)))
@@ -2484,30 +2484,26 @@ int slapi_mapping_tree_select_and_check(Slapi_PBlock *pb,char *newdn, Slapi_Back
if (!slapi_be_exist((const Slapi_DN *)&dn_newdn))
{
/* new_be is an empty backend */
+ slapi_create_errormsg(errorbuf, 0, "Backend for suffix \"%s\" does not exist\n", newdn);
ret = LDAP_NO_SUCH_OBJECT;
- PR_snprintf(errorbuf, BUFSIZ,
- "Backend for suffix \"%s\" does not exist\n", newdn);
goto unlock_and_return;
}
if (0 == slapi_sdn_compare(&dn_newdn, new_suffix))
{
ret = LDAP_ALREADY_EXISTS;
- PR_snprintf(errorbuf, BUFSIZ,
- "Suffix \"%s\" already exists\n", newdn);
+ slapi_create_errormsg(errorbuf, 0, "Suffix \"%s\" already exists\n", newdn);
goto unlock_and_return;
}
ret = LDAP_NAMING_VIOLATION;
- PR_snprintf(errorbuf, BUFSIZ, "Cannot rename suffix \"%s\"\n",
- slapi_sdn_get_dn(target_sdn));
+ slapi_create_errormsg(errorbuf, 0, "Cannot rename suffix \"%s\"\n", slapi_sdn_get_dn(target_sdn));
goto unlock_and_return;
}
else
{
if ((*be != new_be) || mtn_sdn_has_child(target_sdn))
{
+ slapi_create_errormsg(errorbuf, 0, "Cannot move entries across backends\n");
ret = LDAP_AFFECTS_MULTIPLE_DSAS;
- PR_snprintf(errorbuf, BUFSIZ,
- "Cannot move entries across backends\n");
goto unlock_and_return;
}
}
@@ -2637,11 +2633,9 @@ static int mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb,
target_sdn = operation_get_target_spec (op);
if (target_node->mtn_state == MTN_DISABLED) {
- if (errorbuf) {
- PR_snprintf(errorbuf, BUFSIZ,
+ slapi_create_errormsg(errorbuf, 0,
"Warning: Operation attempted on a disabled node : %s\n",
slapi_sdn_get_dn(target_node->mtn_subtree));
- }
result = LDAP_OPERATIONS_ERROR;
return result;
}
@@ -2773,12 +2767,8 @@ static int mtn_get_be(mapping_tree_node *target_node, Slapi_PBlock *pb,
}
(*index)++;
if (NULL == target_node->mtn_referral_entry) {
- if (errorbuf) {
- PR_snprintf(errorbuf, BUFSIZ,
- "Mapping tree node for %s is set to return a referral,"
- " but no referral is configured for it",
- slapi_sdn_get_ndn(target_node->mtn_subtree));
- }
+ slapi_create_errormsg(errorbuf, 0, "Mapping tree node for %s is set to return a referral,"
+ " but no referral is configured for it", slapi_sdn_get_ndn(target_node->mtn_subtree));
result = LDAP_OPERATIONS_ERROR;
} else {
result = LDAP_SUCCESS;
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index 7465e1e..e0d9cd7 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -219,8 +219,8 @@ do_modify( Slapi_PBlock *pb )
mod->mod_op = mod_op;
mod->mod_type = slapi_attr_syntax_normalize(type);
if ( !mod->mod_type || !*mod->mod_type ) {
- char ebuf[BUFSIZ];
- PR_snprintf (ebuf, BUFSIZ, "invalid type '%s'", type);
+ char ebuf[SLAPI_DSE_RETURNTEXT_SIZE];
+ PR_snprintf (ebuf, sizeof(ebuf), "invalid type '%s'", type);
op_shared_log_error_access (pb, "MOD", rawdn, ebuf);
send_ldap_result( pb, LDAP_INVALID_SYNTAX, NULL, ebuf, 0, NULL );
slapi_ch_free((void **)&type);
@@ -628,7 +628,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
int repl_op, internal_op, lastmod, skip_modified_attrs;
char *unhashed_pw_attr = NULL;
Slapi_Operation *operation;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
int err;
LDAPMod *lc_mod = NULL;
struct slapdplugin *p = NULL;
@@ -710,6 +710,7 @@ static void op_shared_modify (Slapi_PBlock *pb, int pw_change, char *old_pw)
* We could be serving multiple database backends. Select the
* appropriate one.
*/
+ errorbuf[0] = '\0';
if ((err = slapi_mapping_tree_select(pb, &be, &referral, errorbuf)) != LDAP_SUCCESS) {
send_ldap_result(pb, err, NULL, errorbuf, 0, NULL);
be = NULL;
diff --git a/ldap/servers/slapd/modrdn.c b/ldap/servers/slapd/modrdn.c
index d0ef1b1..4edd07e 100644
--- a/ldap/servers/slapd/modrdn.c
+++ b/ldap/servers/slapd/modrdn.c
@@ -395,7 +395,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
int internal_op, repl_op, lastmod;
Slapi_Operation *operation;
Slapi_Entry *referral;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
int err;
char *proxydn = NULL;
char *proxystr = NULL;
@@ -571,6 +571,7 @@ op_shared_rename(Slapi_PBlock *pb, int passin_args)
*/
/* slapi_mapping_tree_select_and_check ignores the case of newdn
* which is generated using newrdn above. */
+ errorbuf[0] = '\0';
if ((err = slapi_mapping_tree_select_and_check(pb, newdn, &be, &referral, errorbuf)) != LDAP_SUCCESS)
{
send_ldap_result(pb, err, NULL, errorbuf, 0, NULL);
diff --git a/ldap/servers/slapd/opshared.c b/ldap/servers/slapd/opshared.c
index 41a1b37..98505e9 100644
--- a/ldap/servers/slapd/opshared.c
+++ b/ldap/servers/slapd/opshared.c
@@ -225,7 +225,6 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
char *proxystr = NULL;
int proxy_err = LDAP_SUCCESS;
char *errtext = NULL;
- char errorbuf[BUFSIZ];
int nentries,pnentries;
int flag_search_base_found = 0;
int flag_no_such_object = 0;
@@ -434,8 +433,10 @@ op_shared_search (Slapi_PBlock *pb, int send_result)
}
if (be_name == NULL) {
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE];
/* no specific backend was requested, use the mapping tree
*/
+ errorbuf[0] = '\0';
err_code = slapi_mapping_tree_select_all(pb, be_list, referral_list, errorbuf);
if (((err_code != LDAP_SUCCESS) && (err_code != LDAP_OPERATIONS_ERROR) && (err_code != LDAP_REFERRAL))
|| ((err_code == LDAP_OPERATIONS_ERROR) && (be_list[0] == NULL))) {
diff --git a/ldap/servers/slapd/pw.c b/ldap/servers/slapd/pw.c
index f728e10..a0975ac 100644
--- a/ldap/servers/slapd/pw.c
+++ b/ldap/servers/slapd/pw.c
@@ -791,9 +791,9 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
char *dn= (char*)slapi_sdn_get_ndn(sdn); /* jcm - Had to cast away const */
char *pwd = NULL;
char *p = NULL;
- char errormsg[ BUFSIZ ];
passwdPolicy *pwpolicy = NULL;
Slapi_Operation *operation = NULL;
+ char errormsg[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
/*
* check_pw_syntax_ext could be called with mod_op == LDAP_MOD_DELETE.
@@ -838,11 +838,9 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
if (!is_replication && !config_get_allow_hashed_pw() &&
((internal_op && pb->pb_conn && !slapi_dn_isroot(pb->pb_conn->c_dn)) ||
(!internal_op && !pw_is_pwp_admin(pb, pwpolicy)))) {
- PR_snprintf( errormsg, BUFSIZ,
- "invalid password syntax - passwords with storage scheme are not allowed");
+ PR_snprintf( errormsg, sizeof(errormsg) - 1, "invalid password syntax - passwords with storage scheme are not allowed");
if ( pwresponse_req == 1 ) {
- slapi_pwpolicy_make_response_control ( pb, -1, -1,
- LDAP_PWPOLICY_INVALIDPWDSYNTAX );
+ slapi_pwpolicy_make_response_control ( pb, -1, -1, LDAP_PWPOLICY_INVALIDPWDSYNTAX );
}
pw_send_ldap_result ( pb, LDAP_CONSTRAINT_VIOLATION, NULL, errormsg, 0, NULL );
return( 1 );
@@ -870,8 +868,7 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
if ( pwpolicy->pw_minlength >
ldap_utf8characters((char *)slapi_value_get_string( vals[i] )) )
{
- PR_snprintf( errormsg, BUFSIZ,
- "invalid password syntax - password must be at least %d characters long",
+ PR_snprintf( errormsg, sizeof(errormsg) - 1, "invalid password syntax - password must be at least %d characters long",
pwpolicy->pw_minlength );
if ( pwresponse_req == 1 ) {
slapi_pwpolicy_make_response_control ( pb, -1, -1,
@@ -944,42 +941,42 @@ check_pw_syntax_ext ( Slapi_PBlock *pb, const Slapi_DN *sdn, Slapi_Value **vals,
/* check for character based syntax limits */
if ( pwpolicy->pw_mindigits > num_digits ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
- "invalid password syntax - password must contain at least %d digit characters",
- pwpolicy->pw_mindigits );
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
+ "invalid password syntax - password must contain at least %d digit characters",
+ pwpolicy->pw_mindigits );
} else if ( pwpolicy->pw_minalphas > num_alphas ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d alphabetic characters",
pwpolicy->pw_minalphas );
} else if ( pwpolicy->pw_minuppers > num_uppers ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d uppercase characters",
pwpolicy->pw_minuppers );
} else if ( pwpolicy->pw_minlowers > num_lowers ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d lowercase characters",
- pwpolicy->pw_minlowers );
+ pwpolicy->pw_minlowers );
} else if ( pwpolicy->pw_minspecials > num_specials ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d special characters",
pwpolicy->pw_minspecials );
} else if ( pwpolicy->pw_min8bit > num_8bit ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d 8-bit characters",
pwpolicy->pw_min8bit );
} else if ( (pwpolicy->pw_maxrepeats != 0) && (pwpolicy->pw_maxrepeats < (max_repeated + 1)) ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - a character cannot be repeated more than %d times",
(pwpolicy->pw_maxrepeats + 1) );
} else if ( pwpolicy->pw_mincategories > num_categories ) {
syntax_violation = 1;
- PR_snprintf ( errormsg, BUFSIZ,
+ PR_snprintf ( errormsg, sizeof(errormsg) - 1,
"invalid password syntax - password must contain at least %d character "
"categories (valid categories are digit, uppercase, lowercase, special, and 8-bit characters)",
pwpolicy->pw_mincategories );
@@ -2179,16 +2176,14 @@ check_pw_duration_value( const char *attr_name, char *value,
age = parse_duration(value);
if (-1 == age) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "password minimum age \"%s\" is invalid. ", value );
+ slapi_create_errormsg(errorbuf, 0, "password minimum age \"%s\" is invalid. ", value);
retVal = LDAP_CONSTRAINT_VIOLATION;
} else if (0 == strcasecmp(CONFIG_PW_LOCKDURATION_ATTRIBUTE, attr_name)) {
if ( (age <= 0) ||
(age > (MAX_ALLOWED_TIME_IN_SECS - current_time())) ||
((-1 != minval) && (age < minval)) ||
((-1 != maxval) && (age > maxval))) {
- PR_snprintf ( errorbuf, BUFSIZ, "%s: \"%s\" seconds is invalid. ",
- attr_name, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: \"%s\" seconds is invalid. ", attr_name, value);
retVal = LDAP_CONSTRAINT_VIOLATION;
}
} else {
@@ -2196,8 +2191,7 @@ check_pw_duration_value( const char *attr_name, char *value,
(age > (MAX_ALLOWED_TIME_IN_SECS - current_time())) ||
((-1 != minval) && (age < minval)) ||
((-1 != maxval) && (age > maxval))) {
- PR_snprintf ( errorbuf, BUFSIZ, "%s: \"%s\" seconds is invalid. ",
- attr_name, value );
+ slapi_create_errormsg(errorbuf, 0, "%s: \"%s\" seconds is invalid. ", attr_name, value);
retVal = LDAP_CONSTRAINT_VIOLATION;
}
}
@@ -2214,9 +2208,7 @@ check_pw_resetfailurecount_value( const char *attr_name, char *value, long minva
/* in seconds */
duration = strtol (value, NULL, 0);
if ( duration < 0 || duration > (MAX_ALLOWED_TIME_IN_SECS - current_time()) ) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "password reset count duration \"%s\" seconds is invalid. ",
- value );
+ slapi_create_errormsg(errorbuf, 0, "password reset count duration \"%s\" seconds is invalid.", value);
retVal = LDAP_CONSTRAINT_VIOLATION;
}
@@ -2234,16 +2226,13 @@ check_pw_storagescheme_value( const char *attr_name, char *value, long minval, l
new_scheme = pw_name2scheme(value);
if ( new_scheme == NULL) {
if ( scheme_list != NULL ) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "%s: invalid scheme - %s. Valid schemes are: %s",
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid scheme - %s. Valid schemes are: %s",
CONFIG_PW_STORAGESCHEME_ATTRIBUTE, value, scheme_list );
} else {
- PR_snprintf ( errorbuf, BUFSIZ,
- "%s: invalid scheme - %s (no pwdstorage scheme"
- " plugin loaded)",
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid scheme - %s (no pwdstorage scheme plugin loaded)",
CONFIG_PW_STORAGESCHEME_ATTRIBUTE, value);
}
- retVal = LDAP_CONSTRAINT_VIOLATION;
+ retVal = LDAP_CONSTRAINT_VIOLATION;
}
else if ( new_scheme->pws_enc == NULL )
{
@@ -2253,9 +2242,8 @@ check_pw_storagescheme_value( const char *attr_name, char *value, long minval, l
and won't encrypt passwords if they are in clear. We don't take it
*/
- if ( scheme_list != NULL ) {
- PR_snprintf ( errorbuf, BUFSIZ,
- "%s: invalid encoding scheme - %s\nValid values are: %s\n",
+ if (scheme_list) {
+ slapi_create_errormsg(errorbuf, 0, "%s: invalid encoding scheme - %s\nValid values are: %s\n",
CONFIG_PW_STORAGESCHEME_ATTRIBUTE, value, scheme_list );
}
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 76294ac..6528a93 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -756,7 +756,6 @@ void ids_sasl_check_bind(Slapi_PBlock *pb)
char authtype[256]; /* >26 (strlen(SLAPD_AUTH_SASL)+SASL_MECHNAMEMAX+1) */
Slapi_Entry *bind_target_entry = NULL, *referral = NULL;
Slapi_Backend *be = NULL;
- char errorbuf[BUFSIZ];
LDAPDebug( LDAP_DEBUG_TRACE, "=> ids_sasl_check_bind\n", 0, 0, 0 );
@@ -956,7 +955,7 @@ sasl_check_result:
slapi_add_auth_response_control(pb, normdn);
}
- if (slapi_mapping_tree_select(pb, &be, &referral, errorbuf) != LDAP_SUCCESS) {
+ if (slapi_mapping_tree_select(pb, &be, &referral, NULL) != LDAP_SUCCESS) {
send_nobackend_ldap_result( pb );
be = NULL;
LDAPDebug( LDAP_DEBUG_TRACE, "<= ids_sasl_check_bind\n", 0, 0, 0 );
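Review bot: Passing `NULL` as errorbuf into `slapi_mapping_tree_select` from the SASL bind path is only safe if every writer of errorbuf in that function and in `mtn_get_be` tolerates NULL; the visible hunks add a guard in the read-only branch and route `mtn_get_be` through `slapi_create_errormsg`, which checks for NULL, but any other direct `PR_snprintf`/`PL_strncpyz` into errorbuf in mapping_tree.c that is not in view would become a NULL dereference reachable from an unauthenticated SASL bind. Worth confirming with a grep of the remaining writers before merging, and recording the assumption here: `/* errorbuf is NULL: slapi_mapping_tree_select must tolerate it (see mapping_tree.c) */`.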
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index 806c38d..52c1495 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -5345,13 +5345,13 @@ init_schema_dse_ext(char *schemadir, Slapi_Backend *be,
if (schema_flags & DSE_SCHEMA_NO_LOAD)
{
struct asyntaxinfo *tmpasip = NULL;
- rc = parse_at_str(attr_str, &tmpasip, errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ rc = parse_at_str(attr_str, &tmpasip, errorbuf, sizeof(errorbuf),
DSE_SCHEMA_NO_GLOCK|schema_flags, 0, 0, 0);
attr_syntax_free( tmpasip ); /* trash it */
}
else
{
- rc = parse_at_str(attr_str, NULL, errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ rc = parse_at_str(attr_str, NULL, errorbuf, sizeof(errorbuf),
schema_flags, 0, 0, 0);
}
if (rc)
@@ -5918,7 +5918,7 @@ schema_create_errormsg(
}
/* ok to cast here because rc is positive */
if ( (rc >= 0) && ((size_t)rc < errorbufsize) ) {
- (void)PR_vsnprintf( errorbuf + rc, errorbufsize - rc, fmt, ap );
+ (void)PR_vsnprintf( errorbuf + rc, errorbufsize - rc - 1, fmt, ap );
}
va_end( ap );
}
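Review bot: The extra `- 1` in `errorbufsize - rc - 1` is unnecessary and introduces a boundary case: the guard admits `rc == errorbufsize - 1`, for which the new expression passes an outlen of 0, and PR_vsnprintf treats outlen <= 0 as an error (and asserts on it in debug builds, if I recall the NSPR source correctly). PR_vsnprintf already NUL-terminates within outlen, so the original `errorbufsize - rc` was the correct bound. If the intent is extra margin, tighten the guard instead of the length: `if ((rc >= 0) && ((size_t)rc < errorbufsize - 1))`. schema_create_errormsg's beginning lies outside the hunk.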
@@ -7175,7 +7175,7 @@ static struct objclass *
schema_berval_to_oclist(struct berval **oc_berval)
{
struct objclass *oc, *oc_list, *oc_tail;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
int schema_ds4x_compat, rc;
int i;
@@ -7185,12 +7185,11 @@ schema_berval_to_oclist(struct berval **oc_berval)
oc_list = NULL;
oc_tail = NULL;
if (oc_berval != NULL) {
- errorbuf[0] = '\0';
for (i = 0; oc_berval[i] != NULL; i++) {
/* parse the objectclass value */
oc = NULL;
if (LDAP_SUCCESS != (rc = parse_oc_str(oc_berval[i]->bv_val, &oc,
- errorbuf, sizeof (errorbuf), DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0,
+ errorbuf, sizeof(errorbuf), DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0,
schema_ds4x_compat, oc_list))) {
slapi_log_error(SLAPI_LOG_FATAL, "schema",
"parse_oc_str returned error: %s\n",
@@ -7222,17 +7221,16 @@ static struct asyntaxinfo *
schema_berval_to_atlist(struct berval **at_berval)
{
struct asyntaxinfo *at, *head = NULL, *at_list = NULL;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
int schema_ds4x_compat, rc = 0, i;
schema_ds4x_compat = config_get_ds4_compatible_schema();
if (at_berval != NULL) {
- errorbuf[0] = '\0';
for (i = 0; at_berval[i] != NULL; i++) {
/* parse the objectclass value */
at = NULL;
- rc = parse_at_str(at_berval[i]->bv_val, &at, errorbuf, sizeof (errorbuf),
+ rc = parse_at_str(at_berval[i]->bv_val, &at, errorbuf, sizeof(errorbuf),
DSE_SCHEMA_NO_CHECK | DSE_SCHEMA_USE_PRIV_SCHEMA, 0, schema_ds4x_compat, 0);
if (rc) {
slapi_log_error(SLAPI_LOG_FATAL, "schema",
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index 9034869..dc70fdf 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1359,6 +1359,15 @@ int util_info_sys_pages(size_t *pagesize, size_t *pages, size_t *procpages, size
*/
int util_is_cachesize_sane(size_t *cachesize);
+/**
+ * Write an error message to the given error buffer.
+ *
+ * \param errorbuf. The buffer that the error message is written into. If NULL, nothing happens. It could be a static array or allocated memory. If it is allocated memory, the next param len should be given.
+ * \param len. The length of errorbuf. If 0 is given, sizeof(errorbuf) is used.
+ * \param fmt. The format of the error message.
+ */
+void slapi_create_errormsg(char *errorbuf, size_t len, const char *fmt, ...);
+
#ifdef __cplusplus
}
#endif
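Review bot: The documented fallback `If 0 is given, sizeof(errorbuf) is used` cannot work for a `char *` parameter: in the util.c hunk of this commit `len?len-1:sizeof(errorbuf)-1` takes `sizeof` of a pointer, so a caller passing 0 gets its message silently cut to 7 characters (3 on 32-bit) — no overflow, but the diagnostic is lost and the comment promises something the code cannot deliver. Either make the length mandatory, `if (errorbuf == NULL || len == 0) return;` before formatting, or require callers to pass `sizeof(errorbuf)` themselves, and reword the `\param len` line to match. PR_vsnprintf counts the terminating NUL within the size it is given, so `len` can be passed as-is instead of `len-1`. The same applies to the function body in the util.c hunk.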
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 85c2c6f..fd17c28 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -1618,7 +1618,7 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
char ** family_list;
CERTCertificate *cert = NULL;
SECKEYPrivateKey *key = NULL;
- char errorbuf[BUFSIZ];
+ char errorbuf[SLAPI_DSE_RETURNTEXT_SIZE] = {0};
char *val = NULL;
char *default_val = NULL;
int nFamilies = 0;
@@ -1650,7 +1650,6 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
SVRCORE_SetStdPinInteractive(StdPinObj, PR_FALSE);
#endif
- errorbuf[0] = '\0';
/*
* Cipher preferences must be set before any sslSocket is created
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index b9d2ea5..1ac7a52 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -1815,5 +1815,20 @@ out:
return issane;
}
+void
+slapi_create_errormsg(
+ char *errorbuf,
+ size_t len,
+ const char *fmt,
+ ...
+)
+{
+ if (errorbuf) {
+ va_list ap;
+ va_start(ap, fmt);
+ (void)PR_vsnprintf(errorbuf, len?len-1:sizeof(errorbuf)-1, fmt, ap);
+ va_end( ap );
+ }
+}
commit e3c533534a84718e57610457fafa40794c2f1e11
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Apr 21 22:53:09 2016 -0700
Ticket #47536 - CI test: added test cases for ticket 47536
Description: Allow usage of OpenLDAP libraries that don't use NSS for crypto
OpenLDAP has an ability to tell the application which crypto library is
linked with. The DS supports both cases (OpenLDAP+NSS and OpenLDAP+
OpenSSL) by switching its behaviour based on that information. This test
also works for both.
This test also covers:
Ticket #48756 - if startTLS is enabled, perl utilities fail to start.
Config param nsslapd-extract-pemfiles
https://fedorahosted.org/389/ticket/48536
Reviewed by wibrown(a)redhat.com (Thank you, William!!!)
diff --git a/dirsrvtests/tests/tickets/ticket47536_test.py b/dirsrvtests/tests/tickets/ticket47536_test.py
new file mode 100644
index 0000000..1712e7c
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket47536_test.py
@@ -0,0 +1,528 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import os
+import sys
+import time
+import shlex
+import subprocess
+import ldap
+import logging
+import pytest
+import base64
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+installation1_prefix = None
+
+CONFIG_DN = 'cn=config'
+ENCRYPTION_DN = 'cn=encryption,%s' % CONFIG_DN
+RSA = 'RSA'
+RSA_DN = 'cn=%s,%s' % (RSA, ENCRYPTION_DN)
+ISSUER = 'cn=CAcert'
+CACERT = 'CAcertificate'
+M1SERVERCERT = 'Server-Cert1'
+M2SERVERCERT = 'Server-Cert2'
+M1LDAPSPORT = '41636'
+M2LDAPSPORT = '42636'
+
+class TopologyReplication(object):
+ def __init__(self, master1, master2):
+ master1.open()
+ self.master1 = master1
+ master2.open()
+ self.master2 = master2
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ global installation1_prefix
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+ # Creating master 1...
+ master1 = DirSrv(verbose=False)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+ args_instance[SER_HOST] = HOST_MASTER_1
+ args_instance[SER_PORT] = PORT_MASTER_1
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_master = args_instance.copy()
+ master1.allocate(args_master)
+ instance_master1 = master1.exists()
+ if instance_master1:
+ master1.delete()
+ master1.create()
+ master1.open()
+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1)
+
+ # Creating master 2...
+ master2 = DirSrv(verbose=True)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+ args_instance[SER_HOST] = HOST_MASTER_2
+ args_instance[SER_PORT] = PORT_MASTER_2
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_master = args_instance.copy()
+ master2.allocate(args_master)
+ instance_master2 = master2.exists()
+ if instance_master2:
+ master2.delete()
+ master2.create()
+ master2.open()
+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2)
+
+ #
+ # Create all the agreements
+ #
+ # Creating agreement from master 1 to master 2
+ properties = {RA_NAME: r'meTo_%s:%s' % (master2.host, master2.port),
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ global m1_m2_agmt
+ m1_m2_agmt = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties)
+ if not m1_m2_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m1_m2_agmt)
+
+ # Creating agreement from master 2 to master 1
+ properties = {RA_NAME: r'meTo_%s:%s' % (master1.host, master1.port),
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ global m2_m1_agmt
+ m2_m1_agmt = master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties)
+ if not m2_m1_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m2_m1_agmt)
+
+ # Allow the replicas to get situated with the new agreements...
+ time.sleep(2)
+
+ global M1SUBJECT
+ M1SUBJECT = 'CN=%s,OU=389 Directory Server' % (master1.host)
+ global M2SUBJECT
+ M2SUBJECT = 'CN=%s,OU=390 Directory Server' % (master2.host)
+
+ #
+ # Initialize all the agreements
+ #
+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2)
+ master1.waitForReplInit(m1_m2_agmt)
+
+ # Check replication is working...
+ if master1.testReplication(DEFAULT_SUFFIX, master2):
+ log.info('Replication is working.')
+ else:
+ log.fatal('Replication is not working.')
+ assert False
+
+ # Delete each instance in the end
+ def fin():
+ master1.delete()
+ master2.delete()
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ master1.clearTmpDir(__file__)
+
+ return TopologyReplication(master1, master2)
+
+
+(a)pytest.fixture(scope="module")
+
+
+def add_entry(server, name, rdntmpl, start, num):
+ log.info("\n######################### Adding %d entries to %s ######################\n" % (num, name))
+
+ for i in range(num):
+ ii = start + i
+ dn = '%s%d,%s' % (rdntmpl, ii, DEFAULT_SUFFIX)
+ server.add_s(Entry((dn, {'objectclass': 'top person extensibleObject'.split(),
+ 'uid': '%s%d' % (rdntmpl, ii),
+ 'cn': '%s user%d' % (name, ii),
+ 'sn': 'user%d' % (ii)})))
+
+def enable_ssl(server, ldapsport, mycert):
+ log.info("\n######################### Enabling SSL LDAPSPORT %s ######################\n" % ldapsport)
+ server.simple_bind_s(DN_DM, PASSWORD)
+ server.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'),
+ (ldap.MOD_REPLACE, 'nsTLS1', 'on'),
+ (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'),
+ (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')])
+
+ server.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-security', 'on'),
+ (ldap.MOD_REPLACE, 'nsslapd-ssl-check-hostname', 'off'),
+ (ldap.MOD_REPLACE, 'nsslapd-secureport', ldapsport)])
+
+ server.add_s(Entry((RSA_DN, {'objectclass': "top nsEncryptionModule".split(),
+ 'cn': RSA,
+ 'nsSSLPersonalitySSL': mycert,
+ 'nsSSLToken': 'internal (software)',
+ 'nsSSLActivation': 'on'})))
+
+def check_pems(confdir, mycacert, myservercert, myserverkey, notexist):
+ log.info("\n######################### Check PEM files (%s, %s, %s)%s in %s ######################\n"
+ % (mycacert, myservercert, myserverkey, notexist, confdir))
+ global cacert
+ cacert = '%s/%s.pem' % (confdir, mycacert)
+ if os.path.isfile(cacert):
+ if notexist == "":
+ log.info('%s is successfully generated.' % cacert)
+ else:
+ log.info('%s is incorrecly generated.' % cacert)
+ assert False
+ else:
+ if notexist == "":
+ log.fatal('%s is not generated.' % cacert)
+ assert False
+ else:
+ log.info('%s is correctly not generated.' % cacert)
+ servercert = '%s/%s.pem' % (confdir, myservercert)
+ if os.path.isfile(servercert):
+ if notexist == "":
+ log.info('%s is successfully generated.' % servercert)
+ else:
+ log.info('%s is incorrecly generated.' % servercert)
+ assert False
+ else:
+ if notexist == "":
+ log.fatal('%s was not generated.' % servercert)
+ assert False
+ else:
+ log.info('%s is correctly not generated.' % servercert)
+ serverkey = '%s/%s.pem' % (confdir, myserverkey)
+ if os.path.isfile(serverkey):
+ if notexist == "":
+ log.info('%s is successfully generated.' % serverkey)
+ else:
+ log.info('%s is incorrectly generated.' % serverkey)
+ assert False
+ else:
+ if notexist == "":
+ log.fatal('%s was not generated.' % serverkey)
+ assert False
+ else:
+ log.info('%s is correctly not generated.' % serverkey)
+
+def doAndPrintIt(cmdline):
+ proc = subprocess.Popen(cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ log.info(" OUT:")
+ while True:
+ l = proc.stdout.readline()
+ if l == "":
+ break
+ log.info(" %s" % l)
+ log.info(" ERR:")
+ while True:
+ l = proc.stderr.readline()
+ if l == "" or l == "\n":
+ break
+ log.info(" <%s>" % l)
+ assert False
+
+def create_keys_certs(topology):
+ log.info("\n######################### Creating SSL Keys and Certs ######################\n")
+
+ global m1confdir
+ m1confdir = topology.master1.confdir
+ global m2confdir
+ m2confdir = topology.master2.confdir
+
+ log.info("##### shutdown master1")
+ topology.master1.stop(timeout=10)
+
+ log.info("##### Creating a password file")
+ pwdfile = '%s/pwdfile.txt' % (m1confdir)
+ os.system('rm -f %s' % pwdfile)
+ opasswd = os.popen("(ps -ef ; w ) | sha1sum | awk '{print $1}'", "r")
+ passwd = opasswd.readline()
+ pwdfd = open(pwdfile, "w")
+ pwdfd.write(passwd)
+ pwdfd.close()
+
+ log.info("##### create the pin file")
+ m1pinfile = '%s/pin.txt' % (m1confdir)
+ m2pinfile = '%s/pin.txt' % (m2confdir)
+ os.system('rm -f %s' % m1pinfile)
+ os.system('rm -f %s' % m2pinfile)
+ pintxt = 'Internal (Software) Token:%s' % passwd
+ pinfd = open(m1pinfile, "w")
+ pinfd.write(pintxt)
+ pinfd.close()
+ os.system('chmod 400 %s' % m1pinfile)
+
+ log.info("##### Creating a noise file")
+ noisefile = '%s/noise.txt' % (m1confdir)
+ noise = os.popen("(w ; ps -ef ; date ) | sha1sum | awk '{print $1}'", "r")
+ noisewdfd = open(noisefile, "w")
+ noisewdfd.write(noise.readline())
+ noisewdfd.close()
+
+ cmdline = ['certutil', '-N', '-d', m1confdir, '-f', pwdfile]
+ log.info("##### Create key3.db and cert8.db database (master1): %s" % cmdline)
+ doAndPrintIt(cmdline)
+
+ cmdline = ['certutil', '-G', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating encryption key for CA (master1): %s" % cmdline)
+ #os.system('certutil -G -d %s -z %s -f %s' % (m1confdir, noisefile, pwdfile))
+ doAndPrintIt(cmdline)
+
+ time.sleep(2)
+
+ log.info("##### Creating self-signed CA certificate (master1) -- nickname %s" % CACERT)
+ os.system('( echo y ; echo ; echo y ) | certutil -S -n "%s" -s "%s" -x -t "CT,," -m 1000 -v 120 -d %s -z %s -f %s -2' % (CACERT, ISSUER, m1confdir, noisefile, pwdfile))
+
+ global M1SUBJECT
+ cmdline = ['certutil', '-S', '-n', M1SERVERCERT, '-s', M1SUBJECT, '-c', CACERT, '-t', ',,', '-m', '1001', '-v', '120', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating Server certificate -- nickname %s: %s" % (M1SERVERCERT, cmdline))
+ doAndPrintIt(cmdline)
+
+ time.sleep(2)
+
+ global M2SUBJECT
+ cmdline = ['certutil', '-S', '-n', M2SERVERCERT, '-s', M2SUBJECT, '-c', CACERT, '-t', ',,', '-m', '1002', '-v', '120', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating Server certificate -- nickname %s: %s" % (M2SERVERCERT, cmdline))
+ doAndPrintIt(cmdline)
+
+ time.sleep(2)
+
+ log.info("##### start master1")
+ topology.master1.start(timeout=10)
+
+ log.info("##### enable SSL in master1 with all ciphers")
+ enable_ssl(topology.master1, M1LDAPSPORT, M1SERVERCERT)
+
+ cmdline = ['certutil', '-L', '-d', m1confdir]
+ log.info("##### Check the cert db: %s" % cmdline)
+ doAndPrintIt(cmdline)
+
+ log.info("##### restart master1")
+ topology.master1.restart(timeout=10)
+
+ log.info("##### Check PEM files of master1 (before setting nsslapd-extract-pemfiles")
+ check_pems(m1confdir, CACERT, M1SERVERCERT, M1SERVERCERT + '-Key', " not")
+
+ log.info("##### Set on to nsslapd-extract-pemfiles")
+ topology.master1.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-extract-pemfiles', 'on')])
+
+ log.info("##### restart master1")
+ topology.master1.restart(timeout=10)
+
+ log.info("##### Check PEM files of master1 (after setting nsslapd-extract-pemfiles")
+ check_pems(m1confdir, CACERT, M1SERVERCERT, M1SERVERCERT + '-Key', "")
+
+ global mytmp
+ mytmp = topology.master1.getDir(__file__, TMP_DIR)
+ m2pk12file = '%s/%s.pk12' % (mytmp, M2SERVERCERT)
+ cmd = 'pk12util -o %s -n "%s" -d %s -w %s -k %s' % (m2pk12file, M2SERVERCERT, m1confdir, pwdfile, pwdfile)
+ log.info("##### Extract PK12 file for master2: %s" % cmd)
+ os.system(cmd)
+
+ log.info("##### Check PK12 files")
+ if os.path.isfile(m2pk12file):
+ log.info('%s is successfully extracted.' % m2pk12file)
+ else:
+ log.fatal('%s was not extracted.' % m2pk12file)
+ assert False
+
+ log.info("##### stop master2")
+ topology.master2.stop(timeout=10)
+
+ log.info("##### Initialize Cert DB for master2")
+ cmdline = ['certutil', '-N', '-d', m2confdir, '-f', pwdfile]
+ log.info("##### Create key3.db and cert8.db database (master2): %s" % cmdline)
+ doAndPrintIt(cmdline)
+
+ log.info("##### Import certs to master2")
+ log.info('Importing %s' % CACERT)
+ global cacert
+ os.system('certutil -A -n "%s" -t "CT,," -f %s -d %s -a -i %s' % (CACERT, pwdfile, m2confdir, cacert))
+ cmd = 'pk12util -i %s -n "%s" -d %s -w %s -k %s' % (m2pk12file, M2SERVERCERT, m2confdir, pwdfile, pwdfile)
+ log.info('##### Importing %s to master2: %s' % (M2SERVERCERT, cmd))
+ os.system(cmd)
+ log.info('copy %s to %s' % (m1pinfile, m2pinfile))
+ os.system('cp %s %s' % (m1pinfile, m2pinfile))
+ os.system('chmod 400 %s' % m2pinfile)
+
+ log.info("##### start master2")
+ topology.master2.start(timeout=10)
+
+ log.info("##### enable SSL in master2 with all ciphers")
+ enable_ssl(topology.master2, M2LDAPSPORT, M2SERVERCERT)
+
+ log.info("##### restart master2")
+ topology.master2.restart(timeout=10)
+
+ log.info("##### Check PEM files of master2 (before setting nsslapd-extract-pemfiles")
+ check_pems(m2confdir, CACERT, M2SERVERCERT, M2SERVERCERT + '-Key', " not")
+
+ log.info("##### Set on to nsslapd-extract-pemfiles")
+ topology.master2.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-extract-pemfiles', 'on')])
+
+ log.info("##### restart master2")
+ topology.master2.restart(timeout=10)
+
+ log.info("##### Check PEM files of master2 (after setting nsslapd-extract-pemfiles")
+ check_pems(m2confdir, CACERT, M2SERVERCERT, M2SERVERCERT + '-Key', "")
+
+ log.info("##### restart master1")
+ topology.master1.restart(timeout=10)
+
+
+ log.info("\n######################### Creating SSL Keys and Certs Done ######################\n")
+
+def config_tls_agreements(topology):
+ log.info("######################### Configure SSL/TLS agreements ######################")
+ log.info("######################## master1 -- startTLS -> master2 #####################")
+ log.info("##################### master1 <- tls_clientAuth -- master2 ##################")
+
+ log.info("##### Update the agreement of master1")
+ global m1_m2_agmt
+ topology.master1.modify_s(m1_m2_agmt, [(ldap.MOD_REPLACE, 'nsDS5ReplicaTransportInfo', 'TLS')])
+
+ log.info("##### Add the cert to the repl manager on master1")
+ global mytmp
+ global m2confdir
+ m2servercert = '%s/%s.pem' % (m2confdir, M2SERVERCERT)
+ m2sc = open(m2servercert, "r")
+ m2servercertstr = ''
+ for l in m2sc.readlines():
+ if ((l == "") or l.startswith('This file is auto-generated') or
+ l.startswith('Do not edit') or l.startswith('Issuer:') or
+ l.startswith('Subject:') or l.startswith('-----')):
+ continue
+ m2servercertstr = "%s%s" % (m2servercertstr, l.rstrip())
+ m2sc.close()
+
+ log.info('##### master2 Server Cert in base64 format: %s' % m2servercertstr)
+
+ replmgr = defaultProperties[REPLICATION_BIND_DN]
+ rentry = topology.master1.search_s(replmgr, ldap.SCOPE_BASE, 'objectclass=*')
+ log.info('##### Replication manager on master1: %s' % replmgr)
+ oc = 'ObjectClass'
+ log.info(' %s:' % oc)
+ if rentry:
+ for val in rentry[0].getValues(oc):
+ log.info(' : %s' % val)
+ topology.master1.modify_s(replmgr, [(ldap.MOD_ADD, oc, 'extensibleObject')])
+
+ global M2SUBJECT
+ topology.master1.modify_s(replmgr, [(ldap.MOD_ADD, 'userCertificate;binary', base64.b64decode(m2servercertstr)),
+ (ldap.MOD_ADD, 'description', M2SUBJECT)])
+
+ log.info("##### Modify the certmap.conf on master1")
+ m1certmap = '%s/certmap.conf' % (m1confdir)
+ os.system('chmod 660 %s' % m1certmap)
+ m1cm = open(m1certmap, "w")
+ m1cm.write('certmap Example %s\n' % ISSUER)
+ m1cm.write('Example:DNComps cn\n')
+ m1cm.write('Example:FilterComps\n')
+ m1cm.write('Example:verifycert on\n')
+ m1cm.write('Example:CmapLdapAttr description')
+ m1cm.close()
+ os.system('chmod 440 %s' % m1certmap)
+
+ log.info("##### Update the agreement of master2")
+ global m2_m1_agmt
+ topology.master2.modify_s(m2_m1_agmt, [(ldap.MOD_REPLACE, 'nsDS5ReplicaTransportInfo', 'TLS'),
+ (ldap.MOD_REPLACE, 'nsDS5ReplicaBindMethod', 'SSLCLIENTAUTH')])
+
+ topology.master1.stop(10)
+ topology.master2.stop(10)
+ topology.master1.start(10)
+ topology.master2.start(10)
+
+ log.info("\n######################### Configure SSL/TLS agreements Done ######################\n")
+
+
+def relocate_pem_files(topology):
+ log.info("######################### Relocate PEM files on master1 ######################")
+ mycacert = 'MyCA'
+ topology.master1.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'CACertExtractFile', mycacert)])
+ myservercert = 'MyServerCert1'
+ myserverkey = 'MyServerKey1'
+ topology.master1.modify_s(RSA_DN, [(ldap.MOD_REPLACE, 'ServerCertExtractFile', myservercert),
+ (ldap.MOD_REPLACE, 'ServerKeyExtractFile', myserverkey)])
+ log.info("##### restart master1")
+ topology.master1.restart(timeout=10)
+ check_pems(m1confdir, mycacert, myservercert, myserverkey, "")
+
+def test_ticket47536(topology):
+ """
+ Set up 2way MMR:
+ master_1 ----- startTLS -----> master_2
+ master_1 <-- TLS_clientAuth -- master_2
+
+ Check CA cert, Server-Cert and Key are retrieved as PEM from cert db
+ when the server is started. First, the file names are not specified
+ and the default names derived from the cert nicknames. Next, the
+ file names are specified in the encryption config entries.
+
+ Each time add 5 entries to master 1 and 2 and check they are replicated.
+ """
+ log.info("Ticket 47536 - Allow usage of OpenLDAP libraries that don't use NSS for crypto")
+
+ create_keys_certs(topology)
+ config_tls_agreements(topology)
+
+ add_entry(topology.master1, 'master1', 'uid=m1user', 0, 5)
+ add_entry(topology.master2, 'master2', 'uid=m2user', 0, 5)
+
+ time.sleep(1)
+
+ log.info('##### Searching for entries on master1...')
+ entries = topology.master1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 10 == len(entries)
+
+ log.info('##### Searching for entries on master2...')
+ entries = topology.master2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 10 == len(entries)
+
+ relocate_pem_files(topology)
+
+ add_entry(topology.master1, 'master1', 'uid=m1user', 10, 5)
+ add_entry(topology.master2, 'master2', 'uid=m2user', 10, 5)
+
+ time.sleep(10)
+
+ log.info('##### Searching for entries on master1...')
+ entries = topology.master1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 20 == len(entries)
+
+ log.info('##### Searching for entries on master2...')
+ entries = topology.master2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 20 == len(entries)
+
+ db2ldifpl = '%s/sbin/db2ldif.pl' % os.getenv('PREFIX')
+ cmdline = [db2ldifpl, '-n', 'userRoot', '-Z', SERVERID_MASTER_1, '-D', DN_DM, '-w', PASSWORD]
+ log.info("##### db2ldif.pl -- %s" % (cmdline))
+ doAndPrintIt(cmdline)
+
+ log.info("Ticket 47536 - PASSED")
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
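Review bot: The stray `@pytest.fixture(scope="module")` directly above `add_entry` is followed only by blank lines, so Python applies it to `add_entry` itself, turning a plain helper into a module fixture that `test_ticket47536` then calls directly — pytest tolerated direct fixture calls at the time but later releases reject them; the decorator line should be deleted. `doAndPrintIt` never waits for the child and drains stdout to EOF before it starts on stderr, so a command writing more stderr than the pipe buffer can stall, and with indentation lost in this rendering I cannot tell whether the trailing `assert False` sits inside the stderr loop; `out, err = proc.communicate()` followed by `assert proc.returncode == 0, err` would cover both. The NSS token password written to `pwdfile.txt` in `create_keys_certs` is created with the default umask and left in the config directory after the certutil/pk12util steps, while only the pin file gets `chmod 400`; `os.chmod(pwdfile, 0o400)` right after writing it, and removing it once the key/cert generation is done, would keep the secret contained. Where a path is interpolated into an `os.system` shell string (`rm -f`, `chmod`, `cp`, the certutil/pk12util invocations), the list form already used with `subprocess.Popen` avoids shell parsing of the path.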
commit b170243e77ee7609529e6d34216d2c6478ab4d45
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Thu Apr 14 13:42:34 2016 -0700
Ticket #47536 - Allow usage of OpenLDAP libraries that don't use NSS for crypto
Design Doc: http://www.port389.org/docs/389ds/design/allow-usage-of-openldap-lib-w-op...
This patch also addresses the issue described in
Ticket #48756 - if startTLS is enabled, perl utilities fail to start.
The ticket #48756 is closed as dup of Ticket #47536.
Note: Instead of checking whether the OpenLDAP client library is built with "OpenSSL",
this patch checks for "Not MozNSS", so that non-Fedora/RHEL platforms are supported.
https://fedorahosted.org/389/ticket/47536
Reviewed by wibrown(a)redhat.com (Thank you, William!!!)
diff --git a/ldap/admin/src/scripts/DSUtil.pm.in b/ldap/admin/src/scripts/DSUtil.pm.in
index 9830703..3476d67 100644
--- a/ldap/admin/src/scripts/DSUtil.pm.in
+++ b/ldap/admin/src/scripts/DSUtil.pm.in
@@ -1251,6 +1251,19 @@ sub get_info {
$info{ldapiURL} = "ldapi://" . $value;
}
+ while($entry = readOneEntry $ldif){
+ if($entry->getDN() eq "cn=encryption,cn=config"){
+ $foundcfg = "yes";
+ last;
+ }
+ }
+ if($foundcfg eq "yes"){
+ $info{cacertfile} = $entry->getValues("CACertExtractFile");
+ if ($info{cacertfile}) {
+ $ENV{LDAPTLS_CACERT}=$info{cacertfile};
+ }
+ }
+
close (DSE);
return %info;
}
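Review bot: `$foundcfg` is compared with `eq "yes"` but the hunk never initialises it; if it is not declared and reset earlier in `get_info` (the sub begins outside the hunk, so I cannot see its declarations) the comparison emits an "uninitialized value" warning under `use warnings`, and a stale value from an earlier use would be misread — `my $foundcfg = "";` before the `while` settles both. `$info{cacertfile} = $entry->getValues("CACertExtractFile")` assigns in scalar context; if `getValues` returns a list this yields its last element or its count rather than the value, which is worth confirming. The loop also consumes the LDIF stream up to the encryption entry, so any entry before it cannot be read by code that follows in `get_info`; a comment such as `# consumes entries up to cn=encryption,cn=config; read other entries before this point` would make that visible.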
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index 5628e99..e620e74 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -103,6 +103,9 @@ attributeTypes: ( allowWeakCipher-oid NAME 'allowWeakCipher' DESC 'Netscape defi
attributeTypes: ( nsSSLToken-oid NAME 'nsSSLToken' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLPersonalitySSL-oid NAME 'nsSSLPersonalitySSL' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( nsSSLActivation-oid NAME 'nsSSLActivation' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( CACertExtractFile-oid NAME 'CACertExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( ServerKeyExtractFile-oid NAME 'ServerKeyExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
+attributeTypes: ( ServerCertExtractFile-oid NAME 'ServerCertExtractFile' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
attributeTypes: ( 2.16.840.1.113730.3.1.2091 NAME 'nsslapd-suffix' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' )
attributeTypes: ( 2.16.840.1.113730.3.1.2092 NAME 'nsslapd-ldapiautodnsuffix' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'Netscape' )
attributeTypes: ( 2.16.840.1.113730.3.1.2095 NAME 'connection' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape' )
@@ -308,8 +311,8 @@ objectClasses: ( 2.16.840.1.113730.3.2.103 NAME 'nsDS5ReplicationAgreement' DESC
objectClasses: ( 2.16.840.1.113730.3.2.39 NAME 'nsslapdConfig' DESC 'Netscape defined objectclass' SUP top MAY ( cn ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.317 NAME 'nsSaslMapping' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSaslMapRegexString $ nsSaslMapBaseDNTemplate $ nsSaslMapFilterTemplate ) MAY ( nsSaslMapPriority ) X-ORIGIN 'Netscape Directory Server' )
objectClasses: ( 2.16.840.1.113730.3.2.43 NAME 'nsSNMP' DESC 'Netscape defined objectclass' SUP top MUST ( cn $ nsSNMPEnabled ) MAY ( nsSNMPOrganization $ nsSNMPLocation $ nsSNMPContact $ nsSNMPDescription $ nsSNMPName $ nsSNMPMasterHost $ nsSNMPMasterPort ) X-ORIGIN 'Netscape Directory Server' )
-objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher) X-ORIGIN 'Netscape' )
-objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionConfig-oid NAME 'nsEncryptionConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsCertfile $ nsKeyfile $ nsSSL2 $ nsSSL3 $ nsTLS1 $ sslVersionMin $ sslVersionMax $ nsSSLSessionTimeout $ nsSSL3SessionTimeout $ nsSSLClientAuth $ nsSSL2Ciphers $ nsSSL3Ciphers $ nsSSLSupportedCiphers $ allowWeakCipher $ CACertExtractFile ) X-ORIGIN 'Netscape' )
+objectClasses: ( nsEncryptionModule-oid NAME 'nsEncryptionModule' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( nsSSLToken $ nsSSLPersonalityssl $ nsSSLActivation $ ServerKeyExtractFile $ ServerCertExtractFile ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.327 NAME 'rootDNPluginConfig' DESC 'Netscape defined objectclass' SUP top MUST ( cn ) MAY ( rootdn-open-time $ rootdn-close-time $ rootdn-days-allowed $ rootdn-allow-host $ rootdn-deny-host $ rootdn-allow-ip $ rootdn-deny-ip ) X-ORIGIN 'Netscape' )
objectClasses: ( 2.16.840.1.113730.3.2.328 NAME 'nsSchemaPolicy' DESC 'Netscape defined objectclass' SUP top MAY ( cn $ schemaUpdateObjectclassAccept $ schemaUpdateObjectclassReject $ schemaUpdateAttributeAccept $ schemaUpdateAttributeReject) X-ORIGIN 'Netscape Directory Server' )
diff --git a/ldap/servers/plugins/replication/repl5_connection.c b/ldap/servers/plugins/replication/repl5_connection.c
index d193938..88f2a1d 100644
--- a/ldap/servers/plugins/replication/repl5_connection.c
+++ b/ldap/servers/plugins/replication/repl5_connection.c
@@ -1234,9 +1234,9 @@ conn_connect(Repl_Connection *conn)
* initialisation should be done before ever trying to open any connection at all.
*/
if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
- secure = 2;
+ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
} else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
- secure = 1;
+ secure = SLAPI_LDAP_INIT_FLAG_SSL;
}
if (secure > 0) {
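Review bot: `if (secure > 0)` (and the `secure ? "secure" : ...` ternaries in the two following hunks) still depend on the numeric values behind SLAPI_LDAP_INIT_FLAG_SSL and SLAPI_LDAP_INIT_FLAG_startTLS rather than on the names, so the replacement of the literals is only half done; `if (secure != 0)`, or testing the two flags explicitly, keeps the intent independent of their values. The same pattern appears in the windows_connection.c hunks for windows_conn_connect. conn_connect begins outside the hunk, so I cannot see how `secure` is initialised.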
@@ -1261,7 +1261,7 @@ conn_connect(Repl_Connection *conn)
"%s: Trying %s%s slapi_ldap_init_ext\n",
agmt_get_long_name(conn->agmt),
secure ? "secure" : "non-secure",
- (secure == 2) ? " startTLS" : "");
+ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " startTLS" : "");
/* shared = 1 because we will read results from a second thread */
if (conn->ld) {
/* Since we call slapi_ldap_init, we must call slapi_ldap_unbind */
@@ -1279,7 +1279,7 @@ conn_connect(Repl_Connection *conn)
"%s: Failed to establish %s%sconnection to the consumer\n",
agmt_get_long_name(conn->agmt),
secure ? "secure " : "",
- (secure == 2) ? "startTLS " : "");
+ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? "startTLS " : "");
goto done;
}
diff --git a/ldap/servers/plugins/replication/windows_connection.c b/ldap/servers/plugins/replication/windows_connection.c
index a06a07e..cab3715 100644
--- a/ldap/servers/plugins/replication/windows_connection.c
+++ b/ldap/servers/plugins/replication/windows_connection.c
@@ -1313,9 +1313,9 @@ windows_conn_connect(Repl_Connection *conn)
* initialisation should be done before ever trying to open any connection at all.
*/
if (conn->transport_flags == TRANSPORT_FLAG_TLS) {
- secure = 2;
+ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
} else if (conn->transport_flags == TRANSPORT_FLAG_SSL) {
- secure = 1;
+ secure = SLAPI_LDAP_INIT_FLAG_SSL;
}
if (secure > 0) {
@@ -1340,7 +1340,7 @@ windows_conn_connect(Repl_Connection *conn)
"%s: Trying %s%s slapi_ldap_init_ext\n",
agmt_get_long_name(conn->agmt),
secure ? "secure" : "non-secure",
- (secure == 2) ? " startTLS" : "");
+ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " startTLS" : "");
conn->ld = slapi_ldap_init_ext(NULL, conn->hostname, conn->port, secure, 0, NULL);
if (NULL == conn->ld)
@@ -1353,7 +1353,7 @@ windows_conn_connect(Repl_Connection *conn)
"%s: Failed to establish %s%sconnection to the consumer\n",
agmt_get_long_name(conn->agmt),
secure ? "secure " : "",
- (secure == 2) ? "startTLS " : "");
+ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? "startTLS " : "");
goto done;
}
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 8a54cb9..138be1e 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -575,6 +575,7 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
int optval = 0;
int ssl_strength = 0;
int rc = 0;
+ const char *cacert = NULL;
if (config_get_ssl_check_hostname()) {
ssl_strength = LDAP_OPT_X_TLS_HARD;
@@ -587,7 +588,29 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
"failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
}
- /* tell it where our cert db is */
+ if (slapi_client_uses_non_nss(ld)) {
+ cacert = slapi_get_cacertfile();
+ if (cacert) {
+ /* CA Cert PEM file exists. Set the path to openldap option. */
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTFILE, cacert);
+ if (rc) {
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "Could not set CA cert path [%s]: %d:%s\n",
+ cacert, rc, ldap_err2string(rc));
+ }
+ }
+ if (slapi_client_uses_openssl(ld)) {
+ const int crlcheck = LDAP_OPT_X_TLS_CRL_ALL;
+ /* Sets the CRL evaluation strategy. */
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CRLCHECK, &crlcheck);
+ if (rc) {
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "Could not set CRLCHECK [%d]: %d:%s\n",
+ crlcheck, rc, ldap_err2string(rc));
+ }
+ }
+ }
+ /* tell it where our cert db/file is */
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, certdir))) {
slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
"failed: unable to set CACERTDIR option to %s\n", certdir);
@@ -635,8 +658,8 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
on the secure setting (389 for ldap, 636 for ldaps, 389 for starttls)
secure takes 1 of 3 values - 0 means regular ldap, 1 means ldaps, 2
means regular ldap with starttls.
- filename is the ldapi file name - if this is given, and no other options
- are given, ldapi is assumed.
+ ldapi_socket is the ldapi file name
+ if this is given, and no other options are given, ldapi is assumed.
*/
/* util_sasl_path: the string argument for putenv.
It must be a global or a static */
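Review bot: The parameter comment `secure takes 1 of 3 values - 0 means regular ldap, 1 means ldaps, 2 means regular ldap with starttls` (and `0 for ldap, 1 for ldaps, 2 for starttls` on the `int secure` line in the next hunk) still documents the raw numbers that this same commit replaces in the body with SLAPI_LDAP_INIT_FLAG_SSL and SLAPI_LDAP_INIT_FLAG_startTLS. Suggest `secure takes one of: 0 for plain ldap, SLAPI_LDAP_INIT_FLAG_SSL for ldaps, SLAPI_LDAP_INIT_FLAG_startTLS for ldap with startTLS` in both places so the names and the doc stay in step.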
@@ -646,12 +669,12 @@ LDAP *
slapi_ldap_init_ext(
const char *ldapurl, /* full ldap url */
const char *hostname, /* can also use this to override
- host in url */
+ host in url */
int port, /* can also use this to override port in url */
int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls -
- override proto in url */
+ override proto in url */
int shared, /* if true, LDAP* will be shared among multiple threads */
- const char *filename /* for ldapi */
+ const char *ldapi_socket /* for ldapi */
)
{
LDAPURLDesc *ludp = NULL;
@@ -705,16 +728,16 @@ slapi_ldap_init_ext(
/* use secure setting from url if none given */
if (!secure && ludp) {
if (secureurl) {
- secure = 1;
+ secure = SLAPI_LDAP_INIT_FLAG_SSL;
} else if (0/* starttls option - not supported yet in LDAP URLs */) {
- secure = 2;
+ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
}
}
/* ldap_url_parse doesn't yet handle ldapi */
/*
- if (!filename && ludp && ludp->lud_file) {
- filename = ludp->lud_file;
+ if (!ldapi_socket && ludp && ludp->lud_file) {
+ ldapi_socket = ludp->lud_file;
}
*/
@@ -762,10 +785,11 @@ slapi_ldap_init_ext(
} else {
char *makeurl = NULL;
- if (filename) {
- makeurl = slapi_ch_smprintf("ldapi://%s/", filename);
+ if (ldapi_socket) {
+ makeurl = slapi_ch_smprintf("ldapi://%s/", ldapi_socket);
} else { /* host port */
- makeurl = convert_to_openldap_uri(hostname, port, (secure == 1 ? "ldaps" : "ldap"));
+ makeurl = convert_to_openldap_uri(hostname, port,
+ (secure == SLAPI_LDAP_INIT_FLAG_SSL ? "ldaps" : "ldap"));
}
if (PR_SUCCESS != PR_CallOnce(&ol_init_callOnce, internal_ol_init_init)) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
@@ -796,15 +820,15 @@ slapi_ldap_init_ext(
* hostname (such as localhost.localdomain).
*/
if((rc = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON))){
- slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
+ slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
"Could not set ldap option LDAP_OPT_X_SASL_NOCANON for (%s), error %d (%s)\n",
ldapurl, rc, ldap_err2string(rc) );
}
}
#else /* !USE_OPENLDAP */
- if (filename) {
+ if (ldapi_socket) {
/* ldapi in mozldap client is not yet supported */
- } else if (secure == 1) {
+ } else if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
ld = ldapssl_init(hostname, port, secure);
} else { /* regular ldap and/or starttls */
/*
@@ -828,7 +852,7 @@ slapi_ldap_init_ext(
}
}
- if ((ld != NULL) && !filename) {
+ if (ld && !ldapi_socket) {
/*
* Set the outbound LDAP I/O timeout based on the server config.
*/
@@ -876,7 +900,7 @@ slapi_ldap_init_ext(
* LDAP* if it has already gone through ldapssl_init -
* so, use NULL if using starttls
*/
- if (secure == 1) {
+ if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
myld = ld;
}
@@ -900,7 +924,7 @@ slapi_ldap_init_ext(
SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n",
prerr, slapd_pr_strerror(prerr));
}
- if (secure == 1) {
+ if (secure == SLAPI_LDAP_INIT_FLAG_SSL) {
/* tell bind code we are using SSL */
ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON);
}
@@ -908,7 +932,7 @@ slapi_ldap_init_ext(
}
}
- if (ld && (secure == 2)) {
+ if (ld && (secure == SLAPI_LDAP_INIT_FLAG_startTLS)) {
/*
* We don't have a way to stash context data with the LDAP*, so we
* stash the information in the client controls (currently unused).
@@ -938,8 +962,8 @@ slapi_ldap_init_ext(
slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_init_ext",
"Success: set up conn to [%s:%d]%s\n",
hostname, port,
- (secure == 2) ? " using startTLS" :
- ((secure == 1) ? " using SSL" : ""));
+ (secure == SLAPI_LDAP_INIT_FLAG_startTLS) ? " using startTLS" :
+ ((secure == SLAPI_LDAP_INIT_FLAG_SSL) ? " using SSL" : ""));
done:
ldap_free_urldesc(ludp);
@@ -993,7 +1017,7 @@ ldaputil_get_saslpath()
LDAP *
slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared )
{
- return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL);
+ return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL/*, NULL*/);
}
/*
@@ -1030,7 +1054,7 @@ slapi_ldap_bind(
ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls);
if (clientctrls && clientctrls[0] &&
slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) {
- secure = 2;
+ secure = SLAPI_LDAP_INIT_FLAG_startTLS;
} else {
#if defined(USE_OPENLDAP)
/* openldap doesn't have a SSL/TLS yes/no flag - so grab the
@@ -1039,7 +1063,7 @@ slapi_ldap_bind(
ldap_get_option(ld, LDAP_OPT_URI, &ldapurl);
if (ldapurl && !PL_strncasecmp(ldapurl, "ldaps", 5)) {
- secure = 1;
+ secure = SLAPI_LDAP_INIT_FLAG_SSL;
}
slapi_ch_free_string(&ldapurl);
#else /* !USE_OPENLDAP */
@@ -1077,7 +1101,7 @@ slapi_ldap_bind(
bvcreds.bv_len = creds ? strlen(creds) : 0;
}
- if (secure == 2) { /* send start tls */
+ if (secure == SLAPI_LDAP_INIT_FLAG_startTLS) { /* send start tls */
rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL);
if (LDAP_SUCCESS != rc) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
@@ -2386,3 +2410,47 @@ slapi_berval_get_msg_len(struct berval *bv, int strict)
return len;
}
+
+int
+slapi_client_uses_non_nss(LDAP *ld)
+{
+ static int not_nss = 0;
+#if defined(USE_OPENLDAP)
+ static int initialized = 0;
+ char *package_name = NULL;
+ int rc;
+
+ if (initialized) {
+ return not_nss;
+ }
+ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_PACKAGE, &package_name);
+ if (!rc && PL_strcasecmp(package_name, "MozNSS")) {
+ not_nss = 1;
+ slapi_ch_free_string(&package_name);
+ }
+ initialized = 1;
+#endif
+ return not_nss;
+}
+
+int
+slapi_client_uses_openssl(LDAP *ld)
+{
+ static int is_openssl = 0;
+#if defined(USE_OPENLDAP)
+ static int initialized = 0;
+ char *package_name = NULL;
+ int rc;
+
+ if (initialized) {
+ return is_openssl;
+ }
+ rc = ldap_get_option(ld, LDAP_OPT_X_TLS_PACKAGE, &package_name);
+ if (!rc && !PL_strcasecmp(package_name, "OpenSSL")) {
+ is_openssl = 1;
+ slapi_ch_free_string(&package_name);
+ }
+ initialized = 1;
+#endif
+ return is_openssl;
+}
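Review bot: In both `slapi_client_uses_non_nss` and `slapi_client_uses_openssl` the string obtained from `ldap_get_option(ld, LDAP_OPT_X_TLS_PACKAGE, &package_name)` is freed only inside the `if` branch, so whenever the comparison does not match (a MozNSS build for the first helper, a non-OpenSSL build for the second) `package_name` leaks; move the free after the `if`. OpenLDAP allocates string-valued options with its own allocator and expects them to be released with `ldap_memfree`, so `slapi_ch_free_string(&package_name)` should be `ldap_memfree(package_name)`. Both helpers cache the answer in file-static `initialized`/result variables without synchronization and independently of which `ld` was passed; a comment such as `/* cached process-wide: the TLS package is a property of the client library, not of this ld */` would make that intentional rather than accidental.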
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 33f2f92..7bbf10e 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -253,6 +253,7 @@ slapi_int_t init_malloc_mmap_threshold;
#ifdef MEMPOOL_EXPERIMENTAL
slapi_onoff_t init_mempool_switch;
#endif
+slapi_onoff_t init_extract_pem;
#define DEFAULT_SSLCLIENTAPTH "off"
#define DEFAULT_ALLOW_ANON_ACCESS "on"
@@ -1197,6 +1198,10 @@ static struct config_get_and_set {
(void**)&global_slapdFrontendConfig.logging_hr_timestamps,
CONFIG_ON_OFF, NULL, &init_logging_hr_timestamps},
#endif
+ {CONFIG_EXTRACT_PEM, config_set_extract_pem,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.extract_pem,
+ CONFIG_ON_OFF, (ConfigGetFunc)config_get_extract_pem, &init_extract_pem},
{CONFIG_LOGGING_BACKEND, NULL,
log_set_backend, 0,
(void**)&global_slapdFrontendConfig.logging_backend,
@@ -1680,6 +1685,7 @@ FrontendConfig_init () {
}
}
#endif /* MEMPOOL_EXPERIMENTAL */
+ init_extract_pem = cfg->extract_pem = LDAP_OFF;
init_config_get_and_set();
}
@@ -8074,6 +8080,26 @@ config_get_maxsimplepaged_per_conn()
return retVal;
}
+int
+config_set_extract_pem(const char *attrname, char *value, char *errorbuf, int apply)
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+
+ retVal = config_set_onoff(attrname, value, &(slapdFrontendConfig->extract_pem), errorbuf, apply);
+ return retVal;
+}
+
+int
+config_get_extract_pem()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal;
+
+ retVal = slapdFrontendConfig->extract_pem;
+ return retVal;
+}
+
#if defined(LINUX)
int
config_set_malloc_mxfast(const char *attrname, char *value, char *errorbuf, int apply)
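Review bot: `config_get_extract_pem()` is defined with an empty parameter list, while neighbouring prototypes in proto-slap.h such as `config_get_enable_nunc_stans(void)` use `(void)`; `int config_get_extract_pem(void)` keeps the prototype explicit in both the definition and the header. The getter reads `slapdFrontendConfig->extract_pem` without taking the config lock; if the other on/off getters in libglobs.c bracket their read with the config read lock (not visible in this hunk), this one should do the same. In `config_set_extract_pem` the `retVal = LDAP_SUCCESS` initialisation is immediately overwritten, so `return config_set_onoff(attrname, value, &(slapdFrontendConfig->extract_pem), errorbuf, apply);` says the same thing in one line.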
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index e9b4618..255e4bd 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -581,6 +581,7 @@ int config_get_cn_uses_dn_syntax_in_dns();
int config_get_enable_nunc_stans(void);
int config_set_enable_nunc_stans(const char *attrname, char *value, char *errorbuf, int apply);
#endif
+int config_set_extract_pem(const char *attrname, char *value, char *errorbuf, int apply);
PLHashNumber hashNocaseString(const void *key);
PRIntn hashNocaseCompare(const void *v1, const void *v2);
@@ -594,6 +595,7 @@ int config_get_malloc_mmap_threshold();
#endif
int config_get_maxsimplepaged_per_conn();
+int config_get_extract_pem();
int is_abspath(const char *);
char* rel2abspath( char * );
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 0019c68..c6763e4 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2129,6 +2129,8 @@ typedef struct _slapdEntryPoints {
#define CONFIG_MAXSIMPLEPAGED_PER_CONN_ATTRIBUTE "nsslapd-maxsimplepaged-per-conn"
#define CONFIG_LOGGING_BACKEND "nsslapd-logging-backend"
+#define CONFIG_EXTRACT_PEM "nsslapd-extract-pemfiles"
+
#ifdef HAVE_CLOCK_GETTIME
#define CONFIG_LOGGING_HR_TIMESTAMPS "nsslapd-logging-hr-timestamps-enabled"
#endif
@@ -2331,7 +2333,6 @@ typedef struct _slapdFrontendConfig {
#ifdef HAVE_CLOCK_GETTIME
slapi_onoff_t logging_hr_timestamps;
#endif
-
slapi_onoff_t return_exact_case; /* Return attribute names with the same case
as they appear in at.conf */
@@ -2427,6 +2428,7 @@ typedef struct _slapdFrontendConfig {
int malloc_trim_threshold; /* mallopt M_TRIM_THRESHOLD */
int malloc_mmap_threshold; /* mallopt M_MMAP_THRESHOLD */
#endif
+ slapi_onoff_t extract_pem; /* If "on", export key/cert as pem files */
} slapdFrontendConfig_t;
/* possible values for slapdFrontendConfig_t.schemareplace */
diff --git a/ldap/servers/slapd/slapi-plugin.h b/ldap/servers/slapd/slapi-plugin.h
index 0dd10d9..d13aae9 100644
--- a/ldap/servers/slapd/slapi-plugin.h
+++ b/ldap/servers/slapd/slapi-plugin.h
@@ -6160,12 +6160,14 @@ int slapi_rwlock_get_size( void );
/*
* thread-safe LDAP connections
*/
+#define SLAPI_LDAP_INIT_FLAG_SSL 1 /* SSL */
+#define SLAPI_LDAP_INIT_FLAG_startTLS 2 /* startTLS */
/**
* Initializes an LDAP connection, and returns a handle to the connection.
*
* \param ldaphost Hostname or IP address - NOTE: for TLS or GSSAPI, should be the FQDN
* \param ldapport LDAP server port number (default 389)
- * \param secure \c 0 - LDAP \c 1 - LDAPS \c 2 - startTLS
+ * \param secure \c 0 - LDAP \c SLAPI_LDAP_INIT_FLAG_SSL - LDAPS \c SLAPI_LDAP_INIT_FLAG_startTLS - startTLS
* \param shared \c 0 - single thread access \c 1 - LDAP* will be shared among multiple threads
* \return A pointer to an LDAP* handle
*
@@ -6184,6 +6186,7 @@ LDAP *slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared );
* \see slapi_ldap_init_ext()
*/
void slapi_ldap_unbind( LDAP *ld );
+
/**
* Initializes an LDAP connection, and returns a handle to the connection.
*
@@ -6191,9 +6194,9 @@ void slapi_ldap_unbind( LDAP *ld );
* ldapi://path - if \c NULL, #hostname, #port, and #secure must be provided
* \param hostname Hostname or IP address - NOTE: for TLS or GSSAPI, should be the FQDN
* \param port LDAP server port number (default 389)
- * \param secure \c 0 - LDAP \c 1 - LDAPS \c 2 - startTLS
+ * \param secure \c 0 - LDAP \c SLAPI_LDAP_INIT_FLAG_SSL - LDAPS \c SLAPI_LDAP_INIT_FLAG_startTLS - startTLS
* \param shared \c 0 - single thread access \c 1 - LDAP* will be shared among multiple threads
- * \param filename - currently not supported
+ * \param ldapi_socket - ldapi socket path
* \return A pointer to an LDAP* handle
*
* \note Use #slapi_ldap_unbind() to close and free the handle
@@ -6209,7 +6212,7 @@ LDAP *slapi_ldap_init_ext(
int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls -
override proto in url */
int shared, /* if true, LDAP* will be shared among multiple threads */
- const char *filename /* for ldapi */
+ const char *ldap_socket /* ldapi socket path */
);
/**
* The LDAP bind request - this function handles all of the different types of mechanisms
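Review bot: The prototype's last parameter is named `ldap_socket`, while the definition in ldaputil.c and the `\param` line updated in the previous hunk of this header both call it `ldapi_socket`; rename it to `const char *ldapi_socket /* ldapi socket path */` so the public header and the implementation agree. The inline comment on `secure` still reads `0 for ldap, 1 for ldaps, 2 for starttls` although the doxygen block above now names `SLAPI_LDAP_INIT_FLAG_SSL` and `SLAPI_LDAP_INIT_FLAG_startTLS`; updating it keeps the two descriptions consistent.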
@@ -6246,6 +6249,18 @@ int slapi_ldap_bind(
);
/**
+ * Return the full path of PEM format CA Cert
+ *
+ * \return the full path of PEM format CA Cert
+ */
+const char * slapi_get_cacertfile();
+
+/**
+ * Set the full path of PEM format CA Cert
+ */
+void slapi_set_cacertfile(char *certfile);
+
+/**
* Create either a v1 Proxy Auth Control or a v2 Proxied Auth Control
*
* \param ld the LDAP connection handle
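Review bot: `slapi_set_cacertfile(char *certfile)` enters the public plugin API without saying whether the string is copied or whether the callee takes ownership of the buffer, and `slapi_get_cacertfile()` does not say how long the returned pointer remains valid; the implementation is not in this chunk, so the doc block is the only place a plugin author can learn it. Add the ownership rule the implementation actually follows, e.g. `\param certfile full path of the PEM CA cert; the caller keeps ownership of the buffer` (or the opposite, if it is stored as-is) and `\return pointer owned by the server, valid until the next slapi_set_cacertfile() call`. Both new declarations use an empty `()`; `(void)` makes them explicit prototypes like the surrounding declarations.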
diff --git a/ldap/servers/slapd/slapi-private.h b/ldap/servers/slapd/slapi-private.h
index fb7b5f8..9034869 100644
--- a/ldap/servers/slapd/slapi-private.h
+++ b/ldap/servers/slapd/slapi-private.h
@@ -1160,6 +1160,7 @@ char* slapd_get_tmp_dir( void );
#include <stdio.h> /* GGOODREPL - For BUFSIZ, below, gak */
const char* escape_string (const char* str, char buf[BUFSIZ]);
const char* escape_string_with_punctuation(const char* str, char buf[BUFSIZ]);
+const char* escape_string_for_filename(const char* str);
void strcpy_unescape_value( char *d, const char *s );
char *slapi_berval_get_string_copy(const struct berval *bval);
@@ -1304,6 +1305,8 @@ void add_internal_modifiersname(Slapi_PBlock *pb, Slapi_Entry *e);
/* ldaputil.c */
char *ldaputil_get_saslpath();
+int slapi_client_uses_non_nss(LDAP *ld);
+int slapi_client_uses_openssl(LDAP *ld);
/* ssl.c */
/*
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 544c9bc..85c2c6f 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -231,6 +231,19 @@ PRBool enableSSL3 = PR_FALSE;
*/
PRBool enableTLS1 = PR_TRUE;
+/*
+ * OpenLDAP client library with OpenSSL (ticket 47536)
+ */
+#define PEMEXT ".pem"
+/* CA cert pem file */
+static char *CACertPemFile = NULL;
+
+/* helper functions for openldap update. */
+static int slapd_extract_cert(Slapi_Entry *entry, int isCA);
+static int slapd_extract_key(Slapi_Entry *entry, char *token, PK11SlotInfo *slot);
+static void entrySetValue(Slapi_DN *sdn, char *type, char *value);
+static char *gen_pem_path(char *filename);
+
static void
slapd_SSL_report(int degree, char *fmt, va_list args)
{
@@ -277,7 +290,7 @@ getSupportedCiphers()
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[i].num,&info,sizeof(info));
/* only support FIPS approved ciphers in FIPS mode */
if (!isFIPS || info.isFIPS) {
- cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+ cipher_names[idx++] = slapi_ch_smprintf("%s%s%s%s%s%s%d",
_conf_ciphers[i].name,sep,
info.symCipherName,sep,
info.macAlgorithmName,sep,
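Review bot: Switching `PR_smprintf` to `slapi_ch_smprintf` changes which allocator owns these strings, and nothing in the hunk shows the matching free being updated: `cipher_names[idx++]` here, `enabled_cipher_names[idx++]` in getEnabledCiphers, the `nocipher` return value in _conf_setciphers, `dongle_file_name` in slapd_nss_init and `str` in charray2str (all later hunks) now need their consumers to release them with `slapi_ch_free`/`slapi_ch_free_string` rather than `PR_smprintf_free`. charray2str is the clearest case: its first element is now allocated with `slapi_ch_smprintf` while later iterations grow it with `PR_sprintf_append`, which reallocates a buffer it expects to have come from `PR_smprintf`; either keep that function on the NSPR allocator or rewrite the append as `slapi_ch_smprintf("%s%s%s", str, delim, *ary++)` followed by a free of the previous string. The callers that free these strings are outside the hunks, so each one should be checked.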
@@ -315,7 +328,7 @@ getEnabledCiphers()
SSL_CipherPrefGetDefault(_conf_ciphers[x].num, &enabled);
if (enabled) {
SSL_GetCipherSuiteInfo((PRUint16)_conf_ciphers[x].num,&info,sizeof(info));
- enabled_cipher_names[idx++] = PR_smprintf("%s%s%s%s%s%s%d",
+ enabled_cipher_names[idx++] = slapi_ch_smprintf("%s%s%s%s%s%s%d",
_conf_ciphers[x].name,sep,
info.symCipherName,sep,
info.macAlgorithmName,sep,
@@ -575,7 +588,7 @@ charray2str(char **ary, const char *delim)
if (str) {
str = PR_sprintf_append(str, "%s%s", delim, *ary++);
} else {
- str = PR_smprintf("%s", *ary++);
+ str = slapi_ch_smprintf("%s", *ary++);
}
}
@@ -757,7 +770,7 @@ _conf_setciphers(char *ciphers, int flags)
slapi_ch_free((void **)&unsuplist); /* strings inside are static */
if (!enabledOne) {
- char *nocipher = PR_smprintf("No active cipher suite is available.");
+ char *nocipher = slapi_ch_smprintf("No active cipher suite is available.");
return nocipher;
}
_conf_dumpciphers();
@@ -856,6 +869,31 @@ freeChildren( char **list ) {
}
}
+static void
+entrySetValue(Slapi_DN *sdn, char *type, char *value)
+{
+ Slapi_PBlock mypb;
+ LDAPMod attr;
+ LDAPMod *mods[2];
+ char *values[2];
+
+ values[0] = value;
+ values[1] = NULL;
+
+ /* modify the attribute */
+ attr.mod_type = type;
+ attr.mod_op = LDAP_MOD_REPLACE;
+ attr.mod_values = values;
+
+ mods[0] = &attr;
+ mods[1] = NULL;
+
+ pblock_init(&mypb);
+ slapi_modify_internal_set_pb_ext(&mypb, sdn, mods, NULL, NULL, (void *)plugin_get_default_component_id(), 0);
+ slapi_modify_internal_pb(&mypb);
+ pblock_done(&mypb);
+}
+
/* Logs a warning and returns 1 if cert file doesn't exist. You
* can skip the warning log message by setting no_log to 1.*/
static int
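Review bot: `entrySetValue` runs an internal modify but never reads its result, so a rejected or failed update of `type` on `sdn` is silent; read it before `pblock_done` and log it: `int rc = LDAP_SUCCESS; slapi_pblock_get(&mypb, SLAPI_PLUGIN_INTOP_RESULT, &rc); if (rc) slapi_log_error(SLAPI_LOG_FATAL, "entrySetValue", "Failed to set %s on %s: %d\n", type, slapi_sdn_get_dn(sdn), rc);`. Returning that `rc` instead of `void` would also let callers react. A one-line header comment stating the contract would help, e.g. `/* Replace attribute 'type' on entry 'sdn' with the single value 'value' via an internal modify. */`.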
@@ -863,8 +901,8 @@ warn_if_no_cert_file(const char *dir, int no_log)
{
int ret = 0;
char *filename = slapi_ch_smprintf("%s/cert8.db", dir);
- PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
- if (PR_SUCCESS != status) {
+ PRStatus status = PR_Access(filename, PR_ACCESS_READ_OK);
+ if (PR_SUCCESS != status) {
slapi_ch_free_string(&filename);
filename = slapi_ch_smprintf("%s/cert7.db", dir);
status = PR_Access(filename, PR_ACCESS_READ_OK);
@@ -1148,7 +1186,7 @@ slapd_nss_init(int init_ssl, int config_available)
slapd_pk11_configurePKCS11(NULL, NULL, tokPBE, ptokPBE, NULL, NULL, NULL, NULL, 0, 0 );
secStatus = NSS_Initialize(certdir, NULL, NULL, "secmod.db", nssFlags);
- dongle_file_name = PR_smprintf("%s/pin.txt", certdir);
+ dongle_file_name = slapi_ch_smprintf("%s/pin.txt", certdir);
if (secStatus != SECSuccess) {
errorCode = PR_GetError();
@@ -1280,10 +1318,16 @@ slapd_ssl_init()
freeConfigEntry( &entry );
return -1;
}
+ if (config_get_extract_pem()) {
+ /* extract cert file and convert it to a pem file. */
+ slapd_extract_cert(entry, PR_TRUE);
+ }
+
if ((family_list = getChildren(configDN))) {
char **family;
char *token;
char *activation;
+ int isinternal = 0;
for (family = family_list; *family; family++) {
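Review bot: `slapd_extract_cert(entry, PR_TRUE)` is declared to return `int` (forward declaration earlier in this file) but its result is dropped, and the same happens for the `slapd_extract_cert`/`slapd_extract_key` calls added further down in slapd_ssl_init; a failed extraction then only surfaces later as a missing PEM file in slapd_SSL_client_auth. At minimum log the failure at the call site, e.g. `if (slapd_extract_cert(entry, PR_TRUE)) { slapi_log_error(SLAPI_LOG_FATAL, "slapd_ssl_init", "Failed to extract CA cert to a PEM file\n"); }`. slapd_ssl_init continues outside the hunk.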
@@ -1311,6 +1355,7 @@ slapd_ssl_init()
if (!PL_strcasecmp(token, "internal") ||
!PL_strcasecmp(token, "internal (software)")) {
slot = slapd_pk11_getInternalKeySlot();
+ isinternal = 1;
} else {
slot = slapd_pk11_findSlotByName(token);
}
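Review bot: `isinternal` is declared once before the family loop (previous hunk) and set to 1 here but never reset in the `else` branch, so once one cipher family names the internal token every later family is treated as internal and `slapd_extract_key` (next hunk) receives `internalTokenName` instead of that family's own token; add `isinternal = 0;` in the `else` branch, or declare the variable inside the loop body. slapd_ssl_init continues outside the hunk.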
@@ -1324,8 +1369,6 @@ slapd_ssl_init()
return -1;
}
- slapi_ch_free((void **) &token);
-
if (!slot) {
errorCode = PR_GetError();
slapd_SSL_warn("Security Initialization: Unable to find slot ("
@@ -1333,6 +1376,7 @@ slapd_ssl_init()
errorCode, slapd_pr_strerror(errorCode));
freeChildren(family_list);
freeConfigEntry( &entry );
+ slapi_ch_free((void **) &token);
return -1;
}
/* authenticate */
@@ -1342,13 +1386,20 @@ slapd_ssl_init()
#endif
if (slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to authenticate ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_ssl_init",
+ "Unable to authenticate (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
freeChildren(family_list);
freeConfigEntry( &entry );
+ slapi_ch_free((void **) &token);
return -1;
}
+ if (config_get_extract_pem()) {
+ /* Get Server{Key,Cert}ExtractFile from cn=Cipher,cn=encryption entry if any. */
+ slapd_extract_cert(entry, PR_FALSE);
+ slapd_extract_key(entry, isinternal?internalTokenName:token, slot);
+ }
+ slapi_ch_free((void **) &token);
}
freeChildren( family_list );
freeConfigEntry( &entry );
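Review bot: The new `slapi_log_error(SLAPI_LOG_FATAL, "slapd_ssl_init", "Unable to authenticate (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", ...)` format string has no trailing `\n`, unlike the parallel replacement in slapd_ssl_init2 in the next hunk and every other `slapi_log_error` format in this diff; the old `slapd_SSL_warn` path did not need one, so this line will now run into the following log entry — end the format with `)\n"`. slapd_ssl_init continues outside the hunk.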
@@ -1669,9 +1720,9 @@ slapd_ssl_init2(PRFileDesc **fd, int startTLS)
if(slapd_pk11_isFIPS()) {
if(slapd_pk11_authenticate(slot, PR_TRUE, NULL) != SECSuccess) {
errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to authenticate ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_ssl_init2",
+ "Unable to authenticate (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n",
+ errorCode, slapd_pr_strerror(errorCode));
return -1;
}
fipsMode = PR_TRUE;
@@ -2103,111 +2154,117 @@ slapd_SSL_client_auth (LDAP* ld)
char *token = NULL;
SVRCOREStdPinObj *StdPinObj;
SVRCOREError err = SVRCORE_Success;
+ char *finalpersonality = NULL;
+ char *CertExtractFile = NULL;
+ char *KeyExtractFile = NULL;
- if((family_list = getChildren(configDN))) {
+ if ((family_list = getChildren(configDN))) {
char **family;
- char *personality = NULL;
char *activation = NULL;
char *cipher = NULL;
+ char *personality = NULL;
for (family = family_list; *family; family++) {
getConfigEntry( *family, &entry );
if ( entry == NULL ) {
- continue;
+ continue;
}
activation = slapi_entry_attr_get_charptr( entry, "nssslactivation" );
- if((!activation) || (!PL_strcasecmp(activation, "off"))) {
- /* this family was turned off, goto next */
- slapi_ch_free((void **) &activation);
- freeConfigEntry( &entry );
- continue;
+ if ((!activation) || (!PL_strcasecmp(activation, "off"))) {
+ /* this family was turned off, goto next */
+ slapi_ch_free((void **) &activation);
+ freeConfigEntry( &entry );
+ continue;
}
-
- slapi_ch_free((void **) &activation);
+ slapi_ch_free((void **) &activation);
personality = slapi_entry_attr_get_charptr( entry, "nssslpersonalityssl" );
cipher = slapi_entry_attr_get_charptr( entry, "cn" );
- if ( cipher && !PL_strcasecmp(cipher, "RSA" )) {
- char *ssltoken;
-
- /* If there already is a token name, use it */
- if (token) {
- slapi_ch_free((void **) &personality);
- slapi_ch_free((void **) &cipher);
- freeConfigEntry( &entry );
- continue;
- }
+ if ( cipher && !PL_strcasecmp(cipher, "RSA" )) {
+ char *ssltoken;
+
+ /* If there already is a token name, use it */
+ if (token) {
+ slapi_ch_free_string(&personality);
+ slapi_ch_free_string(&cipher);
+ freeConfigEntry( &entry );
+ continue;
+ }
- ssltoken = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
- if( ssltoken && personality ) {
- if( !PL_strcasecmp(ssltoken, "internal") ||
- !PL_strcasecmp(ssltoken, "internal (software)") ) {
+ ssltoken = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
+ if( ssltoken && personality ) {
+ if (!PL_strcasecmp(ssltoken, "internal") ||
+ !PL_strcasecmp(ssltoken, "internal (software)")) {
- /* Translate config internal name to more
- * readable form. Certificate name is just
- * the personality for internal tokens.
- */
- token = slapi_ch_strdup(internalTokenName);
+ /* Translate config internal name to more
+ * readable form. Certificate name is just
+ * the personality for internal tokens.
+ */
+ token = slapi_ch_strdup(internalTokenName);
#if defined(USE_OPENLDAP)
- /* openldap needs tokenname:certnick */
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+ /* openldap needs tokenname:certnick */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
#else
- PL_strncpyz(cert_name, personality, sizeof(cert_name));
+ PL_strncpyz(cert_name, personality, sizeof(cert_name));
#endif
- slapi_ch_free((void **) &ssltoken);
- } else {
- /* external PKCS #11 token - attach token name */
- /*ssltoken was already dupped and we don't need it anymore*/
- token = ssltoken;
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
- }
- } else {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to get cipher "
- "family information. Missing nsssltoken or"
- "nssslpersonalityssl in %s ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- *family, errorCode, slapd_pr_strerror(errorCode));
- slapi_ch_free((void **) &ssltoken);
- slapi_ch_free((void **) &personality);
- slapi_ch_free((void **) &cipher);
- freeConfigEntry( &entry );
- continue;
- }
- } else { /* external PKCS #11 cipher */
- char *ssltoken;
-
- ssltoken = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
- if( token && personality ) {
-
- /* free the old token and remember the new one */
- if (token) slapi_ch_free((void **)&token);
- token = ssltoken; /*ssltoken was already dupped and we don't need it anymore*/
-
- /* external PKCS #11 token - attach token name */
- PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
- } else {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Failed to get cipher "
- "family information. Missing nsssltoken or"
- "nssslpersonalityssl in %s ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- *family, errorCode, slapd_pr_strerror(errorCode));
- slapi_ch_free((void **) &ssltoken);
- slapi_ch_free((void **) &personality);
- slapi_ch_free((void **) &cipher);
- freeConfigEntry( &entry );
- continue;
- }
+ slapi_ch_free_string(&ssltoken);
+ } else {
+ /* external PKCS #11 token - attach token name */
+ token = ssltoken; /*ssltoken was already dupped */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+ }
+ } else {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to get cipher "
+ "family information. Missing nsssltoken or"
+ "nssslpersonalityssl in %s ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ *family, errorCode, slapd_pr_strerror(errorCode));
+ slapi_ch_free_string(&ssltoken);
+ slapi_ch_free_string(&personality);
+ slapi_ch_free_string(&cipher);
+ freeConfigEntry( &entry );
+ continue;
+ }
+ } else { /* external PKCS #11 cipher */
+ char *ssltoken;
+
+ ssltoken = slapi_entry_attr_get_charptr( entry, "nsssltoken" );
+ if( ssltoken && personality ) {
- }
- slapi_ch_free((void **) &personality);
- slapi_ch_free((void **) &cipher);
- freeConfigEntry( &entry );
+ /* free the old token and remember the new one */
+ if (token) slapi_ch_free_string(&token);
+ token = ssltoken; /*ssltoken was already dupped */
+
+ /* external PKCS #11 token - attach token name */
+ PR_snprintf(cert_name, sizeof(cert_name), "%s:%s", token, personality);
+ } else {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Failed to get cipher "
+ "family information. Missing nsssltoken or"
+ "nssslpersonalityssl in %s ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ * family, errorCode, slapd_pr_strerror(errorCode));
+ slapi_ch_free_string(&ssltoken);
+ slapi_ch_free_string(&personality);
+ slapi_ch_free_string(&cipher);
+ freeConfigEntry( &entry );
+ continue;
+ }
+ }
+ slapi_ch_free_string(&finalpersonality);
+ finalpersonality = personality;
+ slapi_ch_free_string(&cipher);
+ /* Get ServerCert/KeyExtractFile from given entry if any. */
+ slapi_ch_free_string(&CertExtractFile);
+ CertExtractFile = slapi_entry_attr_get_charptr(entry, "ServerCertExtractFile");
+ slapi_ch_free_string(&KeyExtractFile);
+ KeyExtractFile = slapi_entry_attr_get_charptr(entry, "ServerKeyExtractFile");
+ freeConfigEntry( &entry );
} /* end of for */
- freeChildren( family_list );
+ freeChildren( family_list );
}
/* Free config data */
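Review bot: `* family` in the new error-reporting call (`* family, errorCode, slapd_pr_strerror(errorCode)`) is a dereference written with a stray space; the same argument is `*family` in the RSA branch above and should read the same here. Most of this hunk re-indents the existing loop body, which buries the behavioural changes (`slapi_ch_free` → `slapi_ch_free_string`, the `finalpersonality` hand-off, and the new `ServerCertExtractFile`/`ServerKeyExtractFile` reads); putting whitespace-only changes in a separate commit would make the real change reviewable. The hand-off `finalpersonality = personality;` deserves a why-comment, e.g. `/* keep the personality of the last active family; it names the default PEM files for client auth */`. slapd_SSL_client_auth begins and ends outside the hunk.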
@@ -2226,15 +2283,69 @@ slapd_SSL_client_auth (LDAP* ld)
errorCode, slapd_pr_strerror(errorCode));
} else {
#if defined(USE_OPENLDAP)
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, SERVER_KEY_NAME);
- if (rc) {
- slapd_SSL_warn("SSL client authentication cannot be used "
- "unable to set the key to use to %s", SERVER_KEY_NAME);
- }
- rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, cert_name);
- if (rc) {
- slapd_SSL_warn("SSL client authentication cannot be used "
- "unable to set the cert to use to %s", cert_name);
+ if (slapi_client_uses_non_nss(ld)) {
+ char *certdir = config_get_certdir();
+ char *keyfile = NULL;
+ char *certfile = NULL;
+ if (KeyExtractFile) {
+ if ('/' == *KeyExtractFile) {
+ keyfile = KeyExtractFile;
+ } else {
+ keyfile = slapi_ch_smprintf("%s/%s", certdir, KeyExtractFile);
+ slapi_ch_free_string(&KeyExtractFile);
+ }
+ } else {
+ keyfile = slapi_ch_smprintf("%s/%s-Key%s", certdir, finalpersonality, PEMEXT);
+ }
+ if (CertExtractFile) {
+ if ('/' == *CertExtractFile) {
+ certfile = CertExtractFile;
+ } else {
+ certfile = slapi_ch_smprintf("%s/%s", certdir, CertExtractFile);
+ slapi_ch_free_string(&CertExtractFile);
+ }
+ } else {
+ certfile = slapi_ch_smprintf("%s/%s%s", certdir, finalpersonality, PEMEXT);
+ }
+ slapi_ch_free_string(&certdir);
+ if (PR_SUCCESS != PR_Access(keyfile, PR_ACCESS_EXISTS)) {
+ slapi_ch_free_string(&keyfile);
+ slapd_SSL_warn("SSL key file (%s) for client authentication does not exist. "
+ "Using %s", keyfile, SERVER_KEY_NAME);
+ keyfile = slapi_ch_strdup(SERVER_KEY_NAME);
+ }
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, keyfile);
+ if (rc) {
+ slapd_SSL_warn("SSL client authentication cannot be used "
+ "unable to set the key to use to %s", keyfile);
+ }
+ slapi_ch_free_string(&keyfile);
+ rc = PR_Access(certfile, PR_ACCESS_EXISTS);
+ if (rc) {
+ slapi_ch_free_string(&certfile);
+ slapd_SSL_warn("SSL cert file (%s) for client authentication does not exist. "
+ "Using %s", certfile, cert_name);
+ certfile = cert_name;
+ }
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, certfile);
+ if (rc) {
+ slapd_SSL_warn("SSL client authentication cannot be used "
+ "unable to set the cert to use to %s", certfile);
+ }
+ if (certfile != cert_name) {
+ slapi_ch_free_string(&certfile);
+ }
+ } else {
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_KEYFILE, SERVER_KEY_NAME);
+ if (rc) {
+ slapd_SSL_warn("SSL client authentication cannot be used "
+ "unable to set the key to use to %s", SERVER_KEY_NAME);
+ }
+ rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CERTFILE, cert_name);
+ if (rc) {
+ slapd_SSL_warn("SSL client authentication cannot be used "
+ "unable to set the cert to use to %s", cert_name);
+ }
}
/*
* not sure what else needs to be done for client auth - don't
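Review bot: `keyfile` is released by `slapi_ch_free_string(&keyfile)` one line before it is passed as the `%s` argument to `slapd_SSL_warn`, and `certfile` gets the same treatment a few lines later, so each warning formats a freed (and nulled) pointer; emit the warning first, then free: `slapd_SSL_warn("SSL key file (%s) for client authentication does not exist. Using %s", keyfile, SERVER_KEY_NAME); slapi_ch_free_string(&keyfile);`. `KeyExtractFile`/`CertExtractFile` are freed only on the non-NSS path (directly in the relative-path branch, or through the `keyfile`/`certfile` alias); on the NSS `else` path they are never released unless that happens outside the hunk. Falling back to `SERVER_KEY_NAME` and the `token:nick` form in `cert_name` when the PEM files are missing hands NSS-style names to a non-NSS library, which is unlikely to resolve them, so failing client-auth setup with a clear error may be preferable to the fallback. slapd_SSL_client_auth begins and ends outside the hunk.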
@@ -2265,6 +2376,7 @@ slapd_SSL_client_auth (LDAP* ld)
slapi_ch_free_string(&token);
slapi_ch_free_string(&pw);
+ slapi_ch_free_string(&finalpersonality);
LDAPDebug (LDAP_DEBUG_TRACE, "slapd_SSL_client_auth() %i\n", rc, 0, 0);
return rc;
@@ -2365,9 +2477,10 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
slotname, tokenname, certsubject);
break;
} else {
- slapi_log_error(SLAPI_LOG_TRACE, "slapd_get_unlocked_key_for_cert",
- "Skipping locked slot [%s] token [%s] for certificate [%s]\n",
- slotname, tokenname, certsubject);
+ PRErrorCode errcode = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_get_unlocked_key_for_cert",
+ "Skipping locked slot [%s] token [%s] for certificate [%s] (%d - %s)\n",
+ slotname, tokenname, certsubject, errcode, slapd_pr_strerror(errcode));
}
}
@@ -2391,3 +2504,591 @@ slapd_get_unlocked_key_for_cert(CERTCertificate *cert, void *pin_arg)
return key;
}
+/*
+ * Functions to extract key and cert from the NSS cert db.
+ */
+#include <libgen.h>
+#include <seccomon.h>
+#include <secmodt.h>
+#include <certt.h>
+#include <base64.h>
+#define DONOTEDIT "This file is auto-generated by 389-ds-base.\nDo not edit directly.\n"
+#define NS_CERT_HEADER "-----BEGIN CERTIFICATE-----"
+#define NS_CERT_TRAILER "-----END CERTIFICATE-----"
+#define KEY_HEADER "-----BEGIN PRIVATE KEY-----"
+#define KEY_TRAILER "-----END PRIVATE KEY-----"
+#define ENCRYPTED_KEY_HEADER "-----BEGIN ENCRYPTED PRIVATE KEY-----"
+#define ENCRYPTED_KEY_TRAILER "-----END ENCRYPTED PRIVATE KEY-----"
+
+typedef struct {
+ enum {
+ PW_NONE = 0,
+ PW_FROMFILE = 1,
+ PW_PLAINTEXT = 2,
+ PW_EXTERNAL = 3
+ } source;
+ char *data;
+} secuPWData;
+
+static SECStatus
+listCerts(CERTCertDBHandle *handle, CERTCertificate *cert, PK11SlotInfo *slot,
+ PRFileDesc *outfile, void *pwarg)
+{
+ SECItem data;
+ SECStatus rv = SECFailure;
+ CERTCertList *certs;
+ CERTCertListNode *node;
+ CERTCertificate *the_cert = NULL;
+ char *name = NULL;
+
+ if (!cert) {
+ slapi_log_error(SLAPI_LOG_FATAL, "listCerts", "No cert given\n");
+ return rv;
+ }
+ name = cert->nickname;
+
+ if (!name) {
+ slapi_log_error(SLAPI_LOG_FATAL, "listCerts", "No cert nickname\n");
+ return rv;
+ }
+ the_cert = CERT_FindCertByNicknameOrEmailAddr(handle, name);
+ if (!the_cert) {
+ slapi_log_error(SLAPI_LOG_FATAL, "listCerts", "Could not find cert: %s\n", name);
+ return SECFailure;
+ }
+
+ PR_fprintf(outfile, "%s\n", DONOTEDIT);
+ /* Here, we have one cert with the desired nickname or email
+ * address. Now, we will attempt to get a list of ALL certs
+ * with the same subject name as the cert we have. That list
+ * should contain, at a minimum, the one cert we have already found.
+ * If the list of certs is empty (NULL), the libraries have failed.
+ */
+ certs = CERT_CreateSubjectCertList(NULL, handle, &the_cert->derSubject,
+ PR_Now(), PR_FALSE);
+ CERT_DestroyCertificate(the_cert);
+ if (!certs) {
+ slapi_log_error(SLAPI_LOG_FATAL, "listCerts", "problem printing certificates");
+ return SECFailure;
+ }
+ for (node = CERT_LIST_HEAD(certs); !CERT_LIST_END(node,certs); node = CERT_LIST_NEXT(node)) {
+ the_cert = node->cert;
+ PR_fprintf(outfile, "Issuer: %s\n", the_cert->issuerName);
+ PR_fprintf(outfile, "Subject: %s\n", the_cert->subjectName);
+ /* now get the subjectList that matches this cert */
+ data.data = the_cert->derCert.data;
+ data.len = the_cert->derCert.len;
+ PR_fprintf(outfile, "\n%s\n%s\n%s\n", NS_CERT_HEADER,
+ BTOA_DataToAscii(data.data, data.len), NS_CERT_TRAILER);
+ rv = SECSuccess;
+ }
+ if (certs) {
+ CERT_DestroyCertList(certs);
+ }
+ if (rv) {
+ slapi_log_error(SLAPI_LOG_FATAL, "listCerts", "problem printing certificate nicknames");
+ return SECFailure;
+ }
+
+ return rv;
+}
+
+static char *
+gen_pem_path(char *filename)
+{
+ char *pem = NULL;
+ char *pempath = NULL;
+ char *dname = NULL;
+ char *bname = NULL;
+ char *certdir = config_get_certdir();
+
+ if (!filename) {
+ goto bail;
+ }
+ pem = PL_strstr(filename, PEMEXT);
+ if (pem) {
+ *pem = '\0';
+ }
+ bname = basename(filename);
+ dname = dirname(filename);
+ if (!PL_strcmp(dname, ".")) {
+ /* just a file name */
+ pempath = slapi_ch_smprintf("%s/%s%s", certdir, bname, PEMEXT);
+ } else if (*dname == '/') {
+ /* full path */
+ pempath = slapi_ch_smprintf("%s/%s%s", dname, bname, PEMEXT);
+ } else {
+ /* relative path */
+ pempath = slapi_ch_smprintf("%s/%s/%s%s", certdir, dname, bname, PEMEXT);
+ }
+bail:
+ return pempath;
+}
+
+static int
+slapd_extract_cert(Slapi_Entry *entry, int isCA)
+{
+ CERTCertDBHandle *certHandle;
+ char *certdir = config_get_certdir();
+ CERTCertListNode *node;
+ CERTCertList *list = PK11_ListCerts(PK11CertListAll, NULL);
+ PRFileDesc *outFile = NULL;
+ SECStatus rv = SECFailure;
+ char *CertExtractFile = NULL;
+ char *certfile = NULL;
+ char *personality = NULL;
+
+ if (!entry) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert",
+ "No entry is given for %s Cert.\n", isCA?"CA":"Server");
+ goto bail;
+ }
+
+ /* Get CertExtractFile from given entry if any. */
+ if (isCA) {
+ CertExtractFile = slapi_entry_attr_get_charptr(entry, "CACertExtractFile");
+ } else {
+ CertExtractFile = slapi_entry_attr_get_charptr(entry, "ServerCertExtractFile");
+ personality = slapi_entry_attr_get_charptr(entry, "nsSSLPersonalitySSL" );
+ }
+ certfile = gen_pem_path(CertExtractFile);
+ if (isCA) {
+ slapi_ch_free_string(&CACertPemFile);
+ CACertPemFile = certfile;
+ }
+
+ certHandle = CERT_GetDefaultCertDB();
+ for (node = CERT_LIST_HEAD(list); !CERT_LIST_END(node, list);
+ node = CERT_LIST_NEXT(node)) {
+ CERTCertificate *cert = node->cert;
+ CERTCertTrust trust;
+ switch (isCA) {
+ case PR_TRUE:
+ if ((CERT_GetCertTrust(cert, &trust) == SECSuccess) &&
+ (trust.sslFlags & (CERTDB_VALID_CA|CERTDB_TRUSTED_CA|CERTDB_TRUSTED_CLIENT_CA))) {
+ /* default token "internal" */
+ PK11SlotInfo *slot = slapd_pk11_getInternalKeySlot();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert", "CA CERT NAME: %s\n", cert->nickname);
+ if (!certfile) {
+ certfile = slapi_ch_smprintf("%s/%s%s", certdir, escape_string_for_filename(cert->nickname), PEMEXT);
+ entrySetValue(slapi_entry_get_sdn(entry), "CACertExtractFile", certfile);
+ slapi_set_cacertfile(certfile);
+ }
+ if (!outFile) {
+ outFile = PR_Open(certfile, PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
+ }
+ if (!outFile) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert",
+ "Unable to open \"%s\" for writing (%d, %d).\n",
+ certfile, PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+ rv = listCerts(certHandle, cert, slot, outFile, NULL);
+ if (rv) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert", "listCerts failed\n");
+ break;
+ }
+ }
+ break;
+ default:
+ if (!PL_strcmp(cert->nickname, personality)) {
+ PK11SlotInfo *slot = slapd_pk11_getInternalKeySlot();
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert", "SERVER CERT NAME: %s\n", cert->nickname);
+ if (!certfile) {
+ certfile = slapi_ch_smprintf("%s/%s%s", certdir, escape_string_for_filename(cert->nickname), PEMEXT);
+ }
+ if (!outFile) {
+ outFile = PR_Open(certfile, PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
+ }
+ if (!outFile) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert",
+ "Unable to open \"%s\" for writing (%d, %d).\n",
+ certfile, PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+ rv = listCerts(certHandle, cert, slot, outFile, NULL);
+ if (rv) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_cert", "listCerts failed\n");
+ }
+ PR_Close(outFile);
+ outFile = NULL;
+ break; /* One cert per one pem file. */
+ }
+ break;
+ }
+ }
+ rv = SECSuccess;
+bail:
+ CERT_DestroyCertList(list);
+ slapi_ch_free_string(&CertExtractFile);
+ if (CACertPemFile != certfile) {
+ slapi_ch_free_string(&certfile);
+ }
+ slapi_ch_free_string(&personality);
+ if (outFile) {
+ PR_Close(outFile);
+ }
+ return rv;
+}
+
+/*
+ * Borrowed from keyutil.c (crypto-util)
+ *
+ * Extract the public and private keys and the subject
+ * distinguished from the cert with the given nickname
+ * in the given slot.
+ *
+ * @param nickname the certificate nickname
+ * @param slot the slot where keys it was loaded
+ * @param pwdat module authentication password
+ * @param privkey private key out
+ * @param pubkey public key out
+ * @param subject subject out
+ */
+static SECStatus
+extractRSAKeysAndSubject(
+ const char *nickname,
+ PK11SlotInfo *slot,
+ secuPWData *pwdata,
+ SECKEYPrivateKey **privkey,
+ SECKEYPublicKey **pubkey,
+ CERTName **subject)
+{
+ PRErrorCode rv = SECFailure;
+ CERTCertificate *cert = PK11_FindCertFromNickname((char *)nickname, NULL);
+ if (!cert) {
+ rv = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "extractRSAKeysAndSubject",
+ "Failed extract cert with %s, (%d-%s, %d).\n",
+ nickname, rv, slapd_pr_strerror(rv), PR_GetOSError());
+ goto bail;
+ }
+
+ *pubkey = CERT_ExtractPublicKey(cert);
+ if (!*pubkey) {
+ rv = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "extractRSAKeysAndSubject",
+ "Could not get public key from cert for %s, (%d-%s, %d)\n",
+ nickname, rv, slapd_pr_strerror(rv), PR_GetOSError());
+ goto bail;
+ }
+
+ *privkey = PK11_FindKeyByDERCert(slot, cert, pwdata);
+ if (!*privkey) {
+ rv = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "extractRSAKeysAndSubject",
+ "Unable to find the key with PK11_FindKeyByDERCert for %s, (%d-%s, %d)\n",
+ nickname, rv, slapd_pr_strerror(rv), PR_GetOSError());
+ *privkey= PK11_FindKeyByAnyCert(cert, &pwdata);
+ if (!*privkey) {
+ rv = PR_GetError();
+ slapi_log_error(SLAPI_LOG_FATAL, "extractRSAKeysAndSubject",
+ "Unable to find the key with PK11_FindKeyByAnyCert for %s, (%d-%s, %d)\n",
+ nickname, rv, slapd_pr_strerror(rv), PR_GetOSError());
+ goto bail;
+ }
+ }
+
+ PR_ASSERT(((*privkey)->keyType) == rsaKey);
+ *subject = CERT_AsciiToName(cert->subjectName);
+
+ if (!*subject) {
+ slapi_log_error(SLAPI_LOG_FATAL, "extractRSAKeysAndSubject",
+ "Improperly formatted name: \"%s\"\n",
+ cert->subjectName);
+ goto bail;
+ }
+ rv = SECSuccess;
+bail:
+ if (cert)
+ CERT_DestroyCertificate(cert);
+ return rv;
+}
+
+/*
+ * Decrypt the private key
+ */
+SECStatus DecryptKey(
+ SECKEYEncryptedPrivateKeyInfo *epki,
+ SECOidTag algTag,
+ SECItem *pwitem,
+ secuPWData *pwdata,
+ SECItem *derPKI)
+{
+ SECItem *cryptoParam = NULL;
+ PK11SymKey *symKey = NULL;
+ PK11Context *ctx = NULL;
+ SECStatus rv = SECFailure;
+
+ if (!pwitem) {
+ return rv;
+ }
+
+ do {
+ SECAlgorithmID algid = epki->algorithm;
+ CK_MECHANISM_TYPE cryptoMechType;
+ CK_ATTRIBUTE_TYPE operation = CKA_DECRYPT;
+ PK11SlotInfo *slot = NULL;
+
+ cryptoMechType = PK11_GetPBECryptoMechanism(&algid, &cryptoParam, pwitem);
+ if (cryptoMechType == CKM_INVALID_MECHANISM) {
+ break;
+ }
+
+ slot = PK11_GetBestSlot(cryptoMechType, NULL);
+ if (!slot) {
+ break;
+ }
+
+ symKey = PK11_PBEKeyGen(slot, &algid, pwitem, PR_FALSE, pwdata);
+ if (symKey == NULL) {
+ break;
+ }
+
+ ctx = PK11_CreateContextBySymKey(cryptoMechType, operation, symKey, cryptoParam);
+ if (ctx == NULL) {
+ break;
+ }
+
+ rv = PK11_CipherOp(ctx,
+ derPKI->data, /* out */
+ (int *)(&derPKI->len), /* out len */
+ (int)epki->encryptedData.len, /* max out */
+ epki->encryptedData.data, /* in */
+ (int)epki->encryptedData.len); /* in len */
+
+ PR_ASSERT(derPKI->len == epki->encryptedData.len);
+ PR_ASSERT(rv == SECSuccess);
+ rv = PK11_Finalize(ctx);
+ PR_ASSERT(rv == SECSuccess);
+
+ } while (0);
+
+ /* cleanup */
+ if (symKey) {
+ PK11_FreeSymKey(symKey);
+ }
+ if (cryptoParam) {
+ SECITEM_ZfreeItem(cryptoParam, PR_TRUE);
+ cryptoParam = NULL;
+ }
+ if (ctx) {
+ PK11_DestroyContext(ctx, PR_TRUE);
+ }
+
+ return rv;
+
+}
+
+/* #define ENCRYPTEDKEY 1 */
+#define RAND_PASS_LEN 32
+static int
+slapd_extract_key(Slapi_Entry *entry, char *token, PK11SlotInfo *slot)
+{
+ char *KeyExtractFile = NULL;
+ char *personality = NULL;
+ char *keyfile = NULL;
+ unsigned char randomPassword[RAND_PASS_LEN] = {0};
+ SECStatus rv = SECFailure;
+ SECItem pwitem = { 0, NULL, 0 };
+ SECItem clearKeyDER = { 0, NULL, 0 };
+ PRFileDesc *outFile = NULL;
+ SECKEYEncryptedPrivateKeyInfo *epki = NULL;
+ SECKEYPrivateKey *privkey = NULL;
+ SECKEYPublicKey *pubkey = NULL;
+ secuPWData pwdata = { PW_NONE, 0 };
+ CERTName *subject = NULL;
+ PLArenaPool *arenaForPKI = NULL;
+ char *b64 = NULL;
+ PRUint32 total = 0;
+ PRUint32 numBytes = 0;
+ char *certdir = config_get_certdir();
+#if defined(ENCRYPTEDKEY)
+ char *keyEncPwd = NULL;
+ SVRCOREError err = SVRCORE_Success;
+ PRArenaPool *arenaForEPKI = NULL;
+ SVRCOREStdPinObj *StdPinObj;
+ SECItem *encryptedKeyDER = NULL;
+#endif
+
+ if (!entry) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "No entry is given for Server Key.\n");
+ goto bail;
+ }
+#if defined(ENCRYPTEDKEY)
+ if (!token) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "No token is given.\n");
+ goto bail;
+ }
+ StdPinObj = (SVRCOREStdPinObj *)SVRCORE_GetRegisteredPinObj();
+ if (!StdPinObj) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "No entry is given for Server Key.\n");
+ goto bail;
+ }
+ err = SVRCORE_StdPinGetPin(&keyEncPwd, StdPinObj, token);
+ if (err || !keyEncPwd) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Failed to extract pw with token %s.\n", token);
+ goto bail;
+ }
+ pwitem.data = (unsigned char *)keyEncPwd;
+ pwitem.len = (unsigned int)strlen(keyEncPwd);
+ pwitem.type = siBuffer;
+#else
+ /* Caller wants clear keys. Make up a dummy
+ * password to get NSS to export an encrypted
+ * key which we will decrypt.
+ */
+ rv = PK11_GenerateRandom(randomPassword, sizeof((const char *)randomPassword) - 1);
+ if (rv != SECSuccess) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key", "Failed to generate random.\n");
+ goto bail;
+ }
+ pwitem.data = randomPassword;
+ pwitem.len = strlen((const char *)randomPassword);
+ pwitem.type = siBuffer;
+#endif
+
+ /* Get ServerKeyExtractFile from given entry if any. */
+ KeyExtractFile = slapi_entry_attr_get_charptr(entry, "ServerKeyExtractFile");
+ personality = slapi_entry_attr_get_charptr(entry, "nsSSLPersonalitySSL" );
+ if (!personality) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "nsSSLPersonalitySSL value not found.\n");
+ goto bail;
+ }
+ keyfile = gen_pem_path(KeyExtractFile);
+ if (!keyfile) {
+ keyfile = slapi_ch_smprintf("%s/%s-Key%s", certdir, escape_string_for_filename(personality), PEMEXT);
+ }
+ outFile = PR_Open(keyfile, PR_CREATE_FILE | PR_RDWR | PR_TRUNCATE, 00660);
+ if (!outFile) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Unable to open \"%s\" for writing (%d, %d).\n",
+ keyfile, PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+ rv = extractRSAKeysAndSubject(personality, slot, &pwdata, &privkey, &pubkey, &subject);
+ if (rv != SECSuccess) {
+#if defined(ENCRYPTEDKEY)
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Failed to extract keys for \"%s\".\n", token);
+#else
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key", "Failed to extract keys for %s.\n", personality);
+#endif
+ goto bail;
+ }
+
+ /*
+ * Borrowed the code from KeyOut in keyutil.c (crypto-util).
+ * Is it ok to hardcode the algorithm SEC_OID_DES_EDE3_CBC???
+ */
+ epki = PK11_ExportEncryptedPrivKeyInfo(NULL, SEC_OID_DES_EDE3_CBC, &pwitem, privkey, 1000, &pwdata);
+ if (!epki) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Unable to export encrypted private key (%d, %d).\n",
+ PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+#if defined(ENCRYPTEDKEY)
+ arenaForEPKI = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ /* NULL dest to let it allocate memory for us */
+ encryptedKeyDER = SEC_ASN1EncodeItem(arenaForEPKI, NULL, epki, SECKEY_EncryptedPrivateKeyInfoTemplate);
+ if (!encryptedKeyDER) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "SEC_ASN1EncodeItem failed. (%d, %d).\n", PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+#else
+ /* Make a decrypted key the one to write out. */
+ arenaForPKI = PORT_NewArena(2048);
+ if (!arenaForPKI) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "PORT_NewArena failed. (%d, %d).\n", PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+ clearKeyDER.data = PORT_ArenaAlloc(arenaForPKI, epki->encryptedData.len);
+ clearKeyDER.len = epki->encryptedData.len;
+ clearKeyDER.type = siBuffer;
+
+ rv = DecryptKey(epki, SEC_OID_DES_EDE3_CBC, &pwitem, &pwdata, &clearKeyDER);
+ if (rv != SECSuccess) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "DekryptKey failed. (%d, %d).\n", PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+#endif
+
+ /* we could be exporting a clear or encrypted key */
+#if defined(ENCRYPTEDKEY)
+ b64 = BTOA_ConvertItemToAscii(encryptedKeyDER);
+#else
+ b64 = BTOA_ConvertItemToAscii(&clearKeyDER);
+#endif
+ if (!b64) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Failed to conver to the ASCII (%d, %d).\n",
+ PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+
+ total = PL_strlen(b64);
+ PR_fprintf(outFile, "%s\n", DONOTEDIT);
+#if defined(ENCRYPTEDKEY)
+ PR_fprintf(outFile, "%s\n", ENCRYPTED_KEY_HEADER);
+#else
+ PR_fprintf(outFile, "%s\n", KEY_HEADER);
+#endif
+ numBytes = PR_Write(outFile, b64, total);
+ if (numBytes != total) {
+ slapi_log_error(SLAPI_LOG_FATAL, "slapd_extract_key",
+ "Failed to write to the file (%d, %d).\n",
+ PR_GetError(), PR_GetOSError());
+ goto bail;
+ }
+#if defined(ENCRYPTEDKEY)
+ PR_fprintf(outFile, "\n%s\n", ENCRYPTED_KEY_TRAILER);
+#else
+ PR_fprintf(outFile, "\n%s\n", KEY_TRAILER);
+#endif
+ rv = SECSuccess;
+bail:
+ slapi_ch_free_string(&certdir);
+ slapi_ch_free_string(&KeyExtractFile);
+ slapi_ch_free_string(&keyfile);
+ if (outFile) {
+ PR_Close(outFile);
+ }
+#if defined(ENCRYPTEDKEY)
+ if (arenaForEPKI) {
+ PORT_FreeArena(arenaForEPKI, PR_FALSE);
+ }
+ if (pwitem.data) {
+ memset(pwitem.data, 0, pwitem.len);
+ PORT_Free(pwitem.data);
+ }
+ memset(&pwitem, 0, sizeof(SECItem));
+#else
+ if (arenaForPKI) {
+ PORT_FreeArena(arenaForPKI, PR_FALSE);
+ }
+ memset(randomPassword, 0, strlen((const char *)randomPassword));
+#endif
+ return rv;
+}
+
+const char *
+slapi_get_cacertfile()
+{
+ return CACertPemFile;
+}
+
+void
+slapi_set_cacertfile(char *certfile)
+{
+ slapi_ch_free_string(&CACertPemFile);
+ CACertPemFile = certfile;
+}
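Review bot: In slapd_extract_key the dummy export password is much shorter than RAND_PASS_LEN intends: `sizeof((const char *)randomPassword) - 1` is the size of a pointer, so PK11_GenerateRandom fills only 7 (or 3) bytes, and `pwitem.len = strlen((const char *)randomPassword)` then stops at the first zero byte of that random data; use `rv = PK11_GenerateRandom(randomPassword, sizeof(randomPassword));`, `pwitem.len = sizeof(randomPassword);`, and at bail `memset(randomPassword, 0, sizeof(randomPassword));`. In extractRSAKeysAndSubject the fallback lookup passes `&pwdata` (a `secuPWData **`) to PK11_FindKeyByAnyCert whereas the first lookup passes `pwdata`; the void* wincx parameter hides the mismatch, so the fallback path hands NSS the wrong pointer. The clear-text private key is written to a file created with mode 00660 and the decrypted DER sits in an arena released with `PORT_FreeArena(arenaForPKI, PR_FALSE)` (no zeroization), while `b64`, `epki`, `privkey`, `pubkey` and `subject` are never released; 00600, `PORT_FreeArena(arenaForPKI, PR_TRUE)` and zeroing/freeing those objects at bail would close that. DecryptKey likewise only PR_ASSERTs the PK11_CipherOp status before overwriting it with `rv = PK11_Finalize(ctx);`, so a failed decrypt is invisible in release builds — test `rv` before finalizing. Separately, `escape_string_for_filename()` as added to util.c in this commit returns a pointer into its own stack buffer whenever it actually escapes, so the `slapi_ch_smprintf` calls in slapd_extract_cert and slapd_extract_key can read a dangling pointer.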
diff --git a/ldap/servers/slapd/util.c b/ldap/servers/slapd/util.c
index 41e213e..b9d2ea5 100644
--- a/ldap/servers/slapd/util.c
+++ b/ldap/servers/slapd/util.c
@@ -55,8 +55,14 @@
#include <sys/pstat.h>
#endif
-
-
+static int special_filename(unsigned char c)
+{
+ if ((c < 45) || (c == '/') || ((c > 57) && (c < 65)) ||
+ ((c > 90) && (c < 95)) || (c == 96) ||(c > 122) ) {
+ return UTIL_ESCAPE_HEX;
+ }
+ return UTIL_ESCAPE_NONE;
+}
static int special_np(unsigned char c)
{
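Review bot: special_filename expresses its character classes as bare ASCII codes (45, 57, 65, 90, 95, 96, 122), which a reader has to decode to learn that it keeps only `-`, `.`, digits, letters and `_`; writing it with character literals, `if (c < '-' || c == '/' || (c > '9' && c < 'A') || (c > 'Z' && c < '_') || c == '`' || c > 'z')`, says the same thing and documents the allowed set. A one-line comment above the function, `/* hex-escape every byte outside [-.0-9A-Z_a-z] so a cert nickname becomes a single safe path component */`, would make the intent explicit for the ssl.c callers.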
@@ -118,12 +124,16 @@ special_attr_char(unsigned char c)
c == '"');
}
+/* No '\\' */
+#define DOESCAPE_FLAGS_HEX_NOESC 0x1
+
static const char*
do_escape_string (
const char* str,
int len, /* -1 means str is nul-terminated */
char buf[BUFSIZ],
- int (*special)(unsigned char)
+ int (*special)(unsigned char),
+ int flags
)
{
const char* s;
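Review bot: DOESCAPE_FLAGS_HEX_NOESC is documented only as `/* No '\\' */`, yet it changes the output format rather than just dropping a character; a fuller comment such as `/* DOESCAPE_FLAGS_HEX_NOESC: emit escaped bytes as bare "xx" hex digits, without the leading backslash (used to build file names; output is not a reversible LDAP escape) */` would tell the next reader when it is appropriate. The new `flags` parameter on do_escape_string should likewise be described in the function's header comment alongside `special`. The body of do_escape_string continues outside this hunk.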
@@ -140,54 +150,56 @@ do_escape_string (
last = str + len - 1;
for (s = str; s <= last; ++s) {
- if ( (esc = (*special)((unsigned char)*s))) {
- const char* first = str;
- char* bufNext = buf;
- int bufSpace = BUFSIZ - 4;
- while (1) {
- if (bufSpace < (s - first)) s = first + bufSpace - 1;
- if (s > first) {
- memcpy (bufNext, first, s - first);
- bufNext += (s - first);
- bufSpace -= (s - first);
- }
- if (s > last) {
- break;
- }
- do {
- if (esc == UTIL_ESCAPE_BACKSLASH) {
- /* *s is '\\' */
- /* If *(s+1) and *(s+2) are both hex digits,
- * the char is already escaped. */
- if (isxdigit(*(s+1)) && isxdigit(*(s+2))) {
- memcpy(bufNext, s, 3);
- bufNext += 3;
- bufSpace -= 3;
- s += 2;
- } else {
- *bufNext++ = *s; --bufSpace;
- }
- } else { /* UTIL_ESCAPE_HEX */
- *bufNext++ = '\\'; --bufSpace;
- if (bufSpace < 3) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
- PR_snprintf(bufNext, 3, "%02x", *(unsigned char*)s);
- bufNext += 2; bufSpace -= 2;
- }
- } while (++s <= last &&
+ if ( (esc = (*special)((unsigned char)*s))) {
+ const char* first = str;
+ char* bufNext = buf;
+ int bufSpace = BUFSIZ - 4;
+ while (1) {
+ if (bufSpace < (s - first)) s = first + bufSpace - 1;
+ if (s > first) {
+ memcpy (bufNext, first, s - first);
+ bufNext += (s - first);
+ bufSpace -= (s - first);
+ }
+ if (s > last) {
+ break;
+ }
+ do {
+ if (esc == UTIL_ESCAPE_BACKSLASH) {
+ /* *s is '\\' */
+ /* If *(s+1) and *(s+2) are both hex digits,
+ * the char is already escaped. */
+ if (isxdigit(*(s+1)) && isxdigit(*(s+2))) {
+ memcpy(bufNext, s, 3);
+ bufNext += 3;
+ bufSpace -= 3;
+ s += 2;
+ } else {
+ *bufNext++ = *s; --bufSpace;
+ }
+ } else { /* UTIL_ESCAPE_HEX */
+ if (!(flags & DOESCAPE_FLAGS_HEX_NOESC)) {
+ *bufNext++ = '\\'; --bufSpace;
+ }
+ if (bufSpace < 3) {
+ memcpy(bufNext, "..", 2);
+ bufNext += 2;
+ goto bail;
+ }
+ PR_snprintf(bufNext, 3, "%02x", *(unsigned char*)s);
+ bufNext += 2; bufSpace -= 2;
+ }
+ } while (++s <= last &&
(esc = (*special)((unsigned char)*s)));
- if (s > last) break;
- first = s;
- while ( (esc = (*special)((unsigned char)*s)) == UTIL_ESCAPE_NONE && s <= last) ++s;
- }
- bail:
- *bufNext = '\0';
- return buf;
- }
- }
+ if (s > last) break;
+ first = s;
+ while ( (esc = (*special)((unsigned char)*s)) == UTIL_ESCAPE_NONE && s <= last) ++s;
+ }
+bail:
+ *bufNext = '\0';
+ return buf;
+ }
+ } /* for */
return str;
}
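Review bot: Almost every line of this hunk is a re-indentation of unchanged code, and the single behavioural change — the `if (!(flags & DOESCAPE_FLAGS_HEX_NOESC))` guard around the backslash write — is buried inside it; landing the whitespace change as its own commit would make the functional change reviewable. In NOESC mode the `bufSpace < 3` check still runs after the (now skipped) backslash, so the space accounting stays conservative, but on overflow the function still appends `..` and returns a truncated string, which for the new file-name caller silently yields a different path; that limit deserves a comment at the new caller or an explicit length check there. do_escape_string starts before this hunk.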
@@ -204,13 +216,20 @@ do_escape_string (
const char*
escape_string (const char* str, char buf[BUFSIZ])
{
- return do_escape_string(str,-1,buf,special_np);
+ return do_escape_string(str,-1,buf,special_np, 0);
}
const char*
escape_string_with_punctuation(const char* str, char buf[BUFSIZ])
{
- return do_escape_string(str,-1,buf,special_np_and_punct);
+ return do_escape_string(str,-1,buf,special_np_and_punct, 0);
+}
+
+const char*
+escape_string_for_filename(const char *str)
+{
+ char buf[BUFSIZ];
+ return do_escape_string(str,-1,buf,special_filename, DOESCAPE_FLAGS_HEX_NOESC);
}
#define ESCAPE_FILTER 1
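Review bot: escape_string_for_filename returns a pointer into its own local `char buf[BUFSIZ]` whenever do_escape_string actually escapes something (do_escape_string returns `buf` in that case and `str` only when nothing needed escaping), so any caller that receives an escaped name reads stack memory that has already gone out of scope. Match the sibling helpers and let the caller own the buffer: `escape_string_for_filename(const char *str, char buf[BUFSIZ])` with body `return do_escape_string(str,-1,buf,special_filename, DOESCAPE_FLAGS_HEX_NOESC);`, and have the ssl.c call sites added in this commit (slapd_extract_cert, slapd_extract_key) declare a local buffer and pass it in. Once the buffer is caller-owned, the "may return `str` or `buf`" contract is the same as escape_string's and is fine, but it is worth stating in a comment so callers do not free the result.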
commit f2953425ac26ceb8b168c7f1137a9a6d7392b120
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Mon Apr 11 15:43:41 2016 -0700
Ticket #48784 - CI test: added test cases for ticket 48784
Description: Make the SSL version set to the client library configurable.
https://fedorahosted.org/389/ticket/48784
Reviewed by wibrown(a)redhat.com (Thank you, William!)
diff --git a/dirsrvtests/tests/tickets/ticket48784_test.py b/dirsrvtests/tests/tickets/ticket48784_test.py
new file mode 100644
index 0000000..159301a
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48784_test.py
@@ -0,0 +1,434 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2016 Red Hat, Inc.
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import os
+import sys
+import time
+import shlex
+import subprocess
+import ldap
+import logging
+import pytest
+import base64
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+logging.getLogger(__name__).setLevel(logging.DEBUG)
+log = logging.getLogger(__name__)
+
+installation1_prefix = None
+
+CONFIG_DN = 'cn=config'
+ENCRYPTION_DN = 'cn=encryption,%s' % CONFIG_DN
+RSA = 'RSA'
+RSA_DN = 'cn=%s,%s' % (RSA, ENCRYPTION_DN)
+ISSUER = 'cn=CAcert'
+CACERT = 'CAcertificate'
+M1SERVERCERT = 'Server-Cert1'
+M2SERVERCERT = 'Server-Cert2'
+M1LDAPSPORT = '41636'
+M2LDAPSPORT = '42636'
+
+class TopologyReplication(object):
+ def __init__(self, master1, master2):
+ master1.open()
+ self.master1 = master1
+ master2.open()
+ self.master2 = master2
+
+
+(a)pytest.fixture(scope="module")
+def topology(request):
+ global installation1_prefix
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+
+ # Creating master 1...
+ master1 = DirSrv(verbose=True)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+ args_instance[SER_HOST] = HOST_MASTER_1
+ args_instance[SER_PORT] = PORT_MASTER_1
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_1
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_master = args_instance.copy()
+ master1.allocate(args_master)
+ instance_master1 = master1.exists()
+ if instance_master1:
+ master1.delete()
+ master1.create()
+ master1.open()
+ master1.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_1)
+
+ # Creating master 2...
+ master2 = DirSrv(verbose=True)
+ if installation1_prefix:
+ args_instance[SER_DEPLOYED_DIR] = installation1_prefix
+ args_instance[SER_HOST] = HOST_MASTER_2
+ args_instance[SER_PORT] = PORT_MASTER_2
+ args_instance[SER_SERVERID_PROP] = SERVERID_MASTER_2
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_master = args_instance.copy()
+ master2.allocate(args_master)
+ instance_master2 = master2.exists()
+ if instance_master2:
+ master2.delete()
+ master2.create()
+ master2.open()
+ master2.replica.enableReplication(suffix=SUFFIX, role=REPLICAROLE_MASTER, replicaId=REPLICAID_MASTER_2)
+
+ #
+ # Create all the agreements
+ #
+ # Creating agreement from master 1 to master 2
+ properties = {RA_NAME: r'meTo_%s:%s' % (master2.host, master2.port),
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ global m1_m2_agmt
+ m1_m2_agmt = master1.agreement.create(suffix=SUFFIX, host=master2.host, port=master2.port, properties=properties)
+ if not m1_m2_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m1_m2_agmt)
+
+ # Creating agreement from master 2 to master 1
+ properties = {RA_NAME: r'meTo_%s:%s' % (master1.host, master1.port),
+ RA_BINDDN: defaultProperties[REPLICATION_BIND_DN],
+ RA_BINDPW: defaultProperties[REPLICATION_BIND_PW],
+ RA_METHOD: defaultProperties[REPLICATION_BIND_METHOD],
+ RA_TRANSPORT_PROT: defaultProperties[REPLICATION_TRANSPORT]}
+ global m2_m1_agmt
+ m2_m1_agmt = master2.agreement.create(suffix=SUFFIX, host=master1.host, port=master1.port, properties=properties)
+ if not m2_m1_agmt:
+ log.fatal("Fail to create a master -> master replica agreement")
+ sys.exit(1)
+ log.debug("%s created" % m2_m1_agmt)
+
+ # Allow the replicas to get situated with the new agreements...
+ time.sleep(2)
+
+ global M1SUBJECT
+ M1SUBJECT = 'CN=%s,OU=389 Directory Server' % (master1.host)
+ global M2SUBJECT
+ M2SUBJECT = 'CN=%s,OU=390 Directory Server' % (master2.host)
+
+ #
+ # Initialize all the agreements
+ #
+ master1.agreement.init(SUFFIX, HOST_MASTER_2, PORT_MASTER_2)
+ master1.waitForReplInit(m1_m2_agmt)
+
+ # Check replication is working...
+ if master1.testReplication(DEFAULT_SUFFIX, master2):
+ log.info('Replication is working.')
+ else:
+ log.fatal('Replication is not working.')
+ assert False
+
+ # Delete each instance in the end
+ #def fin():
+ #master1.delete()
+ #master2.delete()
+ #request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ master1.clearTmpDir(__file__)
+
+ return TopologyReplication(master1, master2)
+
+
+(a)pytest.fixture(scope="module")
+
+
+def add_entry(server, name, rdntmpl, start, num):
+ log.info("\n######################### Adding %d entries to %s ######################" % (num, name))
+
+ for i in range(num):
+ ii = start + i
+ dn = '%s%d,%s' % (rdntmpl, ii, DEFAULT_SUFFIX)
+ try:
+ server.add_s(Entry((dn, {'objectclass': 'top person extensibleObject'.split(),
+ 'uid': '%s%d' % (rdntmpl, ii),
+ 'cn': '%s user%d' % (name, ii),
+ 'sn': 'user%d' % (ii)})))
+ except ldap.LDAPError as e:
+ log.error('Failed to add %s ' % dn + e.message['desc'])
+ assert False
+
+def enable_ssl(server, ldapsport, mycert):
+ log.info("\n######################### Enabling SSL LDAPSPORT %s ######################\n" % ldapsport)
+ server.simple_bind_s(DN_DM, PASSWORD)
+ server.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'),
+ (ldap.MOD_REPLACE, 'nsTLS1', 'on'),
+ (ldap.MOD_REPLACE, 'nsSSLClientAuth', 'allowed'),
+ (ldap.MOD_REPLACE, 'nsSSL3Ciphers', '+all')])
+
+ server.modify_s(CONFIG_DN, [(ldap.MOD_REPLACE, 'nsslapd-security', 'on'),
+ (ldap.MOD_REPLACE, 'nsslapd-ssl-check-hostname', 'off'),
+ (ldap.MOD_REPLACE, 'nsslapd-secureport', ldapsport)])
+
+ server.add_s(Entry((RSA_DN, {'objectclass': "top nsEncryptionModule".split(),
+ 'cn': RSA,
+ 'nsSSLPersonalitySSL': mycert,
+ 'nsSSLToken': 'internal (software)',
+ 'nsSSLActivation': 'on'})))
+
+def doAndPrintIt(cmdline, filename):
+ proc = subprocess.Popen(cmdline, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ if filename is None:
+ log.info(" OUT:")
+ else:
+ log.info(" OUT: %s" % filename)
+ fd = open(filename, "w")
+ while True:
+ l = proc.stdout.readline()
+ if l == "":
+ break
+ if filename is None:
+ log.info(" %s" % l)
+ else:
+ fd.write(l)
+ log.info(" ERR:")
+ while True:
+ l = proc.stderr.readline()
+ if l == "" or l == "\n":
+ break
+ log.info(" <%s>" % l)
+ assert False
+
+ if filename is not None:
+ fd.close()
+
+def create_keys_certs(topology):
+ log.info("\n######################### Creating SSL Keys and Certs ######################\n")
+
+ global m1confdir
+ m1confdir = topology.master1.confdir
+ global m2confdir
+ m2confdir = topology.master2.confdir
+
+ log.info("##### shutdown master1")
+ topology.master1.stop(timeout=10)
+
+ log.info("##### Creating a password file")
+ pwdfile = '%s/pwdfile.txt' % (m1confdir)
+ os.system('rm -f %s' % pwdfile)
+ opasswd = os.popen("(ps -ef ; w ) | sha1sum | awk '{print $1}'", "r")
+ passwd = opasswd.readline()
+ pwdfd = open(pwdfile, "w")
+ pwdfd.write(passwd)
+ pwdfd.close()
+
+ log.info("##### create the pin file")
+ m1pinfile = '%s/pin.txt' % (m1confdir)
+ m2pinfile = '%s/pin.txt' % (m2confdir)
+ os.system('rm -f %s' % m1pinfile)
+ os.system('rm -f %s' % m2pinfile)
+ pintxt = 'Internal (Software) Token:%s' % passwd
+ pinfd = open(m1pinfile, "w")
+ pinfd.write(pintxt)
+ pinfd.close()
+ os.system('chmod 400 %s' % m1pinfile)
+
+ log.info("##### Creating a noise file")
+ noisefile = '%s/noise.txt' % (m1confdir)
+ noise = os.popen("(w ; ps -ef ; date ) | sha1sum | awk '{print $1}'", "r")
+ noisewdfd = open(noisefile, "w")
+ noisewdfd.write(noise.readline())
+ noisewdfd.close()
+
+ cmdline = ['certutil', '-N', '-d', m1confdir, '-f', pwdfile]
+ log.info("##### Create key3.db and cert8.db database (master1): %s" % cmdline)
+ doAndPrintIt(cmdline, None)
+
+ cmdline = ['certutil', '-G', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating encryption key for CA (master1): %s" % cmdline)
+ #os.system('certutil -G -d %s -z %s -f %s' % (m1confdir, noisefile, pwdfile))
+ doAndPrintIt(cmdline, None)
+
+ time.sleep(2)
+
+ log.info("##### Creating self-signed CA certificate (master1) -- nickname %s" % CACERT)
+ os.system('( echo y ; echo ; echo y ) | certutil -S -n "%s" -s "%s" -x -t "CT,," -m 1000 -v 120 -d %s -z %s -f %s -2' % (CACERT, ISSUER, m1confdir, noisefile, pwdfile))
+
+ global M1SUBJECT
+ cmdline = ['certutil', '-S', '-n', M1SERVERCERT, '-s', M1SUBJECT, '-c', CACERT, '-t', ',,', '-m', '1001', '-v', '120', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating Server certificate -- nickname %s: %s" % (M1SERVERCERT, cmdline))
+ doAndPrintIt(cmdline, None)
+
+ time.sleep(2)
+
+ global M2SUBJECT
+ cmdline = ['certutil', '-S', '-n', M2SERVERCERT, '-s', M2SUBJECT, '-c', CACERT, '-t', ',,', '-m', '1002', '-v', '120', '-d', m1confdir, '-z', noisefile, '-f', pwdfile]
+ log.info("##### Creating Server certificate -- nickname %s: %s" % (M2SERVERCERT, cmdline))
+ doAndPrintIt(cmdline, None)
+
+ time.sleep(2)
+
+ log.info("##### start master1")
+ topology.master1.start(timeout=10)
+
+ log.info("##### enable SSL in master1 with all ciphers")
+ enable_ssl(topology.master1, M1LDAPSPORT, M1SERVERCERT)
+
+ cmdline = ['certutil', '-L', '-d', m1confdir]
+ log.info("##### Check the cert db: %s" % cmdline)
+ doAndPrintIt(cmdline, None)
+
+ log.info("##### stop master[12]")
+ topology.master1.stop(timeout=10)
+ topology.master2.stop(timeout=10)
+
+ global mytmp
+ mytmp = topology.master1.getDir(__file__, TMP_DIR)
+ m2pk12file = '%s/%s.pk12' % (mytmp, M2SERVERCERT)
+ cmd = 'pk12util -o %s -n "%s" -d %s -w %s -k %s' % (m2pk12file, M2SERVERCERT, m1confdir, pwdfile, pwdfile)
+ log.info("##### Extract PK12 file for master2: %s" % cmd)
+ os.system(cmd)
+
+ log.info("##### Check PK12 files")
+ if os.path.isfile(m2pk12file):
+ log.info('%s is successfully extracted.' % m2pk12file)
+ else:
+ log.fatal('%s was not extracted.' % m2pk12file)
+ assert False
+
+ log.info("##### Initialize Cert DB for master2")
+ cmdline = ['certutil', '-N', '-d', m2confdir, '-f', pwdfile]
+ log.info("##### Create key3.db and cert8.db database (master2): %s" % cmdline)
+ doAndPrintIt(cmdline, None)
+
+ log.info("##### Import certs to master2")
+ log.info('Importing %s' % CACERT)
+ cacert = '%s%s.pem' % (mytmp, CACERT)
+ cmdline = ['certutil', '-L', '-n', CACERT, '-d', m1confdir, '-a']
+ doAndPrintIt(cmdline, cacert)
+
+ os.system('certutil -A -n "%s" -t "CT,," -f %s -d %s -a -i %s' % (CACERT, pwdfile, m2confdir, cacert))
+ cmd = 'pk12util -i %s -n "%s" -d %s -w %s -k %s' % (m2pk12file, M2SERVERCERT, m2confdir, pwdfile, pwdfile)
+ log.info('##### Importing %s to master2: %s' % (M2SERVERCERT, cmd))
+ os.system(cmd)
+ log.info('copy %s to %s' % (m1pinfile, m2pinfile))
+ os.system('cp %s %s' % (m1pinfile, m2pinfile))
+ os.system('chmod 400 %s' % m2pinfile)
+
+ log.info("##### start master2")
+ topology.master2.start(timeout=10)
+
+ log.info("##### enable SSL in master2 with all ciphers")
+ enable_ssl(topology.master2, M2LDAPSPORT, M2SERVERCERT)
+
+ log.info("##### restart master2")
+ topology.master2.restart(timeout=10)
+
+ log.info("##### restart master1")
+ topology.master1.restart(timeout=10)
+
+
+ log.info("\n######################### Creating SSL Keys and Certs Done ######################\n")
+
+def config_tls_agreements(topology):
+ log.info("######################### Configure SSL/TLS agreements ######################")
+ log.info("######################## master1 <-- startTLS -> master2 #####################")
+
+ log.info("##### Update the agreement of master1")
+ global m1_m2_agmt
+ topology.master1.modify_s(m1_m2_agmt, [(ldap.MOD_REPLACE, 'nsDS5ReplicaTransportInfo', 'TLS')])
+
+ log.info("##### Update the agreement of master2")
+ global m2_m1_agmt
+ topology.master2.modify_s(m2_m1_agmt, [(ldap.MOD_REPLACE, 'nsDS5ReplicaTransportInfo', 'TLS')])
+
+ time.sleep(1)
+
+ topology.master1.restart(10)
+ topology.master2.restart(10)
+
+ log.info("\n######################### Configure SSL/TLS agreements Done ######################\n")
+
+def set_ssl_Version(server, name, version):
+ log.info("\n######################### Set %s on %s ######################\n", (version, name))
+ server.simple_bind_s(DN_DM, PASSWORD)
+ if version.startswith('SSL'):
+ server.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'on'),
+ (ldap.MOD_REPLACE, 'nsTLS1', 'off'),
+ (ldap.MOD_REPLACE, 'sslVersionMin', 'SSL3'),
+ (ldap.MOD_REPLACE, 'sslVersionMax', 'SSL3')])
+ elif version.startswith('TLS'):
+ server.modify_s(ENCRYPTION_DN, [(ldap.MOD_REPLACE, 'nsSSL3', 'off'),
+ (ldap.MOD_REPLACE, 'nsTLS1', 'on'),
+ (ldap.MOD_REPLACE, 'sslVersionMin', version),
+ (ldap.MOD_REPLACE, 'sslVersionMax', version)])
+ else:
+ log.info("Invalid version %s", version)
+ assert False
+
+def test_ticket48784(topology):
+ """
+ Set up 2way MMR:
+ master_1 <----- startTLS -----> master_2
+
+ Make sure the replication is working.
+ Then, stop the servers and set only SSLv3 on master_1 while TLS1.2 on master_2
+ Replication is supposed to fail.
+ """
+ log.info("Ticket 48784 - Allow usage of OpenLDAP libraries that don't use NSS for crypto")
+
+ create_keys_certs(topology)
+ config_tls_agreements(topology)
+
+ add_entry(topology.master1, 'master1', 'uid=m1user', 0, 5)
+ add_entry(topology.master2, 'master2', 'uid=m2user', 0, 5)
+
+ time.sleep(1)
+
+ log.info('##### Searching for entries on master1...')
+ entries = topology.master1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 10 == len(entries)
+
+ log.info('##### Searching for entries on master2...')
+ entries = topology.master2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 10 == len(entries)
+
+ log.info("##### openldap client just accepts sslVersionMin not Max.")
+ set_ssl_Version(topology.master1, 'master1', 'SSL3')
+ set_ssl_Version(topology.master2, 'master2', 'TLS1.2')
+
+ log.info("##### restart master[12]")
+ topology.master1.restart(timeout=10)
+ topology.master2.restart(timeout=10)
+
+ log.info("##### replication from master_1 to master_2 should be ok.")
+ add_entry(topology.master1, 'master1', 'uid=m1user', 10, 1)
+ log.info("##### replication from master_2 to master_1 should fail.")
+ add_entry(topology.master2, 'master2', 'uid=m2user', 10, 1)
+
+ time.sleep(2)
+
+ log.info('##### Searching for entries on master1...')
+ entries = topology.master1.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 11 == len(entries)
+
+ log.info('##### Searching for entries on master2...')
+ entries = topology.master2.search_s(DEFAULT_SUFFIX, ldap.SCOPE_SUBTREE, '(uid=*)')
+ assert 12 == len(entries)
+
+ log.info("Ticket 48784 - PASSED")
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
commit 0be073f9d70d0d88127d550a24f5c735a8c04253
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Apr 1 09:52:17 2016 -0700
Ticket #48784 - Make the SSL version set to the client library configurable.
Description: The value to set to LDAP_OPT_X_TLS_PROTOCOL_MIN is hardcoded:
optval = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &optval);
Changing the code to retrieve the supported SSL min version and set it.
https://fedorahosted.org/389/ticket/48784
Reviewed by wibrown(a)redhat.com (Thank you, William!)
diff --git a/ldap/servers/slapd/ldaputil.c b/ldap/servers/slapd/ldaputil.c
index 3851be5..8a54cb9 100644
--- a/ldap/servers/slapd/ldaputil.c
+++ b/ldap/servers/slapd/ldaputil.c
@@ -70,6 +70,11 @@
static PRCallOnceType ol_init_callOnce = {0,0};
static PRLock *ol_init_lock = NULL;
+#if defined(USE_OPENLDAP)
+extern void getSSLVersionRangeOL(int *min, int *max);
+extern int getSSLVersionRange(char **min, char **max);
+#endif
+
static PRStatus
internal_ol_init_init(void)
{
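Review bot: The two `extern` prototypes for `getSSLVersionRangeOL` and `getSSLVersionRange` are declared locally in ldaputil.c instead of in the header that ssl.c's other exported functions are declared in, so a later signature change in ssl.c would not be caught at compile time here. Moving `extern void getSSLVersionRangeOL(int *min, int *max);` and `extern int getSSLVersionRange(char **min, char **max);` into a shared header keeps declaration and definition together; the `#if defined(USE_OPENLDAP)` guard can stay around the header line if the header is shared with non-OpenLDAP builds.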
@@ -572,35 +577,38 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
int rc = 0;
if (config_get_ssl_check_hostname()) {
- ssl_strength = LDAP_OPT_X_TLS_HARD;
+ ssl_strength = LDAP_OPT_X_TLS_HARD;
} else {
- /* verify certificate only */
- ssl_strength = LDAP_OPT_X_TLS_NEVER;
+ /* verify certificate only */
+ ssl_strength = LDAP_OPT_X_TLS_NEVER;
}
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_REQUIRE_CERT, &ssl_strength))) {
- slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
- "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to set REQUIRE_CERT option to %d\n", ssl_strength);
}
/* tell it where our cert db is */
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_CACERTDIR, certdir))) {
- slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
- "failed: unable to set CACERTDIR option to %s\n", certdir);
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to set CACERTDIR option to %s\n", certdir);
}
slapi_ch_free_string(&certdir);
#if defined(LDAP_OPT_X_TLS_PROTOCOL_MIN)
- optval = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
+ getSSLVersionRangeOL(&optval, NULL);
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_PROTOCOL_MIN, &optval))) {
- slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
- "failed: unable to set minimum TLS protocol level to SSL3\n");
+ char *minstr = NULL;
+ (void)getSSLVersionRange(&minstr, NULL);
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to set minimum TLS protocol level to %s\n", minstr);
+ slapi_ch_free_string(&minstr);
}
#endif /* LDAP_OPT_X_TLS_PROTOCOL_MIN */
if (clientauth) {
- rc = slapd_SSL_client_auth(ld);
- if (rc) {
- slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
- "failed: unable to setup connection for TLS/SSL EXTERNAL client cert authentication - %d\n", rc);
- }
+ rc = slapd_SSL_client_auth(ld);
+ if (rc) {
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to setup connection for TLS/SSL EXTERNAL client cert authentication - %d\n", rc);
+ }
}
/* have to do this last - this creates the new TLS handle and sets/copies
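Review bot: In the error branch after the `LDAP_OPT_X_TLS_PROTOCOL_MIN` set, `minstr` can still be NULL when `getSSLVersionRange` returns -1 without assigning it (the `NSS_TLS10` path in ssl.c returns -1 before touching `*min`), and it is then passed to a `%s` conversion in `slapi_log_error`. Guard it: `"failed: unable to set minimum TLS protocol level to %s\n", minstr ? minstr : "(unknown)");`. The `(void)` on the return value also throws away the only signal that the string is a default rather than the configured range, so the log cannot tell the two apart. Most of the remainder of this hunk is re-indentation, which is easier to review as a separate whitespace-only commit; setup_ol_tls_conn starts before and ends after the hunk.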
@@ -608,8 +616,8 @@ setup_ol_tls_conn(LDAP *ld, int clientauth)
that optval is zero, meaning create a context for a client */
optval = 0;
if ((rc = ldap_set_option(ld, LDAP_OPT_X_TLS_NEWCTX, &optval))) {
- slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
- "failed: unable to create new TLS context - %d\n", rc);
+ slapi_log_error(SLAPI_LOG_FATAL, "setup_ol_tls_conn",
+ "failed: unable to create new TLS context - %d\n", rc);
}
return rc;
diff --git a/ldap/servers/slapd/ssl.c b/ldap/servers/slapd/ssl.c
index 38efc73..544c9bc 100644
--- a/ldap/servers/slapd/ssl.c
+++ b/ldap/servers/slapd/ssl.c
@@ -380,21 +380,100 @@ getSSLVersionInfo(int *ssl2, int *ssl3, int *tls1)
int
getSSLVersionRange(char **min, char **max)
{
- if (!slapd_ssl_listener_is_initialized()) {
+ if (!min && !max) {
return -1;
}
- if ((NULL == min) || (NULL == max)) {
+ if (!slapd_ssl_listener_is_initialized()) {
+ if (min) {
+ *min = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_0, NULL, 0);
+ }
+ if (max) {
+ *max = slapi_getSSLVersion_str(LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, NULL, 0);
+ }
return -1;
}
#if defined(NSS_TLS10)
return -1; /* not supported */
#else /* NSS_TLS11 or newer */
- *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
- *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
+ if (min) {
+ *min = slapi_getSSLVersion_str(slapdNSSVersions.min, NULL, 0);
+ }
+ if (max) {
+ *max = slapi_getSSLVersion_str(slapdNSSVersions.max, NULL, 0);
+ }
return 0;
#endif
}
+#if defined(USE_OPENLDAP)
+void
+getSSLVersionRangeOL(int *min, int *max)
+{
+ /* default range values */
+ if (min) {
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+ }
+ if (max) {
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+ }
+ if (!slapd_ssl_listener_is_initialized()) {
+ return;
+ }
+#if defined(NSS_TLS10)
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+ return;
+#else /* NSS_TLS11 or newer */
+ if (min) {
+ switch (slapdNSSVersions.min) {
+ case SSL_LIBRARY_VERSION_3_0:
+ *min = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+ break;
+ default:
+ if (slapdNSSVersions.min > SSL_LIBRARY_VERSION_TLS_1_2) {
+ *min = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 + 1;
+ } else {
+ *min = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
+ }
+ break;
+ }
+ }
+ if (max) {
+ switch (slapdNSSVersions.max) {
+ case SSL_LIBRARY_VERSION_3_0:
+ *max = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_0:
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_1:
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_1;
+ break;
+ case SSL_LIBRARY_VERSION_TLS_1_2:
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2;
+ break;
+ default:
+ if (slapdNSSVersions.max > SSL_LIBRARY_VERSION_TLS_1_2) {
+ *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 + 1;
+ } else {
+ *max = LDAP_OPT_X_TLS_PROTOCOL_SSL3;
+ }
+ break;
+ }
+ }
+ return;
+#endif
+}
+#endif /* USE_OPENLDAP */
+
static void
_conf_init_ciphers()
{
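Review bot: In `getSSLVersionRangeOL`, the `#if defined(NSS_TLS10)` branch writes `*max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0;` without the `if (max)` guard that every other store in the function has, and the new caller in ldaputil.c passes NULL for max, so that build configuration dereferences NULL once the listener is initialized. Wrap it: `if (max) { *max = LDAP_OPT_X_TLS_PROTOCOL_TLS1_0; }`. In both `default:` arms an unrecognised NSS version below TLS 1.2 is silently mapped to `LDAP_OPT_X_TLS_PROTOCOL_SSL3`, which can lower the floor the administrator configured without any trace; a log line at that point would make such a misconfiguration visible. The `LDAP_OPT_X_TLS_PROTOCOL_TLS1_2 + 1` value for newer NSS versions presumably stands for the next protocol version, but it assumes the OpenLDAP option values are contiguous and deserves a comment saying so.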
ldap/servers
by William Brown
ldap/servers/plugins/passthru/ptpreop.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 4c66307c88d74ada36ebdbcfca4b97b1d71fd93b
Author: William Brown <firstyear(a)redhat.com>
Date: Fri Apr 22 12:12:59 2016 +1000
Ticket 48801 - ASAN errors during tests
Bug Description: ERROR: AddressSanitizer: stack-buffer-overflow was detected
during the stress tests of DS
Fix Description: passthru auth was using an int rather than a ber_tag_t for
the pointer into slapi_pblock_get causing a buffer overflow.
https://fedorahosted.org/389/ticket/48801
Author: wibrown
Review by: nhosoi
diff --git a/ldap/servers/plugins/passthru/ptpreop.c b/ldap/servers/plugins/passthru/ptpreop.c
index 1fc8b1f..95b3b33 100644
--- a/ldap/servers/plugins/passthru/ptpreop.c
+++ b/ldap/servers/plugins/passthru/ptpreop.c
@@ -120,7 +120,8 @@ passthru_bindpreop_close( Slapi_PBlock *pb )
static int
passthru_bindpreop( Slapi_PBlock *pb )
{
- int rc, method, freeresctrls=1;
+ int rc, freeresctrls=1;
+ ber_tag_t method = 0;
char *matcheddn;
const char *normbinddn = NULL;
Slapi_DN *sdn = NULL;
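Review bot: The change to `ber_tag_t` fixes the stack overflow, but nothing in the hunk records why the wider type is required, so a future cleanup could reintroduce `int`; a one-line comment would help: `/* SLAPI_BIND_METHOD is stored as a ber_tag_t; an int is too narrow and overflows the stack (ticket 48801) */`. The new `= 0` initialiser also means a failed `slapi_pblock_get` leaves `method` as a zero tag that is presumably compared against the bind-method constants further down in passthru_bindpreop, which continues outside the hunk — worth confirming that zero is handled. The same int-versus-ber_tag_t mismatch is worth grepping for in other plugins that read SLAPI_BIND_METHOD.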
Branch '389-ds-base-1.3.4' - ldap/servers
by Noriko Hosoi
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit af5c312eed8890648e9e17975f33bd3d2144a67e
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 19 15:54:03 2016 -0700
Ticket #48799 - objectclass values could be dropped on the consumer
Description: slapi_schema_expand_objectclasses was dropped if the modify
operation is replicated in the fix of Ticket 17 "new replication optimizations".
Since the replicated mods do not contain the expanded objectclasses,
slapi_schema_expand_objectclasses is needed on the consumer, too.
This patch resurrects the call for the consumer.
https://fedorahosted.org/389/ticket/48799
Author: nhosoi
Review: wibrown
(cherry picked from commit 016f0f9403a9492fc55c1c080afef9a9bf944f31)
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 83b7b55..fecd3b8 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -273,7 +273,7 @@ modify_apply_check_expand(
* If the objectClass attribute type was modified in any way, expand
* the objectClass values to reflect the inheritance hierarchy.
*/
- for ( i = 0; (mods != NULL) && (mods[i] != NULL) && !repl_op; ++i ) {
+ for ( i = 0; mods && mods[i]; ++i ) {
if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
slapi_schema_expand_objectclasses( ec->ep_entry );
break;
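Review bot: The comment above the loop still explains only the objectClass expansion, not why the `!repl_op` exclusion was dropped, so the reasoning lives only in the commit message. Suggest extending it with `* Replicated mods do not carry the expanded objectClass values, so the expansion must run on the consumer as well (ticket 48799).`. If `repl_op` was only used in this condition it may now be an unused variable in modify_apply_check_expand, which starts outside the hunk — check for a compiler warning. The same applies to the identical hunks in the two other cherry-picks of this change below.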
Branch '389-ds-base-1.2.11' - ldap/servers
by William Brown
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit a80b2d85beaff0e85eb5bcdb5d4e9f847cded472
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 19 15:54:03 2016 -0700
Ticket #48799 - objectclass values could be dropped on the consumer
Description: slapi_schema_expand_objectclasses was dropped if the modify
operation is replicated in the fix of Ticket 17 "new replication optimizations".
Since the replicated mods do not contain the expanded objectclasses,
slapi_schema_expand_objectclasses is needed on the consumer, too.
This patch resurrects the call for the consumer.
https://fedorahosted.org/389/ticket/48799
Author: nhosoi
Review: wibrown
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index bfcaf3d..d657dd0 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -299,7 +299,7 @@ modify_apply_check_expand(
* If the objectClass attribute type was modified in any way, expand
* the objectClass values to reflect the inheritance hierarchy.
*/
- for ( i = 0; (mods != NULL) && (mods[i] != NULL) && !repl_op; ++i ) {
+ for ( i = 0; mods && mods[i]; ++i ) {
if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
slapi_schema_expand_objectclasses( ec->ep_entry );
break;
ldap/servers
by William Brown
ldap/servers/slapd/back-ldbm/ldbm_modify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit 016f0f9403a9492fc55c1c080afef9a9bf944f31
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Apr 19 15:54:03 2016 -0700
Ticket #48799 - objectclass values could be dropped on the consumer
Description: slapi_schema_expand_objectclasses was dropped if the modify
operation is replicated in the fix of Ticket 17 "new replication optimizations".
Since the replicated mods does not contain the expanded objectclasses,
slapi_schema_expand_objectclasses is needed on the consumer, too.
This patch resurrects the call for the consumer.
https://fedorahosted.org/389/ticket/48799
Author: nhosoi
Review: wibrown
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_modify.c b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
index 83b7b55..fecd3b8 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_modify.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_modify.c
@@ -273,7 +273,7 @@ modify_apply_check_expand(
* If the objectClass attribute type was modified in any way, expand
* the objectClass values to reflect the inheritance hierarchy.
*/
- for ( i = 0; (mods != NULL) && (mods[i] != NULL) && !repl_op; ++i ) {
+ for ( i = 0; mods && mods[i]; ++i ) {
if ( 0 == strcasecmp( SLAPI_ATTR_OBJECTCLASS, mods[i]->mod_type )) {
slapi_schema_expand_objectclasses( ec->ep_entry );
break;