ldap/admin/src/scripts/remove-ds.pl.in | 4 ++++
ldap/servers/slapd/back-ldbm/ldif2ldbm.c | 9 ++++-----
2 files changed, 8 insertions(+), 5 deletions(-)
New commits:
commit 17dc978c84e6099e4abe884a535067147b618c37
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jul 27 14:37:13 2016 -0700
Ticket #48940 - DS logs have warning:ancestorid not indexed
Description: When reindexing, if the subtree to be reindexed is empty,
a cryptic warning message is logged in the error log:
warning: ancestorid not indexed on 10; possibly, the entry id ##
has no descendants yet.
This message is benign and not to be logged as DEBUG_ANY/FATAL.
The message is logged when the log level is set to BACKLDBM = 0x080000
# vlvindex -Z test -n userRoot -T testIndex -d 524288
as follows:
Info: Entry id ### has no descendants according to ancestorid. Index
file created by this reindex will be empty.
https://fedorahosted.org/389/ticket/48940
Reviewed by wibrown(a)redhat.com (Thank you, William!!)
diff --git a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
index 52338c2..5898361 100644
--- a/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
+++ b/ldap/servers/slapd/back-ldbm/ldif2ldbm.c
@@ -903,11 +903,10 @@ static IDList *ldbm_fetch_subtrees(backend *be, char **include, int *err)
slapi_sdn_done(&sdn);
if (idl == NULL) {
if (DB_NOTFOUND == *err) {
- LDAPDebug(LDAP_DEBUG_ANY,
- "warning: %s not indexed on %lu; "
- "possibly, the entry id %lu has no descendants yet.\n",
- entryrdn_get_noancestorid()?"entryrdn":"ancestorid",
- id, id);
+ LDAPDebug2Args(LDAP_DEBUG_BACKLDBM,
+ "Info: Entry id %lu has no descendants according to %s. "
+ "Index file created by this reindex will be empty.\n",
+ id, entryrdn_get_noancestorid()?"entryrdn":"ancestorid");
*err = 0; /* not a problem */
} else {
LDAPDebug(LDAP_DEBUG_ANY,
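Review bot: The `*err = 0; /* not a problem */` line after the new LDAPDebug2Args call is the place that actually turns DB_NOTFOUND into success, and its comment does not say why that is safe; since the message is now only visible at LDAP_DEBUG_BACKLDBM, a reader of the default error log has nothing else to go on. I would expand it to `*err = 0; /* an empty subtree is expected during reindex; the index file is simply left empty */`. The ternary on the last added line would also read better with spaces, `entryrdn_get_noancestorid() ? "entryrdn" : "ancestorid"`. ldbm_fetch_subtrees continues outside the hunk.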
commit 2b341922a42f305122fbd6eb97e96e0612f8e5d2
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Wed Jul 27 12:40:25 2016 -0700
Ticket #48934 - remove-ds.pl deletes an instance even if wrong prefix was specified
Description: remove-ds.pl skipped checking the "slapd" part of "slapd-instance".
This patch adds the check and if it is not "slapd", it quits with the error
message. For example:
Error: Invalid instance name "bogus-test"
https://fedorahosted.org/389/ticket/48934
Reviewed by mreynolds(a)redhat.com (Thanks, Mark!!)
diff --git a/ldap/admin/src/scripts/remove-ds.pl.in b/ldap/admin/src/scripts/remove-ds.pl.in
index b35ae32..252f3f9 100755
--- a/ldap/admin/src/scripts/remove-ds.pl.in
+++ b/ldap/admin/src/scripts/remove-ds.pl.in
@@ -52,6 +52,10 @@ unless ($inst) {
print STDERR "Full instance name must be specified (e.g. - slapd-example)\n";
exit 1;
}
+unless ($slapd eq "slapd") {
+ print STDERR "Error: Invalid instance name \"$instname\"\n";
+ exit 1;
+}
my @errs = removeDSInstance($inst, $force, $all, $initconfig_dir);
if (@errs) {
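Review bot: The new `unless ($slapd eq "slapd")` guard assumes `$slapd` is always defined; how it is derived is outside the hunk, but if it comes from splitting the instance name on "-" and the argument has no dash, `eq` on undef emits an "uninitialized value" warning before the intended error is printed. Making the check explicit keeps the error path clean: `unless (defined $slapd and $slapd eq "slapd") {`. A one-line comment above the block, `# Refuse anything but a slapd-<name> instance so a typo cannot remove the wrong directory`, would also record why this check matters for a removal script.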
rpm/389-ds-base.spec.in | 3 +++
1 file changed, 3 insertions(+)
New commits:
commit 0e4a9a6ea2000d0098df070f140957b3c6ab6398
Author: William Brown <firstyear(a)redhat.com>
Date: Wed Jul 27 10:05:31 2016 +1000
Ticket 48336 - Missing semanage dependency
Bug Description: On a clean install
Traceback (most recent call last):
File "/usr/sbin/ds_selinux_enabled", line 17, in <module>
import semanage
ImportError: No module named semanage
Fix Description: Add the proper dependency to the rpm so that we are not
missing the module.
https://fedorahosted.org/389/ticket/48336
Author: wibrown
Review by: mreynolds (Thanks!)
diff --git a/rpm/389-ds-base.spec.in b/rpm/389-ds-base.spec.in
index 0924cb5..33bf470 100644
--- a/rpm/389-ds-base.spec.in
+++ b/rpm/389-ds-base.spec.in
@@ -90,6 +90,9 @@ BuildRequires: libasan
# this is needed for using semanage from our setup scripts
Requires: policycoreutils-python
+# This is needed for our future move to python selinux interaction.
+Requires: libsemanage-python
+
# the following are needed for some of our scripts
%if %{use_openldap}
Requires: openldap-clients
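Review bot: The comment on the added Requires line, `# This is needed for our future move to python selinux interaction.`, does not match the reason given in the commit description, where `ds_selinux_enabled` already fails today with `ImportError: No module named semanage`; a maintainer reading the spec would conclude the dependency is optional. I would state the present-tense reason instead: `# ds_selinux_enabled imports the semanage module, which libsemanage-python provides`.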
dirsrvtests/tests/tickets/ticket1347760_test.py | 23 +++++++++++
ldap/servers/slapd/bind.c | 49 +++++++++++-------------
ldap/servers/slapd/saslbind.c | 4 -
3 files changed, 48 insertions(+), 28 deletions(-)
New commits:
commit 06876946f77436f71013392becb0fb9d9e4111f6
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Fri Jul 22 17:11:48 2016 -0700
Bug 1347760 - Additional CI test case
Description: Information disclosure via repeated use of LDAP ADD operation, etc.
Case 1. When an account is inactivated, if a bind is successful (e.g.,
a correct password is given), it returns UNWILLING_TO_PERFORM.
Case 2. When an account is inactivated, if a bind is not successful,
it returns INVALID_CREDENTIALS.
diff --git a/dirsrvtests/tests/tickets/ticket1347760_test.py b/dirsrvtests/tests/tickets/ticket1347760_test.py
index bf03563..a54aea1 100644
--- a/dirsrvtests/tests/tickets/ticket1347760_test.py
+++ b/dirsrvtests/tests/tickets/ticket1347760_test.py
@@ -12,6 +12,8 @@ import time
import ldap
import logging
import pytest
+
+from subprocess import Popen
from lib389 import DirSrv, Entry, tools, tasks
from lib389.tools import DirSrvTools
from lib389._constants import *
@@ -434,6 +436,27 @@ def test_ticket1347760(topology):
log.info('Delete case. the deleting entry does not exist, it should fail with %s' % rc.__name__)
check_op_result(topology.standalone, 'delete', BOGUSDN, None, exists, rc)
+ log.info('Inactivate %s' % BINDDN)
+ nsinactivate = '%s/sbin/ns-inactivate.pl' % topology.standalone.prefix
+ p = Popen([nsinactivate, '-Z', 'standalone', '-D', DN_DM, '-w', PASSWORD, '-I', BINDDN])
+ assert(p.wait() == 0)
+
+ log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, BUID, ldap.UNWILLING_TO_PERFORM.__name__))
+ try:
+ topology.standalone.simple_bind_s(BINDDN, BUID)
+ except ldap.LDAPError as e:
+ log.info("Exception (expected): %s" % type(e).__name__)
+ log.info('Desc ' + e.message['desc'])
+ assert isinstance(e, ldap.UNWILLING_TO_PERFORM)
+
+ log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, 'bogus', ldap.INVALID_CREDENTIALS.__name__))
+ try:
+ topology.standalone.simple_bind_s(BINDDN, 'bogus')
+ except ldap.LDAPError as e:
+ log.info("Exception (expected): %s" % type(e).__name__)
+ log.info('Desc ' + e.message['desc'])
+ assert isinstance(e, ldap.INVALID_CREDENTIALS)
+
log.info('SUCCESS')
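Review bot: Both new bind checks only assert inside the `except` branch, so if `simple_bind_s` unexpectedly succeeds (the inactivated account is accepted, which is the regression this case guards against) no exception is raised, the assertion is never reached and the test passes. `pytest` is already imported in this file, so `pytest.raises` expresses the intent and fails when no exception occurs; the `e.message['desc']` access is also Python 2 only, and `str(excinfo.value)` avoids it. test_ticket1347760 starts outside the hunk.

```python
    log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, BUID, ldap.UNWILLING_TO_PERFORM.__name__))
    with pytest.raises(ldap.UNWILLING_TO_PERFORM) as excinfo:
        topology.standalone.simple_bind_s(BINDDN, BUID)
    log.info("Exception (expected): %s" % type(excinfo.value).__name__)

    log.info('Bind as {%s,%s} which should fail with %s.' % (BINDDN, 'bogus', ldap.INVALID_CREDENTIALS.__name__))
    with pytest.raises(ldap.INVALID_CREDENTIALS) as excinfo:
        topology.standalone.simple_bind_s(BINDDN, 'bogus')
    log.info("Exception (expected): %s" % type(excinfo.value).__name__)
```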
commit b8767d510d11c7cbfede24daaae3348b9f028f47
Author: Noriko Hosoi <nhosoi(a)redhat.com>
Date: Tue Jul 26 18:08:38 2016 -0700
Bug 1347760 - CVE-2016-4992 389-ds-base: Information disclosure via repeated use of LDAP ADD operation, etc.
Description:
1. When an account is inactivated, the error UNWILLING_TO_PERFORM with
the inactivated message should be returned only when the bind is
successful.
2. When a SASL bind fails, the cause of the failure is logged in the
access log instead of being returned directly to the client.
https://bugzilla.redhat.com/show_bug.cgi?id=1347760
Reviewed by wibrown(a)redhat.com (Thank you, William!)
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index 702d4c2..c271577 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -720,25 +720,6 @@ do_bind( Slapi_PBlock *pb )
}
}
}
-
- /*
- * Is this account locked ?
- * could be locked through the account inactivation
- * or by the password policy
- *
- * rc=0: account not locked
- * rc=1: account locked, can not bind, result has been sent
- * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
- * deal with it.
- *
- */
-
- /* get the entry now, so that we can give it to slapi_check_account_lock and reslimit_update_from_dn */
- if (! slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
- bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
- rc = slapi_check_account_lock ( pb, bind_target_entry, pw_response_requested, 1, 1);
- }
-
slapi_pblock_set( pb, SLAPI_PLUGIN, be->be_database );
set_db_default_result_handlers(pb);
if ( (rc != 1) &&
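Review bot: With the pre-bind slapi_check_account_lock call removed, the `rc != 1` test on the hunk's last line no longer has anything on this path that can set rc to 1; unless rc is still assigned somewhere earlier in do_bind (not visible here), the condition is now always true and can be dropped or replaced by a comment such as `/* account lock is checked only after a successful bind, see below */` so the next reader does not look for the missing check. do_bind continues outside the hunk.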
@@ -777,6 +758,28 @@ do_bind( Slapi_PBlock *pb )
if ( rc == SLAPI_BIND_SUCCESS ) {
int myrc = 0;
+ /*
+ * The bind is successful.
+ * We can give it to slapi_check_account_lock and reslimit_update_from_dn.
+ */
+ /*
+ * Is this account locked ?
+ * could be locked through the account inactivation
+ * or by the password policy
+ *
+ * rc=0: account not locked
+ * rc=1: account locked, can not bind, result has been sent
+ * rc!=0 and rc!=1: error. Result was not sent, lets be_bind
+ * deal with it.
+ *
+ */
+ if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA)) {
+ bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
+ rc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);
+ if (1 == rc) { /* account is locked */
+ goto account_locked;
+ }
+ }
if (!auto_bind) {
/*
* There could be a race that bind_target_entry was not added
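Review bot: The account-lock check added inside the `rc == SLAPI_BIND_SUCCESS` branch writes its result into `rc`, so a return value that is neither 0 nor 1 overwrites the bind result while execution continues down the success path; the copied comment ("Result was not sent, lets be_bind deal with it") is stale because be_bind has already returned here. Use the `myrc` local that this block already declares, `myrc = slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1);` and `if (1 == myrc) { /* account is locked */`, and replace the rc!=0/rc!=1 sentence with one saying that any other value is treated as "not locked" (or handled explicitly, if an error should refuse the bind). do_bind continues outside the hunk.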
@@ -787,13 +790,7 @@ do_bind( Slapi_PBlock *pb )
if (!slapi_be_is_flag_set(be, SLAPI_BE_FLAG_REMOTE_DATA) &&
!bind_target_entry) {
bind_target_entry = get_entry(pb, slapi_sdn_get_ndn(sdn));
- if (bind_target_entry) {
- myrc = slapi_check_account_lock(pb, bind_target_entry,
- pw_response_requested, 1, 1);
- if (1 == myrc) { /* account is locked */
- goto account_locked;
- }
- } else {
+ if (!bind_target_entry) {
slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, "No such entry");
send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, "", 0, NULL);
goto free_and_return;
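Review bot: After this change the entry fetched by the retry `get_entry` call is never passed to slapi_check_account_lock: the earlier check (previous hunk) ran against whatever the first get_entry returned, and if that was NULL, which is exactly the race this block exists for, the late-fetched entry's inactivation state is never examined, assuming slapi_check_account_lock treats a NULL entry as unlocked. I would keep the lock check on the retry path, e.g. `if (bind_target_entry && 1 == slapi_check_account_lock(pb, bind_target_entry, pw_response_requested, 1, 1)) { goto account_locked; }` before the `!bind_target_entry` test, and add a comment stating that the retry must repeat the lock check because the first one may have seen no entry. do_bind continues outside the hunk.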
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index 37175f4..742987e 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -1051,8 +1051,8 @@ sasl_check_result:
errstr = sasl_errdetail(sasl_conn);
PR_ExitMonitor(pb->pb_conn->c_mutex); /* BIG LOCK */
- send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL,
- (char*)errstr, 0, NULL);
+ slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr);
+ send_ldap_result(pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL);
break;
}
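Review bot: The pointer stored with `slapi_pblock_set(pb, SLAPI_PB_RESULT_TEXT, (void *)errstr)` is the buffer returned by `sasl_errdetail(sasl_conn)`, which belongs to the SASL connection, and the cast discards the const the API returns it with; the pblock now keeps a reference to it after `PR_ExitMonitor` has released the connection lock. That is fine if the result text is consumed inside the `send_ldap_result` call on the next line, but if it is read later (access logging after this block, or after the SASL connection is disposed) it dangles. I would record the assumption on the spot, `/* errstr is owned by sasl_conn; it is only valid until the next SASL call and is consumed by send_ldap_result below */`, or copy the string if that is not guaranteed. The enclosing switch and function lie outside the hunk.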