ldap/schema/01core389.ldif | 13 +++++++++++ ldap/servers/slapd/libglobs.c | 46 +++++++++++++++++++++++++++++++++++++++- ldap/servers/slapd/proto-slap.h | 2 + ldap/servers/slapd/saslbind.c | 2 - ldap/servers/slapd/slap.h | 2 + 5 files changed, 63 insertions(+), 2 deletions(-)
New commits: commit 00463a1b23d970837e73a38a82fd34424ab13782 Author: Mark Reynolds mreynolds@redhat.com Date: Fri Mar 22 13:18:28 2013 -0400
Ticket 632 - 389-ds-base cannot handle Kerberos tickets with PAC
Bug Description: When FreeIPA is configured with AD trust support, Kerberos tickets may also contain PAC which makes them bigger than usually expected (bigger than 2048 B)
Fix Description: Make the default 64k (65536) and allow it to be configured with nsslapd-sasl-max-buffer-size
https://fedorahosted.org/389/ticket/632
Reviewed by: nkinder(Thanks!)
diff --git a/ldap/schema/01core389.ldif b/ldap/schema/01core389.ldif
index fb707d3..ad5b555 100644
--- a/ldap/schema/01core389.ldif
+++ b/ldap/schema/01core389.ldif
@@ -139,6 +139,19 @@ attributeTypes: ( 2.16.840.1.113730.3.1.2136 NAME 'nsds5ReplicaCleanRUVNotified'
 attributeTypes: ( 2.16.840.1.113730.3.1.2137 NAME 'nsds5ReplicaAbortCleanRUV' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2111 NAME 'tombstoneNumSubordinates' DESC 'count of immediate subordinates for tombstone entries' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation X-ORIGIN '389 directory server' )
 attributeTypes: ( 2.16.840.1.113730.3.1.2138 NAME 'nsslapd-readonly' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2143 NAME 'nsslapd-sasl-mapping-fallback' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2144 NAME 'rootdn-open-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2145 NAME 'rootdn-close-time' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2146 NAME 'rootdn-days-allowed' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2147 NAME 'rootdn-allow-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2148 NAME 'rootdn-deny-host' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2149 NAME 'rootdn-allow-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2150 NAME 'rootdn-deny-ip' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2151 NAME 'nsslapd-plugin-depends-on-type' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2152 NAME 'nsds5ReplicaProtocolTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2154 NAME 'nsds5ReplicaBackoffMin' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2155 NAME 'nsds5ReplicaBackoffMax' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
+attributeTypes: ( 2.16.840.1.113730.3.1.2156 NAME 'nsslapd-sasl-max-buffer-size' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'Netscape Directory Server' )
 #
 # objectclasses
 #
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index ab366fc..a5c1067 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -175,6 +175,8 @@ static int config_set_schemareplace ( const char *attrname, char *value,
 #define DEFAULT_PW_RESETFAILURECOUNT "600"
 #define DEFAULT_PW_LOCKDURATION "3600"
 #define DEFAULT_NDN_SIZE "20971520"
+#define DEFAULT_SASL_MAXBUFSIZE "65536"
+#define SLAPD_DEFAULT_SASL_MAXBUFSIZE 65536
 #ifdef MEMPOOL_EXPERIMENTAL
 #define DEFAULT_MEMPOOL_MAXFREELIST "1024"
 #endif
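Review bot: Twelve of the thirteen attributeTypes added in this hunk (nsslapd-sasl-mapping-fallback, the rootdn-* set, nsslapd-plugin-depends-on-type, nsds5ReplicaProtocolTimeout, nsds5ReplicaBackoffMin/Max) have nothing to do with the SASL buffer size the commit describes; only 2.16.840.1.113730.3.1.2156 'nsslapd-sasl-max-buffer-size' belongs to Ticket 632. If this is a backport that also brings the schema file in line with a newer branch, the description should say so, since a reader of the diffstat cannot otherwise tell which schema entries are the fix and which are incidental.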
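Review bot: DEFAULT_SASL_MAXBUFSIZE ("65536") and SLAPD_DEFAULT_SASL_MAXBUFSIZE (65536) encode the same value twice and can drift apart on a later edit; FrontendConfig_init and the config table each use a different one, and the new setter converts the string back with atoi to get its minimum. Keep the numeric macro as the single source of truth and have the setter use `int default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;`, or at least put a comment on the pair saying they must stay equal. The two macros are the only new lines in this hunk; the rest is context.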
@@ -1010,6 +1012,11 @@ static struct config_get_and_set {
 NULL, 0,
 (void**)&global_slapdFrontendConfig.allowed_sasl_mechs,
 CONFIG_STRING, (ConfigGetFunc)config_get_allowed_sasl_mechs, DEFAULT_ALLOWED_TO_DELETE_ATTRS},
+ {CONFIG_SASL_MAXBUFSIZE, config_set_sasl_maxbufsize,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.sasl_max_bufsize,
+ CONFIG_INT, (ConfigGetFunc)config_get_sasl_maxbufsize,
+ DEFAULT_SASL_MAXBUFSIZE},
 #ifdef MEMPOOL_EXPERIMENTAL
 ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
 NULL, 0,
@@ -1436,6 +1443,7 @@ FrontendConfig_init () {
 init_disk_logging_critical = cfg->disk_logging_critical = LDAP_OFF;
 init_ndn_cache_enabled = cfg->ndn_cache_enabled = LDAP_OFF;
 cfg->ndn_cache_max_size = NDN_DEFAULT_SIZE;
+ cfg->sasl_max_bufsize = SLAPD_DEFAULT_SASL_MAXBUFSIZE;
 #ifdef MEMPOOL_EXPERIMENTAL
 init_mempool_switch = cfg->mempool_switch = LDAP_ON;
@@ -1669,8 +1677,8 @@ int
 config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, int apply )
 {
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
- long size;
 int retVal = LDAP_SUCCESS;
+ long size;
 size = atol(value);
 if(size < 0){
@@ -1690,6 +1698,29 @@ config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf,
 return retVal;
 }
+int
+config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal = LDAP_SUCCESS;
+ int default_size = atoi(DEFAULT_SASL_MAXBUFSIZE);
+ int size;
+
+ size = atoi(value);
+ if(size < default_size){
+ PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "nsslapd-sasl-max-buffer-size is too low (%d), "
+ "setting to default value (%d).\n",size, default_size);
+ size = default_size;
+ }
+ if(apply){
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->sasl_max_bufsize = size;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
+
+ return retVal;
+}
+
 int
 config_set_port( const char *attrname, char *port, char *errorbuf, int apply ) {
 long nPort;
@@ -4128,6 +4159,19 @@ config_get_port(){
 }
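Review bot: The new config_set_sasl_maxbufsize accepts any string: `atoi(value)` yields 0 for non-numeric input and is undefined for out-of-range input, and the "too low" branch writes into errorbuf yet still returns LDAP_SUCCESS, so a caller that only reports errorbuf on failure never shows the text and a bogus value such as `abc` is silently replaced by the default. Parse with strtol, reject unparsable or out-of-int-range input with an error return, and report the clamp through the error log rather than errorbuf; without an upper bound a value beyond INT_MAX is otherwise undefined behaviour too, and the conversion then needs `<errno.h>`/`<limits.h>` if libglobs.c does not already include them. `value` is also dereferenced without a NULL check; if the sibling setters guard that, do the same here. Whether LDAP_OPERATIONS_ERROR is the code the sibling setters return for invalid input is not visible in this hunk — match whatever config_set_ndn_cache_max_size returns in its `size < 0` branch.
```c
int
config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply )
{
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
    int default_size = SLAPD_DEFAULT_SASL_MAXBUFSIZE;  /* single source of the minimum */
    char *endp = NULL;
    long size;

    if (value == NULL) {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, "%s: NULL value", attrname);
        return LDAP_OPERATIONS_ERROR;
    }
    errno = 0;
    size = strtol(value, &endp, 10);
    if (endp == value || *endp != '\0' || errno == ERANGE || size > INT_MAX) {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
                    "%s: invalid value \"%s\", expected an integer >= %d",
                    attrname, value, default_size);
        return LDAP_OPERATIONS_ERROR;
    }
    if (size < default_size) {
        /* keep the clamp, but log it: errorbuf is only surfaced on failure */
        slapi_log_error(SLAPI_LOG_FATAL, "config",
                        "%s is too low (%ld), using default %d\n",
                        attrname, size, default_size);
        size = default_size;
    }
    if (apply) {
        CFG_LOCK_WRITE(slapdFrontendConfig);
        slapdFrontendConfig->sasl_max_bufsize = (int)size;
        CFG_UNLOCK_WRITE(slapdFrontendConfig);
    }
    return LDAP_SUCCESS;
}
```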
 int
+config_get_sasl_maxbufsize()
+{
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ int retVal;
+
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->sasl_max_bufsize;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+ return retVal;
+}
+
+int
 config_get_disk_monitoring(){
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 int retVal;
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 6d7a1ad..e947248 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -392,6 +392,7 @@ int config_set_disk_logging_critical( const char *attrname, char *value, char *e
 int config_set_auditlog_unhashed_pw(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ndn_cache_enabled(const char *attrname, char *value, char *errorbuf, int apply);
 int config_set_ndn_cache_max_size(const char *attrname, char *value, char *errorbuf, int apply);
+int config_set_sasl_maxbufsize(const char *attrname, char *value, char *errorbuf, int apply );
 #if !defined(_WIN32) && !defined(AIX)
 int config_set_maxdescriptors( const char *attrname, char *value, char *errorbuf, int apply );
@@ -553,6 +554,7 @@ int config_get_ndn_cache_enabled();
 char *config_get_allowed_sasl_mechs();
 int config_set_allowed_sasl_mechs(const char *attrname, char *value, char *errorbuf, int apply);
 int config_get_schemamod();
+int config_get_sasl_maxbufsize();
 PLHashNumber hashNocaseString(const void *key);
 PRIntn hashNocaseCompare(const void *v1, const void *v2);
diff --git a/ldap/servers/slapd/saslbind.c b/ldap/servers/slapd/saslbind.c
index f9ddbfc..51c0a4e 100644
--- a/ldap/servers/slapd/saslbind.c
+++ b/ldap/servers/slapd/saslbind.c
@@ -661,7 +661,7 @@ void ids_sasl_server_new(Connection *conn)
 }
 /* Enable security for this connection */
- secprops.maxbufsize = 2048; /* DBDB: hack */
+ secprops.maxbufsize = config_get_sasl_maxbufsize();
 secprops.max_ssf = 0xffffffff;
 secprops.min_ssf = config_get_minssf();
 /* If anonymous access is disabled, set the appropriate flag */
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 4e70aff..7e27a78 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -2052,6 +2052,7 @@ typedef struct _slapdEntryPoints {
 #define CONFIG_NDN_CACHE "nsslapd-ndn-cache-enabled"
 #define CONFIG_NDN_CACHE_SIZE "nsslapd-ndn-cache-max-size"
 #define CONFIG_ALLOWED_SASL_MECHS "nsslapd-allowed-sasl-mechanisms"
+#define CONFIG_SASL_MAXBUFSIZE "nsslapd-sasl-max-buffer-size"
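Review bot: The replacement reads the configured size through config_get_sasl_maxbufsize() at the point where ids_sasl_server_new sets up security for one connection, so a later change to nsslapd-sasl-max-buffer-size reaches only connections created after the change; a one-line comment would spare the next reader a debugging session, e.g. `/* read per connection: a config change applies to new connections only */`. Cyrus SASL declares secprops.maxbufsize as unsigned while the getter returns int, so it is the setter's lower bound (never below the default) that keeps a negative value from becoming a huge limit, and that dependency deserves a comment here or at the setter. ids_sasl_server_new starts outside the hunk.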
 #ifdef MEMPOOL_EXPERIMENTAL
 #define CONFIG_MEMPOOL_SWITCH_ATTRIBUTE "nsslapd-mempool"
@@ -2263,6 +2264,7 @@ typedef struct _slapdFrontendConfig {
 int pagedsizelimit;
 char *default_naming_context; /* Default naming context (normalized) */
 char *allowed_sasl_mechs; /* comma/space separated list of allowed sasl mechs */
+ int sasl_max_bufsize; /* The max receive buffer size for SASL */
 /* disk monitoring */
 int disk_monitoring;