Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory
cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5_agmtlist.c
Log Message:
Resolves: bug 479253
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure
transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a
useful error message. Same if GSSAPI is being used and the user attempts to use a secure
transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: repl5_agmtlist.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmtlist.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- repl5_agmtlist.c 10 Nov 2006 23:45:17 -0000 1.11
+++ repl5_agmtlist.c 27 Jan 2009 22:37:18 -0000 1.12
@@ -48,6 +48,7 @@
*/
#include "repl5.h"
+#include <plstr.h>
#define AGMT_CONFIG_BASE "cn=mapping tree, cn=config"
#define CONFIG_FILTER "(objectclass=nsds5replicationagreement)"
@@ -373,8 +374,22 @@
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5TransportInfo))
{
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
+ /* if some value was set, and the value was not set to LDAP (i.e. was set to use
security),
+ and we're already using gssapi, deny the change */
+ if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") &&
(BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt)))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if
using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s
to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback:
"
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
/* New Transport info */
- if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
+ else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"agmtlist_modify_callback: "
"failed to update transport info for agreement
%s\n",
@@ -386,8 +401,19 @@
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBindMethod))
{
- /* New replica bind method */
- if (agmt_set_bind_method_from_entry(agmt, e) != 0)
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod);
+ if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") &&
agmt_get_transport_flags(agmt))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if
using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI",
type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback:
"
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
+ else if (agmt_set_bind_method_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
"agmtlist_modify_callback: "
"failed to update bind method for agreement
%s\n",
@@ -395,6 +421,7 @@
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
+ slapi_ch_free_string(&tmpstr);
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicatedAttributeList))