[PATCH] Bug: 181465 - Handle spacing issues in objectClass SUP list
by Nathan Kinder
>From e36fcec6d950634ab65d22199f1ea4cc5bed8dea Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder(a)redhat.com>
Date: Fri, 29 May 2009 14:11:41 -0700
Subject: [PATCH] Bug: 181465 - Handle spacing issues in objectClass SUP list.
Our schema parser requires a space after the opening paran
when multiple SUP objectclasses are listed in the definition
of an objectclass. The RFCs show that a space is not required.
This patch simply removes the requirement that a space be
present after the opening paran.
---
ldap/servers/slapd/schema.c | 11 ++++++++---
1 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/ldap/servers/slapd/schema.c b/ldap/servers/slapd/schema.c
index e331a94..c2600f4 100644
--- a/ldap/servers/slapd/schema.c
+++ b/ldap/servers/slapd/schema.c
@@ -2896,7 +2896,7 @@ read_oc_ldif ( const char *input, struct objclass **oc, char *errorbuf,
* XXXmcs: Since we do not yet support multiple superior objectclasses, we
* just grab the first OID in a parenthesized list.
*/
- if ( NULL == ( pOcSup = get_tagged_oid( " SUP ( ", &nextinput,
+ if ( NULL == ( pOcSup = get_tagged_oid( " SUP (", &nextinput,
keyword_strstr_fn ))) {
pOcSup = get_tagged_oid( " SUP ", &nextinput, keyword_strstr_fn );
}
@@ -4332,10 +4332,15 @@ get_flag_keyword( const char *keyword, int flag_value, const char **inputp,
* The `strstr_fn' function pointer is used to search for `tag', e.g., it
* could be PL_strcasestr().
*
- * The string passed in `tag' MUST include a trailing space, e.g.,
+ * The string passed in `tag' SHOULD generally include a trailing space, e.g.,
*
* pSuperior = get_tagged_oid( "SUP ", &input, PL_strcasestr );
*
+ * The exception to this is when the tag contains '(' as a trailing character.
+ * This is used to process lists of oids, such as the following:
+ *
+ * SUP (inetOrgPerson $ testUser)
+ *
* A malloc'd string is returned if `tag; is found and NULL if not.
*/
static char *
@@ -4350,7 +4355,7 @@ get_tagged_oid( const char *tag, const char **inputp,
PR_ASSERT( NULL != tag );
PR_ASSERT( '\0' != tag[ 0 ] );
if('(' !=tag[0])
- PR_ASSERT( ' ' == tag[ strlen( tag ) - 1 ] );
+ PR_ASSERT((' ' == tag[ strlen( tag ) - 1 ]) || ('(' == tag[ strlen( tag ) - 1 ]));
if ( NULL == strstr_fn ) {
strstr_fn = PL_strcasestr;
--
1.6.0.6
14 years, 10 months
[PATCH] Add require secure binds switch.
by Nathan Kinder
>From 0bddab1fbd772f05738b0715566bd3346df01c84 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder(a)redhat.com>
Date: Wed, 13 May 2009 19:45:12 -0700
Subject: [PATCH] Add require secure binds switch.
This adds a new configuration attribute named
nsslapd-require-secure-binds. When enabled, a simple bind
will only be allowed over a secure transport (SSL/TLS or a
SASL privacy layer). An attempt to do a simple bind over
an insecure transport will return a LDAP result of
LDAP_CONFIDENTIALITY_REQUIRED.
The default setting is to have this option disabled.
---
ldap/ldif/template-dse.ldif.in | 1 +
ldap/servers/slapd/bind.c | 24 ++++++++++++++++++++++++
ldap/servers/slapd/libglobs.c | 36 +++++++++++++++++++++++++++++++++++-
ldap/servers/slapd/proto-slap.h | 2 ++
ldap/servers/slapd/slap.h | 2 ++
5 files changed, 64 insertions(+), 1 deletions(-)
diff --git a/ldap/ldif/template-dse.ldif.in b/ldap/ldif/template-dse.ldif.in
index 54a9c4f..82326d5 100644
--- a/ldap/ldif/template-dse.ldif.in
+++ b/ldap/ldif/template-dse.ldif.in
@@ -30,6 +30,7 @@ nsslapd-rewrite-rfc1274: off
nsslapd-return-exact-case: on
nsslapd-ssl-check-hostname: on
nsslapd-allow-unauthenticated-binds: off
+nsslapd-require-secure-binds: off
nsslapd-port: %ds_port%
nsslapd-localuser: %ds_user%
nsslapd-errorlog-logging-enabled: on
diff --git a/ldap/servers/slapd/bind.c b/ldap/servers/slapd/bind.c
index fbf9a19..69844af 100644
--- a/ldap/servers/slapd/bind.c
+++ b/ldap/servers/slapd/bind.c
@@ -420,6 +420,30 @@ do_bind( Slapi_PBlock *pb )
}
break;
case LDAP_AUTH_SIMPLE:
+ /* Check if simple binds are allowed over an insecure channel. */
+ if (config_get_require_secure_binds() == 1) {
+ Connection *conn = NULL;
+ int sasl_ssf = 0;
+
+ /* Allow simple binds only for SSL/TLS established connections
+ * or connections using SASL privacy layers */
+ conn = pb->pb_conn;
+ if ( slapi_pblock_get(pb, SLAPI_CONN_SASL_SSF, &sasl_ssf) != 0) {
+ slapi_log_error( SLAPI_LOG_PLUGIN, "passwd_modify_extop",
+ "Could not get SASL SSF from connection\n" );
+ sasl_ssf = 0;
+ }
+
+ if (((conn->c_flags & CONN_FLAG_SSL) != CONN_FLAG_SSL) &&
+ (sasl_ssf <= 1) ) {
+ send_ldap_result(pb, LDAP_CONFIDENTIALITY_REQUIRED, NULL,
+ "Operation requires a secure connection",
+ 0, NULL);
+ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors);
+ goto free_and_return;
+ }
+ }
+
slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsSimpleAuthBinds);
/* accept null binds */
if (dn == NULL || *dn == '\0') {
diff --git a/ldap/servers/slapd/libglobs.c b/ldap/servers/slapd/libglobs.c
index 8c13a9b..acd8615 100644
--- a/ldap/servers/slapd/libglobs.c
+++ b/ldap/servers/slapd/libglobs.c
@@ -612,7 +612,11 @@ static struct config_get_and_set {
{CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch,
NULL, 0,
(void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF,
- (ConfigGetFunc)config_get_unauth_binds_switch}
+ (ConfigGetFunc)config_get_unauth_binds_switch},
+ {CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE, config_set_require_secure_binds,
+ NULL, 0,
+ (void**)&global_slapdFrontendConfig.require_secure_binds, CONFIG_ON_OFF,
+ (ConfigGetFunc)config_get_require_secure_binds}
#ifdef MEMPOOL_EXPERIMENTAL
,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch,
NULL, 0,
@@ -863,6 +867,7 @@ FrontendConfig_init () {
cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth");
#endif
cfg->allow_unauth_binds = LDAP_OFF;
+ cfg->require_secure_binds = LDAP_OFF;
cfg->slapi_counters = LDAP_ON;
cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS;
cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN;
@@ -4550,6 +4555,19 @@ config_get_unauth_binds_switch(void)
}
+int
+config_get_require_secure_binds(void)
+{
+ int retVal;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+ CFG_LOCK_READ(slapdFrontendConfig);
+ retVal = slapdFrontendConfig->require_secure_binds;
+ CFG_UNLOCK_READ(slapdFrontendConfig);
+
+return retVal;
+}
+
+
int
config_is_slapd_lite ()
{
@@ -5316,6 +5334,22 @@ config_set_unauth_binds_switch( const char *attrname, char *value,
return retVal;
}
+int
+config_set_require_secure_binds( const char *attrname, char *value,
+ char *errorbuf, int apply )
+{
+ int retVal = LDAP_SUCCESS;
+ slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
+
+ retVal = config_set_onoff(attrname,
+ value,
+ &(slapdFrontendConfig->require_secure_binds),
+ errorbuf,
+ apply);
+
+ return retVal;
+}
+
/*
* This function is intended to be used from the dse code modify callback. It
diff --git a/ldap/servers/slapd/proto-slap.h b/ldap/servers/slapd/proto-slap.h
index 2041a99..08279a0 100644
--- a/ldap/servers/slapd/proto-slap.h
+++ b/ldap/servers/slapd/proto-slap.h
@@ -343,6 +343,7 @@ int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbu
int config_set_outbound_ldap_io_timeout( const char *attrname, char *value,
char *errorbuf, int apply );
int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply );
+int config_set_require_secure_binds(const char *attrname, char *value, char *errorbuf, int apply );
int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply);
int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply);
@@ -471,6 +472,7 @@ int config_get_hash_filters();
int config_get_rewrite_rfc1274();
int config_get_outbound_ldap_io_timeout(void);
int config_get_unauth_binds_switch(void);
+int config_get_require_secure_binds(void);
int config_get_csnlogging();
#ifdef MEMPOOL_EXPERIMENTAL
int config_get_mempool_switch();
diff --git a/ldap/servers/slapd/slap.h b/ldap/servers/slapd/slap.h
index 724bef9..df752f0 100644
--- a/ldap/servers/slapd/slap.h
+++ b/ldap/servers/slapd/slap.h
@@ -1695,6 +1695,7 @@ typedef struct _slapdEntryPoints {
#define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat"
#define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab"
#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds"
+#define CONFIG_REQUIRE_SECURE_BINDS_ATTRIBUTE "nsslapd-require-secure-binds"
#ifndef _WIN32
#define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser"
#endif /* !_WIN32 */
@@ -1988,6 +1989,7 @@ typedef struct _slapdFrontendConfig {
char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
int slapi_counters; /* switch to turn slapi_counters on/off */
int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int require_secure_binds; /* switch to require simple binds to use a secure channel */
size_t maxsasliosize; /* limit incoming SASL IO packet size */
#ifndef _WIN32
struct passwd *localuserinfo; /* userinfo of localuser */
--
1.6.0.6
14 years, 10 months
Please review: Use thread aware library for complex regex searches
by Noriko Hosoi
Subject: Use thread aware library for complex regex searches
Link:
http://nhosoi.fedorapeople.org/0001-Use-thread-aware-library-for-complex-...
Unfortunately, the fedoraproject.org is closed now. I'm going to create
the page http://directory.fedoraproject.org/wiki/Thread_Aware_Regex
which contains the following notes as soon as the wiki is reopened.
------------------------------------------------------------------------
Directory Server used to use the regular expression pattern matching and
replacing library which was not thread safe. Thus, the operation should
have been protected by the mutex lock. Regular expression could be used
by the search filters (syntax plugin), acl, schema file load, and SASL
Mapping. If one of them took a long time, the rest should have been
blocked. Replacing the library with the thread aware library solves the
problem and improves the throughput.
[http://www.pcre.org/ PCRE - Perl Compatible Regular Expressions]
library is installed on RHELs/Fedoras, by default. We need just a
subset of the APIs, thus we provide simplified slapi APIs wrapping the
PCRE APIs.
NAME
slapi_re_comp -- compiles a regular expression pattern. A thin wrapper
of pcre_compile.
SYNOPSIS
Slapi_Regex *slapi_re_comp( char *pat, char **error );
PARAMS
pat: Pattern to be compiled.
error: The error string is set if the compile fails.
RETURN VALUE
a pointer to the regex handler which stores the compiled pattern.
NULL if the compile fails.
WARNING
The regex handler should be released by slapi_re_free().
NAME
slapi_re_exec -- matches a compiled regular expression pattern against
a given string. A thin wrapper of pcre_exec.
SYNOPSIS
int slapi_re_exec( Slapi_Regex *re_handle, char *subject, time_t
time_up );
PARAMS
re_handle: The regex handler returned from slapi_re_comp.
subject: A string to be checked against the compiled pattern.
time_up: If the current time is larger than the value, this function
returns immediately. (-1) means no time limit.
RETURN VALUE
0 if the string did not match.
1 if the string matched.
other values if any error occurred.
NAME
slapi_re_subs -- substitutes '&' or '\#' in the param src with the
matched string.
SYNOPSIS
int slapi_re_subs( Slapi_Regex *re_handle, char *subject, char *src,
char **dst, unsigned long dstlen );
PARAMS
re_handle: The regex handler returned from slapi_re_comp.
subject: A string checked against the compiled pattern.
src: A given string which could contain the substitution symbols.
dst: A pointer pointing to the memory which stores the output string.
dstlen: Size of the memory dst.
RETURN VALUE
1 if the substitution was successful.
0 if the substitution failed.
NAME
slapi_re_free -- releases the regex handler which was returned from
slapi_re_comp.
SYNOPSIS
void slapi_re_free(Slapi_Regex *re_handle);
PARAMS
re_handle: The regex handler to be released.
RETURN VALUE
none
------------------------------------------------------------------------
Thanks,
--noriko
14 years, 10 months
Single attribute value from a list of possible values
by Eugene M Liberman
I would like identify an attribute in an entry to hold only one value from
a list of possible values. For example: attribute ?status? can only have
one of the following values: OFF, ON, UNKNOWN and nothing else. Is there
such a construct in LDAP and if there is please provide a link or an
example how to implement.
Thank you.
14 years, 10 months
new git push - added LICENSE.GPLv2
by Rich Megginson
One of the things we were dinged about in the Fedora review for 389 was
the lack of the full text of the GPLv2 - so I added it in LICENSE.GPLv2
and referred to it in LICENSE
14 years, 10 months
389 Project now uses git for our SCM
by Rich Megginson
389 has switched from using the venerable CVS to using git for our SCM.
All new development will take place in our new git repositories. The
old CVS repositories are still available, but they won't be used for any
new code. Some projects will still use the CVS repository, such as
mod_nss, mod_revocator, coolkey, esc, windowsautoenroll, and console
(just the idm console framework code - the rest of the console packages
have moved to git).
* What is git?
http://git-scm.com/
* Where are the repos?
http://port389.org/wiki/Developers#Source_Code
14 years, 10 months