[389-commits] ldap/servers

Nathan Kinder nkinder at fedoraproject.org
Thu Jan 20 22:07:49 UTC 2011


 ldap/servers/plugins/dna/dna.c |   31 +++++++------------------------
 1 file changed, 7 insertions(+), 24 deletions(-)

New commits:
commit bd717265ad729abdfaf02f91e3b7b92b76ad5781
Author: Nathan Kinder <nkinder at redhat.com>
Date:   Thu Jan 20 10:03:33 2011 -0800

    Bug 671033 - range sharing between server breaks with SASL/GSSAPI auth
    
    The DNA range request extop uses the replication bind credentials
    to authenticate to the other master.  If the replication agreement
    is configured to use SASL/GSSAPI (or any non-simple bind auth), the
    DNA plug-in falls back to using an anonymous bind, which will fail.
    
    The problem is that the function that fetches the replication bind
    credentials was expecting a bind dn and password.  If both of these
    were not found, it would free everything (including the bind
    method).  The fix is to just fetch the credentials and return them
    without doing this additional check.
    
    This patch also makes the receiving master check if the bind DN
    matches any replication bind DN, which allows it to work properly
    when multiple replication bind DNs are configured.  It previously
    only worked with a single-valued replication bind DN attribute.

diff --git a/ldap/servers/plugins/dna/dna.c b/ldap/servers/plugins/dna/dna.c
index 284203b..c457c0f 100644
--- a/ldap/servers/plugins/dna/dna.c
+++ b/ldap/servers/plugins/dna/dna.c
@@ -2313,10 +2313,7 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
 {
     char *replica_dn = NULL;
     Slapi_DN *replica_sdn = NULL;
-    char *replica_bind_dn = NULL;
-    Slapi_DN *replica_bind_sdn = NULL;
     Slapi_DN *range_sdn = NULL;
-    Slapi_DN *bind_sdn = NULL;
     Slapi_Entry *e = NULL;
     char *attrs[2];
     Slapi_Backend *be = NULL;
@@ -2351,7 +2348,10 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
         slapi_search_internal_get_entry(replica_sdn, attrs, &e, getPluginID());
 
         if (e) {
-            replica_bind_dn = slapi_entry_attr_get_charptr(e, DNA_REPL_BIND_DN);
+            /* Check if the passed in bind dn matches any of the replica bind dns. */
+            Slapi_Value *bind_dn_sv = slapi_value_new_string(bind_dn);
+            ret = slapi_entry_attr_has_syntax_value(e, DNA_REPL_BIND_DN, bind_dn_sv);
+            slapi_value_free(&bind_dn_sv);
         } else {
             slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM,
                             "dna_is_replica_bind_dn: Failed to fetch replica entry "
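Review bot: The membership test on the added lines is an authorization decision, and nothing in this hunk rejects a NULL or empty `bind_dn` before it is wrapped in a `Slapi_Value`. If an anonymous requester can reach this point, the outcome depends on how `slapi_value_new_string` and the attribute's matching rule treat an empty value; an explicit guard ahead of the search, such as `if (bind_dn == NULL || *bind_dn == '\0') { ret = 0; goto done; }`, would make the denial unconditional. The comparison also now relies on the syntax of `DNA_REPL_BIND_DN` instead of `slapi_sdn_compare`, so a comment stating that the attribute is expected to have DN syntax (so equivalent but differently spelled DNs still match) would help the next reader. The function starts and ends outside this hunk, so an earlier check may already exist.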
@@ -2359,21 +2359,10 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn)
         }
     }
 
-    if (replica_bind_dn) {
-        /* Compare the passed in bind dn to the replica bind dn */
-        bind_sdn = slapi_sdn_new_dn_byref(bind_dn);
-        replica_bind_sdn = slapi_sdn_new_dn_passin(replica_bind_dn);
-        if (slapi_sdn_compare(bind_sdn, replica_bind_sdn) == 0) {
-            ret = 1;
-        }
-    }
-
 done:
     slapi_entry_free(e);
     slapi_sdn_free(&range_sdn);
     slapi_sdn_free(&replica_sdn);
-    slapi_sdn_free(&replica_bind_sdn);
-    slapi_sdn_free(&bind_sdn);
 
     return ret;
 }
@@ -2515,15 +2504,9 @@ static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server,
         }
     }
 
-    /* If we didn't get both a bind DN and a decoded password,
-     * then just free everything and return an error. */
-    if (*bind_dn && *bind_passwd) {
-        ret = 0;
-    } else {
-        slapi_ch_free_string(bind_dn);
-        slapi_ch_free_string(bind_passwd);
-        slapi_ch_free_string(bind_method);
-    }
+    /* If we got here, we succesfully got the
+     * creds.  Set the success return value. */
+    ret = 0;
 
 bail:
     slapi_ch_free_string(&transport);
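Review bot: Setting `ret = 0` unconditionally also reports success for a simple-bind agreement whose bind DN is missing or whose password failed to decode, a case the removed check used to catch. The commit message says the plug-in falls back to an anonymous bind when credentials are absent, so a misconfigured simple-bind agreement would now probably attempt an anonymous range request instead of failing here with a clear error. Consider keeping the DN-and-password requirement but applying it only when `*bind_method` is unset or names simple authentication, freeing the three strings and skipping the success assignment in that case. The added comment also misspells "successfully". The function body starts and ends outside this hunk, so how the caller treats NULL credentials is not visible.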



