[Fedora-directory-commits] ldapserver/ldap/servers/slapd globals.c, 1.9, 1.10 libglobs.c, 1.32, 1.33 proto-slap.h, 1.43, 1.44 sasl_map.c, 1.11, 1.12 slap.h, 1.41, 1.42 slapi-private.h, 1.30, 1.31 ssl.c, 1.19, 1.20 util.c, 1.19, 1.20
Richard Allen Megginson
rmeggins at fedoraproject.org
Tue Dec 2 15:29:33 UTC 2008
- Previous message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_connection.c, 1.12, 1.13 windows_connection.c, 1.21, 1.22
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/schema 01common.ldif, 1.2, 1.3 60autofs.ldif, 1.1, 1.2 60eduperson.ldif, 1.1, 1.2 60mozilla.ldif, 1.1, 1.2 60pureftpd.ldif, 1.1, 1.2 60rfc2739.ldif, 1.1, 1.2 60rfc3712.ldif, 1.1, 1.2 60sabayon.ldif, 1.1, 1.2 60trust.ldif, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv1168/ldapserver/ldap/servers/slapd
Modified Files:
globals.c libglobs.c proto-slap.h sasl_map.c slap.h
slapi-private.h ssl.c util.c
Log Message:
Resolves: bug 469261
Bug Description: Support server-to-server SASL - console chaining, server cleanup
Reviewed by: nkinder (Thanks!)
Fix Description: There are two sets of diffs here. The first set adds tls, gssapi, and digest to the chaining database (aka database link) panels in the console. I had to add support for revert to some of the code to make the Reset button work without having to retrieve the values from the server each time. We already store the original values locally in the _origModel - I added code to allow the use of that in the Reset button.
The second set of diffs is for the server.
1) I had to add support for "SIMPLE" for bindMechanism - this translates to LDAP_SASL_SIMPLE for the actual mechanism. This value is NULL, so I had to add handling for NULL values in the cb config code (slapi_ch_* work fine with NULL values).
2) Added some more debugging/tracing code
3) The server to server SSL code would only work if the server were configured to be an SSL server. But for the server to be an SSL client, it only needs NSS initialized and to have the CA cert. It also needs to configured some of the SSL settings and install the correct policy. I changed the server code to do this.
Platforms tested: RHEL5
Flag Day: no
Doc impact: Yes
Index: globals.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/globals.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- globals.c 24 Oct 2008 22:36:58 -0000 1.9
+++ globals.c 2 Dec 2008 15:29:30 -0000 1.10
@@ -165,7 +165,6 @@
sep->sep_ps_wakeup_all = (caddr_t)ps_wakeup_all;
sep->sep_ps_service = (caddr_t)ps_service_persistent_searches;
sep->sep_disconnect_server = (caddr_t)disconnect_server;
- sep->sep_slapd_SSL_client_init = (caddr_t)slapd_SSL_client_init;
sep->sep_slapd_ssl_init = (caddr_t)slapd_ssl_init;
sep->sep_slapd_ssl_init2 = (caddr_t)slapd_ssl_init2;
set_dll_entry_points( sep );
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- libglobs.c 26 Nov 2008 17:32:21 -0000 1.32
+++ libglobs.c 2 Dec 2008 15:29:30 -0000 1.33
@@ -1036,9 +1036,6 @@
case ENTRY_POINT_DISCONNECT_SERVER:
*ep_addr = sep->sep_disconnect_server;
break;
- case ENTRY_POINT_SLAPD_SSL_CLIENT_INIT:
- *ep_addr = sep->sep_slapd_SSL_client_init;
- break;
case ENTRY_POINT_SLAPD_SSL_INIT:
*ep_addr = sep->sep_slapd_ssl_init;
break;
Index: proto-slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -r1.43 -r1.44
--- proto-slap.h 25 Nov 2008 19:20:27 -0000 1.43
+++ proto-slap.h 2 Dec 2008 15:29:30 -0000 1.44
@@ -899,9 +899,6 @@
/*
* ssl.c
*/
-int slapd_SSL_client_init();
-int slapd_SSL_client_bind_s( LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv);
-int slapd_sasl_ext_client_bind( LDAP* ld, int **msgid);
int slapd_nss_init(int init_ssl, int config_available);
int slapd_ssl_init();
int slapd_ssl_init2(PRFileDesc **fd, int startTLS);
Index: sasl_map.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- sasl_map.c 6 Nov 2008 00:34:19 -0000 1.11
+++ sasl_map.c 2 Dec 2008 15:29:30 -0000 1.12
@@ -320,6 +320,7 @@
sasl_map_data *dp = NULL;
for (map_entry = map_entry_list; *map_entry && !ret; map_entry++) {
+ LDAPDebug( LDAP_DEBUG_CONFIG, "sasl_map_read_config_startup - proceesing [%s]\n", *map_entry, 0, 0 );
getConfigEntry( *map_entry, &entry );
if ( entry == NULL ) {
continue;
@@ -331,6 +332,8 @@
ret = sasl_map_insert_list_entry(priv,dp);
if (ret) {
LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_read_config_startup failed to insert entry\n", 0, 0, 0 );
+ } else {
+ LDAPDebug( LDAP_DEBUG_CONFIG, "sasl_map_read_config_startup - processed [%s]\n", *map_entry, 0, 0 );
}
}
freeConfigEntry( &entry );
@@ -513,6 +516,7 @@
while (this_map) {
int matched = 0;
/* If one matches, then make the search params */
+ LDAPDebug( LDAP_DEBUG_TRACE, "sasl_map_domap - trying map [%s]\n", this_map->name, 0, 0 );
matched = sasl_map_check(this_map, sasl_user_and_realm, ldap_search_base, ldap_search_filter);
if (1 == matched) {
ret = 1;
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.41
retrieving revision 1.42
diff -u -r1.41 -r1.42
--- slap.h 26 Nov 2008 17:32:21 -0000 1.41
+++ slap.h 2 Dec 2008 15:29:30 -0000 1.42
@@ -1601,7 +1601,6 @@
typedef void (*ps_service_fn_ptr)(Slapi_Entry *, Slapi_Entry *, int, int );
typedef char *(*get_config_dn_fn_ptr)();
typedef void (*get_disconnect_server_fn_ptr)(Connection *conn, PRUint64 opconnid, int opid, PRErrorCode reason, PRInt32 error );
-typedef int (*slapd_SSL_client_init_fn_ptr)( void );
typedef int (*modify_config_dse_fn_ptr)( Slapi_PBlock *pb );
typedef int (*slapd_ssl_init_fn_ptr)( void );
typedef int (*slapd_ssl_init_fn_ptr2)( PRFileDesc **s, int StartTLS);
@@ -1614,7 +1613,6 @@
caddr_t sep_ps_wakeup_all;
caddr_t sep_ps_service;
caddr_t sep_disconnect_server;
- caddr_t sep_slapd_SSL_client_init;
caddr_t sep_slapd_ssl_init;
caddr_t sep_slapd_ssl_init2;
} slapdEntryPoints;
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- slapi-private.h 26 Nov 2008 22:42:12 -0000 1.30
+++ slapi-private.h 2 Dec 2008 15:29:30 -0000 1.31
@@ -1108,11 +1108,7 @@
time_t parse_genTime(char* from);
/* Client SSL code */
-int slapd_SSL_client_init( void );
int slapd_security_library_is_initialized( void );
-int slapd_SSL_client_bind_s(LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv);
-int slapd_sasl_ext_client_bind(LDAP* ld, int **msgid);
-int slapd_Client_auth(LDAP* ld);
char* slapd_get_tmp_dir( void );
/* Misc crrrrrrap */
Index: ssl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- ssl.c 4 Nov 2008 18:23:08 -0000 1.19
+++ ssl.c 2 Dec 2008 15:29:30 -0000 1.20
@@ -459,6 +459,14 @@
rv = -1;
}
+ if(SSLPLCY_Install() != PR_SUCCESS) {
+ errorCode = PR_GetError();
+ slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
+ SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
+ errorCode, slapd_pr_strerror(errorCode));
+ return -1;
+ }
+
/****** end of NSS Initialization ******/
slapi_ch_free_string(&certdir);
@@ -622,15 +630,6 @@
}
freeConfigEntry( &entry );
- if(SSLPLCY_Install() != PR_SUCCESS) {
- errorCode = PR_GetError();
- slapd_SSL_warn("Security Initialization: Unable to set SSL export policy ("
- SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- errorCode, slapd_pr_strerror(errorCode));
- return -1;
- }
-
-
/* ugaston- Cipher preferences must be set before any sslSocket is created
* for such sockets to take preferences into account.
*/
@@ -1041,12 +1040,6 @@
*/
int
-slapd_SSL_client_init()
-{
- return 0;
-}
-
-int
slapd_SSL_client_auth (LDAP* ld)
{
int rc = 0;
@@ -1205,111 +1198,6 @@
return rc;
}
-int
-slapd_simple_client_bind_s(LDAP* ld, char* DN, char* pw, int LDAPv)
-{
- int rc;
- PRErrorCode errorCode;
-
- ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, (void *) &LDAPv);
- rc = ldap_simple_bind_s (ld, DN, pw);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_simple_bind_s(%s, %s) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- DN, pw, rc, errorCode, slapd_pr_strerror(errorCode));
- }
- LDAPDebug (LDAP_DEBUG_TRACE, "slapd_simple_client_bind_s(%s, %i) %i\n", DN, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_SSL_client_bind_s (LDAP* ld, char* DN, char* pw, int use_SSL, int LDAPv)
-{
- int rc;
- struct berval noCred = {0, 0};
-
- if (!use_SSL || LDAPv == LDAP_VERSION2) {
- rc = slapd_simple_client_bind_s(ld, DN, pw, LDAPv);
- } else {
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
-
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind_s (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL /* LDAPControl **serverctrls */,
- NULL /* LDAPControl **clientctrls */,
- NULL /* struct berval **servercredp */);
-
- }
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_SSL_client_bind_s(%i,%i) %i\n", use_SSL, LDAPv, rc);
- return rc;
-}
-
-int
-slapd_sasl_ext_client_bind (LDAP* ld, int **msgid)
-{
- int rc;
- PRErrorCode errorCode;
- struct berval noCred = {0, 0};
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: Trying SSL Client Authentication\n",
- 0, 0, 0);
-
- rc = slapd_SSL_client_auth(ld);
- if(rc != 0)
- {
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind: SSL Client Auth Failed during replication Bind\n",
- 0, 0, 0);
- return rc;
- }
-
- rc = ldap_sasl_bind (ld, "", LDAP_SASL_EXTERNAL, &noCred,
- NULL,
- NULL,
- *msgid);
- if (rc != 0) {
- errorCode = PR_GetError();
- slapd_SSL_warn("ldap_sasl_bind(\"\",LDAP_SASL_EXTERNAL) %i (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- rc, errorCode, slapd_pr_strerror(errorCode));
- }
-
- LDAPDebug (
- LDAP_DEBUG_TRACE,
- "slapd_sasl_ext_client_bind %i\n", rc, 0, 0);
-
- return rc;
-}
-
-
-int slapd_Client_auth(LDAP* ld)
-{
- int rc=0;
-
- rc = slapd_SSL_client_auth (ld);
-
- return rc;
-}
-
-
/* Function for keeping track of the SSL initialization status:
* - returns 1: when slapd_ssl_init has been executed
*/
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -r1.19 -r1.20
--- util.c 12 Nov 2008 17:42:37 -0000 1.19
+++ util.c 2 Dec 2008 15:29:31 -0000 1.20
@@ -961,6 +961,7 @@
*/
if (secure > 0) {
int ssl_strength = 0;
+ LDAP *myld = NULL;
if (config_get_ssl_check_hostname()) {
/* check hostname against name in certificate */
@@ -970,24 +971,23 @@
ssl_strength = LDAPSSL_AUTH_CERT;
}
- /* Can only use ldapssl_set_strength on and LDAP* already
- initialized for SSL - this is not the case when using
- startTLS, so we use NULL to set the default for all
- new connections */
+ /* we can only use the set functions below with a real
+ LDAP* if it has already gone through ldapssl_init -
+ so, use NULL if using starttls */
if (secure == 1) {
- rc = ldapssl_set_strength(ld, ssl_strength);
- } else {
- rc = ldapssl_set_strength(NULL, ssl_strength);
+ myld = ld;
}
- if (rc != 0) {
+ if ((rc = ldapssl_set_strength(myld, ssl_strength)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_SSL2, PR_FALSE)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_SSL3, PR_TRUE)) ||
+ (rc = ldapssl_set_option(myld, SSL_ENABLE_TLS, PR_TRUE))) {
int prerr = PR_GetError();
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext",
- "failed: unable to set SSL strength to %d ("
+ "failed: unable to set SSL options ("
SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
- ssl_strength, prerr,
- slapd_pr_strerror(prerr));
+ prerr, slapd_pr_strerror(prerr));
}
if (secure == 1) {
@@ -1023,6 +1023,11 @@
ldap_controls_free(clientctrls); /* free the copy */
}
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_init_ext",
+ "Success: set up conn to [%s:%d]%s\n",
+ hostname, port,
+ (secure == 2) ? " using startTLS" :
+ ((secure == 1) ? " using SSL" : ""));
done:
ldap_free_urldesc(ludp);
@@ -1092,7 +1097,10 @@
"auth - error %d - make sure the server is "
"correctly configured for SSL/TLS\n", rc);
goto done;
- }
+ } else {
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "Set up conn to use client auth\n");
+ }
bvcreds.bv_val = NULL; /* ignore username and passed in creds */
bvcreds.bv_len = 0; /* for external auth */
bindid = NULL;
@@ -1110,6 +1118,8 @@
rc, ldap_err2string(rc));
goto done;
}
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "startTLS started on connection\n");
}
/* The connection has been set up - now do the actual bind, depending on
@@ -1118,14 +1128,20 @@
!strcmp(mech, LDAP_SASL_EXTERNAL)) {
int mymsgid = 0;
+ slapi_log_error(SLAPI_LOG_SHELL, "slapi_ldap_bind",
+ "attempting %s bind with id [%s] creds [%s]\n",
+ mech ? mech : "SIMPLE",
+ bindid, creds);
if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls,
NULL /* clientctrls */, &mymsgid))) {
slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind",
"Error: could not send bind request for id "
- "[%s] mech [%s]: error %d (%s)\n",
+ "[%s] mech [%s]: error %d (%s) %d (%s) %d (%s)\n",
bindid ? bindid : "(anon)",
mech ? mech : "SIMPLE",
- rc, ldap_err2string(rc));
+ rc, ldap_err2string(rc),
+ PR_GetError(), slapd_pr_strerror(PR_GetError()),
+ errno, slapd_system_strerror(errno));
goto done;
}
- Previous message (by thread): [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_connection.c, 1.12, 1.13 windows_connection.c, 1.21, 1.22
- Next message (by thread): [Fedora-directory-commits] ldapserver/ldap/schema 01common.ldif, 1.2, 1.3 60autofs.ldif, 1.1, 1.2 60eduperson.ldif, 1.1, 1.2 60mozilla.ldif, 1.1, 1.2 60pureftpd.ldif, 1.1, 1.2 60rfc2739.ldif, 1.1, 1.2 60rfc3712.ldif, 1.1, 1.2 60sabayon.ldif, 1.1, 1.2 60trust.ldif, 1.1, 1.2
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the Fedora-directory-commits
mailing list