From nhosoi at fedoraproject.org Sat Nov 1 22:09:18 2008 From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Sat, 1 Nov 2008 22:09:18 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acllas.c, 1.12, 1.13 Message-ID: <20081101220918.E70787013A@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13024 Modified Files: acllas.c Log Message: Resolves: #469243 Summary: ACL: support group filter Fix Description: . backoff the previous checkin . check the value of groupdn is the full ldapurl or not by ldap_url_parse. . if yes, run the search and get the search results. otherwise, evaluate the bind dn for the value as usual. . evaluate the bind dn against each group returned from the search. . additionally, added the code to trim the beginning and trailig spaces from the groupdn value, which is needed for ldap_url_parse.
Index: acllas.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acllas.c,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- acllas.c 31 Oct 2008 00:16:02 -0000 1.12
+++ acllas.c 1 Nov 2008 22:09:16 -0000 1.13
@@ -747,6 +747,7 @@
 {
 char *groups;
+ char *groupNameOrig;
 char *groupName;
 char *ptr;
 char *end_dn;
@@ -767,7 +768,7 @@
 }
 groups = slapi_ch_strdup(attr_pattern);
- groupName = groups;
+ groupNameOrig = groupName = groups;
 matched = ACL_FALSE;
 /* check if the groupdn is one of the users */
@@ -800,7 +801,17 @@
 auto char *t = end_dn;
 LDAP_UTF8INC(end_dn);
 LDAP_UTF8INC(end_dn);
- *t = 0;
+ /* removing trailing spaces */
+ LDAP_UTF8DEC(t);
+ while (' ' == *t || '\t' == *t) {
+ LDAP_UTF8DEC(t);
+ }
+ LDAP_UTF8INC(t);
+ *t = '\0';
+ /* removing beginning spaces */
+ while (' ' == *end_dn || '\t' == *end_dn) {
+ LDAP_UTF8INC(end_dn);
+ }
 }
 if (*groupName) {
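Review bot: The trailing-blank scan in the -800 hunk has no lower bound: `LDAP_UTF8DEC(t);` runs unconditionally and `while (' ' == *t || '\t' == *t)` keeps stepping back, so a value that is empty (adjacent `||`) or consists only of blanks walks `t` before the start of the `slapi_ch_strdup` copy and reads there, and after the following `LDAP_UTF8INC(t); *t = '\0';` may write outside it as well; this is attribute text taken from the ACI, so malformed input does reach this code. The visible assignments (`groupNameOrig = groupName = groups`, later `= end_dn`) use `groupName` as the start of the current value, so bound both the first decrement and the loop on it, as in the excerpt below. Separately, the "removing beginning spaces" loop advances `end_dn`, i.e. it trims the *next* value, so leading blanks on the first groupdn are never removed unless code above the hunk does so; if every value is meant to be trimmed, the same loop belongs at the top of the iteration on `groupName`. The enclosing while loop starts and ends outside the hunk.
```c
/* … unchanged: auto char *t = end_dn; LDAP_UTF8INC(end_dn); LDAP_UTF8INC(end_dn); … */
/* removing trailing spaces, never stepping before the current value */
if (t > groupName) {
    LDAP_UTF8DEC(t);
    while (t > groupName && (' ' == *t || '\t' == *t)) {
        LDAP_UTF8DEC(t);
    }
    LDAP_UTF8INC(t);
}
*t = '\0';
/* … unchanged: removing beginning spaces … */
```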
@@ -841,10 +852,58 @@
 slapi_log_error ( SLAPI_LOG_ACL, plugin_name, "DS_LASGroupDnEval: Param group name:%s\n", groupName);
- } else {/* normal evaluation */
-
- matched = acllas_eval_one_group( groupName, &lasinfo);
-
+ } else {
+ LDAPURLDesc *ludp = NULL;
+ int rval;
+ Slapi_PBlock *myPb = NULL;
+ Slapi_Entry **grpentries = NULL;
+
+ /* Groupdn is full ldapurl? */
+ if (0 == ldap_url_parse(groupNameOrig, &ludp) &&
+ NULL != ludp->lud_dn &&
+ NULL != ludp->lud_scope &&
+ NULL != ludp->lud_filter) {
+ /* Yes, it is full ldapurl; Let's run the search */
+ myPb = slapi_pblock_new ();
+ slapi_search_internal_set_pb(
+ myPb,
+ ludp->lud_dn,
+ ludp->lud_scope,
+ ludp->lud_filter,
+ NULL,
+ 0,
+ NULL /* controls */,
+ NULL /* uniqueid */,
+ aclplugin_get_identity (ACL_PLUGIN_IDENTITY),
+ 0 );
+ slapi_search_internal_pb(myPb);
+ slapi_pblock_get(myPb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
+ if (rval == LDAP_SUCCESS) {
+ Slapi_Entry **ep;
+ slapi_pblock_get(myPb,
+ SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &grpentries);
+ if ((grpentries != NULL) && (grpentries[0] != NULL)) {
+ char *edn = NULL;
+ for (ep = grpentries; *ep; ep++) {
+ /* groups having ACI */
+ edn = slapi_entry_get_ndn(*ep);
+ matched = acllas_eval_one_group(edn, &lasinfo);
+ if (ACL_TRUE == matched) {
+ break; /* matched ! */
+ }
+ }
+ }
+ }
+ slapi_free_search_results_internal(myPb);
+ slapi_pblock_destroy (myPb);
+
+ } else {
+ /* normal evaluation */
+ matched = acllas_eval_one_group( groupName, &lasinfo );
+ }
+ if ( ludp ) {
+ ldap_free_urldesc( ludp );
+ }
 }
 if ( matched == ACL_TRUE ) {
@@ -855,7 +914,7 @@
 }
 }
 /* Nothing matched -- try the next DN */
- groupName = end_dn;
+ groupNameOrig = groupName = end_dn;
 } /* end of while */
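Review bot: `NULL != ludp->lud_scope` compares a pointer constant with an int: `lud_scope` is an int in `LDAPURLDesc`, so the term means `lud_scope != 0`, which rejects every URL with `base` scope (`LDAP_SCOPE_BASE` is 0) and sends it down the plain-groupdn path where the URL string can never match. The parser always fills in a scope, so drop that term: `if (0 == ldap_url_parse(groupNameOrig, &ludp) && NULL != ludp->lud_dn && NULL != ludp->lud_filter) {`. A search result other than `LDAP_SUCCESS` is also swallowed silently, leaving `matched` false with no trace; a `slapi_log_error` at `SLAPI_LOG_ACL` level with `rval` and `groupNameOrig` would make a mistyped filter in an ACI diagnosable. The search runs under `aclplugin_get_identity` with no limit passed, so the ACI author's filter is evaluated with the plugin's full read access over `lud_dn`; that is presumably intended, but a one-line comment at the `slapi_search_internal_set_pb` call should say so. The enclosing while loop starts and ends outside the hunk.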
@@ -2361,9 +2420,6 @@
 char ebuf [ BUFSIZ ];
 Slapi_Value *sval=NULL;
 const struct berval *attrVal;
- int qcnt = 0;
- Slapi_PBlock *myPb = NULL;
- Slapi_Entry **grpentries = NULL;
 /* Parse the URL -- getting the group attr and counting up '?'s.
 * If there is no group attr and there are 3 '?' marks,
@@ -2374,19 +2430,12 @@
 str +=8;
 s = strchr (str, '?');
 if (s) {
- qcnt++;
 p = s;
 p++;
 *s = '\0';
 base = str;
 s = strchr (p, '?');
- if (s) {
- qcnt++;
- *s = '\0';
- if (NULL != strchr (++s, '?')) {
- qcnt++;
- }
- }
+ if (s) *s = '\0';
 groupattr = p;
 } else {
@@ -2394,49 +2443,6 @@
 return ACL_FALSE;
 }
- /* Full LDAPURL is given? */
- if ((NULL == groupattr || 0 == strlen(groupattr)) && 3 == qcnt) {
- LDAPURLDesc *ludp = NULL;
- int rval;
-
- if ( 0 != ldap_url_parse( attrName, &ludp) ) {
- slapi_ch_free ( (void **)&s_str );
- return ACL_FALSE;
- }
-
- /* Use new search internal API */
- myPb = slapi_pblock_new ();
- slapi_search_internal_set_pb(
- myPb,
- ludp->lud_dn,
- ludp->lud_scope,
- ludp->lud_filter,
- NULL,
- 0,
- NULL /* controls */,
- NULL /* uniqueid */,
- aclplugin_get_identity (ACL_PLUGIN_IDENTITY),
- 0 );
- slapi_search_internal_pb(myPb);
- ldap_free_urldesc( ludp );
-
- slapi_pblock_get(myPb, SLAPI_PLUGIN_INTOP_RESULT, &rval);
- if (rval != LDAP_SUCCESS) {
- slapi_ch_free ( (void **)&s_str );
- slapi_free_search_results_internal(myPb);
- slapi_pblock_destroy (myPb);
- return ACL_FALSE;
- }
-
- slapi_pblock_get(myPb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &grpentries);
- if ((grpentries == NULL) || (grpentries[0] == NULL)) {
- slapi_ch_free ( (void **)&s_str );
- slapi_free_search_results_internal(myPb);
- slapi_pblock_destroy (myPb);
- return ACL_FALSE;
- }
- }
-
 if ( (u_group = aclg_get_usersGroup ( aclpb , n_clientdn )) == NULL) {
 slapi_log_error( SLAPI_LOG_ACL, plugin_name, "Failed to find/allocate a usergroup--aborting evaluation\n", 0, 0);
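Review bot: `if (s) *s = '\0';` in the -2374 hunk restores an unbraced one-line conditional while the bodies around it (including `if (s) {` a few lines above) are braced; a mixed form next to a pointer-truncating write is exactly where the next added statement silently lands outside the condition. Write it as `if (s) {` / `*s = '\0';` / `}` to match the surrounding style. The other two hunks on this line only remove the previous attempt and need nothing further.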
@@ -2594,55 +2600,37 @@ j, ACL_ESCAPE_STRING_WITH_PUNCTUATION (u_group->aclug_member_groups[j], ebuf),0); matched = ACL_FALSE; - if ((NULL == groupattr || 0 == strlen(groupattr)) && 3 == qcnt) { - /* Full LDAPURL case */ - for (k = 0; u_group->aclug_member_groups[k]; k++) { /* groups the bind - user belong to */ - Slapi_Entry **ep; - for (ep = grpentries; *ep; ep++) { /* groups having ACI */ - char *n_edn = slapi_entry_get_ndn(*ep); - if (slapi_utf8casecmp((ACLUCHP)u_group->aclug_member_groups[k], - (ACLUCHP)n_edn) == 0) { - matched = ACL_TRUE; - break; - } - } - } - slapi_free_search_results_internal(myPb); - slapi_pblock_destroy(myPb); - } else { - slapi_entry_attr_find( e, groupattr, &attr); - if (attr == NULL) { - slapi_ch_free ( (void **)&s_str ); - return ACL_FALSE; + slapi_entry_attr_find( e, groupattr, &attr); + if (attr == NULL) { + slapi_ch_free ( (void **)&s_str ); + return ACL_FALSE; + } + k = slapi_attr_first_value ( attr,&sval ); + while ( k != -1 ) { + char *n_attrval; + attrVal = slapi_value_get_berval ( sval ); + n_attrval = slapi_ch_strdup( attrVal->bv_val); + n_attrval = slapi_dn_normalize (n_attrval); + + /* We support: The attribute value can be a USER or a GROUP. + ** Let's compare with the client, thi might be just an user. If it is not + ** then we test it against the list of groups. + */ + if (slapi_utf8casecmp ((ACLUCHP)n_attrval, (ACLUCHP)n_clientdn) == 0 ) { + matched = ACL_TRUE; + slapi_ch_free ( (void **)&n_attrval ); + break; } - k = slapi_attr_first_value ( attr,&sval ); - while ( k != -1 ) { - char *n_attrval; - attrVal = slapi_value_get_berval ( sval ); - n_attrval = slapi_ch_strdup( attrVal->bv_val); - n_attrval = slapi_dn_normalize (n_attrval); - - /* We support: The attribute value can be a USER or a GROUP. - ** Let's compare with the client, thi might be just an user. If it is not - ** then we test it against the list of groups. 
- */ - if (slapi_utf8casecmp ((ACLUCHP)n_attrval, (ACLUCHP)n_clientdn) == 0 ) { + for (j=0; j aclug_numof_member_group; j++) { + if ( slapi_utf8casecmp((ACLUCHP)n_attrval, + (ACLUCHP)u_group->aclug_member_groups[j]) == 0) { matched = ACL_TRUE; - slapi_ch_free ( (void **)&n_attrval ); break; } - for (j=0; j aclug_numof_member_group; j++) { - if ( slapi_utf8casecmp((ACLUCHP)n_attrval, - (ACLUCHP)u_group->aclug_member_groups[j]) == 0) { - matched = ACL_TRUE; - break; - } - } - slapi_ch_free ( (void **)&n_attrval ); - if (matched == ACL_TRUE) break; - k= slapi_attr_next_value ( attr, k, &sval ); } + slapi_ch_free ( (void **)&n_attrval ); + if (matched == ACL_TRUE) break; + k= slapi_attr_next_value ( attr, k, &sval ); } slapi_ch_free ( (void **)&s_str ); return matched; From nkinder at fedoraproject.org Mon Nov 3 23:21:19 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Mon, 3 Nov 2008 23:21:19 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/dna dna.c, 1.13, 1.14 Message-ID: <20081103232119.CD2D77013A@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/dna In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4190/ldap/servers/plugins/dna Modified Files: dna.c Log Message: Resolves: 467931 Summary: Fix crash caused by DNA shared config update event. Index: dna.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/dna/dna.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- dna.c 17 Oct 2008 22:12:47 -0000 1.13 +++ dna.c 3 Nov 2008 23:21:16 -0000 1.14 @@ -603,6 +603,7 @@ int status = DNA_SUCCESS; int result; int i; + time_t now; Slapi_PBlock *search_pb; Slapi_Entry **entries = NULL; 
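Review bot: `slapi_entry_attr_find( e, groupattr, &attr );` in the -2594 hunk discards the function's return value and relies on the helper clearing `attr` on a miss; `attr` is declared above the hunk, so the `if (attr == NULL)` test only works if that side effect holds. Make the check independent of it: `if (slapi_entry_attr_find(e, groupattr, &attr) != 0 || attr == NULL) {`. The restored comment still reads `thi might be just an user`; `this might be just a user` the next time the block is touched. The function's start is above the hunk; `return matched;` at the end is its last line.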
@@ -639,6 +640,14 @@
 dna_parse_config_entry(entries[i], 1);
 }
+ /* Setup an event to update the shared config 30
+ * seconds from now. We need to do this since
+ * performing the operation at this point when
+ * starting up would cause the change to not
+ * get changelogged. */
+ time(&now);
+ slapi_eq_once(dna_update_config_event, NULL, now + 30);
+
 cleanup:
 slapi_free_search_results_internal(search_pb);
 slapi_pblock_destroy(search_pb);
@@ -1021,16 +1030,6 @@
 }
 dna_free_config_entry(&entry);
 } else {
- time_t now;
-
- time(&now);
-
- /* Setup an event to update the shared config 30
- * seconds from now. We need to do this since
- * performing the operation now would cause the
- * change to not get changelogged. */
- slapi_eq_once(dna_update_config_event, entry, now + 30);
-
 ret = DNA_SUCCESS;
 }
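Review bot: The 30-second delay is a magic number repeated in the comment and in `slapi_eq_once(dna_update_config_event, NULL, now + 30)`, and the same literal was just deleted from the per-entry path in the -1021 hunk, so this is the moment to give it one definition. Add `#define DNA_CONFIG_UPDATE_DELAY 30` (name constructed) beside the plugin's other defines and pass `now + DNA_CONFIG_UPDATE_DELAY`, letting the comment explain the changelog reason without restating the value. The event is now scheduled on the startup path whether or not any config entry was parsed; the callback checks `PR_CLIST_IS_EMPTY(dna_global_config)` so that is harmless, but a half-sentence here saying so saves the next reader a lookup. The function containing this hunk starts above it.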
@@ -1174,39 +1173,59 @@
 * dna_update_config_event()
 *
 * Event queue callback that we use to do the initial
- * update of the shared config entry shortly after
+ * update of the shared config entries shortly after
 * startup.
 */
 static void
 dna_update_config_event(time_t event_time, void *arg)
 {
 Slapi_PBlock *pb = NULL;
- struct configEntry *config_entry = arg;
-
- if ((pb = slapi_pblock_new()) == NULL)
- goto bail;
+ struct configEntry *config_entry = NULL;
+ PRCList *list = NULL;
 /* Get read lock to prevent config changes */
 dna_read_lock();
- /* First delete the existing shared config entry. This
- * will allow the entry to be updated for things like
- * port number changes, etc. */
- slapi_delete_internal_set_pb(pb, config_entry->shared_cfg_dn,
- NULL, NULL, getPluginID(), 0);
+ /* Loop through all config entries and update the shared
+ * config entries. */
+ if (!PR_CLIST_IS_EMPTY(dna_global_config)) {
+ list = PR_LIST_HEAD(dna_global_config);
- /* We don't care about the results */
- slapi_delete_internal_pb(pb);
+ /* Create the pblock. We'll reuse this for all
+ * shared config updates. */
+ if ((pb = slapi_pblock_new()) == NULL)
+ goto bail;
- /* Now force the entry to be recreated */
- slapi_lock_mutex(config_entry->lock);
- dna_update_shared_config(config_entry);
- slapi_unlock_mutex(config_entry->lock);
- dna_unlock();
+ while (list != dna_global_config) {
+ config_entry = (struct configEntry *) list;
- bail:
+ /* If a shared config dn is set, update the shared config. */
+ if (config_entry->shared_cfg_dn != NULL) {
+ slapi_lock_mutex(config_entry->lock);
+
+ /* First delete the existing shared config entry. This
+ * will allow the entry to be updated for things like
+ * port number changes, etc. */
+ slapi_delete_internal_set_pb(pb, config_entry->shared_cfg_dn,
+ NULL, NULL, getPluginID(), 0);
+
+ /* We don't care about the results */
+ slapi_delete_internal_pb(pb);
+
+ /* Now force the entry to be recreated */
+ dna_update_shared_config(config_entry);
+
+ slapi_unlock_mutex(config_entry->lock);
+ slapi_pblock_init(pb);
+ }
+
+ list = PR_NEXT_LINK(list);
+ }
+ }
+
+bail:
+ dna_unlock();
 slapi_pblock_destroy(pb);
- pb = NULL;
 }
 /****************************************************
From rmeggins at fedoraproject.org Tue Nov 4 18:23:10 2008
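Review bot: The result of the internal delete is still discarded (`/* We don't care about the results */` then `slapi_delete_internal_pb(pb);`), but a delete that fails for any reason other than the entry not existing means `dna_update_shared_config` will re-add on top of a stale entry with nothing logged, and with the loop now covering every config entry one bad DN hides among the others. Read `SLAPI_PLUGIN_INTOP_RESULT` after the delete and log anything but `LDAP_SUCCESS` / `LDAP_NO_SUCH_OBJECT`, declaring `int rc = LDAP_SUCCESS;` with the other locals, as in the excerpt below. The callback also runs internal operations for each entry while holding `dna_read_lock()` and then `config_entry->lock`; that order is inherited from the old code, but a comment stating it next to `dna_read_lock();` would help whoever touches the config-update path that presumably takes the same locks. The `goto bail` now correctly releases the read lock, which the old code leaked on allocation failure.
```c
/* … unchanged: slapi_lock_mutex(config_entry->lock); slapi_delete_internal_set_pb(...); … */
slapi_delete_internal_pb(pb);
/* A missing entry is the normal first-start case; anything else means the
 * re-add below will collide with a stale entry, so record it. */
slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &rc);
if (rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
    slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM /* the file's log subsystem macro */,
                    "dna_update_config_event: delete of %s failed: %d\n",
                    config_entry->shared_cfg_dn, rc);
}
/* … unchanged: dna_update_shared_config(config_entry); unlock; slapi_pblock_init(pb); … */
```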
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Tue, 4 Nov 2008 18:23:10 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/m4 kerberos.m4,NONE,1.1 Message-ID: <20081104182310.834207013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/m4 In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9401/ldapserver/m4 Added Files: kerberos.m4 Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 1 Reviewed by: nkinder, nhosoi, ssorce (Thanks!) Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions. I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways. Finally, there is a lot of new kerberos code in the server. 
The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work. I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default). Fixed a bug in kerberos.m4 found by nkinder. ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch. Changed the log level in ldap_sasl_get_val - pointed out by nkinder Platforms tested: Fedora 9, Fedora 8 Flag Day: yes Doc impact: oh yes --- NEW FILE kerberos.m4 --- # BEGIN COPYRIGHT BLOCK # Copyright (C) 2008 Red Hat, Inc. # All rights reserved. # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. # # END COPYRIGHT BLOCK # -*- tab-width: 4; -*- # Configure paths for Kerberos dnl ======================================================== dnl = Kerberos is used directly for server to server SASL/GSSAPI dnl = authentication (replication, chaining, etc.) dnl = This allows us to authenticate using a keytab without dnl = having to call kinit outside the process dnl ======================================================== AC_CHECKING(for kerberos) if test -z "$with_kerberos" ; then with_kerberos=yes # if not set on cmdline, set default fi AC_MSG_CHECKING(for --with-kerberos) AC_ARG_WITH(kerberos, AS_HELP_STRING([--with-kerberos[=PATH]], [Use the kerberos API in the server directly - allows the server to authenticate directly with a keytab - otherwise, SASL/GSSAPI auth depends on underlying SASL libraries and external kinit with a keytab - if PATH is not specified, look for kerberos in the system locations. This will attempt to use krb5-config from the PATH to find the libs and include dirs - you can specify KRB5_CONFIG_BIN to specify a different filename or absolute path. 
If krb5-config does not work, this will attempt to look in various system directories]), [ if test "x$withval" = "xyes"; then AC_MSG_RESULT(yes) elif test "x$withval" = "xno"; then AC_MSG_RESULT(no) with_kerberos= elif test -d "$withval" -a -d "$withval/lib" -a -d "$withval/include" ; then AC_MSG_RESULT([using $withval]) kerberos_incdir="$withval/include" kerberos_libdir="$withval/lib" else AC_MSG_RESULT(yes) AC_MSG_ERROR([kerberos not found in $withval]) fi ], [ AC_MSG_RESULT(no) with_kerberos= ] ) AC_MSG_CHECKING(for --with-kerberos-inc) AC_ARG_WITH(kerberos-inc, AS_HELP_STRING([--with-kerberos-inc=PATH], [Allows you to explicitly set the directory containing the kerberos include files - implies use of kerberos]), [ if test -f "$withval"/krb5.h; then AC_MSG_RESULT([using $withval]) kerberos_incdir="$withval" with_kerberos=yes # implies use of kerberos else echo AC_MSG_ERROR([$withval/krb5.h not found]) fi ], AC_MSG_RESULT(no) ) AC_MSG_CHECKING(for --with-kerberos-lib) AC_ARG_WITH(kerberos-lib, AS_HELP_STRING([--with-kerberos-lib=PATH], [Allows you to explicitly set the directory containing the kerberos libraries - implies use of kerberos]), [ if test -d "$withval"; then AC_MSG_RESULT([using $withval]) kerberos_libdir="$withval" with_kerberos=yes # implies use of kerberos else echo AC_MSG_ERROR([$withval not found]) fi ], AC_MSG_RESULT(no) ) if test -n "$with_kerberos" ; then if test -z "$kerberos_incdir" -o -z "$kerberos_libdir" ; then dnl look for these using the krb5-config script dnl user can define KRB5_CONFIG_BIN to the full path dnl and filename of the script if it cannot or will not dnl be found in PATH if test -z "$KRB5_CONFIG_BIN" ; then AC_PATH_PROG(KRB5_CONFIG_BIN, krb5-config) fi if test -n "$KRB5_CONFIG_BIN" ; then AC_MSG_CHECKING(for kerberos with $KRB5_CONFIG_BIN) if test -z "$kerberos_libdir" ; then kerberos_lib=`$KRB5_CONFIG_BIN --libs krb5` fi if test -z "$kerberos_incdir" ; then kerberos_inc=`$KRB5_CONFIG_BIN --cflags krb5` fi dnl if using 
system includes, inc will be empty - ok if test -n "$kerberos_lib" ; then AC_MSG_RESULT([using kerberos found with $KRB5_CONFIG_BIN]) have_krb5=yes fi fi fi fi if test -n "$with_kerberos" -a -z "$kerberos_lib" ; then # save these in order to set them to use the check macros below # like AC_CHECK_HEADERS, AC_CHECK_LIB, and AC_CHECK_FUNCS save_CPPFLAGS="$CPPFLAGS" if test -n "$kerberos_incdir" ; then CPPFLAGS="-I$kerberos_incdir $CPPFLAGS" fi save_LDFLAGS="$LDFLAGS" if test -n "$kerberos_libdir" ; then LDFLAGS="-L$kerberos_libdir $LDFLAGS" fi krb5_impl=mit dnl check for Heimdal Kerberos AC_CHECK_HEADERS(heim_err.h) if test $ac_cv_header_heim_err_h = yes ; then krb5_impl=heimdal fi if test "x$krb5_impl" = "xmit"; then AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto]) AC_CHECK_LIB(krb5, main, [have_krb5=yes kerberos_lib="-lkrb5 -l$krb5crypto -lcom_err"], [have_krb5=no], [-l$krb5crypto -lcom_err]) elif test "x$krb5_impl" = "xheimdal"; then AC_CHECK_LIB(des, main, [krb5crypto=des], [krb5crypto=crypto]) AC_CHECK_LIB(krb5, main, [have_krb5=yes kerberos_lib="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err"], [have_krb5=no], [-l$krb5crypto -lasn1 -lroken -lcom_err]) AC_DEFINE(HAVE_HEIMDAL_KERBEROS, 1, [define if you have HEIMDAL Kerberos]) else have_krb5=no AC_MSG_WARN([Unrecognized Kerberos5 Implementation]) fi # reset to original values CPPFLAGS="$save_CPPFLAGS" LDFLAGS="$save_LDFLAGS" if test -n "$kerberos_incdir" ; then kerberos_inc="-I$kerberos_incdir" fi if test -n "$kerberos_libdir" ; then kerberos_lib="-L$kerberos_libdir $kerberos_lib" fi fi dnl at this point kerberos_lib and kerberos_inc should be set if test -n "$with_kerberos" ; then if test "x$have_krb5" = "xyes" ; then AC_DEFINE(HAVE_KRB5, 1, [define if you have Kerberos V]) else AC_MSG_ERROR([Required Kerberos 5 support not available]) fi dnl look for the wonderfully time saving function krb5_cc_new_unique save_LIBS="$LIBS" LIBS="$kerberos_lib" save_CPPFLAGS="$CPPFLAGS" 
CPPFLAGS="$kerberos_inc $CPPFLAGS" AC_CHECK_FUNCS([krb5_cc_new_unique]) LIBS="$save_LIBS" CPPFLAGS="$save_CPPFLAGS" fi AC_SUBST(kerberos_inc) AC_SUBST(kerberos_lib) AC_SUBST(kerberos_libdir) From rmeggins at fedoraproject.org Tue Nov 4 18:23:10 2008 
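Review bot: In the `--with-kerberos-inc` and `--with-kerberos-lib` handlers the failure branch is written `echo AC_MSG_ERROR([...])`; the `echo` is applied to the shell code the macro expands to, so depending on the autoconf version it either prints that code instead of aborting or produces a shell syntax error, and in the first case configure carries on with an unusable include or library path. Drop the `echo` so the lines read `AC_MSG_ERROR([$withval/krb5.h not found])` and `AC_MSG_ERROR([$withval not found])`. The `krb5-config` path relies on `$KRB5_CONFIG_BIN` being found via `AC_PATH_PROG`; a short `dnl` note that `--with-kerberos-inc`/`-lib` bypass it entirely (they skip the `$kerberos_incdir`/`$kerberos_libdir` empty test) would spare the next person from wondering why the script result is ignored when both are set.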
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Tue, 4 Nov 2008 18:23:10 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd proto-slap.h, 1.40, 1.41 slapi-plugin.h, 1.32, 1.33 slapi2nspr.c, 1.6, 1.7 ssl.c, 1.18, 1.19 util.c, 1.16, 1.17 Message-ID: <20081104182310.7E9BF70121@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9401/ldapserver/ldap/servers/slapd Modified Files: proto-slap.h slapi-plugin.h slapi2nspr.c ssl.c util.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 1 Reviewed by: nkinder, nhosoi, ssorce (Thanks!) Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions. I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. 
I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways. Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work. I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default). Fixed a bug in kerberos.m4 found by nkinder. ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch. Changed the log level in ldap_sasl_get_val - pointed out by nkinder Platforms tested: Fedora 9, Fedora 8 Flag Day: yes Doc impact: oh yes Index: proto-slap.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v retrieving revision 1.40 retrieving revision 1.41 diff -u -r1.40 -r1.41 --- proto-slap.h 24 Oct 2008 22:36:58 -0000 1.40 +++ proto-slap.h 4 Nov 2008 18:23:08 -0000 1.41 
@@ -904,6 +904,7 @@
 int slapd_security_library_is_initialized();
 int slapd_ssl_listener_is_initialized();
 int sasl_io_cleanup(Connection *c);
+int slapd_SSL_client_auth (LDAP* ld);
 /*
 * security_wrappers.c
@@ -1279,6 +1280,15 @@
 char **ids_sasl_listmech(Slapi_PBlock *pb);
 void ids_sasl_check_bind(Slapi_PBlock *pb);
 void ids_sasl_server_new(Connection *conn);
+int slapd_ldap_sasl_interactive_bind(
+ LDAP *ld, /* ldap connection */
+ const char *bindid, /* usually a bind DN for simple bind */
+ const char *creds, /* usually a password for simple bind */
+ const char *mech, /* name of mechanism */
+ LDAPControl **serverctrls, /* additional controls to send */
+ LDAPControl ***returnedctrls, /* returned controls */
+ int *msgidp /* pass in non-NULL for async handling */
+);
 /*
 * sasl_io.c
Index: slapi-plugin.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- slapi-plugin.h 17 Oct 2008 22:12:47 -0000 1.32
+++ slapi-plugin.h 4 Nov 2008 18:23:08 -0000 1.33
@@ -1084,6 +1084,27 @@
 */
 LDAP *slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared );
 void slapi_ldap_unbind( LDAP *ld );
+LDAP *
+slapi_ldap_init_ext(
+ const char *ldapurl, /* full ldap url */
+ const char *hostname, /* can also use this to override
+ host in url */
+ int port, /* can also use this to override port in url */
+ int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls -
+ override proto in url */
+ int shared, /* if true, LDAP* will be shared among multiple threads */
+ const char *filename /* for ldapi */
+);
+int
+slapi_ldap_bind(
+ LDAP *ld, /* ldap connection */
+ const char *bindid, /* usually a bind DN for simple bind */
+ const char *creds, /* usually a password for simple bind */
+ const char *mech, /* name of mechanism */
+ LDAPControl **serverctrls, /* additional controls to send */
+ LDAPControl ***returnedctrls, /* returned controls */
+ int *msgidp /* pass in non-NULL for async handling */
+);
 /*
Index: slapi2nspr.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi2nspr.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- slapi2nspr.c 15 Oct 2008 06:30:05 -0000 1.6
+++ slapi2nspr.c 4 Nov 2008 18:23:08 -0000 1.7
@@ -46,9 +46,6 @@
 */
 #include "slap.h"
-#include "snmp_collator.h"
-#include
-#include
 #include
 /*
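Review bot: The new exported prototype `slapi_ldap_init_ext` encodes the transport as bare integers (`int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls - override proto in url */`), and `slapi_ldap_bind` does not say what a NULL `mech` selects, what its `int` return is, or who frees `*returnedctrls`; for a public plugin API in slapi-plugin.h those belong in the header, not in util.c. Add named constants for the three `secure` values (e.g. `SLAPI_LDAP_INIT_FLAG_SSL` / `SLAPI_LDAP_INIT_FLAG_startTLS`, names to be confirmed against the implementation) and extend the `slapi_ldap_bind` comment with the return convention (an LDAP result code, if that is what util.c does), the meaning of NULL `mech`, and the `returnedctrls` ownership. The same parameter block is duplicated for `slapd_ldap_sasl_interactive_bind` in proto-slap.h; one of the two should point at the other rather than carry a second copy of the comments. The slapi2nspr.c hunk on this line only drops includes and needs nothing.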
@@ -213,127 +210,3 @@ return( prrc == PR_SUCCESS ? 1 : 0 ); } - -#ifdef MEMPOOL_EXPERIMENTAL -void _free_wrapper(void *ptr) -{ - slapi_ch_free(&ptr); -} -#endif - -/* - * Function: slapi_ldap_init() - * Description: just like ldap_ssl_init() but also arranges for the LDAP - * session handle returned to be safely shareable by multiple threads - * if "shared" is non-zero. - * Returns: - * an LDAP session handle (NULL if some local error occurs). - */ -LDAP * -slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared ) -{ - LDAP *ld; - int io_timeout_ms; - - - if ( secure && slapd_SSL_client_init() != 0 ) { - return( NULL ); - } - - /* - * Leverage the libprldap layer to take care of all the NSPR integration. - * Note that ldapssl_init() uses libprldap implicitly. - */ - -#ifdef MEMPOOL_EXPERIMENTAL - { - /* - * slapi_ch_malloc functions need to be set to LDAP C SDK - */ - struct ldap_memalloc_fns memalloc_fns; - memalloc_fns.ldapmem_malloc = (LDAP_MALLOC_CALLBACK *)slapi_ch_malloc; - memalloc_fns.ldapmem_calloc = (LDAP_CALLOC_CALLBACK *)slapi_ch_calloc; - memalloc_fns.ldapmem_realloc = (LDAP_REALLOC_CALLBACK *)slapi_ch_realloc; - memalloc_fns.ldapmem_free = (LDAP_FREE_CALLBACK *)_free_wrapper; - } - /* - * MEMPOOL_EXPERIMENTAL: - * These LDAP C SDK init function needs to be revisited. - * In ldap_init called via ldapssl_init and prldap_init initializes - * options and set default values including memalloc_fns, then it - * initializes as sasl client by calling sasl_client_init. In - * sasl_client_init, it creates mechlist using the malloc function - * available at the moment which could mismatch the malloc/free functions - * set later. 
- */ -#endif - if ( secure ) { - ld = ldapssl_init( ldaphost, ldapport, secure ); - } else { - ld = prldap_init( ldaphost, ldapport, shared ); - } - - /* Update snmp interaction table */ - if ( ld == NULL) { - set_snmp_interaction_row( ldaphost, ldapport, -1); - } else { - set_snmp_interaction_row( ldaphost, ldapport, 0); - } - - if ( ld != NULL ) { - /* - * Set the outbound LDAP I/O timeout based on the server config. - */ - io_timeout_ms = config_get_outbound_ldap_io_timeout(); - if ( io_timeout_ms > 0 ) { - if ( prldap_set_session_option( ld, NULL, PRLDAP_OPT_IO_MAX_TIMEOUT, - io_timeout_ms ) != LDAP_SUCCESS ) { - slapi_log_error( SLAPI_LOG_FATAL, "slapi_ldap_init", - "failed: unable to set outbound I/O timeout to %dms\n", - io_timeout_ms ); - slapi_ldap_unbind( ld ); - return( NULL ); - } - } - - /* - * Set SSL strength (server certificate validity checking). - */ - if ( secure ) { - int ssl_strength; - - if ( config_get_ssl_check_hostname()) { - /* check hostname against name in certificate */ - ssl_strength = LDAPSSL_AUTH_CNCHECK; - } else { - /* verify certificate only */ - ssl_strength = LDAPSSL_AUTH_CERT; - } - - if ( ldapssl_set_strength( ld, ssl_strength ) != 0 ) { - int prerr = PR_GetError(); - - slapi_log_error( SLAPI_LOG_FATAL, "slapi_ldap_init", - "failed: unable to set SSL strength to %d (" - SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", - ssl_strength, prerr, slapd_pr_strerror( prerr )); - - } - } - } - - return( ld ); -} - - -/* - * Function: slapi_ldap_unbind() - * Purpose: release an LDAP session obtained from a call to slapi_ldap_init(). - */ -void -slapi_ldap_unbind( LDAP *ld ) -{ - if ( ld != NULL ) { - ldap_unbind( ld ); - } -} Index: ssl.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/ssl.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- ssl.c 27 Aug 2008 21:56:07 -0000 1.18 +++ ssl.c 4 Nov 2008 18:23:08 -0000 1.19 
@@ -1034,8 +1034,7 @@
 }
 NSS_Init(certdbpath);
 SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE);
- SSL_OptionSetDefault(SSL_ENABLE_SSLdirs
-3, PR_TRUE);
+ SSL_OptionSetDefault(SSL_ENABLE_SSL3, PR_TRUE);
 s = NSS_SetDomesticPolicy();
 We already do pr_init, we don't need pr_setconcurrency, we already do nss_init and the rest
@@ -1047,7 +1046,7 @@
 return 0;
 }
-static int
+int
 slapd_SSL_client_auth (LDAP* ld)
 {
 int rc = 0;
Index: util.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- util.c 30 Nov 2007 17:23:13 -0000 1.16
+++ util.c 4 Nov 2008 18:23:08 -0000 1.17
@@ -54,6 +54,9 @@
 #include "slap.h"
 #include "prtime.h"
 #include "prinrval.h"
+#include "snmp_collator.h"
+#include
+#include
 #define UTIL_ESCAPE_NONE 0
 #define UTIL_ESCAPE_HEX 1
@@ -69,6 +72,11 @@
 #define _CSEP '/'
 #endif
+#ifdef HAVE_KRB5
+static void set_krb5_creds();
+#endif
+
+
 static int special_np(unsigned char c)
 {
 if(c < 32 || c > 126) {
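Review bot: `static void set_krb5_creds();` in the util.c -69 hunk declares a function with an unspecified parameter list, so a call with stray arguments compiles silently and the prototype checks nothing; as a file-local helper it should be `static void set_krb5_creds(void);`, with the definition further down the file (outside this chunk) matching. In the ssl.c -1047 hunk `slapd_SSL_client_auth` go from `static int` to `int` so other translation units can call it, but the function carries no comment on its return convention; since the prototype now lives in proto-slap.h, a one-line `/* returns 0 on success, non-zero on failure */` style note (whichever the body actually implements) belongs on the definition.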
@@ -775,3 +783,1029 @@ slapi_ch_free_string(&norm_p1); return rval; } + +#ifdef MEMPOOL_EXPERIMENTAL +void _free_wrapper(void *ptr) +{ + slapi_ch_free(&ptr); +} +#endif + +/* + * Function: slapi_ldap_unbind() + * Purpose: release an LDAP session obtained from a call to slapi_ldap_init(). + */ +void +slapi_ldap_unbind( LDAP *ld ) +{ + if ( ld != NULL ) { + ldap_unbind( ld ); + } +} + +const char * +slapi_urlparse_err2string( int err ) +{ + const char *s="internal error"; + + switch( err ) { + case 0: + s = "no error"; + break; + case LDAP_URL_ERR_NOTLDAP: + s = "missing ldap:// or ldaps:// or ldapi://"; + break; + case LDAP_URL_ERR_NODN: + s = "missing suffix"; + break; + case LDAP_URL_ERR_BADSCOPE: + s = "invalid search scope"; + break; + case LDAP_URL_ERR_MEM: + s = "unable to allocate memory"; + break; + case LDAP_URL_ERR_PARAM: + s = "bad parameter to an LDAP URL function"; + break; + } + + return( s ); +} + +/* + Perform LDAP init and return an LDAP* handle. If ldapurl is given, + that is used as the basis for the protocol, host, port, and whether + to use starttls (given on the end as ldap://..../?????starttlsOID + If hostname is given, LDAP or LDAPS is assumed, and this will override + the hostname from the ldapurl, if any. If port is > 0, this is the + port number to use. It will override the port in the ldapurl, if any. + If no port is given in port or ldapurl, the default will be used based + on the secure setting (389 for ldap, 636 for ldaps, 389 for starttls) + secure takes 1 of 3 values - 0 means regular ldap, 1 means ldaps, 2 + means regular ldap with starttls. + filename is the ldapi file name - if this is given, and no other options + are given, ldapi is assumed. 
+ */ +LDAP * +slapi_ldap_init_ext( + const char *ldapurl, /* full ldap url */ + const char *hostname, /* can also use this to override + host in url */ + int port, /* can also use this to override port in url */ + int secure, /* 0 for ldap, 1 for ldaps, 2 for starttls - + override proto in url */ + int shared, /* if true, LDAP* will be shared among multiple threads */ + const char *filename /* for ldapi */ +) +{ + LDAPURLDesc *ludp = NULL; + LDAP *ld = NULL; + int rc = 0; + + /* if ldapurl is given, parse it */ + if (ldapurl && ((rc = ldap_url_parse_no_defaults(ldapurl, &ludp, 0)) || + !ludp)) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext", + "Could not parse given LDAP URL [%s] : error [%s]\n", + ldapurl ? ldapurl : "NULL", + slapi_urlparse_err2string(rc)); + goto done; + } + + /* use url host if no host given */ + if (!hostname && ludp && ludp->lud_host) { + hostname = ludp->lud_host; + } + + /* use url port if no port given */ + if (!port && ludp && ludp->lud_port) { + port = ludp->lud_port; + } + + /* use secure setting from url if none given */ + if (!secure && ludp) { + if (ludp->lud_options & LDAP_URL_OPT_SECURE) { + secure = 1; + } else if (0/* starttls option - not supported yet in LDAP URLs */) { + secure = 2; + } + } + + /* ldap_url_parse doesn't yet handle ldapi */ + /* + if (!filename && ludp && ludp->lud_file) { + filename = ludp->lud_file; + } + */ + +#ifdef MEMPOOL_EXPERIMENTAL + { + /* + * slapi_ch_malloc functions need to be set to LDAP C SDK + */ + struct ldap_memalloc_fns memalloc_fns; + memalloc_fns.ldapmem_malloc = (LDAP_MALLOC_CALLBACK *)slapi_ch_malloc; + memalloc_fns.ldapmem_calloc = (LDAP_CALLOC_CALLBACK *)slapi_ch_calloc; + memalloc_fns.ldapmem_realloc = (LDAP_REALLOC_CALLBACK *)slapi_ch_realloc; + memalloc_fns.ldapmem_free = (LDAP_FREE_CALLBACK *)_free_wrapper; + } + /* + * MEMPOOL_EXPERIMENTAL: + * These LDAP C SDK init function needs to be revisited. 
+ * In ldap_init called via ldapssl_init and prldap_init initializes + * options and set default values including memalloc_fns, then it + * initializes as sasl client by calling sasl_client_init. In + * sasl_client_init, it creates mechlist using the malloc function + * available at the moment which could mismatch the malloc/free functions + * set later. + */ +#endif + if (filename) { + /* ldapi in mozldap client is not yet supported */ + } else if (secure == 1) { + ld = ldapssl_init(hostname, port, secure); + } else { /* regular ldap and/or starttls */ + /* + * Leverage the libprldap layer to take care of all the NSPR + * integration. + * Note that ldapssl_init() uses libprldap implicitly. + */ + ld = prldap_init(hostname, port, shared); + } + + /* Update snmp interaction table */ + if (hostname) { + if (ld == NULL) { + set_snmp_interaction_row((char *)hostname, port, -1); + } else { + set_snmp_interaction_row((char *)hostname, port, 0); + } + } + + if ((ld != NULL) && !filename) { + /* + * Set the outbound LDAP I/O timeout based on the server config. + */ + int io_timeout_ms = config_get_outbound_ldap_io_timeout(); + if (io_timeout_ms > 0) { + if (prldap_set_session_option(ld, NULL, PRLDAP_OPT_IO_MAX_TIMEOUT, + io_timeout_ms) != LDAP_SUCCESS) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext", + "failed: unable to set outbound I/O " + "timeout to %dms\n", + io_timeout_ms); + slapi_ldap_unbind(ld); + ld = NULL; + goto done; + } + } + + /* + * Set SSL strength (server certificate validity checking). 
+ */ + if (secure > 0) { + int ssl_strength = 0; + + if (config_get_ssl_check_hostname()) { + /* check hostname against name in certificate */ + ssl_strength = LDAPSSL_AUTH_CNCHECK; + } else { + /* verify certificate only */ + ssl_strength = LDAPSSL_AUTH_CERT; + } + + if (ldapssl_set_strength(ld, ssl_strength) != 0) { + int prerr = PR_GetError(); + + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext", + "failed: unable to set SSL strength to %d (" + SLAPI_COMPONENT_NAME_NSPR " error %d - %s)", + ssl_strength, prerr, + slapd_pr_strerror(prerr)); + + } + if (secure == 1) { + /* tell bind code we are using SSL */ + ldap_set_option(ld, LDAP_OPT_SSL, LDAP_OPT_ON); + } + } + } + + if (ld && (secure == 2)) { + /* We don't have a way to stash context data with the LDAP*, so we + stash the information in the client controls (currently unused). + We don't want to open the connection in ldap_init, since that's + not the semantic - the connection is not usually opened until + the first operation is sent, which is usually the bind - or + in this case, the start_tls - so we stash the start_tls so + we can do it in slapi_ldap_bind - note that this will get + cleaned up when the LDAP* is disposed of + */ + LDAPControl start_tls_dummy_ctrl; + LDAPControl **clientctrls = NULL; + + /* returns copy of controls */ + ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls); + + start_tls_dummy_ctrl.ldctl_oid = slapi_ch_strdup(START_TLS_OID); + start_tls_dummy_ctrl.ldctl_value.bv_val = NULL; + start_tls_dummy_ctrl.ldctl_value.bv_len = 0; + start_tls_dummy_ctrl.ldctl_iscritical = 0; + slapi_add_control_ext(&clientctrls, &start_tls_dummy_ctrl, 1); + /* set option frees old list and copies the new list */ + ldap_set_option(ld, LDAP_OPT_CLIENT_CONTROLS, clientctrls); + ldap_controls_free(clientctrls); /* free the copy */ + } + +done: + ldap_free_urldesc(ludp); + + return( ld ); +} + +/* + * Function: slapi_ldap_init() + * Description: just like ldap_ssl_init() but also arranges for 
the LDAP + * session handle returned to be safely shareable by multiple threads + * if "shared" is non-zero. + * Returns: + * an LDAP session handle (NULL if some local error occurs). + */ +LDAP * +slapi_ldap_init( char *ldaphost, int ldapport, int secure, int shared ) +{ + return slapi_ldap_init_ext(NULL, ldaphost, ldapport, secure, shared, NULL); +} + +/* + * Does the correct bind operation simple/sasl/cert depending + * on the arguments passed in. If the user specified to use + * starttls in init, this will do the starttls first. If using + * ssl or client cert auth, this will initialize the client side + * of that. + */ +int +slapi_ldap_bind( + LDAP *ld, /* ldap connection */ + const char *bindid, /* usually a bind DN for simple bind */ + const char *creds, /* usually a password for simple bind */ + const char *mech, /* name of mechanism */ + LDAPControl **serverctrls, /* additional controls to send */ + LDAPControl ***returnedctrls, /* returned controls */ + int *msgidp /* pass in non-NULL for async handling */ +) +{ + int rc = LDAP_SUCCESS; + LDAPControl **clientctrls = NULL; + int secure = 0; + struct berval bvcreds = {0, NULL}; + LDAPMessage *result = NULL; + struct berval *servercredp = NULL; + + /* do starttls if requested + NOTE - starttls is an extop, not a control, but we don't have + a place we can stash this information in the LDAP*, other + than the currently unused clientctrls */ + ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls); + if (clientctrls && clientctrls[0] && + slapi_control_present(clientctrls, START_TLS_OID, NULL, NULL)) { + secure = 2; + } else { + ldap_get_option(ld, LDAP_OPT_SSL, &secure); + } + + if ((secure > 0) && mech && !strcmp(mech, LDAP_SASL_EXTERNAL)) { + /* SSL connections will use the server's security context + and cert for client auth */ + rc = slapd_SSL_client_auth(ld); + + if (rc != 0) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not configure the server for cert " + "auth - error 
%d - make sure the server is " + "correctly configured for SSL/TLS\n", rc); + goto done; + } + bvcreds.bv_val = NULL; /* ignore username and passed in creds */ + bvcreds.bv_len = 0; /* for external auth */ + bindid = NULL; + } else { /* other type of auth */ + bvcreds.bv_val = (char *)creds; + bvcreds.bv_len = creds ? strlen(creds) : 0; + } + + if (secure == 2) { /* send start tls */ + rc = ldap_start_tls_s(ld, NULL /* serverctrls?? */, NULL); + if (LDAP_SUCCESS != rc) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not send startTLS request: " + "error %d (%s)\n", + rc, ldap_err2string(rc)); + goto done; + } + } + + /* The connection has been set up - now do the actual bind, depending on + the mechanism and arguments */ + if (!mech || (mech == LDAP_SASL_SIMPLE) || + !strcmp(mech, LDAP_SASL_EXTERNAL)) { + int mymsgid = 0; + + if ((rc = ldap_sasl_bind(ld, bindid, mech, &bvcreds, serverctrls, + NULL /* clientctrls */, &mymsgid))) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not send bind request for id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + goto done; + } + + if (msgidp) { /* let caller process result */ + *msgidp = mymsgid; + } else { /* process results */ + if (ldap_result(ld, mymsgid, LDAP_MSG_ALL, + (struct timeval *)0, &result) == -1) { + rc = ldap_get_lderrno(ld, NULL, NULL); + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error reading bind response for id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + goto done; + } + + /* Get the controls sent by the server if requested */ + if (returnedctrls) { + if ((rc = ldap_parse_result(ld, result, &rc, NULL, NULL, + NULL, returnedctrls, + 0)) != LDAP_SUCCESS) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not bind id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? 
bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + goto done; + } + } + + /* parse the bind result and get the ldap error code */ + if ((rc = ldap_parse_sasl_bind_result(ld, result, &servercredp, + 0)) || + (rc = ldap_result2error(ld, result, 0))) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not read bind results for id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + goto done; + } + } + } else { + rc = slapd_ldap_sasl_interactive_bind(ld, bindid, creds, mech, + serverctrls, returnedctrls, + msgidp); + if (LDAP_SUCCESS != rc) { + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: could not perform interactive bind for id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + } + } + +done: + slapi_ch_bvfree(&servercredp); + ldap_msgfree(result); + + return rc; +} + +/* the following implements the client side of sasl bind, for LDAP server + -> LDAP server SASL */ +#include + +typedef struct { + char *mech; + char *authid; + char *username; + char *passwd; + char *realm; +} ldapSaslInteractVals; + +static void * +ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid, + const char *username, const char *passwd, + const char *realm) +{ + ldapSaslInteractVals *vals = NULL; + + vals = (ldapSaslInteractVals *) + slapi_ch_calloc(1, sizeof(ldapSaslInteractVals)); + + if (!vals) { + return NULL; + } + + if (mech) { + vals->mech = slapi_ch_strdup(mech); + } else { + ldap_get_option(ld, LDAP_OPT_X_SASL_MECH, &vals->mech); + } + + if (authid) { /* use explicit passed in value */ + vals->authid = slapi_ch_strdup(authid); + } else { /* use option value if any */ + ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHCID, &vals->authid); + if (!vals->authid) { +/* get server user id? 
*/ + vals->authid = slapi_ch_strdup(""); + } + } + +#ifdef HAVE_KRB5 + if (mech && !strcmp(mech, "GSSAPI")) { + username = NULL; /* get from krb creds */ + } +#endif + + if (username) { /* use explicit passed in value */ + vals->username = slapi_ch_strdup(username); + } else { /* use option value if any */ + ldap_get_option(ld, LDAP_OPT_X_SASL_AUTHZID, &vals->username); + if (!vals->username) { /* use default sasl value */ + vals->username = slapi_ch_strdup(""); + } + } + + if (passwd) { + vals->passwd = slapi_ch_strdup(passwd); + } else { + vals->passwd = slapi_ch_strdup(""); + } + + if (realm) { + vals->realm = slapi_ch_strdup(realm); + } else { + ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &vals->realm); + if (!vals->realm) { /* use default sasl value */ + vals->realm = slapi_ch_strdup(""); + } + } + +#ifdef HAVE_KRB5 + if (mech && !strcmp(mech, "GSSAPI")) { + set_krb5_creds(); + } +#endif /* HAVE_KRB5 */ + + return vals; +} + +static void +ldap_sasl_free_interact_vals(void *defaults) +{ + ldapSaslInteractVals *vals = defaults; + + if (vals) { + slapi_ch_free_string(&vals->mech); + slapi_ch_free_string(&vals->authid); + slapi_ch_free_string(&vals->username); + slapi_ch_free_string(&vals->passwd); + slapi_ch_free_string(&vals->realm); + slapi_ch_free(&defaults); + } +} + +static int +ldap_sasl_get_val(ldapSaslInteractVals *vals, sasl_interact_t *interact, unsigned flags) +{ + const char *defvalue = interact->defresult; + int authtracelevel = SLAPI_LOG_SHELL; /* special auth tracing */ + + if (vals != NULL) { + switch(interact->id) { + case SASL_CB_AUTHNAME: + defvalue = vals->authid; + slapi_log_error(authtracelevel, "ldap_sasl_get_val", + "Using value [%s] for SASL_CB_AUTHNAME\n", + defvalue ? defvalue : "(null)"); + break; + case SASL_CB_USER: + defvalue = vals->username; + slapi_log_error(authtracelevel, "ldap_sasl_get_val", + "Using value [%s] for SASL_CB_USER\n", + defvalue ? 
defvalue : "(null)"); + break; + case SASL_CB_PASS: + defvalue = vals->passwd; + slapi_log_error(authtracelevel, "ldap_sasl_get_val", + "Using value [%s] for SASL_CB_PASS\n", + defvalue ? defvalue : "(null)"); + break; + case SASL_CB_GETREALM: + defvalue = vals->realm; + slapi_log_error(authtracelevel, "ldap_sasl_get_val", + "Using value [%s] for SASL_CB_GETREALM\n", + defvalue ? defvalue : "(null)"); + break; + } + } + + if (defvalue != NULL) { + interact->result = defvalue; + if ((char *)interact->result == NULL) + return (LDAP_NO_MEMORY); + interact->len = strlen((char *)(interact->result)); + } + return (LDAP_SUCCESS); +} + +static int +ldap_sasl_interact_cb(LDAP *ld, unsigned flags, void *defaults, void *prompts) +{ + sasl_interact_t *interact = NULL; + ldapSaslInteractVals *sasldefaults = defaults; + int rc; + + if (prompts == NULL) { + return (LDAP_PARAM_ERROR); + } + + for (interact = prompts; interact->id != SASL_CB_LIST_END; interact++) { + /* Obtain the default value */ + if ((rc = ldap_sasl_get_val(sasldefaults, interact, flags)) != LDAP_SUCCESS) { + return (rc); + } + } + + return (LDAP_SUCCESS); +} + +int +slapd_ldap_sasl_interactive_bind( + LDAP *ld, /* ldap connection */ + const char *bindid, /* usually a bind DN for simple bind */ + const char *creds, /* usually a password for simple bind */ + const char *mech, /* name of mechanism */ + LDAPControl **serverctrls, /* additional controls to send */ + LDAPControl ***returnedctrls, /* returned controls */ + int *msgidp /* pass in non-NULL for async handling */ +) +{ + int rc = LDAP_SUCCESS; + void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid, + creds, NULL); + /* have to first set the defaults used by the callback function */ + /* call the bind function */ + rc = ldap_sasl_interactive_bind_ext_s(ld, bindid, mech, serverctrls, + NULL, LDAP_SASL_QUIET, + ldap_sasl_interact_cb, defaults, + returnedctrls); + ldap_sasl_free_interact_vals(defaults); + if (LDAP_SUCCESS != rc) { + 
slapi_log_error(SLAPI_LOG_FATAL, "slapd_ldap_sasl_interactive_bind", + "Error: could not perform interactive bind for id " + "[%s] mech [%s]: error %d (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc)); + } + + return rc; +} + +#ifdef HAVE_KRB5 +#include + +/* for some reason this is not in the public API? + but it is documented e.g. man kinit */ +#ifndef KRB5_ENV_CCNAME +#define KRB5_ENV_CCNAME "KRB5CCNAME" +#endif + +static void +show_one_credential(int authtracelevel, + krb5_context ctx, krb5_creds *cred) +{ + char *logname = "show_one_credential"; + krb5_error_code rc; + char *name = NULL, *sname = NULL; + char startts[BUFSIZ], endts[BUFSIZ], renewts[BUFSIZ]; + + if ((rc = krb5_unparse_name(ctx, cred->client, &name))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get client name from credential: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + if ((rc = krb5_unparse_name(ctx, cred->server, &sname))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get server name from credential: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + if (!cred->times.starttime) { + cred->times.starttime = cred->times.authtime; + } + krb5_timestamp_to_sfstring((krb5_timestamp)cred->times.starttime, + startts, sizeof(startts), NULL); + krb5_timestamp_to_sfstring((krb5_timestamp)cred->times.endtime, + endts, sizeof(endts), NULL); + krb5_timestamp_to_sfstring((krb5_timestamp)cred->times.renew_till, + renewts, sizeof(renewts), NULL); + + slapi_log_error(authtracelevel, logname, + "\tKerberos credential: client [%s] server [%s] " + "start time [%s] end time [%s] renew time [%s] " + "flags [0x%x]\n", name, sname, startts, endts, + renewts, (uint32_t)cred->ticket_flags); + +cleanup: + krb5_free_unparsed_name(ctx, name); + krb5_free_unparsed_name(ctx, sname); + + return; +} + +/* + * Call this after storing the credentials in the cache + */ +static void +show_cached_credentials(int authtracelevel, + 
krb5_context ctx, krb5_ccache cc, + krb5_principal princ) +{ + char *logname = "show_cached_credentials"; + krb5_error_code rc = 0; + krb5_creds creds; + krb5_cc_cursor cur; + char *princ_name = NULL; + + if ((rc = krb5_unparse_name(ctx, princ, &princ_name))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get principal name from principal: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + + slapi_log_error(authtracelevel, logname, + "Ticket cache: %s:%s\nDefault principal: %s\n\n", + krb5_cc_get_type(ctx, cc), + krb5_cc_get_name(ctx, cc), princ_name); + + if ((rc = krb5_cc_start_seq_get(ctx, cc, &cur))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get cursor to iterate cached credentials: " + "%d (%s)\n", rc, error_message(rc)); + goto cleanup; + } + + while (!(rc = krb5_cc_next_cred(ctx, cc, &cur, &creds))) { + show_one_credential(authtracelevel, ctx, &creds); + krb5_free_cred_contents(ctx, &creds); + } + if (rc == KRB5_CC_END) { + if ((rc = krb5_cc_end_seq_get(ctx, cc, &cur))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not close cached credentials cursor: " + "%d (%s)\n", rc, error_message(rc)); + goto cleanup; + } + } + +cleanup: + krb5_free_unparsed_name(ctx, princ_name); + + return; +} + +/* + * This implementation assumes that we want to use the + * keytab from the default keytab env. var KRB5_KTNAME + * as. This code is very similar to kinit -k -t. We + * get a krb context, get the default keytab, get + * the credentials from the keytab, authenticate with + * those credentials, create a ccache, store the + * credentials in the ccache, and set the ccache + * env var to point to those credentials. 
+ */ +static void +set_krb5_creds() +{ + char *logname = "set_krb5_creds"; + const char *cc_type = "MEMORY"; /* keep cred cache in memory */ + krb5_context ctx = NULL; + krb5_ccache cc = NULL; + krb5_principal princ = NULL; + char *princ_name = NULL; + krb5_error_code rc = 0; + krb5_error_code looprc = 0; + krb5_creds creds; + krb5_keytab kt = NULL; + krb5_keytab_entry ktent; + krb5_kt_cursor ktcur = NULL; + char *cc_name = NULL; + char ktname[MAX_KEYTAB_NAME_LEN]; + static char cc_env_name[1024+32]; /* size from ccdefname.c */ + int new_ccache = 0; + int authtracelevel = SLAPI_LOG_SHELL; /* special auth tracing + not sure what shell was + used for, does not + appear to be used + currently */ + + /* probably have to put a mutex around this whole thing, to avoid + problems with reentrancy, since we are setting a "global" + variable via an environment variable */ + + /* wipe this out so we can safely free it later if we + short circuit */ + memset(&creds, 0, sizeof(creds)); + + /* initialize the kerberos context */ + if ((rc = krb5_init_context(&ctx))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not init Kerberos context: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + + /* see if there is already a ccache, and see if there are + creds in the ccache */ + /* grab the default ccache - note: this does not open the cache */ + if ((rc = krb5_cc_default(ctx, &cc))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get default Kerberos ccache: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + + /* use this cache - construct the full cache name */ + cc_name = slapi_ch_smprintf("%s:%s", krb5_cc_get_type(ctx, cc), + krb5_cc_get_name(ctx, cc)); + + /* grab the principal from the ccache - will fail if there + is no ccache */ + if ((rc = krb5_cc_get_principal(ctx, cc, &princ))) { + if (KRB5_FCC_NOFILE == rc) { /* no cache - ok */ + slapi_log_error(authtracelevel, logname, + "The default credentials cache [%s] not found: " + "will create a 
new one.\n", cc_name); + /* close the cache - we will create a new one below */ + krb5_cc_close(ctx, cc); + cc = NULL; + slapi_ch_free_string(&cc_name); + /* fall through to the keytab auth code below */ + } else { /* fatal */ + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not open default Kerberos ccache [%s]: " + "%d (%s)\n", cc_name, rc, error_message(rc)); + goto cleanup; + } + } else { /* have a valid ccache && found principal */ + if ((rc = krb5_unparse_name(ctx, princ, &princ_name))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to get name of principal from ccache [%s]: " + "%d (%s)\n", cc_name, rc, error_message(rc)); + goto cleanup; + } + slapi_log_error(authtracelevel, logname, + "Using principal [%s] from ccache [%s]\n", + princ_name, cc_name); + } + + /* if this is not our type of ccache, there is nothing more we can + do - just punt and let sasl/gssapi take it's course - this + usually means there has been an external kinit e.g. in the + start up script, and it is the responsibility of the script to + renew those credentials or face lots of sasl/gssapi failures + This means, however, that the caller MUST MAKE SURE THERE IS NO + DEFAULT CCACHE FILE or the server will attempt to use it (and + likely fail) - THERE MUST BE NO DEFAULT CCACHE FILE IF YOU WANT + THE SERVER TO AUTHENTICATE WITH THE KEYTAB + NOTE: cc types are case sensitive and always upper case */ + if (cc && strcmp(cc_type, krb5_cc_get_type(ctx, cc))) { + static int errmsgcounter = 0; + int loglevel = SLAPI_LOG_FATAL; + if (errmsgcounter) { + loglevel = authtracelevel; + } + /* make sure we log this message once, in case the user has + done something unintended, we want to make sure they know + about it. However, if the user knows what he/she is doing, + by using an external ccache file, they probably don't want + to be notified with an error every time. */ + slapi_log_error(loglevel, logname, + "The server will use the external SASL/GSSAPI " + "credentials cache [%s:%s]. 
If you want the " + "server to automatically authenticate with its " + "keytab, you must remove this cache. If you " + "did not intend to use this cache, you will likely " + "see many SASL/GSSAPI authentication failures.\n", + krb5_cc_get_type(ctx, cc), krb5_cc_get_name(ctx, cc)); + errmsgcounter++; + goto cleanup; + } + + /* find our default keytab */ + if ((rc = krb5_kt_default(ctx, &kt))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to get default keytab: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + + /* get name of keytab for debugging purposes */ + if ((rc = krb5_kt_get_name(ctx, kt, ktname, sizeof(ktname)))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to get name of default keytab: %d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + + slapi_log_error(authtracelevel, logname, + "Using keytab named [%s]\n", ktname); + + /* if there was no cache, or no principal in the cache, we look + in the keytab */ + if (!princ) { + /* just use the first principal in the keytab + "first principals, clarice" + */ + if ((rc = krb5_kt_start_seq_get(ctx, kt, &ktcur))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to open keytab [%s] cursor: %d (%s)\n", + ktname, rc, error_message(rc)); + goto cleanup; + } + + memset(&ktent, 0, sizeof(ktent)); + while ((looprc = krb5_kt_next_entry(ctx, kt, &ktent, &ktcur)) == 0) { + if ((looprc = krb5_unparse_name(ctx, ktent.principal, + &princ_name))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to get name from keytab [%s] " + "principal: %d (%s)\n", ktname, looprc, + error_message(looprc)); + break; + } + /* found one - make a copy to free later */ + if ((looprc = krb5_copy_principal(ctx, ktent.principal, + &princ))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to copy keytab [%s] principal [%s]: " + "%d (%s)\n", ktname, princ_name, looprc, + error_message(looprc)); + break; + } + slapi_log_error(authtracelevel, logname, + "Using keytab principal [%s]\n", 
princ_name); + break; + } + + krb5_free_keytab_entry_contents(ctx, &ktent); + memset(&ktent, 0, sizeof(ktent)); + if ((rc = krb5_kt_end_seq_get(ctx, kt, &ktcur))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to close keytab [%s] cursor: %d (%s)\n", + ktname, rc, error_message(rc)); + goto cleanup; + } + + /* if we had an error in the loop above, just bail out + after closing the keytab cursor and keytab */ + if (looprc) { + rc = looprc; + goto cleanup; + } + } + + /* now do the actual kerberos authentication using + the keytab, and get the creds */ + rc = krb5_get_init_creds_keytab(ctx, &creds, princ, kt, + 0, NULL, NULL); + if (rc) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get initial credentials for principal [%s] " + "in keytab [%s]: %d (%s)\n", + princ_name, ktname, rc, error_message(rc)); + goto cleanup; + } + + /* completely done with the keytab now, close it */ + krb5_kt_close(ctx, kt); + kt = NULL; /* no double free */ + + /* we now have the creds and the principal to which the + creds belong - use or allocate a new memory based + cache to hold the creds */ + if (!cc_name) { +#if HAVE_KRB5_CC_NEW_UNIQUE + /* krb5_cc_new_unique is a new convenience function which + generates a new unique name and returns a memory + cache with that name */ + if ((rc = krb5_cc_new_unique(ctx, cc_type, NULL, &cc))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not create new unique memory ccache: " + "%d (%s)\n", + rc, error_message(rc)); + goto cleanup; + } + cc_name = slapi_ch_smprintf("%s:%s", cc_type, + krb5_cc_get_name(ctx, cc)); +#else + /* store the cache in memory - krb5_init_context uses malloc + to create the ctx, so the address should be unique enough + for our purposes */ + if (!(cc_name = slapi_ch_smprintf("%s:%p", cc_type, ctx))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could create Kerberos memory ccache: " + "out of memory\n"); + rc = 1; + goto cleanup; + } +#endif + slapi_log_error(authtracelevel, logname, + 
"Generated new memory ccache [%s]\n", cc_name); + new_ccache = 1; /* need to set this in env. */ + } else { + slapi_log_error(authtracelevel, logname, + "Using existing ccache [%s]\n", cc_name); + } + + /* krb5_cc_resolve is basically like an init - + this creates the cache structure, and creates a slot + for the cache in the static linked list in memory, if + there is not already a slot - + see cc_memory.c for details + cc could already have been created by new_unique above + */ + if (!cc && (rc = krb5_cc_resolve(ctx, cc_name, &cc))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not create ccache [%s]: %d (%s)\n", + cc_name, rc, error_message(rc)); + goto cleanup; + } + + /* wipe out previous contents of cache for this principal, if any */ + if ((rc = krb5_cc_initialize(ctx, cc, princ))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not initialize ccache [%s] for the new " + "credentials for principal [%s]: %d (%s)\n", + cc_name, princ_name, rc, error_message(rc)); + goto cleanup; + } + + /* store the credentials in the cache */ + if ((rc = krb5_cc_store_cred(ctx, cc, &creds))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not store the credentials in the " + "ccache [%s] for principal [%s]: %d (%s)\n", + cc_name, princ_name, rc, error_message(rc)); + goto cleanup; + } + + /* now, do a "klist" to show the credential information, and log it */ + show_cached_credentials(authtracelevel, ctx, cc, princ); + + /* set the CC env var to the value of the cc cache name */ + /* since we can't pass krb5 context up and out of here + and down through the ldap sasl layer, we set this + env var so that calls to krb5_cc_default_name will + use this */ + if (new_ccache) { + PR_snprintf(cc_env_name, sizeof(cc_env_name), + "%s=%s", KRB5_ENV_CCNAME, cc_name); + PR_SetEnv(cc_env_name); + slapi_log_error(authtracelevel, logname, + "Set new env for ccache: [%s]\n", + cc_env_name); + } + +cleanup: + krb5_free_unparsed_name(ctx, princ_name); + if (kt) { /* NULL 
not allowed */ + krb5_kt_close(ctx, kt); + } + if (creds.client == princ) { + creds.client = NULL; + } + krb5_free_cred_contents(ctx, &creds); + slapi_ch_free_string(&cc_name); + krb5_free_principal(ctx, princ); + if (cc) { + krb5_cc_close(ctx, cc); + } + if (ctx) { /* cannot pass NULL to free context */ + krb5_free_context(ctx); + } + return; +} + +#endif /* HAVE_KRB5 */ From rmeggins at fedoraproject.org Tue Nov 4 18:23:10 2008 
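Review bot: `ldap_sasl_get_val` writes the SASL password to the error log — the `SASL_CB_PASS` branch logs `defvalue`, which is `vals->passwd`, in cleartext at `authtracelevel` (SLAPI_LOG_SHELL), so enabling that trace level records the replication credentials in the log; log only whether a value is present, e.g. `"Using %s value for SASL_CB_PASS\n", (defvalue && *defvalue) ? "a non-empty" : "an empty"`, and note that the `(char *)interact->result == NULL` test just below is unreachable because it sits inside `if (defvalue != NULL)`. In `slapi_ldap_bind`, the list returned by `ldap_get_option(ld, LDAP_OPT_CLIENT_CONTROLS, &clientctrls)` is never released, although the comment in `slapi_ldap_init_ext` says that option returns a copy and frees it there with `ldap_controls_free`; the same `ldap_controls_free(clientctrls);` belongs at `done:`. `set_krb5_creds` updates the process-wide `KRB5CCNAME` through the static `cc_env_name` buffer and `PR_SetEnv`, and its own comment admits the missing mutex — concurrent SASL/GSSAPI binds from several replication threads can race on both the buffer and the environment, so a lock around the function (or a once-only initialization) is needed before this ships. `slapd_ldap_sasl_interactive_bind` accepts `msgidp` but always binds synchronously via `ldap_sasl_interactive_bind_ext_s`, so an async caller silently gets no message id; either document that `msgidp` is ignored for SASL interactive binds or reject a non-NULL `msgidp` with `LDAP_PARAM_ERROR`.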
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Tue, 4 Nov 2008 18:23:10 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5.h, 1.12, 1.13 repl5_agmt.c, 1.14, 1.15 repl5_connection.c, 1.9, 1.10 Message-ID: <20081104182310.689957013B@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9401/ldapserver/ldap/servers/plugins/replication Modified Files: repl5.h repl5_agmt.c repl5_connection.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 1 Reviewed by: nkinder, nhosoi, ssorce (Thanks!) Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions. I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. 
I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways. Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work. I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default). Fixed a bug in kerberos.m4 found by nkinder. ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch. Changed the log level in ldap_sasl_get_val - pointed out by nkinder Platforms tested: Fedora 9, Fedora 8 Flag Day: yes Doc impact: oh yes Index: repl5.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5.h,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- repl5.h 17 Oct 2008 22:12:47 -0000 1.12 +++ repl5.h 4 Nov 2008 18:23:08 -0000 1.13 
@@ -256,6 +256,8 @@
 #define TRANSPORT_FLAG_TLS 2 #define BINDMETHOD_SIMPLE_AUTH 1 #define BINDMETHOD_SSL_CLIENTAUTH 2
+#define BINDMETHOD_SASL_GSSAPI 3
+#define BINDMETHOD_SASL_DIGEST_MD5 4
 Repl_Agmt *agmt_new_from_entry(Slapi_Entry *e); Repl_Agmt *agmt_new_from_pblock(Slapi_PBlock *pb); void agmt_delete(void **ra);
Index: repl5_agmt.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmt.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- repl5_agmt.c 15 Oct 2008 06:29:58 -0000 1.14
+++ repl5_agmt.c 4 Nov 2008 18:23:08 -0000 1.15
@@ -87,7 +87,6 @@
 #include "slapi-plugin.h" #define DEFAULT_TIMEOUT 600 /* (seconds) default outbound LDAP connection */
-#define TRANSPORT_FLAG_SSL 1
 #define STATUS_LEN 1024 struct changecounter {
@@ -1223,6 +1222,14 @@
 { ra->bindmethod = BINDMETHOD_SSL_CLIENTAUTH; }
+ else if (strcasecmp(tmpstr, "SASL/GSSAPI") == 0)
+ {
+ ra->bindmethod = BINDMETHOD_SASL_GSSAPI;
+ }
+ else if (strcasecmp(tmpstr, "SASL/DIGEST-MD5") == 0)
+ {
+ ra->bindmethod = BINDMETHOD_SASL_DIGEST_MD5;
+ }
 else { ra->bindmethod = BINDMETHOD_SIMPLE_AUTH;
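Review bot: The final `else` of the bind-method parsing still maps every unrecognized value to `BINDMETHOD_SIMPLE_AUTH`, so a typo in a value meant to select SASL/GSSAPI, SASL/DIGEST-MD5 or client-cert auth silently degrades the agreement to a simple bind that ships the agreement password, in cleartext when the transport is plain LDAP. A misconfiguration that was meant to be stronger should be loud rather than silently weaker; at minimum log it before falling back, e.g. `slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Unknown bind method \"%s\", falling back to simple bind\n", tmpstr);` (assuming `repl_plugin_name` is in scope here as it is in repl5_connection.c). The enclosing function starts and ends outside the hunk, so whether a NULL `tmpstr` reaches this chain is not visible.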
@@ -1261,14 +1268,16 @@
 int rc = 0; tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
- if (NULL != tmpstr && strcasecmp(tmpstr, "SSL") == 0)
- {
- ra->transport_flags |= TRANSPORT_FLAG_SSL;
- } else {
- ra->transport_flags &= ~TRANSPORT_FLAG_SSL;
+ if (!tmpstr || !strcasecmp(tmpstr, "LDAP")) {
+ ra->transport_flags = 0;
+ } else if (strcasecmp(tmpstr, "SSL") == 0) {
+ ra->transport_flags = TRANSPORT_FLAG_SSL;
+ } else if (strcasecmp(tmpstr, "TLS") == 0) {
+ ra->transport_flags = TRANSPORT_FLAG_TLS;
 }
+ /* else do nothing - invalid value is a no-op */
- slapi_ch_free((void **)&tmpstr);
+ slapi_ch_free_string(&tmpstr);
 return (rc); }
Index: repl5_connection.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_connection.c,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- repl5_connection.c 8 Oct 2008 17:29:03 -0000 1.9
+++ repl5_connection.c 4 Nov 2008 18:23:08 -0000 1.10
@@ -93,7 +93,6 @@
 static int attribute_string_value_present(LDAP *ld, LDAPMessage *entry, const char *type, const char *value); static int bind_and_check_pwp(Repl_Connection *conn, char * binddn, char *password);
-static int do_simple_bind (Repl_Connection *conn, LDAP *ld, char * binddn, char *password);
 static int s_debug_timeout = 0; static int s_debug_level = 0;
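Review bot: `/* else do nothing - invalid value is a no-op */` means a misspelled transport value (`StartTLS`, `ldaps`, …) leaves `ra->transport_flags` at whatever it held before — for a freshly created agreement presumably 0, i.e. plaintext — and nothing is logged, so an operator who intended TLS gets unencrypted replication plus an unencrypted simple bind with no sign of it. The silent branch should at least say so: `else { slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "Unknown transport \"%s\" (expected LDAP, SSL or TLS); transport setting unchanged\n", tmpstr); }` (assuming `repl_plugin_name` is visible in this file as it is in repl5_connection.c). Since `rc` is always 0 here the caller cannot detect the bad value either; if callers honour the return code, an error for unknown values would be the better fix, but the callers are not in this hunk. The enclosing function starts outside the hunk.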
@@ -445,6 +444,80 @@ return conn_read_result_ex(conn,NULL,NULL,NULL,message_id,1); } +/* Because the SDK isn't really thread-safe (it can deadlock between + * a thread sending an operation and a thread trying to retrieve a response + * on the same connection), we need to _first_ verify that the connection + * is writable. If it isn't, we can deadlock if we proceed any further... + */ +/* Since we're poking around with ldap c sdk internals, we have to + be careful since the PR layer stores different session and socket + info than the NSS SSL layer than the SASL layer - and they all + use different poll functions too +*/ +static ConnResult +see_if_write_available(Repl_Connection *conn, PRIntervalTime timeout) +{ + LDAP_X_PollFD pollstr; + int nfds = 1; + struct ldap_x_ext_io_fns iofns; + int rc = LDAP_SUCCESS; + LDAP_X_EXTIOF_POLL_CALLBACK *ldap_poll; + struct lextiof_session_private *private; + + /* get the poll function to use */ + memset(&iofns, 0, sizeof(iofns)); + iofns.lextiof_size = LDAP_X_EXTIO_FNS_SIZE; + if (ldap_get_option(conn->ld, LDAP_X_OPT_EXTIO_FN_PTRS, &iofns) < 0) { + rc = ldap_get_lderrno(conn->ld, NULL, NULL); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Failed call to ldap_get_option to get extiofns in " + "see_if_write_available: LDAP error %d (%s)\n", + agmt_get_long_name(conn->agmt), + rc, ldap_err2string(rc)); + conn->last_ldap_error = rc; + return CONN_OPERATION_FAILED; + } + ldap_poll = iofns.lextiof_poll; + + /* set up the poll structure */ + if (ldap_get_option(conn->ld, LDAP_OPT_DESC, &pollstr.lpoll_fd) < 0) { + rc = ldap_get_lderrno(conn->ld, NULL, NULL); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Failed call to ldap_get_option for poll_fd in " + "see_if_write_available: LDAP error %d (%s)\n", + agmt_get_long_name(conn->agmt), + rc, ldap_err2string(rc)); + conn->last_ldap_error = rc; + return CONN_OPERATION_FAILED; + } + + if (ldap_get_option(conn->ld, LDAP_X_OPT_SOCKETARG, + &pollstr.lpoll_socketarg) < 
0) { + rc = ldap_get_lderrno(conn->ld, NULL, NULL); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Failed call to ldap_get_option for socketarg in " + "see_if_write_available: LDAP error %d (%s)\n", + agmt_get_long_name(conn->agmt), + rc, ldap_err2string(rc)); + conn->last_ldap_error = rc; + return CONN_OPERATION_FAILED; + } + + pollstr.lpoll_events = LDAP_X_POLLOUT; + pollstr.lpoll_revents = 0; + private = iofns.lextiof_session_arg; + + if (0 == (*ldap_poll)(&pollstr, nfds, timeout, private)) { + slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, + "%s: poll timed out - poll interval [%d]\n", + agmt_get_long_name(conn->agmt), + timeout); + return CONN_TIMEOUT; + } + + return CONN_OPERATION_SUCCESS; +} + /* * Common code to send an LDAPv3 operation and collect the result. * Return values: 
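Review bot: The poll callback's result is only compared against 0, so a negative return — the callback's error case — falls through to `return CONN_OPERATION_SUCCESS;` and the caller goes on to send on a connection whose writability is exactly what this function exists to establish; only the timeout is handled. `iofns.lextiof_poll` is also called without a NULL check, although a successful `ldap_get_option` on its own does not show that a poll callback was installed for this `ld`. Treat `rc < 0` as `CONN_OPERATION_FAILED` (and record it in `conn->last_ldap_error`), bail out on a NULL callback, and note that `timeout` is a PRIntervalTime in NSPR ticks while the SDK's `LDAP_X_EXTIOF_POLL_CALLBACK` takes milliseconds, so the value should go through `PR_IntervalToMilliseconds()` (and be printed with `%u`, not `%d`). The rewritten tail of the function is below; the two `ldap_get_option` lookups between are unchanged.
```c
    ldap_poll = iofns.lextiof_poll;
    if (NULL == ldap_poll) {
        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
                        "%s: no poll callback installed for this connection in "
                        "see_if_write_available\n",
                        agmt_get_long_name(conn->agmt));
        conn->last_ldap_error = LDAP_LOCAL_ERROR;
        return CONN_OPERATION_FAILED;
    }
    /* … unchanged: LDAP_OPT_DESC and LDAP_X_OPT_SOCKETARG lookups, pollstr setup … */
    /* SDK poll callbacks take a timeout in milliseconds, not NSPR interval ticks */
    rc = (*ldap_poll)(&pollstr, nfds, PR_IntervalToMilliseconds(timeout), private);
    if (0 == rc) {
        slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
                        "%s: poll timed out - poll interval [%u]\n",
                        agmt_get_long_name(conn->agmt), (unsigned)timeout);
        return CONN_TIMEOUT;
    }
    if (rc < 0) {
        /* poll error: the connection is in an unknown state, do not send on it */
        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
                        "%s: poll failed in see_if_write_available (rc=%d)\n",
                        agmt_get_long_name(conn->agmt), rc);
        conn->last_ldap_error = LDAP_LOCAL_ERROR;
        return CONN_OPERATION_FAILED;
    }
    return CONN_OPERATION_SUCCESS;
```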
@@ -483,54 +556,11 @@ Slapi_Eq_Context eqctx = repl5_start_debug_timeout(&setlevel); - /* Because the SDK isn't really thread-safe (it can deadlock between - * a thread sending an operation and a thread trying to retrieve a response - * on the same connection), we need to _first_ verify that the connection - * is writable. If it isn't, we can deadlock if we proceed any further... - */ - { - struct PRPollDesc pr_pd; - PRIntervalTime timeout = PR_SecondsToInterval(conn->timeout.tv_sec); - PRFileDesc *prfd = NULL; - struct lextiof_socket_private *socketargp = NULL; - PRLDAPSocketInfo soi; - - if ( (rc = ldap_get_option(conn->ld, LDAP_X_OPT_SOCKETARG, &socketargp)) != LDAP_SUCCESS) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Failed call to ldap_get_option in perform_operation: LDAP error %d (%s)\n", - agmt_get_long_name(conn->agmt), - op_string ? op_string : "NULL", rc, ldap_err2string(rc)); - conn->last_ldap_error = rc; - return CONN_OPERATION_FAILED; - } - memset( &soi, 0, sizeof(soi)); - soi.soinfo_size = PRLDAP_SOCKETINFO_SIZE; - if (LDAP_SUCCESS != (rc = prldap_get_socket_info(0, socketargp, &soi))) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Failed call to prldap_get_socket_info in perform_operation: LDAP error %d (%s)\n", - agmt_get_long_name(conn->agmt), - op_string ? op_string : "NULL", rc, ldap_err2string(rc)); - conn->last_ldap_error = rc; - return CONN_OPERATION_FAILED; - } - prfd = soi.soinfo_prfd; - /* Before we connect, the prfd can be null */ - if (prfd) - { - pr_pd.fd = prfd; - pr_pd.in_flags = PR_POLL_WRITE; - pr_pd.out_flags = 0; - rc = PR_Poll(&pr_pd, 1, timeout); - /* Did we time out ? */ - if (rc == 0) - { - return CONN_TIMEOUT; - } - } + return_value = see_if_write_available( + conn, PR_SecondsToInterval(conn->timeout.tv_sec)); + if (return_value != CONN_OPERATION_SUCCESS) { + return return_value; } - conn->last_operation = optype; switch (optype) { 
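Review bot: The removed block skipped the writability poll when the socket's PRFileDesc was still NULL (`/* Before we connect, the prfd can be null */`); the replacement calls `see_if_write_available` unconditionally, and whether `LDAP_OPT_DESC` yields a pollable descriptor before the first connect is not visible here. If `perform_operation` can run before the connection is established, that case now either fails with `CONN_OPERATION_FAILED` or polls an invalid descriptor instead of proceeding as before; worth either confirming it cannot happen or restoring an equivalent early-out in `see_if_write_available`, e.g. `if (pollstr.lpoll_fd < 0) { return CONN_OPERATION_SUCCESS; } /* not connected yet, nothing to poll */`. The enclosing function starts and ends outside the hunk.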
@@ -919,16 +949,8 @@
 /* ugaston: if SSL has been selected in the replication agreement, SSL client * initialisation should be done before ever trying to open any connection at all. */
- if (conn->transport_flags == TRANSPORT_FLAG_TLS)
- {
- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
- "%s: Replication secured by StartTLS not currently supported\n",
- agmt_get_long_name(conn->agmt));
-
- return_value = CONN_OPERATION_FAILED;
- conn->last_ldap_error = LDAP_STRONG_AUTH_NOT_SUPPORTED;
- conn->state = STATE_DISCONNECTED;
- } else if(conn->transport_flags == TRANSPORT_FLAG_SSL)
+ if ((conn->transport_flags == TRANSPORT_FLAG_TLS) ||
+ (conn->transport_flags == TRANSPORT_FLAG_SSL))
 { /** Make sure the SSL Library has been initialized before anything else **/
@@ -942,9 +964,12 @@
 ber_bvfree(creds); creds = NULL; return CONN_SSL_NOT_ENABLED;
- } else
+ } else if (conn->transport_flags == TRANSPORT_FLAG_SSL)
 { secure = 1;
+ } else
+ {
+ secure = 2; /* 2 means starttls security */
 } }
@@ -953,11 +978,12 @@
 /* Now we initialize the LDAP Structure and set options */ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name,
- "%s: Trying %s slapi_ldap_init\n",
+ "%s: Trying %s%s slapi_ldap_init_ext\n",
 agmt_get_long_name(conn->agmt),
- secure ? "secure" : "non-secure");
+ secure ? "secure" : "non-secure",
+ (secure == 2) ? " startTLS" : "");
 /* shared = 1 because we will read results from a second thread */
- conn->ld = slapi_ldap_init(conn->hostname, conn->port, secure, 1);
+ conn->ld = slapi_ldap_init_ext(NULL, conn->hostname, conn->port, secure, 1, NULL);
 if (NULL == conn->ld) { return_value = CONN_OPERATION_FAILED;
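Review bot: `secure = 2; /* 2 means starttls security */` and the `(secure == 2)` test a few lines later rely on a bare magic number that is now part of the `slapi_ldap_init_ext` contract; give it a name next to that function's declaration (something like `#define SLAPI_LDAP_INIT_SECURE_STARTTLS 2`) and use it in both places so the next caller does not have to find this comment. Separately, the early `LDAP_STRONG_AUTH_NOT_SUPPORTED` refusal for `TRANSPORT_FLAG_TLS` is gone, so the safety of a TLS agreement now depends on `slapi_ldap_bind` refusing to bind if the StartTLS extended operation fails rather than continuing over the plaintext socket; that function is not in this diff, so please confirm it fails closed, otherwise a "TLS" agreement could send the bind password and the changelog in the clear without any error. The enclosing function starts and ends outside the hunk.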
@@ -1501,8 +1527,28 @@
 PR_Unlock(conn->lock); }
+static const char *
+bind_method_to_mech(int bindmethod)
+{
+ switch (bindmethod) {
+ case BINDMETHOD_SSL_CLIENTAUTH:
+ return LDAP_SASL_EXTERNAL;
+ break;
+ case BINDMETHOD_SASL_GSSAPI:
+ return "GSSAPI";
+ break;
+ case BINDMETHOD_SASL_DIGEST_MD5:
+ return "DIGEST-MD5";
+ break;
+ default: /* anything else */
+ return LDAP_SASL_SIMPLE;
+ }
+
+ return LDAP_SASL_SIMPLE;
+}
+
 /*
- * Check the result of an ldap_simple_bind operation to see we it
+ * Check the result of an ldap BIND operation to see we it
 * contains the expiration controls * return: -1 error, not bound * 0, OK bind has succeeded
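Review bot: Every `break;` after a `return` in `bind_method_to_mech` is unreachable, and so is the trailing `return LDAP_SASL_SIMPLE;` after a switch whose `default:` already returns; drop them so readers and compilers do not have to wonder whether a case is incomplete. Making `BINDMETHOD_SIMPLE_AUTH` an explicit case and keeping `default:` only for unknown values would also make the simple-bind fallback a deliberate choice rather than an accident of the switch. A one-line header would state the contract, e.g. `/* Map a BINDMETHOD_* value to the SASL mechanism name slapi_ldap_bind expects; anything unrecognized becomes a simple bind. */`.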
@@ -1512,91 +1558,24 @@ { LDAPControl **ctrls = NULL; - LDAPMessage *res = NULL; - char *errmsg = NULL; LDAP *ld = conn->ld; - int msgid; - int *msgidAdr = &msgid; int rc; + const char *mech = bind_method_to_mech(conn->bindmethod); - char * optype; /* ldap_simple_bind or slapd_SSL_client_bind */ - - if ( conn->transport_flags == TRANSPORT_FLAG_SSL ) - { - char *auth; - optype = "ldap_sasl_bind"; + rc = slapi_ldap_bind(conn->ld, binddn, password, mech, NULL, + &ctrls, NULL); - if ( conn->bindmethod == BINDMETHOD_SSL_CLIENTAUTH ) - { - rc = slapd_sasl_ext_client_bind(conn->ld, &msgidAdr); - auth = "SSL client authentication"; - - if ( rc == LDAP_SUCCESS ) - { - if (conn->last_ldap_error != rc) - { - conn->last_ldap_error = rc; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind with %s resumed\n", - agmt_get_long_name(conn->agmt), auth); - } - } - else - { - /* Do not report the same error over and over again */ - if (conn->last_ldap_error != rc) - { - conn->last_ldap_error = rc; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind with %s failed: LDAP error %d (%s)\n", - agmt_get_long_name(conn->agmt), auth, rc, - ldap_err2string(rc)); - } - - return (CONN_OPERATION_FAILED); - } - } - else - { - if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 ) - { - return (CONN_OPERATION_FAILED); - } - } - } - else + if ( rc == LDAP_SUCCESS ) { - optype = "ldap_simple_bind"; - if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 ) + if (conn->last_ldap_error != rc) { - return (CONN_OPERATION_FAILED); + conn->last_ldap_error = rc; + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Replication bind with %s auth resumed\n", + agmt_get_long_name(conn->agmt), + mech ? 
mech : "SIMPLE"); } - } - - /* Wait for the result */ - if ( ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Received error from consumer for %s operation\n", - agmt_get_long_name(conn->agmt), optype); - - return (CONN_OPERATION_FAILED); - } - /* Don't check ldap_result against 0 because, no timeout is specified */ - - /* Free res as we won't use it any longer */ - if ( ldap_parse_result( ld, res, &rc, NULL, NULL, NULL, &ctrls, 1 /* Free res */) - != LDAP_SUCCESS ) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Received error from consumer for %s operation\n", - agmt_get_long_name(conn->agmt), optype); - return (CONN_OPERATION_FAILED); - } - - if ( rc == LDAP_SUCCESS ) - { if ( ctrls ) { int i; 
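Review bot: The header comment was only touched up (`ldap BIND operation`), but the contract of `bind_and_check_pwp` changed: it now performs the bind itself through `slapi_ldap_bind` and hands `binddn`/`password` over for every mechanism, including EXTERNAL and GSSAPI where presumably the client cert or keytab identity is what counts. Document in the header which inputs each mechanism actually consumes — and what `binddn`/`password` mean for DIGEST-MD5, since a DN is not a SASL authcid — once confirmed against `slapi_ldap_bind`, which is not in this diff. Also, `mech ? mech : "SIMPLE"` only yields a readable log line if `LDAP_SASL_SIMPLE` is NULL; if the SDK defines it as an empty string the message prints `with  auth`, and that informational "resumed" message is still emitted at `SLAPI_LOG_FATAL`. The enclosing function starts outside the hunk.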
@@ -1631,50 +1610,23 @@ } else { - /* errmsg is a pointer directly into the ld structure - do not free */ - rc = ldap_get_lderrno( ld, NULL, &errmsg ); - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind to %s on consumer failed: %d (%s)\n", - agmt_get_long_name(conn->agmt), binddn, rc, errmsg); - - conn->last_ldap_error = rc; /* specific error */ - return (CONN_OPERATION_FAILED); - } -} - -static int -do_simple_bind (Repl_Connection *conn, LDAP *ld, char * binddn, char *password) -{ - int msgid; - - if( ( msgid = ldap_simple_bind( ld, binddn, password ) ) == -1 ) - { - char *ldaperrtext = NULL; - int ldaperr; - int prerr = PR_GetError(); - - ldaperr = ldap_get_lderrno( ld, NULL, &ldaperrtext ); + ldap_controls_free( ctrls ); /* Do not report the same error over and over again */ - if (conn->last_ldap_error != ldaperr) + if (conn->last_ldap_error != rc) { - conn->last_ldap_error = ldaperr; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Simple bind failed, " - SLAPI_COMPONENT_NAME_LDAPSDK " error %d (%s), " - SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", - agmt_get_long_name(conn->agmt), - ldaperr, ldaperrtext ? ldaperrtext : ldap_err2string(ldaperr), - prerr, slapd_pr_strerror(prerr)); + char *errmsg = NULL; + conn->last_ldap_error = rc; + /* errmsg is a pointer directly into the ld structure - do not free */ + rc = ldap_get_lderrno( ld, NULL, &errmsg ); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Replication bind with %s auth failed: LDAP error %d (%s) (%s)\n", + agmt_get_long_name(conn->agmt), + mech ? mech : "SIMPLE", rc, + ldap_err2string(rc), errmsg); } + + return (CONN_OPERATION_FAILED); } - else if (conn->last_ldap_error != LDAP_SUCCESS) - { - conn->last_ldap_error = LDAP_SUCCESS; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Simple bind resumed\n", - agmt_get_long_name(conn->agmt)); - } - return msgid; } void From rmeggins at fedoraproject.org Tue Nov 4 18:23:10 2008 
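Review bot: In the failure branch `rc` is overwritten by `ldap_get_lderrno()` before it is logged, so the message shows the SDK's last error rather than the code `slapi_ldap_bind` returned and stored in `conn->last_ldap_error`; if the bind failed outside the SDK (its StartTLS or SASL setup, not visible here) the two can differ and the log can even read `LDAP error 0 (Success)`. `errmsg` may also be NULL and is passed straight to `%s`, which is undefined behaviour and crashes on the non-glibc platforms this tree targets. Keep both codes and guard the string: `int lderr = ldap_get_lderrno(ld, NULL, &errmsg);` and log `rc, ldap_err2string(rc), lderr, errmsg ? errmsg : ""` with a format like `"%s: Replication bind with %s auth failed: LDAP error %d (%s), sdk error %d (%s)\n"`. The enclosing function starts outside the hunk.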
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Tue, 4 Nov 2008 18:23:10 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver Makefile.am, 1.77, 1.78 configure.ac, 1.56, 1.57 aclocal.m4, 1.77, 1.78 configure, 1.97, 1.98 missing, 1.58, 1.59 install-sh, 1.58, 1.59 depcomp, 1.58, 1.59 compile, 1.51, 1.52 config.sub, 1.57, 1.58 config.guess, 1.57, 1.58 Makefile.in, 1.101, 1.102 Message-ID: <20081104182310.731F770138@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9401/ldapserver Modified Files: Makefile.am configure.ac aclocal.m4 configure missing install-sh depcomp compile config.sub config.guess Makefile.in Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 1 Reviewed by: nkinder, nhosoi, ssorce (Thanks!) Fix Description: I've created two new functions to handle the client side of LDAP in the server - slapi_ldap_init_ext and slapi_ldap_bind. These two functions are designed to work with any connection type (ldap, ldaps, ldap+starttls, and eventually ldapi) and bind type (plain, sasl, client cert). The secure flag has been extended to use a value of 2 to mean use startTLS. One tricky part is that there is no place to store the startTLS flag in init to pass to bind, so we store that in the clientcontrols field which is currently unused. We do that because the semantics of ldap_init are not to do any network traffic, but defer that until the bind operation (or whatever the first actual operation is e.g. start_tls). I plan to replace all of the places in the code that do ldap init and bind with these functions. I started with replication. I extended the transport to add tls for startTLS and the bind method to add sasl/gssapi and sasl/digest-md5. I removed a lot of code from repl5_connection that is now done with just slapi_ldap_init_ext and slapi_ldap_bind. 
One tricky part of the replication code is that it polls the connection for write available, using some ldap sdk internals. I had to fix that code to work within the public ldap api since nspr and sasl muck with the internals in different incompatible ways. Finally, there is a lot of new kerberos code in the server. The way the server does sasl/gssapi auth with its keytab is similar to the way it does client cert auth with its ssl server cert. One big difference is that the server cannot pass the kerberos identity and credentials through the ldap/sasl/gssapi layers directly. Instead, we have to create a memory credentials cache and set the environment variable to point to it. This allows the sasl/gssapi layer to grab the credentials for use with kerberos. The way the code is written, it should also allow "external" kerberos auth e.g. if someone really wants to do some script which does a periodic kinit to refresh the file based cache, that should also work. I added some kerberos configure options. configure tries to first use krb5-config to get the compiler and linker information. If that fails, it just looks for some standard system libraries. Note that Solaris does not allow direct use of the kerberos api until Solaris 11, so most likely Solaris builds will have to use --without-kerberos (--with-kerberos is on by default). Fixed a bug in kerberos.m4 found by nkinder. ssorce has pointed out a few problems with my kerberos usage that will be addressed in the next patch. Changed the log level in ldap_sasl_get_val - pointed out by nkinder Platforms tested: Fedora 9, Fedora 8 Flag Day: yes Doc impact: oh yes Index: Makefile.am =================================================================== RCS file: /cvs/dirsec/ldapserver/Makefile.am,v retrieving revision 1.77 retrieving revision 1.78 diff -u -r1.77 -r1.78 --- Makefile.am 26 Oct 2008 04:04:56 -0000 1.77 +++ Makefile.am 4 Nov 2008 18:23:05 -0000 1.78 
@@ -47,6 +47,7 @@ ICU_LINK = @icu_lib@ -licui18n -licuuc -licudata NETSNMP_LINK = @netsnmp_lib@ @netsnmp_link@ PAM_LINK = -lpam +KERBEROS_LINK = $(kerberos_lib) LIBSOCKET=@LIBSOCKET@ LIBNSL=@LIBNSL@ @@ -534,12 +535,12 @@ ldap/servers/slapd/vattr.c \ $(libavl_a_SOURCES) +libslapd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) @sasl_inc@ @db_inc@ @svrcore_inc@ @kerberos_inc@ if SOLARIS libslapd_la_SOURCES += ldap/servers/slapd/slapi_counter_sunos_sparcv9.S endif -libslapd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) @db_inc@ @svrcore_inc@ -libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) +libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) #//////////////////////////////////////////////////////////////// Index: configure.ac =================================================================== RCS file: /cvs/dirsec/ldapserver/configure.ac,v retrieving revision 1.56 retrieving revision 1.57 diff -u -r1.56 -r1.57 --- configure.ac 29 Oct 2008 19:16:29 -0000 1.56 +++ configure.ac 4 Nov 2008 18:23:06 -0000 1.57 @@ -271,10 +271,12 @@ AC_ERROR([Please specify a full path with --with-instconfigdir]) fi instconfigdir="$withval" + AC_MSG_RESULT($withval) ], [ dnl this value is expanded out in Makefile.am instconfigdir='$(sysconfdir)/$(PACKAGE_NAME)' + AC_MSG_RESULT(no) ]) AC_SUBST(instconfigdir) @@ -422,6 +424,7 @@ m4_include(m4/svrcore.m4) m4_include(m4/icu.m4) m4_include(m4/netsnmp.m4) +m4_include(m4/kerberos.m4) PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'` AC_SUBST(PACKAGE_BASE_VERSION) Index: configure =================================================================== RCS file: /cvs/dirsec/ldapserver/configure,v retrieving revision 1.97 retrieving revision 1.98 diff -u -r1.97 -r1.98 --- configure 29 Oct 2008 19:16:29 -0000 1.97 +++ configure 4 Nov 2008 18:23:06 -0000 1.98 
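Review bot: `KERBEROS_LINK = $(kerberos_lib)` departs from the `@icu_lib@` / `@netsnmp_lib@` substitution style of the neighbouring `*_LINK` variables; both forms work under automake when `kerberos_lib` is `AC_SUBST`ed (it appears in `ac_subst_vars` further down), but the mix reads as if a different mechanism were in play, so `KERBEROS_LINK = @kerberos_lib@` would be the consistent spelling. `$(KERBEROS_LINK)` is appended to `libslapd_la_LIBADD` unconditionally, so a `--without-kerberos` build depends on kerberos.m4 leaving `kerberos_lib` empty — that part of the macro is not in this chunk, so a comment such as `# empty when configured --without-kerberos` next to the definition would make the assumption explicit.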
@@ -465,7 +465,7 @@ #endif" ac_default_prefix=/opt/$PACKAGE_NAME -ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB a c_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG PACKAGE_BASE_VERSION nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc ldapsdk_lib ldapsdk_libdir ldapsdk_bindir db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore_inc 
svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsn mp_lib netsnmp_libdir netsnmp_link brand capbrand vendor LTLIBOBJS' +ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CYGPATH_W PACKAGE VERSION ACLOCAL AUTOCONF AUTOMAKE AUTOHEADER MAKEINFO install_sh STRIP ac_ct_STRIP INSTALL_STRIP_PROGRAM mkdir_p AWK SET_MAKE am__leading_dot AMTAR am__tar am__untar MAINTAINER_MODE_TRUE MAINTAINER_MODE_FALSE MAINT build build_cpu build_vendor build_os host host_cpu host_vendor host_os CXX CXXFLAGS LDFLAGS CPPFLAGS ac_ct_CXX EXEEXT OBJEXT DEPDIR am__include am__quote AMDEP_TRUE AMDEP_FALSE AMDEPBACKSLASH CXXDEPMODE am__fastdepCXX_TRUE am__fastdepCXX_FALSE CC CFLAGS ac_ct_CC CCDEPMODE am__fastdepCC_TRUE am__fastdepCC_FALSE CCAS CCASFLAGS SED EGREP LN_S ECHO AR ac_ct_AR RANLIB a c_ct_RANLIB CPP CXXCPP F77 FFLAGS ac_ct_F77 LIBTOOL LIBOBJS debug_defs BUNDLE_TRUE BUNDLE_FALSE enable_pam_passthru_TRUE enable_pam_passthru_FALSE enable_dna_TRUE enable_dna_FALSE enable_ldapi_TRUE enable_ldapi_FALSE enable_autobind_TRUE enable_autobind_FALSE enable_auto_dn_suffix_TRUE enable_auto_dn_suffix_FALSE enable_bitwise_TRUE enable_bitwise_FALSE with_fhs_opt configdir sampledatadir propertydir schemadir serverdir serverplugindir scripttemplatedir perldir infdir mibdir defaultuser defaultgroup instconfigdir WINNT_TRUE WINNT_FALSE LIBSOCKET LIBNSL LIBDL LIBCSTD LIBCRUN initdir perlexec initconfigdir HPUX_TRUE HPUX_FALSE SOLARIS_TRUE SOLARIS_FALSE PKG_CONFIG ICU_CONFIG NETSNMP_CONFIG KRB5_CONFIG_BIN kerberos_inc kerberos_lib kerberos_libdir PACKAGE_BASE_VERSION nspr_inc nspr_lib nspr_libdir nss_inc nss_lib nss_libdir ldapsdk_inc ldapsdk_lib ldapsdk_libdir 
ldapsdk_bindir db_inc db_incdir db_lib db_libdir db_bindir db_libver sasl_inc sasl_lib sasl_libdir sasl_path svrcore _inc svrcore_lib icu_lib icu_inc icu_bin netsnmp_inc netsnmp_lib netsnmp_libdir netsnmp_link brand capbrand vendor LTLIBOBJS' ac_subst_files='' # Initialize some variables set by options. @@ -1099,6 +1099,25 @@ --with-netsnmp=PATH Net-SNMP directory --with-netsnmp-inc=PATH Net-SNMP include directory --with-netsnmp-lib=PATH Net-SNMP library directory + --with-kerberos=PATH Use the kerberos API in the server directly - allows + the server to authenticate directly with a keytab - + otherwise, SASL/GSSAPI auth depends on underlying + SASL libraries and external kinit with a keytab - if + PATH is not specified, look for kerberos in the + system locations. This will attempt to use + krb5-config from the PATH to find the libs and + include dirs - you can specify KRB5_CONFIG_BIN to + specify a different filename or absolute path. If + krb5-config does not work, this will attempt to look + in various system directories + --with-kerberos-inc=PATH + Allows you to explicitly set the directory + containing the kerberos include files - implies use + of kerberos + --with-kerberos-lib=PATH + Allows you to explicitly set the directory + containing the kerberos libraries - implies use of + kerberos Some influential environment variables: CXX C++ compiler command @@ -4333,7 +4352,7 @@ ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 4336 "configure"' > conftest.$ac_ext + echo '#line 4355 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -5468,7 +5487,7 @@ # Provide some information about the compiler. -echo "$as_me:5471:" \ +echo "$as_me:5490:" \ "checking for Fortran 77 compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` { (eval echo "$as_me:$LINENO: \"$ac_compiler --version &5\"") >&5 
@@ -6531,11 +6550,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6534: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6553: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6538: \$? = $ac_status" >&5 + echo "$as_me:6557: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -6799,11 +6818,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6802: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6821: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6806: \$? = $ac_status" >&5 + echo "$as_me:6825: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -6903,11 +6922,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6906: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6925: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:6910: \$? = $ac_status" >&5 + echo "$as_me:6929: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -8372,7 +8391,7 @@ libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 8375 "configure"' > conftest.$ac_ext + echo '#line 8394 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9269,7 +9288,7 @@ lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:11734: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11719: \$? = $ac_status" >&5 + echo "$as_me:11738: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -11816,11 +11835,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11819: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11838: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11823: \$? = $ac_status" >&5 + echo "$as_me:11842: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12352,7 +12371,7 @@ libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 12355 "configure"' > conftest.$ac_ext + echo '#line 12374 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -13410,11 +13429,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13413: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13432: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13417: \$? = $ac_status" >&5 + echo "$as_me:13436: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -13514,11 +13533,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13517: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13536: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13521: \$? = $ac_status" >&5 + echo "$as_me:13540: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -14963,7 +14982,7 @@ libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 14966 "configure"' > conftest.$ac_ext + echo '#line 14985 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -15741,11 +15760,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15744: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15763: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15748: \$? = $ac_status" >&5 + echo "$as_me:15767: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16009,11 +16028,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16012: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16031: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16016: \$? = $ac_status" >&5 + echo "$as_me:16035: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -16113,11 +16132,11 @@ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16116: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16135: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16120: \$? = $ac_status" >&5 + echo "$as_me:16139: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -17582,7 +17601,7 @@ libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 17585 "configure"' > conftest.$ac_ext + echo '#line 17604 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -23325,10 +23344,14 @@ { (exit 1); exit 1; }; } fi instconfigdir="$withval" + echo "$as_me:$LINENO: result: $withval" >&5 +echo "${ECHO_T}$withval" >&6 else instconfigdir='$(sysconfdir)/$(PACKAGE_NAME)' + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 fi; 
@@ -25542,6 +25565,764 @@ { (exit 1); exit 1; }; } fi +# BEGIN COPYRIGHT BLOCK +# Copyright (C) 2008 Red Hat, Inc. +# All rights reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# END COPYRIGHT BLOCK +# -*- tab-width: 4; -*- +# Configure paths for Kerberos + +{ echo "$as_me:$LINENO: checking for kerberos..." >&5 +echo "$as_me: checking for kerberos..." >&6;} + +if test -z "$with_kerberos" ; then + with_kerberos=yes # if not set on cmdline, set default +fi + +echo "$as_me:$LINENO: checking for --with-kerberos" >&5 +echo $ECHO_N "checking for --with-kerberos... $ECHO_C" >&6 + +# Check whether --with-kerberos or --without-kerberos was given. 
+if test "${with_kerberos+set}" = set; then + withval="$with_kerberos" + + if test "x$withval" = "xyes"; then + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + elif test "x$withval" = "xno"; then + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + with_kerberos= + elif test -d "$withval" -a -d "$withval/lib" -a -d "$withval/include" ; then + echo "$as_me:$LINENO: result: using $withval" >&5 +echo "${ECHO_T}using $withval" >&6 + kerberos_incdir="$withval/include" + kerberos_libdir="$withval/lib" + else + echo "$as_me:$LINENO: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + { { echo "$as_me:$LINENO: error: kerberos not found in $withval" >&5 +echo "$as_me: error: kerberos not found in $withval" >&2;} + { (exit 1); exit 1; }; } + fi + +else + + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + with_kerberos= + + +fi; + +echo "$as_me:$LINENO: checking for --with-kerberos-inc" >&5 +echo $ECHO_N "checking for --with-kerberos-inc... $ECHO_C" >&6 + +# Check whether --with-kerberos-inc or --without-kerberos-inc was given. +if test "${with_kerberos_inc+set}" = set; then + withval="$with_kerberos_inc" + + if test -f "$withval"/krb5.h; then + echo "$as_me:$LINENO: result: using $withval" >&5 +echo "${ECHO_T}using $withval" >&6 + kerberos_incdir="$withval" + with_kerberos=yes # implies use of kerberos + else + echo + { { echo "$as_me:$LINENO: error: $withval/krb5.h not found" >&5 +echo "$as_me: error: $withval/krb5.h not found" >&2;} + { (exit 1); exit 1; }; } + fi + +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + +fi; + +echo "$as_me:$LINENO: checking for --with-kerberos-lib" >&5 +echo $ECHO_N "checking for --with-kerberos-lib... $ECHO_C" >&6 + +# Check whether --with-kerberos-lib or --without-kerberos-lib was given. 
+if test "${with_kerberos_lib+set}" = set; then + withval="$with_kerberos_lib" + + if test -d "$withval"; then + echo "$as_me:$LINENO: result: using $withval" >&5 +echo "${ECHO_T}using $withval" >&6 + kerberos_libdir="$withval" + with_kerberos=yes # implies use of kerberos + else + echo + { { echo "$as_me:$LINENO: error: $withval not found" >&5 +echo "$as_me: error: $withval not found" >&2;} + { (exit 1); exit 1; }; } + fi + +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 + +fi; + +if test -n "$with_kerberos" ; then + if test -z "$kerberos_incdir" -o -z "$kerberos_libdir" ; then + if test -z "$KRB5_CONFIG_BIN" ; then + # Extract the first word of "krb5-config", so it can be a program name with args. +set dummy krb5-config; ac_word=$2 +echo "$as_me:$LINENO: checking for $ac_word" >&5 +echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 +if test "${ac_cv_path_KRB5_CONFIG_BIN+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + case $KRB5_CONFIG_BIN in + [\\/]* | ?:[\\/]*) + ac_cv_path_KRB5_CONFIG_BIN="$KRB5_CONFIG_BIN" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_path_KRB5_CONFIG_BIN="$as_dir/$ac_word$ac_exec_ext" + echo "$as_me:$LINENO: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done +done + + ;; +esac +fi +KRB5_CONFIG_BIN=$ac_cv_path_KRB5_CONFIG_BIN + +if test -n "$KRB5_CONFIG_BIN"; then + echo "$as_me:$LINENO: result: $KRB5_CONFIG_BIN" >&5 +echo "${ECHO_T}$KRB5_CONFIG_BIN" >&6 +else + echo "$as_me:$LINENO: result: no" >&5 +echo "${ECHO_T}no" >&6 +fi + + fi + if test -n "$KRB5_CONFIG_BIN" ; then + echo "$as_me:$LINENO: checking for kerberos with $KRB5_CONFIG_BIN" >&5 +echo $ECHO_N "checking for kerberos with $KRB5_CONFIG_BIN... 
$ECHO_C" >&6 + if test -z "$kerberos_libdir" ; then + kerberos_lib=`$KRB5_CONFIG_BIN --libs krb5` + fi + if test -z "$kerberos_incdir" ; then + kerberos_inc=`$KRB5_CONFIG_BIN --cflags krb5` + fi + if test -n "$kerberos_lib" ; then + echo "$as_me:$LINENO: result: using kerberos found with $KRB5_CONFIG_BIN" >&5 +echo "${ECHO_T}using kerberos found with $KRB5_CONFIG_BIN" >&6 + have_krb5=yes + fi + fi + fi +fi + +if test -n "$with_kerberos" -a -z "$kerberos_lib" ; then + # save these in order to set them to use the check macros below + # like AC_CHECK_HEADERS, AC_CHECK_LIB, and AC_CHECK_FUNCS + save_CPPFLAGS="$CPPFLAGS" + if test -n "$kerberos_incdir" ; then + CPPFLAGS="-I$kerberos_incdir $CPPFLAGS" + fi + save_LDFLAGS="$LDFLAGS" + if test -n "$kerberos_libdir" ; then + LDFLAGS="-L$kerberos_libdir $LDFLAGS" + fi + krb5_impl=mit + + +for ac_header in heim_err.h +do +as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` +if eval "test \"\${$as_ac_Header+set}\" = set"; then + echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 +if eval "test \"\${$as_ac_Header+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 +else + # Is the header compilable? +echo "$as_me:$LINENO: checking $ac_header usability" >&5 +echo $ECHO_N "checking $ac_header usability... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +$ac_includes_default +#include <$ac_header> +_ACEOF +rm -f conftest.$ac_objext +if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 + (eval $ac_compile) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest.$ac_objext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + ac_header_compiler=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_header_compiler=no +fi +rm -f conftest.err conftest.$ac_objext conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_compiler" >&5 +echo "${ECHO_T}$ac_header_compiler" >&6 + +# Is the header present? +echo "$as_me:$LINENO: checking $ac_header presence" >&5 +echo $ECHO_N "checking $ac_header presence... $ECHO_C" >&6 +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ +#include <$ac_header> +_ACEOF +if { (eval echo "$as_me:$LINENO: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + ac_cpp_err=$ac_cpp_err$ac_c_werror_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + ac_header_preproc=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_header_preproc=no +fi +rm -f conftest.err conftest.$ac_ext +echo "$as_me:$LINENO: result: $ac_header_preproc" >&5 +echo "${ECHO_T}$ac_header_preproc" >&6 + +# So? What about this header? 
+case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in + yes:no: ) + { echo "$as_me:$LINENO: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&5 +echo "$as_me: WARNING: $ac_header: accepted by the compiler, rejected by the preprocessor!" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the compiler's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the compiler's result" >&2;} + ac_header_preproc=yes + ;; + no:yes:* ) + { echo "$as_me:$LINENO: WARNING: $ac_header: present but cannot be compiled" >&5 +echo "$as_me: WARNING: $ac_header: present but cannot be compiled" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: check for missing prerequisite headers?" >&5 +echo "$as_me: WARNING: $ac_header: check for missing prerequisite headers?" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: see the Autoconf documentation" >&5 +echo "$as_me: WARNING: $ac_header: see the Autoconf documentation" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&5 +echo "$as_me: WARNING: $ac_header: section \"Present But Cannot Be Compiled\"" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: proceeding with the preprocessor's result" >&5 +echo "$as_me: WARNING: $ac_header: proceeding with the preprocessor's result" >&2;} + { echo "$as_me:$LINENO: WARNING: $ac_header: in the future, the compiler will take precedence" >&5 +echo "$as_me: WARNING: $ac_header: in the future, the compiler will take precedence" >&2;} + ( + cat <<\_ASBOX +## ------------------------------------------ ## +## Report this to http://bugzilla.redhat.com/ ## +## ------------------------------------------ ## +_ASBOX + ) | + sed "s/^/$as_me: WARNING: /" >&2 + ;; +esac +echo "$as_me:$LINENO: checking for $ac_header" >&5 +echo $ECHO_N "checking for $ac_header... 
$ECHO_C" >&6 +if eval "test \"\${$as_ac_Header+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + eval "$as_ac_Header=\$ac_header_preproc" +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 + +fi +if test `eval echo '${'$as_ac_Header'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + + if test $ac_cv_header_heim_err_h = yes ; then + krb5_impl=heimdal + fi + + if test "x$krb5_impl" = "xmit"; then + echo "$as_me:$LINENO: checking for main in -lk5crypto" >&5 +echo $ECHO_N "checking for main in -lk5crypto... $ECHO_C" >&6 +if test "${ac_cv_lib_k5crypto_main+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lk5crypto $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + +int +main () +{ +main (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_k5crypto_main=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_k5crypto_main=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_k5crypto_main" >&5 +echo "${ECHO_T}$ac_cv_lib_k5crypto_main" >&6 +if test $ac_cv_lib_k5crypto_main = yes; then + krb5crypto=k5crypto +else + krb5crypto=crypto +fi + + + echo "$as_me:$LINENO: checking for main in -lkrb5" >&5 +echo $ECHO_N "checking for main in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_main+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 -l$krb5crypto -lcom_err $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + +int +main () +{ +main (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_main=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_krb5_main=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_main" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_main" >&6 +if test $ac_cv_lib_krb5_main = yes; then + have_krb5=yes + kerberos_lib="-lkrb5 -l$krb5crypto -lcom_err" +else + have_krb5=no +fi + + + elif test "x$krb5_impl" = "xheimdal"; then + echo "$as_me:$LINENO: checking for main in -ldes" >&5 +echo $ECHO_N "checking for main in -ldes... $ECHO_C" >&6 +if test "${ac_cv_lib_des_main+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-ldes $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + +int +main () +{ +main (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_des_main=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_des_main=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_des_main" >&5 +echo "${ECHO_T}$ac_cv_lib_des_main" >&6 +if test $ac_cv_lib_des_main = yes; then + krb5crypto=des +else + krb5crypto=crypto +fi + + + echo "$as_me:$LINENO: checking for main in -lkrb5" >&5 +echo $ECHO_N "checking for main in -lkrb5... $ECHO_C" >&6 +if test "${ac_cv_lib_krb5_main+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + + +int +main () +{ +main (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + ac_cv_lib_krb5_main=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +ac_cv_lib_krb5_main=no +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +echo "$as_me:$LINENO: result: $ac_cv_lib_krb5_main" >&5 +echo "${ECHO_T}$ac_cv_lib_krb5_main" >&6 +if test $ac_cv_lib_krb5_main = yes; then + have_krb5=yes + kerberos_lib="-lkrb5 -l$krb5crypto -lasn1 -lroken -lcom_err" +else + have_krb5=no +fi + + + +cat >>confdefs.h <<\_ACEOF +#define HAVE_HEIMDAL_KERBEROS 1 +_ACEOF + + + else + have_krb5=no + { echo "$as_me:$LINENO: WARNING: Unrecognized Kerberos5 Implementation" >&5 +echo "$as_me: WARNING: Unrecognized Kerberos5 Implementation" >&2;} + fi + + # reset to original values + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + if test -n "$kerberos_incdir" ; then + kerberos_inc="-I$kerberos_incdir" + fi + if test -n "$kerberos_libdir" ; then + kerberos_lib="-L$kerberos_libdir $kerberos_lib" + fi +fi + + +if test -n "$with_kerberos" ; then + if test "x$have_krb5" = "xyes" ; then + +cat >>confdefs.h <<\_ACEOF +#define HAVE_KRB5 1 +_ACEOF + + else + { { echo "$as_me:$LINENO: error: Required Kerberos 5 support not available" >&5 +echo "$as_me: error: Required Kerberos 5 support not available" >&2;} + { (exit 1); exit 1; }; } + fi + + save_LIBS="$LIBS" + LIBS="$kerberos_lib" + save_CPPFLAGS="$CPPFLAGS" + CPPFLAGS="$kerberos_inc $CPPFLAGS" + +for ac_func in krb5_cc_new_unique +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:$LINENO: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. 
*/ +/* Define $ac_func to an innocuous variant, in case declares $ac_func. + For example, HP-UX 11i declares gettimeofday. */ +#define $ac_func innocuous_$ac_func + +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. + Prefer to if __STDC__ is defined, since + exists even on freestanding compilers. */ + +#ifdef __STDC__ +# include +#else +# include +#endif + +#undef $ac_func + +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +{ +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +char (*f) () = $ac_func; +#endif +#ifdef __cplusplus +} +#endif + +int +main () +{ +return f != $ac_func; + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 + (eval $ac_link) 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -z "$ac_c_werror_flag" + || test ! -s conftest.err' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); }; } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:$LINENO: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +eval "$as_ac_var=no" +fi +rm -f conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:$LINENO: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <<_ACEOF +#define `echo "HAVE_$ac_func" | $as_tr_cpp` 1 +_ACEOF + +fi +done + + LIBS="$save_LIBS" + CPPFLAGS="$save_CPPFLAGS" +fi + + + + + PACKAGE_BASE_VERSION=`echo $PACKAGE_VERSION | awk -F\. '{print $1"."$2}'` @@ -26463,6 +27244,10 @@ s, at PKG_CONFIG@,$PKG_CONFIG,;t t s, at ICU_CONFIG@,$ICU_CONFIG,;t t s, at NETSNMP_CONFIG@,$NETSNMP_CONFIG,;t t +s, at KRB5_CONFIG_BIN@,$KRB5_CONFIG_BIN,;t t +s, at kerberos_inc@,$kerberos_inc,;t t +s, at kerberos_lib@,$kerberos_lib,;t t +s, at kerberos_libdir@,$kerberos_libdir,;t t s, at PACKAGE_BASE_VERSION@,$PACKAGE_BASE_VERSION,;t t s, at nspr_inc@,$nspr_inc,;t t s, at nspr_lib@,$nspr_lib,;t t Index: Makefile.in =================================================================== RCS file: /cvs/dirsec/ldapserver/Makefile.in,v retrieving revision 1.101 retrieving revision 1.102 diff -u -r1.101 -r1.102 --- Makefile.in 26 Oct 2008 04:04:56 -0000 1.101 +++ Makefile.in 4 Nov 2008 18:23:07 -0000 1.102 @@ -59,7 +59,8 @@ $(top_srcdir)/m4/nss.m4 $(top_srcdir)/m4/mozldap.m4 \ $(top_srcdir)/m4/db.m4 $(top_srcdir)/m4/sasl.m4 \ $(top_srcdir)/m4/svrcore.m4 $(top_srcdir)/m4/icu.m4 \ - $(top_srcdir)/m4/netsnmp.m4 $(top_srcdir)/configure.ac + $(top_srcdir)/m4/netsnmp.m4 $(top_srcdir)/m4/kerberos.m4 \ + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ 
@@ -434,9 +435,10 @@ am_libschemareload_plugin_la_OBJECTS = ldap/servers/plugins/schema_reload/libschemareload_plugin_la-schema_reload.lo libschemareload_plugin_la_OBJECTS = \ $(am_libschemareload_plugin_la_OBJECTS) +am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1) libslapd_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2) am__libslapd_la_SOURCES_DIST = ldap/servers/slapd/add.c \ ldap/servers/slapd/agtmmap.c ldap/servers/slapd/apibroker.c \ ldap/servers/slapd/attr.c ldap/servers/slapd/attrlist.c \ @@ -905,6 +907,7 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +KRB5_CONFIG_BIN = @KRB5_CONFIG_BIN@ LDFLAGS = @LDFLAGS@ LIBCRUN = @LIBCRUN@ LIBCSTD = @LIBCSTD@ @@ -1007,6 +1010,9 @@ initdir = $(sysconfdir)@initdir@ install_sh = @install_sh@ instconfigdir = @instconfigdir@ +kerberos_inc = @kerberos_inc@ +kerberos_lib = @kerberos_lib@ +kerberos_libdir = @kerberos_libdir@ ldapsdk_bindir = @ldapsdk_bindir@ ldapsdk_inc = @ldapsdk_inc@ ldapsdk_lib = @ldapsdk_lib@ @@ -1098,6 +1104,7 @@ ICU_LINK = @icu_lib@ -licui18n -licuuc -licudata NETSNMP_LINK = @netsnmp_lib@ @netsnmp_link@ PAM_LINK = -lpam +KERBEROS_LINK = $(kerberos_lib) #------------------------ # Generated Sources 
@@ -1488,8 +1495,8 @@ ldap/servers/slapd/uuid.c ldap/servers/slapd/value.c \ ldap/servers/slapd/valueset.c ldap/servers/slapd/vattr.c \ $(libavl_a_SOURCES) $(am__append_1) -libslapd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) @db_inc@ @svrcore_inc@ -libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) +libslapd_la_CPPFLAGS = $(PLUGIN_CPPFLAGS) @sasl_inc@ @db_inc@ @svrcore_inc@ @kerberos_inc@ +libslapd_la_LIBADD = $(LDAPSDK_LINK) $(SASL_LINK) $(SVRCORE_LINK) $(NSS_LINK) $(NSPR_LINK) $(KERBEROS_LINK) #//////////////////////////////////////////////////////////////// # From nhosoi at fedoraproject.org Tue Nov 4 23:12:42 2008 From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Tue, 4 Nov 2008 23:12:42 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm import-threads.c, 1.18, 1.19 Message-ID: <20081104231242.819F17013A@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28179 Modified Files: import-threads.c Log Message: Resolves: #462922 Summary: Import of data does not record timestamps Description: Added a static function import_add_created_attrs to add ModifiersName, CreateTimestamp, ModifyTimestamp to each imported entry. I also added a check if nsslapd-lastmod is on or off. It adds the created info only if the lastmod is on. Index: import-threads.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/import-threads.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- import-threads.c 17 Oct 2008 16:54:47 -0000 1.18 +++ import-threads.c 4 Nov 2008 23:12:39 -0000 1.19 
@@ -301,6 +301,47 @@
 return my_version;
 }
+/*
+ * add CreatorsName, ModifiersName, CreateTimestamp, ModifyTimestamp to entry
+ */
+static void
+import_add_created_attrs(Slapi_Entry *e)
+{
+ char buf[20];
+ struct berval bv;
+ struct berval *bvals[2];
+ time_t curtime;
+ struct tm ltm;
+
+ bvals[0] = &bv;
+ bvals[1] = NULL;
+
+ bv.bv_val = "";
+ bv.bv_len = 0;
+ slapi_entry_attr_replace(e, "creatorsname", bvals);
+ slapi_entry_attr_replace(e, "modifiersname", bvals);
+
+ curtime = current_time();
+#ifdef _WIN32
+{
+ struct tm *pt;
+ pt = gmtime(&curtime);
+ memcpy(<m, pt, sizeof(struct tm));
+}
+#else
+ gmtime_r(&curtime, <m);
+#endif
+ strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", <m);
+
+ bv.bv_val = buf;
+ bv.bv_len = strlen(bv.bv_val);
+ slapi_entry_attr_replace(e, "createtimestamp", bvals);
+
+ bv.bv_val = buf;
+ bv.bv_len = strlen(bv.bv_val);
+ slapi_entry_attr_replace(e, "modifytimestamp", bvals);
+}
+
 /* producer thread:
 * read through the given file list, parsing entries (str2entry), assigning
 * them IDs and queueing them on the entry FIFO. other threads will do
@@ -501,6 +542,9 @@
 /* generate uniqueid if necessary */
 import_generate_uniqueid(job, e);
+ if (g_get_global_lastmod()) {
+ import_add_created_attrs(e);
+ }
 ep = import_make_backentry(e, id);
 if (!ep)
From nkinder at fedoraproject.org Tue Nov 4 23:21:12 2008
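Review bot: import_add_created_attrs replaces creatorsname, modifiersname, createtimestamp and modifytimestamp unconditionally, so an LDIF that already carries these operational attributes (for example one written by an earlier export) comes back with an empty creator and the import time in place of its real history, which is exactly the provenance an investigator later relies on. Stamping only the attributes the entry lacks, via `slapi_entry_attr_find(e, "createtimestamp", &attr) != 0` and the same test for the other three, preserves existing values and still covers entries that have none. strftime()'s return is not checked and the _WIN32 branch copies from gmtime() without a NULL test, so on failure strlen reads an uninitialized buf or memcpy dereferences NULL; pre-clearing buf and returning when strftime yields 0 covers the first, and `if (pt) memcpy(&ltm, pt, sizeof(struct tm));` the second. The `<m` tokens in the hunk read as `&ltm` with the ampersand lost in transit, and the fence below assumes that reading. Only the replace and timestamp lines are rewritten; the declarations and the time-conversion block otherwise stay as they are.
```c
static void
import_add_created_attrs(Slapi_Entry *e)
{
    Slapi_Attr *attr = NULL;
    /* … unchanged: buf, bv, bvals, curtime, ltm declarations and bvals setup … */

    bv.bv_val = "";
    bv.bv_len = 0;
    /* only stamp what the imported entry does not already carry */
    if (slapi_entry_attr_find(e, "creatorsname", &attr) != 0) {
        slapi_entry_attr_replace(e, "creatorsname", bvals);
    }
    if (slapi_entry_attr_find(e, "modifiersname", &attr) != 0) {
        slapi_entry_attr_replace(e, "modifiersname", bvals);
    }

    /* … unchanged: curtime = current_time() and the gmtime/_WIN32 block … */
    buf[0] = '\0';
    if (strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &ltm) == 0) {
        return; /* no usable timestamp; leave the entry as imported */
    }

    bv.bv_val = buf;
    bv.bv_len = strlen(bv.bv_val);
    if (slapi_entry_attr_find(e, "createtimestamp", &attr) != 0) {
        slapi_entry_attr_replace(e, "createtimestamp", bvals);
    }
    if (slapi_entry_attr_find(e, "modifytimestamp", &attr) != 0) {
        slapi_entry_attr_replace(e, "modifytimestamp", bvals);
    }
}
```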
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Tue, 4 Nov 2008 23:21:12 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd saslbind.c, 1.27, 1.28 Message-ID: <20081104232112.C1A3B7013A@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31500/ldap/servers/slapd Modified Files: saslbind.c Log Message: Resolves: 452569 Summary: Use 64-bit specific SASL default plug-in path on 64-bit Linux machines. Index: saslbind.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v retrieving revision 1.27 retrieving revision 1.28
diff -u -r1.27 -r1.28
--- saslbind.c 8 Oct 2008 17:29:03 -0000 1.27
+++ saslbind.c 4 Nov 2008 23:21:10 -0000 1.28
@@ -475,12 +475,17 @@
 static int ids_sasl_getpluginpath(sasl_conn_t *conn, const char **path)
 {
 /* Try to get path from config, otherwise check for SASL_PATH environment
- * variable. If neither of these are set, just default to /usr/lib/sasl2
+ * variable. If neither of these are set, default to /usr/lib64/sasl2 on
+ * 64-bit Linux machines, and /usr/lib/sasl2 on all other platforms.
 */
 char *pluginpath = config_get_saslpath();
 if ((!pluginpath) || (*pluginpath == '\0')) {
 if (!(pluginpath = getenv("SASL_PATH"))) {
- pluginpath = "/usr/lib64/sasl2:/usr/lib/sasl2";
+#if defined(LINUX) && defined(__LP64__)
+ pluginpath = "/usr/lib64/sasl2";
+#else
+ pluginpath = "/usr/lib/sasl2";
+#endif
 }
 }
 *path = pluginpath;
From rmeggins at fedoraproject.org Wed Nov 5 18:14:39 2008
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 5 Nov 2008 18:14:39 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acllas.c, 1.13, 1.14 Message-ID: <20081105181439.8CF817013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv11608 Modified Files: acllas.c Log Message: Resolves: bug 469243 Description: ACL: support group filter Fix Description: unset value for lud_scope is -1, not NULL Index: acllas.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acllas.c,v retrieving revision 1.13 retrieving revision 1.14
diff -u -r1.13 -r1.14
--- acllas.c 1 Nov 2008 22:09:16 -0000 1.13
+++ acllas.c 5 Nov 2008 18:14:37 -0000 1.14
@@ -861,7 +861,7 @@
 /* Groupdn is full ldapurl? */
 if (0 == ldap_url_parse(groupNameOrig, &ludp) &&
 NULL != ludp->lud_dn &&
- NULL != ludp->lud_scope &&
+ -1 != ludp->lud_scope &&
 NULL != ludp->lud_filter) {
 /* Yes, it is full ldapurl; Let's run the search */
 myPb = slapi_pblock_new ();
From rmeggins at fedoraproject.org Wed Nov 5 18:21:07 2008
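Review bot: The condition on lud_dn, lud_scope and lud_filter still says nothing about `ludp->lud_host`, so a groupdn URL that names a host (and optionally a port) is accepted and, judging by the search setup that follows the test, is evaluated by the local internal search against this server's data rather than against the named host. Adding `NULL == ludp->lud_host &&` to the test (or checking for an empty host string, depending on what this ldap_url_parse fills in when the host is absent) would reject such values; alternatively the comment above the test should state that any host part is ignored, so ACI authors do not assume a remote group lookup is performed. The enclosing function and the pblock search that consumes ludp continue outside the hunk.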
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 5 Nov 2008 18:21:07 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/ldif template-dse.ldif.in, 1.9, 1.10 Message-ID: <20081105182107.D2BDF7013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/ldif In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/ldif Modified Files: template-dse.ldif.in Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 2 Reviewed by: nhosoi (Thanks!) Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining: nsUseStartTLS - on or off - tell connection to use startTLS - default is off nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind) The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter. Fixed a bug in the starttls code in slapi_ldap_init_ext. The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out. I fixed a bug in the sasl mapping debug trace code. 
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna Platforms tested: Fedora 8, Fedora 9 Flag Day: yes Doc impact: yes Index: template-dse.ldif.in =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/ldif/template-dse.ldif.in,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- template-dse.ldif.in 1 Jul 2008 22:30:05 -0000 1.9 +++ template-dse.ldif.in 5 Nov 2008 18:21:05 -0000 1.10 @@ -752,6 +752,9 @@ nsTransmittedControls: 1.3.6.1.4.1.1466.29539.12 nsPossibleChainingComponents: cn=resource limits,cn=components,cn=config nsPossibleChainingComponents: cn=certificate-based authentication,cn=components,cn=config +nsPossibleChainingComponents: cn=password policy,cn=components,cn=config +nsPossibleChainingComponents: cn=sasl,cn=components,cn=config +nsPossibleChainingComponents: cn=roles,cn=components,cn=config nsPossibleChainingComponents: cn=ACL Plugin,cn=plugins,cn=config nsPossibleChainingComponents: cn=old plugin,cn=plugins,cn=config nsPossibleChainingComponents: cn=referential integrity postoperation,cn=plugins,cn=config From rmeggins at fedoraproject.org Wed Nov 5 18:21:07 2008 
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 5 Nov 2008 18:21:07 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/chainingdb cb.h, 1.5, 1.6 cb_conn_stateless.c, 1.8, 1.9 cb_instance.c, 1.10, 1.11 Message-ID: <20081105182108.06CE17013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/plugins/chainingdb Modified Files: cb.h cb_conn_stateless.c cb_instance.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 2 Reviewed by: nhosoi (Thanks!) Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining: nsUseStartTLS - on or off - tell connection to use startTLS - default is off nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind) The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter. Fixed a bug in the starttls code in slapi_ldap_init_ext. The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out. 
I fixed a bug in the sasl mapping debug trace code. Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna Platforms tested: Fedora 8, Fedora 9 Flag Day: yes Doc impact: yes Index: cb.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb.h,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- cb.h 10 Nov 2006 23:44:50 -0000 1.5 +++ cb.h 5 Nov 2008 18:21:05 -0000 1.6 @@ -114,8 +114,10 @@ #define CB_CONFIG_SIZELIMIT "nsslapd-sizelimit" #define CB_CONFIG_TIMELIMIT "nsslapd-timelimit" #define CB_CONFIG_HOSTURL "nsFarmServerURL" +#define CB_CONFIG_STARTTLS "nsUseStartTLS" #define CB_CONFIG_BINDUSER "nsMultiplexorBindDn" +#define CB_CONFIG_BINDMECH "nsBindMechanism" #define CB_CONFIG_USERPASSWORD "nsMultiplexorCredentials" #define CB_CONFIG_MAXBINDCONNECTIONS "nsBindConnectionsLimit" #define CB_CONFIG_MAXCONNECTIONS "nsOperationConnectionsLimit" @@ -163,6 +165,8 @@ #define CB_DEF_HOPLIMIT "10" /* CB_CONFIG_HOPLIMIT */ #define CB_DEF_MAX_IDLE_TIME "60" /* CB_CONFIG_MAX_IDLE_TIME */ #define CB_DEF_MAX_TEST_TIME "15" /* CB_CONFIG_MAX_TEST_TIME */ +#define CB_DEF_STARTTLS "off" /* CB_CONFIG_STARTTLS */ +#define CB_DEF_BINDMECH LDAP_SASL_SIMPLE /* CB_CONFIG_BINDMECH */ typedef void *cb_config_get_fn_t(void *arg); typedef int cb_config_set_fn_t(void *arg, void *value, char *errorbuf, int phase, int apply); 
@@ -290,6 +294,8 @@ /* To protect the config set by LDAP */ PRRWLock * rwl_config_lock; + int starttls; /* use starttls with connection */ + char *mech; /* plain, external, or a sasl mech */ } cb_conn_pool; Index: cb_conn_stateless.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_conn_stateless.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- cb_conn_stateless.c 15 Oct 2008 06:29:54 -0000 1.8 +++ cb_conn_stateless.c 5 Nov 2008 18:21:05 -0000 1.9 @@ -164,6 +164,7 @@ char *password,*binddn,*hostname; unsigned int port; int secure; + char *mech = NULL;; static char *error1="Can't contact remote server : %s"; static char *error2="Can't bind to remote server : %s"; int isMultiThread = ENABLE_MULTITHREAD_PER_CONN ; /* by default, we enable multiple operations per connection */ @@ -199,6 +200,10 @@ hostname=pool->hostname; port=pool->port; secure=pool->secure; + if (pool->starttls) { + secure = 2; + } + mech=pool->mech; PR_RWLock_Unlock(pool->rwl_config_lock); @@ -348,12 +353,8 @@ /* For now, bind even if no user to detect error */ /* earlier */ if (pool->bindit) { - int msgid; - LDAPMessage *res=NULL; - int parse_rc; PRErrorCode prerr = 0; LDAPControl **serverctrls=NULL; - char **referrals=NULL; char *plain = NULL; int ret = -1; 
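Review bot: The declaration added in the `@@ -164,6 +164,7 @@` hunk, `char *mech = NULL;;`, carries a stray second semicolon; it compiles but reads as a typo next to the neighbouring declarations, so it should be `char *mech = NULL;`. The function this lands in starts before the hunk and continues past it.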
@@ -381,14 +382,21 @@ } /* Password-based client authentication */ + rc = slapi_ldap_bind(ld, binddn, plain, mech, NULL, &serverctrls, + &bind_to, NULL); - if (( msgid = ldap_simple_bind( ld, binddn, plain)) <0) { - rc=ldap_get_lderrno( ld, NULL, NULL ); - prerr=PR_GetError(); - } if ( ret == 0 ) slapi_ch_free_string(&plain); /* free plain only if it has been duplicated */ - if ( rc != LDAP_SUCCESS ) { + if ( rc == LDAP_TIMEOUT ) { + if (cb_debug_on()) { + slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, + "Can't bind to server <%s> port <%d>. (%s)\n", + hostname, port, "time-out expired"); + } + rc = LDAP_CONNECT_ERROR; + goto unlock_and_return; + } else if ( rc != LDAP_SUCCESS ) { + prerr=PR_GetError(); if (cb_debug_on()) { slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, "Can't bind to server <%s> port <%d>. " 
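Review bot: The new `rc == LDAP_TIMEOUT` branch returns `LDAP_CONNECT_ERROR` without filling `errmsg`, while the other bind-failure paths in this function (the `rc != LDAP_SUCCESS` branch right below it, and the paths the following hunk removes) report the reason through `*errmsg`, so a caller that surfaces `errmsg` sees nothing for the most common transient failure. Add `if ( errmsg ) { *errmsg = PR_smprintf(error2, "time-out expired"); }` before the `goto unlock_and_return;`. Folding the timeout into `LDAP_CONNECT_ERROR` also discards the distinction `slapi_ldap_bind` now makes; if callers only key on the connect error that is fine, but a one-line comment saying so would stop the next reader from "fixing" it. The enclosing function starts before the hunk and continues after it.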
@@ -405,67 +413,11 @@ goto unlock_and_return; } - rc = ldap_result( ld, msgid, 0, &bind_to, &res ); - switch (rc) { - case -1: - rc = ldap_get_lderrno( ld, NULL, NULL ); - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. " - "(LDAP error %d - %s; " - SLAPI_COMPONENT_NAME_NSPR " error %d - %s)\n", - hostname, port, rc, - ldap_err2string(rc), - prerr, slapd_pr_strerror(prerr)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2,ldap_err2string(rc)); - } - rc = LDAP_CONNECT_ERROR; - goto unlock_and_return; - case 0: - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, "time-out expired"); - } - rc = LDAP_CONNECT_ERROR; - goto unlock_and_return; - default: - - parse_rc = ldap_parse_result( ld, res, &rc, NULL, - NULL, &referrals, &serverctrls, 1 ); - - if ( parse_rc != LDAP_SUCCESS ) { - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, ldap_err2string(parse_rc)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2,ldap_err2string(parse_rc)); - } - rc = parse_rc; - goto unlock_and_return; - } - - if ( rc != LDAP_SUCCESS ) { - if (cb_debug_on()) { - slapi_log_error( SLAPI_LOG_PLUGIN, CB_PLUGIN_SUBSYSTEM, - "Can't bind to server <%s> port <%d>. (%s)\n", - hostname, port, ldap_err2string(rc)); - } - if ( errmsg ) { - *errmsg = PR_smprintf(error2, ldap_err2string(rc)); - } - goto unlock_and_return; - } - - if ( serverctrls ) + if ( serverctrls ) + { + int i; + for( i = 0; serverctrls[ i ] != NULL; ++i ) { - int i; - for( i = 0; serverctrls[ i ] != NULL; ++i ) - { if ( !(strcmp( serverctrls[ i ]->ldctl_oid, LDAP_CONTROL_PWEXPIRED)) ) { /* Bind is successful but password has expired */ 
@@ -487,12 +439,8 @@ binddn, hostname, port, password_expiring); } } - } - ldap_controls_free(serverctrls); - } - - if (referrals) - charray_free(referrals); + } + ldap_controls_free(serverctrls); } } @@ -896,6 +844,7 @@ LDAP *ld; LDAPMessage *result; time_t now; + int secure; if (cb->max_idle_time <=0) /* Heart-beat disabled */ return LDAP_SUCCESS; @@ -904,8 +853,12 @@ now = current_time(); if (end_time && ((now <= end_time) || (end_time <0))) return LDAP_SUCCESS; - - ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,cb->pool->secure,0); + + secure = cb->pool->secure; + if (cb->pool->starttls) { + secure = 2; + } + ld=slapi_ldap_init(cb->pool->hostname,cb->pool->port,secure,0); if (NULL == ld) { cb_update_failed_conn_cpt( cb ); return LDAP_SERVER_DOWN; @@ -914,6 +867,8 @@ timeout.tv_sec=cb->max_test_time; timeout.tv_usec=0; + /* NOTE: This will fail if we implement the ability to disable + anonymous bind */ rc=ldap_search_ext_s(ld ,NULL,LDAP_SCOPE_BASE,"objectclass=*",attrs,1,NULL, NULL, &timeout, 1,&result); if ( LDAP_SUCCESS != rc ) { Index: cb_instance.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- cb_instance.c 8 Oct 2008 17:29:01 -0000 1.10 +++ cb_instance.c 5 Nov 2008 18:21:05 -0000 1.11 @@ -53,7 +53,9 @@ /* Get functions */ static void *cb_instance_hosturl_get(void *arg); +static void *cb_instance_starttls_get(void *arg); static void *cb_instance_binduser_get(void *arg); +static void *cb_instance_bindmech_get(void *arg); static void *cb_instance_userpassword_get(void *arg); static void *cb_instance_maxbconn_get(void *arg); static void *cb_instance_maxconn_get(void *arg); 
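Review bot: In the heart-beat hunk (`@@ -904,8 +853,12 @@`) `secure` is forced to 2 when `nsUseStartTLS` is on, but nothing visible here shows what `slapi_ldap_init` does when the STARTTLS extended operation is refused or fails; if it hands back a cleartext `LDAP *` instead of NULL, the option silently downgrades to plaintext for both the heart-beat and the real connections, so that behaviour should be confirmed and documented next to this call, e.g. `/* secure==2: slapi_ldap_init must fail rather than fall back to cleartext when STARTTLS is rejected */`. The same three lines (`secure = pool->secure; if (pool->starttls) secure = 2;`) now appear here and in the connection-pool code changed earlier in this file; a tiny static helper such as `cb_pool_secure_level(pool)` would keep the two from drifting. The enclosing function continues outside the hunk.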
@@ -77,7 +79,9 @@ /* Set functions */ static int cb_instance_hosturl_set(void *arg, void *value, char *errorbuf, int phase, int apply); +static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_binduser_set(void *arg, void *value, char *errorbuf, int phase, int apply); +static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_userpassword_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_maxbconn_set(void *arg, void *value, char *errorbuf, int phase, int apply); static int cb_instance_maxconn_set(void *arg, void *value, char *errorbuf, int phase, int apply); @@ -120,6 +124,8 @@ {CB_CONFIG_HOPLIMIT,CB_CONFIG_TYPE_INT,CB_DEF_HOPLIMIT,&cb_instance_hoplimit_get, &cb_instance_hoplimit_set,CB_ALWAYS_SHOW}, {CB_CONFIG_MAX_IDLE_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_IDLE_TIME,&cb_instance_max_idle_get, &cb_instance_max_idle_set,CB_ALWAYS_SHOW}, {CB_CONFIG_MAX_TEST_TIME,CB_CONFIG_TYPE_INT,CB_DEF_MAX_TEST_TIME,&cb_instance_max_test_get, &cb_instance_max_test_set,CB_ALWAYS_SHOW}, +{CB_CONFIG_STARTTLS,CB_CONFIG_TYPE_ONOFF,CB_DEF_STARTTLS,&cb_instance_starttls_get, &cb_instance_starttls_set,CB_ALWAYS_SHOW}, +{CB_CONFIG_BINDMECH,CB_CONFIG_TYPE_STRING,CB_DEF_BINDMECH,&cb_instance_bindmech_get, &cb_instance_bindmech_set,CB_ALWAYS_SHOW}, {NULL, 0, NULL, NULL, NULL, 0} }; @@ -256,9 +262,9 @@ slapi_destroy_mutex(inst->pool->conn.conn_list_mutex); slapi_destroy_mutex(inst->monitor_availability.cpt_lock); slapi_destroy_mutex(inst->monitor_availability.lock_timeLimit); - slapi_ch_free((void **) &inst->configDn); - slapi_ch_free((void **) &inst->monitorDn); - slapi_ch_free((void **) &inst->inst_name); + slapi_ch_free_string(&inst->configDn); + slapi_ch_free_string(&inst->monitorDn); + slapi_ch_free_string(&inst->inst_name); charray_free(inst->every_attribute); slapi_ch_free((void **) &inst->bind_pool); 
@@ -1324,6 +1330,66 @@ } +static void *cb_instance_starttls_get(void *arg) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + uintptr_t data; + + PR_RWLock_Rlock(inst->rwl_config_lock); + data=inst->pool->starttls; + PR_RWLock_Unlock(inst->rwl_config_lock); + return (void *) data; +} + +static int cb_instance_starttls_set(void *arg, void *value, char *errorbuf, int phase, int apply) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + int rc = LDAP_SUCCESS; + + if (apply) { + PR_RWLock_Wlock(inst->rwl_config_lock); + inst->pool->starttls=(int) ((uintptr_t)value); + PR_RWLock_Unlock(inst->rwl_config_lock); + if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && + ( phase != CB_CONFIG_PHASE_STARTUP )) { + rc=CB_REOPEN_CONN; /* reconnect with the new starttls setting */ + } + } + return rc; +} + +static void *cb_instance_bindmech_get(void *arg) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + char * data; + + PR_RWLock_Rlock(inst->rwl_config_lock); + data = slapi_ch_strdup(inst->pool->mech); + PR_RWLock_Unlock(inst->rwl_config_lock); + return data; +} + +static int cb_instance_bindmech_set(void *arg, void *value, char *errorbuf, int phase, int apply) +{ + cb_backend_instance * inst=(cb_backend_instance *) arg; + int rc=LDAP_SUCCESS; + + if (apply) { + PR_RWLock_Wlock(inst->rwl_config_lock); + if (( phase != CB_CONFIG_PHASE_INITIALIZATION ) && + ( phase != CB_CONFIG_PHASE_STARTUP )) { + + /* Dynamic modif */ + charray_add(&inst->pool->waste_basket,inst->pool->mech); + rc=CB_REOPEN_CONN; + } + + inst->pool->mech=slapi_ch_strdup((char *) value); + PR_RWLock_Unlock(inst->rwl_config_lock); + } + return rc; +} + /* Finds an entry in a config_info array with the given name. Returns From rmeggins at fedoraproject.org Wed Nov 5 18:21:08 2008 
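Review bot: `cb_instance_bindmech_set` stores whatever string it is given (`inst->pool->mech=slapi_ch_strdup((char *) value);`) although the commit message says the value must be one of EXTERNAL, GSSAPI or DIGEST-MD5; a typo in `nsBindMechanism` is therefore accepted at config time and only shows up later as a failed chained bind, with the multiplexor credentials possibly offered to an unexpected mechanism. Validate before applying, e.g. `if (value && *(char *)value && strcasecmp(value, "EXTERNAL") && strcasecmp(value, "GSSAPI") && strcasecmp(value, "DIGEST-MD5")) { /* report via errorbuf as the sibling setters do */ return LDAP_UNWILLING_TO_PERFORM; }`, placed before the `if (apply)` so the check also runs in the validation phase. Note also that in the initialization/startup phases the previous `inst->pool->mech` is overwritten without being freed; that is only harmless if the setter is guaranteed to run once per instance at startup, which I cannot confirm from here.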
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 5 Nov 2008 18:21:08 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_connection.c, 1.10, 1.11 Message-ID: <20081105182108.1A0397013D@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/plugins/replication Modified Files: repl5_connection.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 2 Reviewed by: nhosoi (Thanks!) Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining: nsUseStartTLS - on or off - tell connection to use startTLS - default is off nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind) The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter. Fixed a bug in the starttls code in slapi_ldap_init_ext. The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out. I fixed a bug in the sasl mapping debug trace code. 
Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna Platforms tested: Fedora 8, Fedora 9 Flag Day: yes Doc impact: yes Index: repl5_connection.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_connection.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- repl5_connection.c 4 Nov 2008 18:23:08 -0000 1.10 +++ repl5_connection.c 5 Nov 2008 18:21:05 -0000 1.11 @@ -1563,7 +1563,7 @@ const char *mech = bind_method_to_mech(conn->bindmethod); rc = slapi_ldap_bind(conn->ld, binddn, password, mech, NULL, - &ctrls, NULL); + &ctrls, NULL, NULL); if ( rc == LDAP_SUCCESS ) { From rmeggins at fedoraproject.org Wed Nov 5 18:21:08 2008 
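Review bot: Passing `NULL` as the new timeout argument keeps the replication bind waiting indefinitely for the consumer's bind response, since `slapi_ldap_bind` now hands that value straight to `ldap_result`; a consumer that accepts the TCP connection but never answers the bind will pin this supplier thread. The agreement already carries connection timeouts elsewhere (not visible here), so consider passing that value instead of `NULL`, or at least leave a comment such as `/* NULL: wait forever, as before this change */` so the choice is recorded. The enclosing function starts and ends outside the hunk.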
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 5 Nov 2008 18:21:08 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd sasl_map.c, 1.9, 1.10 saslbind.c, 1.28, 1.29 slapi-plugin.h, 1.33, 1.34 slapi-private.h, 1.28, 1.29 util.c, 1.17, 1.18 Message-ID: <20081105182108.613C37013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12377/ldapserver/ldap/servers/slapd Modified Files: sasl_map.c saslbind.c slapi-plugin.h slapi-private.h util.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 2 Reviewed by: nhosoi (Thanks!) Fix Description: This part focuses on chaining backend - allowing the mux server to use SASL to connect to the farm server, and allowing SASL authentication to chain. I had to add two new config parameters for chaining: nsUseStartTLS - on or off - tell connection to use startTLS - default is off nsBindMechanism - if absent, will just use simple auth. If present, this must be one of the supported mechanisms (EXTERNAL, GSSAPI, DIGEST-MD5) - default is absent (simple bind) The chaining code uses a timeout, so I had to add a timeout to slapi_ldap_bind, and correct the replication code to pass in a NULL for the timeout parameter. Fixed a bug in the starttls code in slapi_ldap_init_ext. The sasl code uses an internal search to find the entry corresponding to the sasl user id. This search could not be chained due to the way it was coded. So I added a new chainable component called cn=sasl and changed the sasl internal search code to use this component ID. This allows the sasl code to work with a chained backend. In order to use chaining with sasl, this component must be set in the chaining configuration nsActiveChainingComponents. I also discovered that password policy must be configured too, in order for the sasl code to determine if the account is locked out. 
I fixed a bug in the sasl mapping debug trace code. Still to come - sasl mappings to work with all of this new code - kerberos code improvements - changes to pta and dna Platforms tested: Fedora 8, Fedora 9 Flag Day: yes Doc impact: yes Index: sasl_map.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- sasl_map.c 30 Jun 2008 17:28:16 -0000 1.9 +++ sasl_map.c 5 Nov 2008 18:21:06 -0000 1.10 @@ -440,6 +440,8 @@ } if (matched) { if (matched == 1) { + char escape_base[BUFSIZ]; + char escape_filt[BUFSIZ]; /* Allocate buffers for the returned strings */ /* We already computed this, so we could pass it in to speed up a little */ size_t userrealmlen = strlen(sasl_user_and_realm); @@ -448,7 +450,11 @@ *ldap_search_filter = (char *) slapi_ch_malloc(userrealmlen + strlen(dp->template_search_filter) + 1); slapd_re_subs(dp->template_base_dn,*ldap_search_base); slapd_re_subs(dp->template_search_filter,*ldap_search_filter); - LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n", ldap_search_base, ldap_search_filter, 0 ); + /* these values are internal regex representations with lots of + unprintable control chars - escape for logging */ + LDAPDebug( LDAP_DEBUG_TRACE, "mapped base dn: %s, filter: %s\n", + escape_string( *ldap_search_base, escape_base ), + escape_string( *ldap_search_filter, escape_filt ), 0 ); ret = 1; } else { LDAPDebug( LDAP_DEBUG_ANY, "sasl_map_check : re_exec failed\n", 0, 0, 0 ); Index: saslbind.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/saslbind.c,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- saslbind.c 4 Nov 2008 23:21:10 -0000 1.28 +++ saslbind.c 5 Nov 2008 18:21:06 -0000 1.29 
@@ -81,6 +81,21 @@ slapi_ch_free(&ptr); } +static Slapi_ComponentId *sasl_component_id = NULL; + +static void generate_component_id() +{ + if (NULL == sasl_component_id) { + sasl_component_id = generate_componentid(NULL /* Not a plugin */, + COMPONENT_SASL); + } +} + +static Slapi_ComponentId *sasl_get_component_id() +{ + return sasl_component_id; +} + /* * sasl library callbacks */ @@ -238,20 +253,23 @@ ) { Slapi_Entry **entries = NULL; - Slapi_PBlock *pb; + Slapi_PBlock *pb = NULL; int i, ret; LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search basedn=\"%s\" filter=\"%s\"\n", basedn, filter, 0); /* TODO: set size and time limits */ - - pb = slapi_search_internal(basedn, scope, filter, - ctrls, attrs, attrsonly); - if (pb == NULL) { - LDAPDebug(LDAP_DEBUG_TRACE, "null pblock from slapi_search_internal\n", 0, 0, 0); + pb = slapi_pblock_new(); + if (!pb) { + LDAPDebug(LDAP_DEBUG_TRACE, "null pblock for search_internal_pb\n", 0, 0, 0); goto out; } + slapi_search_internal_set_pb(pb, basedn, scope, filter, attrs, attrsonly, ctrls, + NULL, sasl_get_component_id(), 0); + + slapi_search_internal_pb(pb); + slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); if (ret != LDAP_SUCCESS) { LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search failed basedn=\"%s\" " @@ -261,7 +279,11 @@ } slapi_pblock_get(pb, SLAPI_PLUGIN_INTOP_SEARCH_ENTRIES, &entries); - if (entries == NULL) goto out; + if ((entries == NULL) || (entries[0] == NULL)) { + LDAPDebug(LDAP_DEBUG_TRACE, "sasl user search found no entries\n", + 0, 0, 0); + goto out; + } for (i = 0; entries[i]; i++) { (*foundp)++; @@ -546,6 +568,9 @@ LDAPDebug(LDAP_DEBUG_TRACE, "sasl service fqdn is: %s\n", serverfqdn, 0, 0); + /* get component ID for internal operations */ + generate_component_id(); + /* Set SASL memory allocation callbacks */ sasl_set_alloc( (sasl_malloc_t *)slapi_ch_malloc, 
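Review bot: The `/* TODO: set size and time limits */` line survives the rewrite of the user search, and the new `slapi_search_internal_set_pb(... sasl_get_component_id(), 0)` call still runs unbounded under an internal component identity, now potentially chained to another server; since the filter and base come from the SASL mapping templates with the client-supplied authid substituted in, a caller can make this an expensive search. The loop that follows counts every returned entry into `*foundp`, so more than one match is presumably treated as ambiguous anyway; capping the search (something like `int limit = 2; slapi_pblock_set(pb, SLAPI_SEARCH_SIZELIMIT, &limit);` before `slapi_search_internal_pb`, plus a time limit, exact parameter names to be checked) would bound the work without changing the outcome. The enclosing function starts before the hunk and continues after it.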
@@ -1016,4 +1041,3 @@ return; } - Index: slapi-plugin.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v retrieving revision 1.33 retrieving revision 1.34 diff -u -r1.33 -r1.34 --- slapi-plugin.h 4 Nov 2008 18:23:08 -0000 1.33 +++ slapi-plugin.h 5 Nov 2008 18:21:06 -0000 1.34 @@ -1103,6 +1103,7 @@ const char *mech, /* name of mechanism */ LDAPControl **serverctrls, /* additional controls to send */ LDAPControl ***returnedctrls, /* returned controls */ + struct timeval *timeout, /* timeout */ int *msgidp /* pass in non-NULL for async handling */ ); Index: slapi-private.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- slapi-private.h 24 Oct 2008 22:36:58 -0000 1.28 +++ slapi-private.h 5 Nov 2008 18:21:06 -0000 1.29 @@ -720,6 +720,7 @@ #define COMPONENT_RESLIMIT "cn=resource limits,"COMPONENT_BASE_DN #define COMPONENT_PWPOLICY "cn=password policy,"COMPONENT_BASE_DN #define COMPONENT_CERT_AUTH "cn=certificate-based authentication,"COMPONENT_BASE_DN +#define COMPONENT_SASL "cn=sasl,"COMPONENT_BASE_DN /* Component names for logging */ #define SLAPI_COMPONENT_NAME_NSPR "Netscape Portable Runtime" Index: util.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- util.c 4 Nov 2008 18:23:08 -0000 1.17 +++ util.c 5 Nov 2008 18:21:06 -0000 1.18 
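Review bot: The new `struct timeval *timeout, /* timeout */` parameter in the `slapi_ldap_bind` prototype in slapi-plugin.h is a public plugin API and its comment should state the contract rather than repeat the name: `/* max time to wait for the bind result; NULL waits forever; LDAP_TIMEOUT is returned on expiry */`. Whether the pending operation is abandoned on expiry is something the implementation in util.c decides, so the comment should say which. The prototype is only partly visible in the hunk.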
@@ -974,7 +974,17 @@ ssl_strength = LDAPSSL_AUTH_CERT; } - if (ldapssl_set_strength(ld, ssl_strength) != 0) { + /* Can only use ldapssl_set_strength on and LDAP* already + initialized for SSL - this is not the case when using + startTLS, so we use NULL to set the default for all + new connections */ + if (secure == 1) { + rc = ldapssl_set_strength(ld, ssl_strength); + } else { + rc = ldapssl_set_strength(NULL, ssl_strength); + } + + if (rc != 0) { int prerr = PR_GetError(); slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_init_ext", @@ -1052,6 +1062,7 @@ const char *mech, /* name of mechanism */ LDAPControl **serverctrls, /* additional controls to send */ LDAPControl ***returnedctrls, /* returned controls */ + struct timeval *timeout, /* timeout */ int *msgidp /* pass in non-NULL for async handling */ ) { @@ -1125,8 +1136,8 @@ if (msgidp) { /* let caller process result */ *msgidp = mymsgid; } else { /* process results */ - if (ldap_result(ld, mymsgid, LDAP_MSG_ALL, - (struct timeval *)0, &result) == -1) { + rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result); + if (-1 == rc) { /* error */ rc = ldap_get_lderrno(ld, NULL, NULL); slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", "Error reading bind response for id " @@ -1135,8 +1146,18 @@ mech ? mech : "SIMPLE", rc, ldap_err2string(rc)); goto done; - } - + } else if (rc == 0) { /* timeout */ + rc = LDAP_TIMEOUT; + slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", + "Error: timeout after [%d.%d] seconds reading " + "bind response for [%s] mech [%s]\n", + timeout ? timeout->tv_sec : 0, + timeout ? timeout->tv_usec : 0, + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE"); + goto done; + } + /* if we got here, we were able to read success result */ /* Get the controls sent by the server if requested */ if (returnedctrls) { if ((rc = ldap_parse_result(ld, result, &rc, NULL, NULL, From nhosoi at fedoraproject.org Wed Nov 5 23:50:01 2008 
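Review bot: In the `@@ -974,7 +974,17 @@` hunk, `ldapssl_set_strength(NULL, ssl_strength)` changes a process-wide default, as the new comment itself says, so when several StartTLS consumers (chaining instances, replication agreements) are configured with different certificate-verification strengths, whichever one initialises last sets the level for every later StartTLS connection in the server, and a weaker setting silently lowers verification for the others. If the SDK permits it, apply the strength to the specific `ld` once STARTTLS has been negotiated instead of touching the global; if it does not, document the last-writer-wins behaviour at this call (`/* NOTE: process-global: later callers override this for all subsequent StartTLS connections */`) so administrators are not surprised. The enclosing function starts and ends outside the hunk.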
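Review bot: In the `@@ -1135,8 +1146,18 @@` hunk the timeout path sets `rc = LDAP_TIMEOUT` and jumps to `done` without abandoning the outstanding bind, so if the caller keeps using `ld` the late bind result stays queued on the connection and can be picked up by a subsequent `ldap_result`; add `ldap_abandon(ld, mymsgid);` before the `goto done;` (or document that callers must drop the handle, which the chaining code appears to do by reporting a connect error). The log line also prints `tv_sec`/`tv_usec` with `%d` although both are `long`-sized on LP64 Linux, and prints the microseconds as a bare decimal tail, so `1.5000` reads as 1.5 s; use `"[%ld.%06ld] seconds"` with `(long)` casts on both values. The enclosing function starts before the hunk and continues after it.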
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Wed, 5 Nov 2008 23:50:01 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldif2ldbm.c, 1.20, 1.21 Message-ID: <20081105235001.145FF70139@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv18655 Modified Files: ldif2ldbm.c Log Message: Resolves: #469792 Summary: vlvindex should not give an error message when the vlvindex is empty Fix description: In ldbm_fetch_subtrees, if the parent entry to be vlvindexed ('ou=payroll,dc=example,dc=com' in this example) does not exist, then vlvindex with the proposed code issues this warning but no further messages. warning: entrydn not indexed on 'ou=payroll,dc=example,dc=com'; entry ou=payroll,dc=example,dc=com may not be added to the database yet. If the parent entry exists (entry id 10 in this example), but no descendant entries to be vlvindexed do not, then vlvindex with the proposed code issues this warning but no further messages. warning: ancestorid not indexed on 10; possibly, the entry id 10 has no descendants yet. Index: ldif2ldbm.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldif2ldbm.c,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- ldif2ldbm.c 17 Oct 2008 16:54:47 -0000 1.20 +++ ldif2ldbm.c 5 Nov 2008 23:49:58 -0000 1.21 
@@ -687,8 +687,16 @@ bv.bv_len = strlen(include[i]); idl = index_read(be, "entrydn", indextype_EQUALITY, &bv, txn, err); if (idl == NULL) { - LDAPDebug(LDAP_DEBUG_ANY, "warning: entrydn not indexed on '%s'\n", - include[i], 0, 0); + if (DB_NOTFOUND == *err) { + LDAPDebug(LDAP_DEBUG_ANY, + "warning: entrydn not indexed on '%s'; " + "entry %s may not be added to the database yet.\n", + include[i], include[i], 0); + *err = 0; /* not a problem */ + } else { + LDAPDebug(LDAP_DEBUG_ANY, + "warning: entrydn not indexed on '%s'\n", include[i], 0, 0); + } continue; } id = idl_firstid(idl); @@ -700,8 +708,17 @@ */ *err = ldbm_ancestorid_read(be, txn, id, &idl); if (idl == NULL) { - LDAPDebug(LDAP_DEBUG_ANY, "warning: ancestorid not indexed on %lu\n", - id, 0, 0); + if (DB_NOTFOUND == *err) { + LDAPDebug(LDAP_DEBUG_ANY, + "warning: ancestorid not indexed on %lu; " + "possibly, the entry id %lu has no descendants yet.\n", + id, id, 0); + *err = 0; /* not a problem */ + } else { + LDAPDebug(LDAP_DEBUG_ANY, + "warning: ancestorid not indexed on %lu\n", + id, 0, 0); + } continue; } 
@@ -1474,20 +1491,23 @@ idl = ldbm_fetch_subtrees(be, suffix_list, &err); charray_free(suffix_list); if (! idl) { - LDAPDebug(LDAP_DEBUG_ANY, + /* most likely, indexes are bad if err is set. */ + if (0 != err) { + LDAPDebug(LDAP_DEBUG_ANY, "%s: WARNING: Failed to fetch subtree lists: (%d) %s\n", inst->inst_name, err, dblayer_strerror(err)); - LDAPDebug(LDAP_DEBUG_ANY, + LDAPDebug(LDAP_DEBUG_ANY, "%s: Possibly the entrydn or ancestorid index is " "corrupted or does not exist.\n", inst->inst_name, 0, 0); - LDAPDebug(LDAP_DEBUG_ANY, + LDAPDebug(LDAP_DEBUG_ANY, "%s: Attempting brute-force method instead.\n", inst->inst_name, 0, 0); - if (task) { - slapi_task_log_notice(task, - "%s: WARNING: Failed to fetch subtree lists (err %d) -- " - "attempting brute-force method instead.", - inst->inst_name, err); + if (task) { + slapi_task_log_notice(task, + "%s: WARNING: Failed to fetch subtree lists (err %d) -- " + "attempting brute-force method instead.", + inst->inst_name, err); + } } } else if (ALLIDS(idl)) { /* that's no help. */ From nhosoi at fedoraproject.org Thu Nov 6 00:34:21 2008 
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Thu, 6 Nov 2008 00:34:21 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd sasl_map.c, 1.10, 1.11 Message-ID: <20081106003422.01A377013A@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23087 Modified Files: sasl_map.c Log Message: Resolves: #459302 Summary: SASL MAP: memory leak in sasl_map_init Fix Description: sasl_map_done put just comments to free the map list and the private structure, but not implemented them. Added the code to release the map list and the private structure. Index: sasl_map.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_map.c,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- sasl_map.c 5 Nov 2008 18:21:06 -0000 1.10 +++ sasl_map.c 6 Nov 2008 00:34:19 -0000 1.11 @@ -101,7 +101,6 @@ return new_priv; } -#if 0 /* unused for now */ static void sasl_map_free_private(sasl_map_private **priv) { @@ -109,7 +108,6 @@ slapi_ch_free((void**)priv); *priv = NULL; } -#endif /* This function does a shallow copy on the payload data supplied, so the caller should not free it, and it needs to be allocated using slapi_ch_malloc() */ static @@ -132,6 +130,10 @@ static void sasl_map_free_data(sasl_map_data **dp) { + slapi_ch_free_string(&(*dp)->name); + slapi_ch_free_string(&(*dp)->regular_expression); + slapi_ch_free_string(&(*dp)->template_base_dn); + slapi_ch_free_string(&(*dp)->template_search_filter); slapi_ch_free((void**)dp); } 
@@ -287,7 +289,8 @@ filtertemplate = slapi_entry_attr_get_charptr( entry, "nsSaslMapFilterTemplate" ); map_name = slapi_entry_attr_get_charptr( entry, "cn" ); - if ( (NULL == regex) || (NULL == basedntemplate) || (NULL == filtertemplate) ) { + if ( (NULL == map_name) || (NULL == regex) || + (NULL == basedntemplate) || (NULL == filtertemplate) ) { /* Invalid entry */ ret = -1; } else { @@ -296,6 +299,7 @@ } if (ret) { + slapi_ch_free((void **) &map_name); slapi_ch_free((void **) ®ex); slapi_ch_free((void **) &basedntemplate); slapi_ch_free((void **) &filtertemplate); @@ -405,8 +409,21 @@ int sasl_map_done() { int ret = 0; + sasl_map_private *priv = sasl_map_get_global_priv(); + sasl_map_data *dp = NULL; + /* Free the map list */ + PR_Lock(priv->lock); + dp = priv->map_data_list; + while (dp) { + sasl_map_data *dp_next = dp->next; + sasl_map_free_data(&dp); + dp = dp_next; + } + PR_Unlock(priv->lock); + /* Free the private structure */ + sasl_map_free_private(&priv); return ret; } From nhosoi at fedoraproject.org Thu Nov 6 01:02:23 2008 From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Thu, 6 Nov 2008 01:02:23 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd mempool.c, 1.1, 1.2 Message-ID: <20081106010223.707C27013B@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25685 Modified Files: mempool.c Log Message: Resolves: #466702 Summpary: Memory usage research: checking in the experimental code Comment: added a missing line Index: mempool.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/mempool.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- mempool.c 15 Oct 2008 06:30:05 -0000 1.1 +++ mempool.c 6 Nov 2008 01:02:21 -0000 1.2 
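Review bot: In the new `sasl_map_done`, `sasl_map_free_private(&priv)` frees the structure through a local copy of the pointer, so whatever `sasl_map_get_global_priv()` reads is left dangling; the partially visible `sasl_map_free_private` only nulls the pointer it is passed. Any late caller (a bind arriving during shutdown, or a second `sasl_map_done`) would then dereference freed memory, so the global should be cleared in the same step, e.g. through a setter or by freeing the global pointer directly rather than the local. The hunk also locks `priv->lock` and then frees the owning struct; I cannot see whether `sasl_map_free_private` destroys the PRLock, and if it does not, the lock is leaked.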
@@ -234,6 +234,7 @@ if ((maxfreelist > 0) && (my_mempool[type].mempool_count > maxfreelist)) { return LDAP_UNWILLING_TO_PERFORM; } else { + ((struct mempool_object *)object)->mempool_next = mempool[type].mempool_head; my_mempool[type].mempool_head = (struct mempool_object *)object; my_mempool[type].mempool_cleanup_fn = cleanup; my_mempool[type].mempool_count++; From nhosoi at fedoraproject.org Thu Nov 6 21:04:19 2008 From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Thu, 6 Nov 2008 21:04:19 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_instance_config.c, 1.11, 1.12 Message-ID: <20081106210419.E426E7013A@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27815 Modified Files: ldbm_instance_config.c Log Message: Resolves: #463774 Summary: index files for database should be deleted when db is deleted. Fix Description: The callback ldbm_instance_post_delete_instance_entry_callback is called when the backend instance is removed. In the callback, there was a code to cleanup the primary db (id2entry.db#), but no other index files nor the instance directory. Also, the code included a bug to get the instance directory path. The proposed code gets the right instance directory path and cleans up all the files in the directory, then removes the backend instance directory. Index: ldbm_instance_config.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_instance_config.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- ldbm_instance_config.c 8 Oct 2008 17:29:04 -0000 1.11 +++ ldbm_instance_config.c 6 Nov 2008 21:04:17 -0000 1.12 
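Review bot: The added line reads `mempool[type].mempool_head` while every other statement in the branch writes `my_mempool[type]`; unless `mempool` is an alias for `my_mempool`, the returned object is chained onto a different list's head than the one it is pushed onto, so the previous head of `my_mempool[type]` is dropped (leaked) or two lists end up cross-linked. The intended line is presumably `((struct mempool_object *)object)->mempool_next = my_mempool[type].mempool_head;`. The enclosing function starts before the hunk, so the declaration of `my_mempool` is not visible here to confirm.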
@@ -939,34 +939,53 @@ struct dblayer_private_env *pEnv = priv->dblayer_env; if(pEnv) { PRDir *dirhandle = NULL; - char dbName[MAXPATHLEN*2]; - char *dbNamep = NULL; - char *p; - int dbbasenamelen, dbnamelen; - int rc; + char inst_dir[MAXPATHLEN*2]; + char *inst_dirp = NULL; + if (inst->inst_dir_name == NULL){ dblayer_get_instance_data_dir(inst->inst_be); } - dirhandle = PR_OpenDir(inst->inst_dir_name); - /* the db dir instance may have been removed already */ - if (dirhandle){ - dbNamep = dblayer_get_full_inst_dir(li, inst, - dbName, MAXPATHLEN*2); - dbbasenamelen = strlen(dbNamep); - dbnamelen = dbbasenamelen + 14; /* "/id2entry.db#" + '\0' */ - if (dbnamelen > MAXPATHLEN*2) - { - dbNamep = (char *)slapi_ch_realloc(dbNamep, dbnamelen); + inst_dirp = dblayer_get_full_inst_dir(li, inst, + inst_dir, MAXPATHLEN*2); + if (NULL != inst_dirp) { + dirhandle = PR_OpenDir(inst_dirp); + /* the db dir instance may have been removed already */ + if (dirhandle) { + PRDirEntry *direntry = NULL; + char *dbp = NULL; + char *p = NULL; + while (NULL != (direntry = PR_ReadDir(dirhandle, + PR_SKIP_DOT|PR_SKIP_DOT_DOT))) { + int rc; + if (!direntry->name) + break; + + dbp = PR_smprintf("%s/%s", inst_dirp, direntry->name); + if (NULL == dbp) { + LDAPDebug (LDAP_DEBUG_ANY, + "ldbm_instance_post_delete_instance_entry_callback:" + " failed to generate db path: %s/%s\n", + inst_dirp, direntry->name, 0); + break; + } + + p = strstr(dbp, LDBM_FILENAME_SUFFIX); + if (NULL != p && + strlen(p) == strlen(LDBM_FILENAME_SUFFIX)) { + rc = dblayer_db_remove(pEnv, dbp, 0); + } else { + rc = PR_Delete(dbp); + } + PR_ASSERT(rc == 0); + PR_smprintf_free(dbp); + } + PR_CloseDir(dirhandle); } - p = dbNamep + dbbasenamelen; - sprintf(p, "%c%s%s", get_sep(dbNamep), - "id2entry", LDBM_FILENAME_SUFFIX); - rc = dblayer_db_remove(pEnv, dbName, 0); - PR_ASSERT(rc == 0); - if (dbNamep != dbName) - slapi_ch_free_string(&dbNamep); - PR_CloseDir(dirhandle); + PR_RmDir(inst_dirp); } /* non-null dirhandle */ + if 
(inst_dirp != inst_dir) { + slapi_ch_free_string(&inst_dirp); + } } /* non-null pEnv */ } From nkinder at fedoraproject.org Fri Nov 7 22:32:59 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Fri, 7 Nov 2008 22:32:59 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/ldif template-dse.ldif.in, 1.10, 1.11 Message-ID: <20081107223259.F36267013B@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/ldif In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8277/ldap/ldif Modified Files: template-dse.ldif.in Log Message: Resolves: 316241 Summary: Add config setting to disable unauthenticated binds. Index: template-dse.ldif.in =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/ldif/template-dse.ldif.in,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- template-dse.ldif.in 5 Nov 2008 18:21:05 -0000 1.10 +++ template-dse.ldif.in 7 Nov 2008 22:32:57 -0000 1.11 @@ -27,6 +27,7 @@ nsslapd-rewrite-rfc1274: off nsslapd-return-exact-case: on nsslapd-ssl-check-hostname: on +nsslapd-allow-unauthenticated-binds: off nsslapd-port: %ds_port% nsslapd-localuser: %ds_user% nsslapd-errorlog-logging-enabled: on From nkinder at fedoraproject.org Fri Nov 7 22:33:00 2008 
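Review bot: Failures of `dblayer_db_remove` and `PR_Delete` inside the loop are only checked by `PR_ASSERT(rc == 0)`, which compiles to nothing in non-debug builds, so a file that cannot be removed is silently left behind and the trailing `PR_RmDir(inst_dirp)` (also unchecked) then fails just as quietly, leaving index files with live directory data on disk after the backend is deleted. Replace the assert with a logged check, e.g. `if (rc != 0) LDAPDebug(LDAP_DEBUG_ANY, "ldbm_instance_post_delete_instance_entry_callback: failed to remove %s (%d)\n", dbp, rc, 0);`, and treat `PR_RmDir`'s result the same way. Because the loop unlinks every entry under `inst_dirp`, it is also worth confirming that `dblayer_get_full_inst_dir` cannot resolve to the parent database directory when `inst->inst_dir_name` is still NULL — the `dblayer_get_instance_data_dir` call that is supposed to fill it in has its result ignored. The callback begins before the hunk.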
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Fri, 7 Nov 2008 22:33:00 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd bind.c, 1.17, 1.18 libglobs.c, 1.28, 1.29 proto-slap.h, 1.41, 1.42 slap.h, 1.38, 1.39 Message-ID: <20081107223300.17C2A700FB@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8277/ldap/servers/slapd Modified Files: bind.c libglobs.c proto-slap.h slap.h Log Message: Resolves: 316241 Summary: Add config setting to disable unauthenticated binds. Index: bind.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/bind.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- bind.c 24 Oct 2008 22:36:58 -0000 1.17 +++ bind.c 7 Nov 2008 22:32:57 -0000 1.18 @@ -259,9 +259,6 @@ PR_Lock( pb->pb_conn->c_mutex ); - /* According to RFC2251, - * "if the bind fails, the connection will be treated as anonymous". - */ bind_credentials_clear( pb->pb_conn, PR_FALSE, /* do not lock conn */ PR_FALSE /* do not clear external creds. */ ); @@ -442,6 +439,21 @@ plugin_call_plugins( pb, SLAPI_PLUGIN_POST_BIND_FN ); } goto free_and_return; + } else if ( cred.bv_len == 0 ) { + /* Increment unauthenticated bind counter */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); + + /* Refuse the operation if unauthenticated binds are disabled. */ + if (!config_get_unauth_binds_switch()) { + /* As stated in RFC 4513, a server SHOULD by default fail + * Unauthenticated Bind requests with a resultCode of + * unwillingToPerform. */ + send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, + "Unauthenticated binds are not allowed", 0, NULL); + /* increment BindSecurityErrorcount */ + slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); + goto free_and_return; + } } break; default: 
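Review bot: `dsUnAuthBinds` is incremented before `config_get_unauth_binds_switch()` is consulted, so a refused unauthenticated bind is counted both there and in `dsBindSecurityErrors`; if attempts rather than accepted binds are what the counter is meant to show, say so above the increment, e.g. `/* counts unauthenticated bind attempts, including ones refused below */`, otherwise move the increment after the check. The refusal branch also returns without calling the post-bind plugins, whereas the anonymous branch just above it calls `SLAPI_PLUGIN_POST_BIND_FN`; if that asymmetry is deliberate it deserves a one-line comment. The enclosing `switch` and the preceding branch begin outside the hunk.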
@@ -453,26 +465,22 @@ */ if ( isroot && method == LDAP_AUTH_SIMPLE ) { - if ( cred.bv_len == 0 ) { - /* unauthenticated bind */ - slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsUnAuthBinds); - - } else { + if (cred.bv_len != 0) { /* a passwd was supplied -- check it */ Slapi_Value cv; slapi_value_init_berval(&cv,&cred); + /* right dn and passwd - authorize */ if ( is_root_dn_pw( slapi_sdn_get_ndn(&sdn), &cv )) { - /* right dn and passwd - authorize */ bind_credentials_set( pb->pb_conn, SLAPD_AUTH_SIMPLE, slapi_ch_strdup( slapi_sdn_get_ndn(&sdn) ), NULL, NULL, NULL , NULL); - /* right dn, wrong passwd - reject with invalid creds */ + /* right dn, wrong passwd - reject with invalid creds */ } else { send_ldap_result( pb, LDAP_INVALID_CREDENTIALS, NULL, NULL, 0, NULL ); - /* increment BindSecurityErrorcount */ + /* increment BindSecurityErrorcount */ slapi_counter_increment(g_get_global_snmp_vars()->ops_tbl.dsBindSecurityErrors); value_done(&cv); goto free_and_return; Index: libglobs.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v retrieving revision 1.28 retrieving revision 1.29 diff -u -r1.28 -r1.29 --- libglobs.c 24 Oct 2008 22:36:58 -0000 1.28 +++ libglobs.c 7 Nov 2008 22:32:57 -0000 1.29 @@ -491,7 +491,7 @@ {CONFIG_SLAPI_COUNTER_ATTRIBUTE, config_set_slapi_counters, NULL, 0, (void**)&global_slapdFrontendConfig.slapi_counters, CONFIG_ON_OFF, - config_get_slapi_counters}, + (ConfigGetFunc)config_get_slapi_counters}, {CONFIG_ACCESSLOG_MINFREEDISKSPACE_ATTRIBUTE, NULL, log_set_mindiskspace, SLAPD_ACCESS_LOG, (void**)&global_slapdFrontendConfig.accesslog_minfreespace, CONFIG_INT, NULL}, 
@@ -590,7 +590,11 @@ config_set_outbound_ldap_io_timeout, NULL, 0, (void **)&global_slapdFrontendConfig.outbound_ldap_io_timeout, - CONFIG_INT, NULL} + CONFIG_INT, NULL}, + {CONFIG_UNAUTH_BINDS_ATTRIBUTE, config_set_unauth_binds_switch, + NULL, 0, + (void**)&global_slapdFrontendConfig.allow_unauth_binds, CONFIG_ON_OFF, + (ConfigGetFunc)config_get_unauth_binds_switch} #ifdef MEMPOOL_EXPERIMENTAL ,{CONFIG_MEMPOOL_SWITCH_ATTRIBUTE, config_set_mempool_switch, NULL, 0, @@ -840,6 +844,7 @@ #if defined(ENABLE_AUTO_DN_SUFFIX) cfg->ldapi_auto_dn_suffix = slapi_ch_strdup("cn=peercred,cn=external,cn=auth"); #endif + cfg->allow_unauth_binds = LDAP_OFF; cfg->slapi_counters = LDAP_ON; cfg->threadnumber = SLAPD_DEFAULT_MAX_THREADS; cfg->maxthreadsperconn = SLAPD_DEFAULT_MAX_THREADS_PER_CONN; @@ -4427,6 +4432,20 @@ return retVal; } + +int +config_get_unauth_binds_switch(void) +{ + int retVal; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + CFG_LOCK_READ(slapdFrontendConfig); + retVal = slapdFrontendConfig->allow_unauth_binds; + CFG_UNLOCK_READ(slapdFrontendConfig); + + return retVal; +} + + int config_is_slapd_lite () { @@ -5124,6 +5143,23 @@ } +int +config_set_unauth_binds_switch( const char *attrname, char *value, + char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + retVal = config_set_onoff(attrname, + value, + &(slapdFrontendConfig->allow_unauth_binds), + errorbuf, + apply); + + return retVal; +} + + /* * This function is intended to be used from the dse code modify callback. It * is "optimized" for that case because it takes a berval** of values, which is Index: proto-slap.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v retrieving revision 1.41 retrieving revision 1.42 diff -u -r1.41 -r1.42 --- proto-slap.h 4 Nov 2008 18:23:08 -0000 1.41 +++ proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42 
@@ -338,6 +338,7 @@ int config_set_rewrite_rfc1274( const char *attrname, char *value, char *errorbuf, int apply ); int config_set_outbound_ldap_io_timeout( const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_unauth_binds_switch(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_accesslogbuffering(const char *attrname, char *value, char *errorbuf, int apply); int config_set_csnlogging(const char *attrname, char *value, char *errorbuf, int apply); @@ -461,6 +462,7 @@ int config_get_hash_filters(); int config_get_rewrite_rfc1274(); int config_get_outbound_ldap_io_timeout(void); +int config_get_unauth_binds_switch(void); int config_get_csnlogging(); #ifdef MEMPOOL_EXPERIMENTAL int config_get_mempool_switch(); Index: slap.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v retrieving revision 1.38 retrieving revision 1.39 diff -u -r1.38 -r1.39 --- slap.h 24 Oct 2008 22:36:58 -0000 1.38 +++ slap.h 7 Nov 2008 22:32:57 -0000 1.39 @@ -1693,6 +1693,7 @@ #define CONFIG_USEROC_ATTRIBUTE "nsslapd-useroc" #define CONFIG_USERAT_ATTRIBUTE "nsslapd-userat" #define CONFIG_SVRTAB_ATTRIBUTE "nsslapd-svrtab" +#define CONFIG_UNAUTH_BINDS_ATTRIBUTE "nsslapd-allow-unauthenticated-binds" #ifndef _WIN32 #define CONFIG_LOCALUSER_ATTRIBUTE "nsslapd-localuser" #endif /* !_WIN32 */ @@ -1981,6 +1982,7 @@ char *ldapi_search_base_dn; /* base dn to search for mapped entries */ char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */ int slapi_counters; /* switch to turn slapi_counters on/off */ + int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */ #ifndef _WIN32 struct passwd *localuserinfo; /* userinfo of localuser */ #endif /* _WIN32 */ From rmeggins at fedoraproject.org Mon Nov 10 16:01:09 2008 
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Mon, 10 Nov 2008 16:01:09 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/dna dna.c, 1.14, 1.15 Message-ID: <20081110160109.523E27013A@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/dna In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv15522/ldapserver/ldap/servers/plugins/dna Modified Files: dna.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 3 - dna plugin Reviewed by: nkinder (Thanks!) Fix Description: Changed the DNA code to use the new slapi_ldap_init/slapi_ldap_bind code. Also changed the code to get the port number to use from the replication agreement. Added some more replication internal code knowledge to the DNA code (unfortunately). Platforms tested: Fedora 9 Flag Day: no Doc impact: yes Index: dna.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/dna/dna.c,v retrieving revision 1.14 retrieving revision 1.15 diff -u -r1.14 -r1.15 --- dna.c 3 Nov 2008 23:21:16 -0000 1.14 +++ dna.c 10 Nov 2008 16:01:05 -0000 1.15 @@ -118,6 +118,7 @@ #define DNA_REPL_CREDS "nsds5ReplicaCredentials" #define DNA_REPL_BIND_METHOD "nsds5ReplicaBindMethod" #define DNA_REPL_TRANSPORT "nsds5ReplicaTransportInfo" +#define DNA_REPL_PORT "nsds5ReplicaPort" #define DNA_FEATURE_DESC "Distributed Numeric Assignment" #define DNA_EXOP_FEATURE_DESC "DNA Range Extension Request" @@ -261,7 +262,7 @@ static int dna_is_replica_bind_dn(char *range_dn, char *bind_dn); static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server, char **bind_dn, char **bind_passwd, - char **bind_method, int *is_ssl); + char **bind_method, int *is_ssl, int *port); /** * @@ -1483,7 +1484,6 @@ return ret; } - /* * dna_request_range() * 
@@ -1500,7 +1500,6 @@ char *bind_passwd = NULL; char *bind_method = NULL; int is_ssl = 0; - int is_client_auth = 0; struct berval *request = NULL; char *retoid = NULL; struct berval *responsedata = NULL; @@ -1510,6 +1509,7 @@ char *upper_str = NULL; int set_extend_flag = 0; int ret = LDAP_OPERATIONS_ERROR; + int port = 0; /* See if we're allowed to send a range request now */ slapi_lock_mutex(config_entry->extend_lock); @@ -1529,26 +1529,14 @@ /* Fetch the replication bind dn info */ if (dna_get_replica_bind_creds(config_entry->shared_cfg_base, server, - &bind_dn, &bind_passwd, &bind_method, &is_ssl) != 0) { + &bind_dn, &bind_passwd, &bind_method, + &is_ssl, &port) != 0) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_request_range: Unable to retrieve " "replica bind credentials.\n"); goto bail; } - if (strcasecmp(bind_method, "SIMPLE") == 0) { - slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, - "dna_request_range: Using SIMPLE bind method.\n"); - } else if (strcasecmp(bind_method, "SSLCLIENTAUTH") == 0) { - slapi_log_error(SLAPI_LOG_PLUGIN, DNA_PLUGIN_SUBSYSTEM, - "dna_request_range: Using SSLCLIENTAUTH bind method.\n"); - is_client_auth = 1; - } else { - slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, - "dna_request_range: Unknown bind method.\n"); - goto bail; - } - if ((request = dna_create_range_request(config_entry->shared_cfg_base)) == NULL) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_request_range: Failed to create " @@ -1556,7 +1544,7 @@ goto bail; } - if ((ld = slapi_ldap_init(server->host, is_ssl?server->secureport:server->port, is_ssl, 0)) == NULL) { + if ((ld = slapi_ldap_init(server->host, port, is_ssl, 0)) == NULL) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, "dna_request_range: Unable to " "initialize LDAP session to server %s:%u.\n", 
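Review bot: `port` is whatever `dna_get_replica_bind_creds` reads from `nsds5ReplicaPort` via `slapi_entry_attr_get_int` and is passed straight to `slapi_ldap_init`; if the attribute is absent or unparsable it stays 0 and the session is initialised on port 0, whereas the removed code fell back to `server->port` / `server->secureport`. Keep that fallback after the creds fetch: `if (port <= 0) port = is_ssl ? server->secureport : server->port;`, and reject values above 65535 since an arbitrary int is otherwise accepted. `dna_request_range` starts before the hunk.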
@@ -1567,15 +1555,11 @@ /* Disable referrals and set timelimit and a connect timeout */ ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF); ldap_set_option(ld, LDAP_OPT_TIMELIMIT, &config_entry->timeout); - ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &config_entry->timeout); + ldap_set_option(ld, LDAP_X_OPT_CONNECT_TIMEOUT, &config_entry->timeout); /* Bind to the replica server */ - if (is_client_auth) { - ret = slapd_SSL_client_bind_s(ld, bind_dn, bind_passwd, - is_ssl, LDAP_VERSION3); - } else { - ret = ldap_simple_bind_s(ld, bind_dn, bind_passwd); - } + ret = slapi_ldap_bind(ld, bind_dn, bind_passwd, bind_method, + NULL, NULL, NULL, NULL); if (ret != LDAP_SUCCESS) { slapi_log_error(SLAPI_LOG_FATAL, DNA_PLUGIN_SUBSYSTEM, @@ -2363,14 +2347,14 @@ static int dna_get_replica_bind_creds(char *range_dn, struct dnaServer *server, char **bind_dn, char **bind_passwd, - char **bind_method, int *is_ssl) + char **bind_method, int *is_ssl, int *port) { Slapi_PBlock *pb = NULL; Slapi_DN *range_sdn = NULL; char *replica_dn = NULL; Slapi_Backend *be = NULL; const char *be_suffix = NULL; - char *attrs[5]; + char *attrs[6]; char *filter = NULL; char *bind_cred = NULL; char *transport = NULL; @@ -2388,15 +2372,16 @@ replica_dn = slapi_ch_smprintf("cn=replica,cn=\"%s\",cn=mapping tree,cn=config", be_suffix); - filter = slapi_ch_smprintf("(&(nsds5ReplicaHost=%s)(|(nsds5ReplicaPort=%u)" - "(nsds5ReplicaPort=%u)))", + filter = slapi_ch_smprintf("(&(nsds5ReplicaHost=%s)(|(" DNA_REPL_PORT "=%u)" + "(" DNA_REPL_PORT "=%u)))", server->host, server->port, server->secureport); attrs[0] = DNA_REPL_BIND_DN; attrs[1] = DNA_REPL_CREDS; attrs[2] = DNA_REPL_BIND_METHOD; attrs[3] = DNA_REPL_TRANSPORT; - attrs[4] = 0; + attrs[4] = DNA_REPL_PORT; + attrs[5] = 0; pb = slapi_pblock_new(); if (NULL == pb) { 
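Review bot: `server->host` is interpolated into the replica-lookup filter with `%s` and no escaping of LDAP filter metacharacters (`*`, `(`, `)`, `\`), so a hostname value containing them would alter or break the filter; this predates the hunk (only the attribute name macro changed), but the value appears to come from shared DNA configuration written by peer servers rather than from the local admin, so it is not fully trusted. Escape the value before building the filter, or match the host with a value comparison after the search instead of a printf-built filter. `dna_get_replica_bind_creds` begins before this hunk and continues after it.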
@@ -2440,14 +2425,34 @@ *bind_method = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_BIND_METHOD); bind_cred = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_CREDS); transport = slapi_entry_attr_get_charptr(entries[0], DNA_REPL_TRANSPORT); + *port = slapi_entry_attr_get_int(entries[0], DNA_REPL_PORT); /* Check if we should use SSL */ if (transport && (strcasecmp(transport, "SSL") == 0)) { *is_ssl = 1; + } else if (transport && (strcasecmp(transport, "TLS") == 0)) { + *is_ssl = 2; } else { *is_ssl = 0; } + /* fix up the bind method */ + if ((NULL == *bind_method) || (strcasecmp(*bind_method, "SIMPLE") == 0)) { + slapi_ch_free_string(bind_method); + *bind_method = slapi_ch_strdup(LDAP_SASL_SIMPLE); + } else if (strcasecmp(*bind_method, "SSLCLIENTAUTH") == 0) { + slapi_ch_free_string(bind_method); + *bind_method = slapi_ch_strdup(LDAP_SASL_EXTERNAL); + } else if (strcasecmp(*bind_method, "SASL/GSSAPI") == 0) { + slapi_ch_free_string(bind_method); + *bind_method = slapi_ch_strdup("GSSAPI"); + } else if (strcasecmp(*bind_method, "SASL/DIGEST-MD5") == 0) { + slapi_ch_free_string(bind_method); + *bind_method = slapi_ch_strdup("DIGEST-MD5"); + } else { /* some other weird value */ + ; /* just use it directly */ + } + /* Decode the password */ if (bind_cred) { int pw_ret = 0; @@ -2472,7 +2477,7 @@ /* If we didn't get both a bind DN and a decoded password, * then just free everything and return an error. */ - if (*bind_dn && *bind_passwd && *bind_method) { + if (*bind_dn && *bind_passwd) { ret = 0; } else { slapi_ch_free_string(bind_dn); From rmeggins at fedoraproject.org Mon Nov 10 23:57:49 2008 
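Review bot: The success condition was relaxed to `*bind_dn && *bind_passwd`, but it still insists on a decoded password after the method has just been mapped to `LDAP_SASL_EXTERNAL` or `"GSSAPI"`, and agreements using SSL client auth or GSSAPI normally carry no `nsds5ReplicaCredentials`; those agreements fall into the error branch and the range request is never sent. Make the requirement mechanism-dependent: require a password only for simple and DIGEST-MD5 binds, and require a bind DN only when the mechanism is not EXTERNAL or GSSAPI. `*is_ssl = 2` as a StartTLS marker is also a magic value that should get a named constant or at least a comment, since `slapi_ldap_init` callers elsewhere rely on the same convention. The function continues outside the hunk.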
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Mon, 10 Nov 2008 23:57:49 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/passthru passthru.h, 1.5, 1.6 ptconfig.c, 1.9, 1.10 Message-ID: <20081110235749.A74D270139@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31171/ldapserver/ldap/servers/plugins/passthru Modified Files: passthru.h ptconfig.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 4 - pta, winsync Reviewed by: nhosoi (Thanks!) Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead. For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows. Platforms tested: Fedora 9 Flag Day: no Doc impact: yes Index: passthru.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru/passthru.h,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- passthru.h 10 Nov 2006 23:45:04 -0000 1.5 +++ passthru.h 10 Nov 2008 23:57:47 -0000 1.6 
@@ -112,7 +112,7 @@ char *ptsrvr_url; /* copy from argv[i] */ char *ptsrvr_hostname; int ptsrvr_port; - int ptsrvr_secure; /* use SSL? */ + int ptsrvr_secure; /* use SSL? or TLS == 2 */ int ptsrvr_ldapversion; int ptsrvr_maxconnections; int ptsrvr_maxconcurrency; Index: ptconfig.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/passthru/ptconfig.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- ptconfig.c 8 Oct 2008 17:29:02 -0000 1.9 +++ ptconfig.c 10 Nov 2008 23:57:47 -0000 1.10 @@ -101,7 +101,7 @@ int passthru_config( int argc, char **argv ) { - int i, j, rc, tosecs, using_def_connlifetime; + int i, j, rc, tosecs, using_def_connlifetime, starttls = 0; char **suffixarray; PassThruServer *prevsrvr, *srvr; PassThruSuffix *suffix, *prevsuffix; @@ -170,11 +170,13 @@ * parse parameters. format is: * maxconnections,maxconcurrency,timeout,ldapversion * OR maxconnections,maxconcurrency,timeout,ldapversion,lifetime + * OR maxconnections,maxconcurrency,timeout,ldapversion,lifetime,starttls */ *p++ = '\0'; /* p points at space preceding optional arguments */ - rc = sscanf( p, "%d,%d,%d,%d,%d", &srvr->ptsrvr_maxconnections, + rc = sscanf( p, "%d,%d,%d,%d,%d,%d", &srvr->ptsrvr_maxconnections, &srvr->ptsrvr_maxconcurrency, &tosecs, - &srvr->ptsrvr_ldapversion, &srvr->ptsrvr_connlifetime ); + &srvr->ptsrvr_ldapversion, &srvr->ptsrvr_connlifetime, + &starttls); if ( rc < 4 ) { slapi_log_error( SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM, "server parameters should be in the form " 
@@ -184,8 +186,13 @@ } else if ( rc < 5 ) { using_def_connlifetime = 1; srvr->ptsrvr_connlifetime = PASSTHRU_DEF_SRVR_CONNLIFETIME; - } else { - using_def_connlifetime = 0; + starttls = 0; + } else if ( rc < 6 ) { + using_def_connlifetime = 0; /* lifetime specified */ + starttls = 0; /* but not starttls */ + } else { /* all 6 args supplied */ + using_def_connlifetime = 0; /* lifetime specified */ + /* and starttls */ } if ( srvr->ptsrvr_ldapversion != LDAP_VERSION2 @@ -241,6 +248,9 @@ srvr->ptsrvr_port = ludp->lud_port; srvr->ptsrvr_secure = (( ludp->lud_options & LDAP_URL_OPT_SECURE ) != 0 ); + if (starttls) { + srvr->ptsrvr_secure = 2; + } /* * If a space-separated list of hosts is configured for failover, From rmeggins at fedoraproject.org Mon Nov 10 23:57:49 2008 
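Review bot: `starttls` overrides `ptsrvr_secure` to 2 even when the URL was `ldaps://` and `LDAP_URL_OPT_SECURE` has just set it to 1, so a contradictory configuration (StartTLS on an already-TLS port) is silently resolved in favour of StartTLS instead of being rejected at config time. Check for the conflict right after the assignment, e.g. `if (starttls && srvr->ptsrvr_secure) { slapi_log_error(SLAPI_LOG_FATAL, PASSTHRU_PLUGIN_SUBSYSTEM, "starttls cannot be combined with an ldaps:// URL\n"); /* take the existing config-error path */ }`. The `%d` conversion also accepts any integer for `starttls`, so values other than 0 or 1 are treated as 1 without complaint; the parameter-format comment should say the field is 0 or 1. `passthru_config` continues outside the hunk.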
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Mon, 10 Nov 2008 23:57:49 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication windows_connection.c, 1.20, 1.21 repl5_connection.c, 1.11, 1.12 Message-ID: <20081110235750.218A570133@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31171/ldapserver/ldap/servers/plugins/replication Modified Files: windows_connection.c repl5_connection.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - part 4 - pta, winsync Reviewed by: nhosoi (Thanks!) Fix Description: Allow pass through auth (PTA) to use starttls. PTA uses the old style argv config params, so I just added an optional starttls (0, 1) to the end of the list, since there is currently no way to encode the startTLS extop in the LDAP URL. NOTE: adding support for true pass through auth for sasl or external cert auth will require a lot of work - not sure it's worth it - anyone other than console users can use chaining backend instead. For windows sync, I just ported the same slapi_ldap_init/slapi_ldap_bind changes made to regular replication to the windows specific code. The Windows code still needs the do_simple_bind function to check the windows password, but it is not used for server to server bind anymore. NOTE: Windows does support startTLS, but I did not test the SASL mechanisms with Windows. Platforms tested: Fedora 9 Flag Day: no Doc impact: yes Index: windows_connection.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/windows_connection.c,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- windows_connection.c 27 Aug 2008 21:46:55 -0000 1.20 +++ windows_connection.c 10 Nov 2008 23:57:47 -0000 1.21 
@@ -102,9 +102,6 @@ static Slapi_Eq_Context repl5_start_debug_timeout(int *setlevel); static void repl5_stop_debug_timeout(Slapi_Eq_Context eqctx, int *setlevel); static void repl5_debug_timeout_callback(time_t when, void *arg); -#ifndef DSE_RETURNTEXT_SIZE -#define SLAPI_DSE_RETURNTEXT_SIZE 512 -#endif #define STATE_CONNECTED 600 #define STATE_DISCONNECTED 601 @@ -1190,21 +1187,14 @@ conn->plain = slapi_ch_strdup (plain); if (!pw_ret) slapi_ch_free((void**)&plain); } + /* ugaston: if SSL has been selected in the replication agreement, SSL client * initialisation should be done before ever trying to open any connection at all. */ - if (conn->transport_flags == TRANSPORT_FLAG_TLS) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication secured by StartTLS not currently supported\n", - agmt_get_long_name(conn->agmt)); - - return_value = CONN_OPERATION_FAILED; - conn->last_ldap_error = LDAP_STRONG_AUTH_NOT_SUPPORTED; - conn->state = STATE_DISCONNECTED; - } else if(conn->transport_flags == TRANSPORT_FLAG_SSL) + if ((conn->transport_flags == TRANSPORT_FLAG_TLS) || + (conn->transport_flags == TRANSPORT_FLAG_SSL)) { /** Make sure the SSL Library has been initialized before anything else **/ @@ -1217,11 +1207,13 @@ conn->last_operation = CONN_INIT; ber_bvfree(creds); creds = NULL; - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_connect\n", 0, 0, 0 ); return CONN_SSL_NOT_ENABLED; - } else + } else if (conn->transport_flags == TRANSPORT_FLAG_SSL) { secure = 1; + } else + { + secure = 2; /* 2 means starttls security */ } } 
@@ -1230,11 +1222,12 @@ /* Now we initialize the LDAP Structure and set options */ slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, - "%s: Trying %s slapi_ldap_init\n", + "%s: Trying %s%s slapi_ldap_init_ext\n", agmt_get_long_name(conn->agmt), - secure ? "secure" : "non-secure"); + secure ? "secure" : "non-secure", + (secure == 2) ? " startTLS" : ""); - conn->ld = slapi_ldap_init(conn->hostname, conn->port, secure, 0); + conn->ld = slapi_ldap_init_ext(NULL, conn->hostname, conn->port, secure, 0, NULL); if (NULL == conn->ld) { return_value = CONN_OPERATION_FAILED; @@ -1242,9 +1235,10 @@ conn->last_operation = CONN_INIT; conn->last_ldap_error = LDAP_LOCAL_ERROR; slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Failed to establish %sconnection to the consumer\n", + "%s: Failed to establish %s%sconnection to the consumer\n", agmt_get_long_name(conn->agmt), - secure ? "secure " : ""); + secure ? "secure " : "", + (secure == 2) ? "startTLS " : ""); ber_bvfree(creds); creds = NULL; LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_connect\n", 0, 0, 0 ); @@ -1684,6 +1678,26 @@ LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed\n", 0, 0, 0 ); } +static const char * +bind_method_to_mech(int bindmethod) +{ + switch (bindmethod) { + case BINDMETHOD_SSL_CLIENTAUTH: + return LDAP_SASL_EXTERNAL; + break; + case BINDMETHOD_SASL_GSSAPI: + return "GSSAPI"; + break; + case BINDMETHOD_SASL_DIGEST_MD5: + return "DIGEST-MD5"; + break; + default: /* anything else */ + return LDAP_SASL_SIMPLE; + } + + return LDAP_SASL_SIMPLE; +} + /* * Check the result of an ldap_simple_bind operation to see we it * contains the expiration controls 
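Review bot: In `bind_method_to_mech` every `break` after a `return` and the final `return LDAP_SASL_SIMPLE` after the switch are unreachable; since `default:` already returns, the function can end with the switch and the `break`s can go. A short comment on the function would also help readers: if the SDK in use defines `LDAP_SASL_SIMPLE` as a null pointer, the function may return NULL, which is why callers log it as `mech ? mech : "SIMPLE"` — that should be stated rather than left implicit.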
@@ -1695,101 +1709,26 @@ { LDAPControl **ctrls = NULL; - LDAPMessage *res = NULL; - char *errmsg = NULL; LDAP *ld = conn->ld; - int msgid; - int *msgidAdr = &msgid; int rc; + const char *mech = bind_method_to_mech(conn->bindmethod); - char * optype; /* ldap_simple_bind or slapd_SSL_client_bind */ - - LDAPDebug( LDAP_DEBUG_TRACE, "=> windows_conn_set_agmt_changed\n", 0, 0, 0 ); - - if ( conn->transport_flags == TRANSPORT_FLAG_SSL ) - { - char *auth; - optype = "ldap_sasl_bind"; - - if ( conn->bindmethod == BINDMETHOD_SSL_CLIENTAUTH ) - { - rc = slapd_sasl_ext_client_bind(conn->ld, &msgidAdr); - auth = "SSL client authentication"; - - if ( rc == LDAP_SUCCESS ) - { - if (conn->last_ldap_error != rc) - { - conn->last_ldap_error = rc; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind with %s resumed\n", - agmt_get_long_name(conn->agmt), auth); - } - } - else - { - /* Do not report the same error over and over again */ - if (conn->last_ldap_error != rc) - { - conn->last_ldap_error = rc; - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind with %s failed: LDAP error %d (%s)\n", - agmt_get_long_name(conn->agmt), auth, rc, - ldap_err2string(rc)); - } + LDAPDebug( LDAP_DEBUG_TRACE, "=> bind_and_check_pwp\n", 0, 0, 0 ); - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 ); + rc = slapi_ldap_bind(conn->ld, binddn, password, mech, NULL, + &ctrls, NULL, NULL); - return (CONN_OPERATION_FAILED); - } - } - else - { - if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 ) - { - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 ); - return (CONN_OPERATION_FAILED); - } - } - } - else + if ( rc == LDAP_SUCCESS ) { - optype = "ldap_simple_bind"; - if( ( msgid = do_simple_bind( conn, ld, binddn, password ) ) == -1 ) + if (conn->last_ldap_error != rc) { - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - 
CONN_OPERATION_FAILED\n", 0, 0, 0 ); - return (CONN_OPERATION_FAILED); + conn->last_ldap_error = rc; + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Replication bind with %s auth resumed\n", + agmt_get_long_name(conn->agmt), + mech ? mech : "SIMPLE"); } - } - /* Wait for the result */ - if ( ldap_result( ld, msgid, LDAP_MSG_ALL, NULL, &res ) == -1 ) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Received error from consumer for %s operation\n", - - agmt_get_long_name(conn->agmt), optype); - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 ); - - return (CONN_OPERATION_FAILED); - } - /* Don't check ldap_result against 0 because, no timeout is specified */ - - /* Free res as we won't use it any longer */ - if ( ldap_parse_result( ld, res, &rc, NULL, NULL, NULL, &ctrls, 1 /* Free res */) - != LDAP_SUCCESS ) - { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Received error from consumer for %s operation\n", - agmt_get_long_name(conn->agmt), optype); - - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 ); - - return (CONN_OPERATION_FAILED); - } - - if ( rc == LDAP_SUCCESS ) - { if ( ctrls ) { int i; 
@@ -1820,20 +1759,28 @@ ldap_controls_free( ctrls ); } - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_SUCCESS\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "<= bind_and_check_pwp - CONN_OPERATION_SUCCESS\n", 0, 0, 0 ); return (CONN_OPERATION_SUCCESS); } else { - /* errmsg is a pointer directly into the ld structure - do not free */ - rc = ldap_get_lderrno( ld, NULL, &errmsg ); - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Replication bind to %s on consumer failed: %d (%s)\n", - agmt_get_long_name(conn->agmt), binddn, rc, errmsg); + ldap_controls_free( ctrls ); + /* Do not report the same error over and over again */ + if (conn->last_ldap_error != rc) + { + char *errmsg = NULL; + conn->last_ldap_error = rc; + /* errmsg is a pointer directly into the ld structure - do not free */ + rc = ldap_get_lderrno( ld, NULL, &errmsg ); + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, + "%s: Replication bind with %s auth failed: LDAP error %d (%s) (%s)\n", + agmt_get_long_name(conn->agmt), + mech ? mech : "SIMPLE", rc, + ldap_err2string(rc), errmsg); + } - conn->last_ldap_error = rc; /* specific error */ - LDAPDebug( LDAP_DEBUG_TRACE, "<= windows_conn_set_agmt_changed - CONN_OPERATION_FAILED\n", 0, 0, 0 ); + LDAPDebug( LDAP_DEBUG_TRACE, "<= bind_and_check_pwp - CONN_OPERATION_FAILED\n", 0, 0, 0 ); return (CONN_OPERATION_FAILED); } } @@ -1861,7 +1808,7 @@ ldap_parse_result( conn->ld, res, &rc, NULL, NULL, NULL, NULL, 1 /* Free res */); /* rebind as the DN specified in the sync agreement */ - do_simple_bind(conn, conn->ld, conn->binddn, conn->plain); + bind_and_check_pwp(conn, conn->binddn, conn->plain); return rc; } 
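Review bot: In the failure branch `conn->last_ldap_error = rc;` stores the code returned by slapi_ldap_bind, but the very next line `rc = ldap_get_lderrno( ld, NULL, &errmsg );` overwrites `rc`, so the code that gets logged can differ from the one remembered for the next "do not report the same error" comparison. Keep them apart: `int lderr = ldap_get_lderrno( ld, NULL, &errmsg );` and log `lderr, ldap_err2string(lderr), errmsg ? errmsg : ""` — the guard also covers `errmsg` being NULL, which `ldap_get_lderrno` may leave it and which is undefined for `%s`. The function's opening and its success branch are in the preceding hunk.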
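Review bot: `bind_and_check_pwp(conn, conn->binddn, conn->plain);` discards the CONN_OPERATION_* result, so a failed rebind leaves the connection's authentication state unknown while the caller still receives `rc` from the earlier `ldap_parse_result`. The old `do_simple_bind` call ignored its result too, but the replacement reports the outcome, so it is cheap to act on it: `if (bind_and_check_pwp(conn, conn->binddn, conn->plain) != CONN_OPERATION_SUCCESS) { /* log, or fold into rc */ }`. The enclosing function starts outside the hunk.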
@@ -1886,10 +1833,11 @@ conn->last_ldap_error = ldaperr; slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "%s: Simple bind failed, " - SLAPI_COMPONENT_NAME_LDAPSDK " error %d (%s), " + SLAPI_COMPONENT_NAME_LDAPSDK " error %d (%s) (%s), " SLAPI_COMPONENT_NAME_NSPR " error %d (%s)\n", agmt_get_long_name(conn->agmt), - ldaperr, ldaperrtext ? ldaperrtext : ldap_err2string(ldaperr), + ldaperr, ldap_err2string(ldaperr), + ldaperrtext ? ldaperrtext : "", prerr, slapd_pr_strerror(prerr)); } } Index: repl5_connection.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_connection.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- repl5_connection.c 5 Nov 2008 18:21:05 -0000 1.11 +++ repl5_connection.c 10 Nov 2008 23:57:47 -0000 1.12 @@ -991,9 +991,10 @@ conn->last_operation = CONN_INIT; conn->last_ldap_error = LDAP_LOCAL_ERROR; slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, - "%s: Failed to establish %sconnection to the consumer\n", + "%s: Failed to establish %s%sconnection to the consumer\n", agmt_get_long_name(conn->agmt), - secure ? "secure " : ""); + secure ? "secure " : "", + (secure == 2) ? "startTLS " : ""); ber_bvfree(creds); creds = NULL; return return_value; From nhosoi at fedoraproject.org Tue Nov 11 21:31:44 2008 
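Review bot: `(secure == 2) ? "startTLS " : ""` in the repl5_connection.c hunk compares against a bare literal, so the meaning of `secure`'s values lives only in the caller; presumably 1 is SSL and 2 is startTLS, but the hunk does not say. Either name the values where `secure` is assigned or add `/* secure: 1 = SSL, 2 = startTLS */` next to the test. Note that when secure is 2 both format arguments are non-empty and the message reads "secure startTLS connection", which seems intended but is worth stating. The enclosing function starts and ends outside the hunk.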
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Tue, 11 Nov 2008 21:31:44 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm cache.c, 1.7, 1.8 Message-ID: <20081111213145.647A570140@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv22092 Modified Files: cache.c Log Message: Resolves: #207457 Summary: (64bitcounters) rhds 7.1 - server stats use 32-bit integers - entrycachehitratio 1503% Description: additional fix for #207457; e->ep_refcnt should have been protected by cache->c_mutex, otherwise it breaks the lru list under the stress.
Index: cache.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/cache.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- cache.c 24 Oct 2008 22:36:59 -0000 1.7
+++ cache.c 11 Nov 2008 21:31:41 -0000 1.8
@@ -938,8 +938,8 @@
 }
 if (e->ep_refcnt == 0)
 lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
 e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
 slapi_counter_increment(cache->c_hits);
 } else {
 PR_Unlock(cache->c_mutex);
@@ -969,8 +969,8 @@
 }
 if (e->ep_refcnt == 0)
 lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
 e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
 slapi_counter_increment(cache->c_hits);
 } else {
 PR_Unlock(cache->c_mutex);
@@ -1000,8 +1000,8 @@
 }
 if (e->ep_refcnt == 0)
 lru_delete(cache, e);
- PR_Unlock(cache->c_mutex);
 e->ep_refcnt++;
+ PR_Unlock(cache->c_mutex);
 slapi_counter_increment(cache->c_hits);
 } else {
 PR_Unlock(cache->c_mutex);
From nkinder at fedoraproject.org Wed Nov 12 16:58:09 2008
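Review bot: The same sequence — `lru_delete` when `ep_refcnt` is zero, `e->ep_refcnt++`, then `PR_Unlock(cache->c_mutex)` — is repeated verbatim in all three hunks (@@ -938, @@ -969, @@ -1000), and this commit had to patch each copy to move the increment under the lock. A small static helper called with the mutex held (for example `cache_take_ref_locked(cache, e)`) would keep the three lookup paths from drifting apart again. The move itself is right as far as the hunks show: the refcount is now written before the unlock, and `slapi_counter_increment(cache->c_hits)` can stay outside the lock since slapi_counter appears to be implemented with atomic operations. The enclosing functions start and end outside the hunks.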
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Wed, 12 Nov 2008 16:58:09 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd slapi_counter.c, 1.5, 1.6 Message-ID: <20081112165809.75BD97012B@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30012/ldap/servers/slapd Modified Files: slapi_counter.c Log Message: Resolves: 207457 Summary: Correct use of offset in counter ASM for passed in parameter.
Index: slapi_counter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi_counter.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- slapi_counter.c 30 Oct 2008 19:06:55 -0000 1.5
+++ slapi_counter.c 12 Nov 2008 16:58:06 -0000 1.6
@@ -451,7 +451,7 @@
 " movl 4%0, %%edx;"
 /* Put addval in ECX:EBX */
 " movl %2, %%ebx;"
- " movl 4%2, %%ecx;"
+ " movl 4+%2, %%ecx;"
 /* Add value from EDX:EAX to value in ECX:EBX */
 " addl %%eax, %%ebx;"
 " adcl %%edx, %%ecx;"
@@ -498,7 +498,7 @@
 " movl %%edx, %%ecx;"
 /* Subtract subval from value in ECX:EBX */
 " subl %2, %%ebx;"
- " sbbl 4%2, %%ecx;"
+ " sbbl 4+%2, %%ecx;"
 /* If EDX:EAX and ptr are the same, replace *ptr with ECX:EBX */
 " lock; cmpxchg8b %0;"
 " jnz retrysub;"
From rmeggins at fedoraproject.org Wed Nov 12 17:42:39 2008
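Review bot: `" jnz retrysub;"` (and the matching label in the add path) branches to a fixed assembler label inside an inline asm block; if the compiler ever emits that block twice in one translation unit (inlining or cloning of the enclosing function) the assembler fails with a duplicate label. GCC-style local numeric labels avoid that: define the loop head as `"1:"` and branch with `" jnz 1b;"`. The operand fix itself looks right — `4+%2` is the form that expands to a valid address whether the operand is register-indirect or a symbol, which `4%2` is not. The asm statements start and end outside the hunks.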
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 12 Nov 2008 17:42:39 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd util.c, 1.18, 1.19 Message-ID: <20081112174239.D59A370140@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2757/ldapserver/ldap/servers/slapd Modified Files: util.c Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - kerberos improvements Reviewed by: ssorce (Thanks!) Fix Description: I made several improvements to the kerberos code at Simo's suggestion First look for the principal in the ccache. If not found, use the username if it does not look like a DN. If still not found, construct a principal using the krb5_sname_to_principal() function to construct "ldap/fqdn at REALM". Next, see if the credentials for this principal are still valid. In order to grab the credentials from the ccache, I needed to construct the server principal, which in this case is the TGS service principal (e.g. krbtgt/REALM at REALM). If the credentials are present and not expired, then the code assumes they are ok and does not acquire new credentials. If the credentials are expired or not found, the code will then use the keytab to authenticate. Based on more feedback from Simo, I made some additional changes: * Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn * Retry the bind in the case of Ticket expired. 
There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information Platforms tested: Fedora 8, Fedora 9 Flag Day: no Doc impact: oh yes Index: util.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/util.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- util.c 5 Nov 2008 18:21:06 -0000 1.18 +++ util.c 12 Nov 2008 17:42:37 -0000 1.19 @@ -72,10 +72,6 @@ #define _CSEP '/' #endif -#ifdef HAVE_KRB5 -static void set_krb5_creds(); -#endif - static int special_np(unsigned char c) { @@ -1136,7 +1132,7 @@ if (msgidp) { /* let caller process result */ *msgidp = mymsgid; } else { /* process results */ - rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result); + rc = ldap_result(ld, mymsgid, LDAP_MSG_ALL, timeout, &result); if (-1 == rc) { /* error */ rc = ldap_get_lderrno(ld, NULL, NULL); slapi_log_error(SLAPI_LOG_FATAL, "slapi_ldap_bind", @@ -1219,6 +1215,16 @@ char *realm; } ldapSaslInteractVals; +#ifdef HAVE_KRB5 +static void set_krb5_creds( + const char *authid, + const char *username, + const char *passwd, + const char *realm, + ldapSaslInteractVals *vals +); +#endif + static void * ldap_sasl_set_interact_vals(LDAP *ld, const char *mech, const char *authid, const char *username, const char *passwd, @@ -1249,12 +1255,6 @@ } } -#ifdef HAVE_KRB5 - if (mech && !strcmp(mech, "GSSAPI")) { - username = NULL; /* get from krb creds */ - } -#endif - if (username) { /* use explicit passed in value */ vals->username = slapi_ch_strdup(username); } else { /* use option value if any */ @@ -1281,7 +1281,7 @@ #ifdef HAVE_KRB5 if (mech && !strcmp(mech, "GSSAPI")) { - set_krb5_creds(); + set_krb5_creds(authid, username, passwd, realm, vals); } #endif /* HAVE_KRB5 */ 
@@ -1368,6 +1368,20 @@
 return (LDAP_SUCCESS);
 }
 
+/* figure out from the context and this error if we should
+ attempt to retry the bind */
+static int
+can_retry_bind(LDAP *ld, const char *mech, const char *bindid,
+ const char *creds, int rc, const char *errmsg)
+{
+ int localrc = 0;
+ if (errmsg && strstr(errmsg, "Ticket expired")) {
+ localrc = 1;
+ }
+
+ return localrc;
+}
+
 int
 slapd_ldap_sasl_interactive_bind(
 LDAP *ld, /* ldap connection */
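Review bot: `can_retry_bind` decides to retry on `strstr(errmsg, "Ticket expired")`, a substring of a human-readable diagnostic produced by the peer server or its SASL/GSSAPI library, so the retry silently stops working if that text is ever reworded or localized; the commit message acknowledges no error code is available. Record the dependency where it lives: `/* matches the GSSAPI diagnostic text - no error code is available; the retry re-runs set_krb5_creds, which re-acquires expired creds */`. Five of the six parameters (`ld`, `mech`, `bindid`, `creds`, `rc`) are unused; either drop them or say they are reserved for further heuristics, otherwise -Wunused-parameter flags this function.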
@@ -1380,22 +1394,36 @@ ) { int rc = LDAP_SUCCESS; - void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid, - creds, NULL); - /* have to first set the defaults used by the callback function */ - /* call the bind function */ - rc = ldap_sasl_interactive_bind_ext_s(ld, bindid, mech, serverctrls, - NULL, LDAP_SASL_QUIET, - ldap_sasl_interact_cb, defaults, - returnedctrls); - ldap_sasl_free_interact_vals(defaults); - if (LDAP_SUCCESS != rc) { - slapi_log_error(SLAPI_LOG_FATAL, "slapd_ldap_sasl_interactive_bind", - "Error: could not perform interactive bind for id " - "[%s] mech [%s]: error %d (%s)\n", - bindid ? bindid : "(anon)", - mech ? mech : "SIMPLE", - rc, ldap_err2string(rc)); + int tries = 0; + + while (tries < 2) { + void *defaults = ldap_sasl_set_interact_vals(ld, mech, NULL, bindid, + creds, NULL); + /* have to first set the defaults used by the callback function */ + /* call the bind function */ + rc = ldap_sasl_interactive_bind_ext_s(ld, bindid, mech, serverctrls, + NULL, LDAP_SASL_QUIET, + ldap_sasl_interact_cb, defaults, + returnedctrls); + ldap_sasl_free_interact_vals(defaults); + if (LDAP_SUCCESS != rc) { + char *errmsg = NULL; + rc = ldap_get_lderrno(ld, NULL, &errmsg); + slapi_log_error(SLAPI_LOG_FATAL, "slapd_ldap_sasl_interactive_bind", + "Error: could not perform interactive bind for id " + "[%s] mech [%s]: error %d (%s) (%s)\n", + bindid ? bindid : "(anon)", + mech ? mech : "SIMPLE", + rc, ldap_err2string(rc), errmsg); + if (can_retry_bind(ld, mech, bindid, creds, rc, errmsg)) { + ; /* pass through to retry one time */ + } else { + break; /* done - fail - cannot retry */ + } + } else { + break; /* done - success */ + } + tries++; } return rc; 
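Review bot: `errmsg` is handed to a `%s` conversion in the failure log with no NULL guard; `ldap_get_lderrno` may leave it NULL, and a NULL `%s` argument is undefined behavior (glibc merely happens to print "(null)"). Change the argument to `rc, ldap_err2string(rc), errmsg ? errmsg : ""` — the new failure logging in bind_and_check_pwp in the first commit above has the same gap. A one-line comment at `while (tries < 2) {` should say that the second pass rebuilds the interact defaults, which is what makes a retry after ticket expiry meaningful. The function's tail is outside the hunk.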
@@ -1506,6 +1534,94 @@ return; } +static int +looks_like_a_dn(const char *username) +{ + return (username && strchr(username, '=')); +} + +static int +credentials_are_valid( + krb5_context ctx, + krb5_ccache cc, + krb5_principal princ, + const char *princ_name, + int *rc +) +{ + char *logname = "credentials_are_valid"; + int myrc = 0; + krb5_creds mcreds; /* match these values */ + krb5_creds creds; /* returned creds */ + char *tgs_princ_name = NULL; + krb5_timestamp currenttime; + int authtracelevel = SLAPI_LOG_SHELL; /* special auth tracing */ + int realm_len; + char *realm_str; + int time_buffer = 30; /* seconds - go ahead and renew if creds are + about to expire */ + + memset(&mcreds, 0, sizeof(mcreds)); + memset(&creds, 0, sizeof(creds)); + *rc = 0; + if (!cc) { + /* ok - no error */ + goto cleanup; + } + + /* have to construct the tgs server principal in + order to set mcreds.server required in order + to use krb5_cc_retrieve_creds() */ + /* get default realm first */ + realm_len = krb5_princ_realm(ctx, princ)->length; + realm_str = krb5_princ_realm(ctx, princ)->data; + tgs_princ_name = slapi_ch_smprintf("%s/%*s@%*s", KRB5_TGS_NAME, + realm_len, realm_str, + realm_len, realm_str); + + if ((*rc = krb5_parse_name(ctx, tgs_princ_name, &mcreds.server))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could parse principal [%s]: %d (%s)\n", + tgs_princ_name, *rc, error_message(*rc)); + goto cleanup; + } + + mcreds.client = princ; + if ((*rc = krb5_cc_retrieve_cred(ctx, cc, 0, &mcreds, &creds))) { + if (*rc == KRB5_CC_NOTFOUND) { + /* ok - no creds for this princ in the cache */ + *rc = 0; + } + goto cleanup; + } + + /* have the creds - now look at the timestamp */ + if ((*rc = krb5_timeofday(ctx, ¤ttime))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Could not get current time: %d (%s)\n", + *rc, error_message(*rc)); + goto cleanup; + } + + if (currenttime > (creds.times.endtime + time_buffer)) { + slapi_log_error(authtracelevel, logname, + "Credentials for 
[%s] have expired or will soon " + "expire - now [%d] endtime [%d]\n", princ_name, + currenttime, creds.times.endtime); + goto cleanup; + } + + myrc = 1; /* credentials are valid */ +cleanup: + krb5_free_cred_contents(ctx, &creds); + slapi_ch_free_string(&tgs_princ_name); + if (mcreds.server) { + krb5_free_principal(ctx, mcreds.server); + } + + return myrc; +} + /* * This implementation assumes that we want to use the * keytab from the default keytab env. var KRB5_KTNAME @@ -1517,7 +1633,13 @@ * env var to point to those credentials. */ static void -set_krb5_creds() +set_krb5_creds( + const char *authid, + const char *username, + const char *passwd, + const char *realm, + ldapSaslInteractVals *vals +) { char *logname = "set_krb5_creds"; const char *cc_type = "MEMORY"; /* keep cred cache in memory */ @@ -1526,11 +1648,8 @@ krb5_principal princ = NULL; char *princ_name = NULL; krb5_error_code rc = 0; - krb5_error_code looprc = 0; krb5_creds creds; krb5_keytab kt = NULL; - krb5_keytab_entry ktent; - krb5_kt_cursor ktcur = NULL; char *cc_name = NULL; char ktname[MAX_KEYTAB_NAME_LEN]; static char cc_env_name[1024+32]; /* size from ccdefname.c */ 
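Review bot: The expiry test is inverted relative to its own comment: `currenttime > (creds.times.endtime + time_buffer)` treats the creds as stale only 30 s *after* they have expired, while `time_buffer` is described as "go ahead and renew if creds are about to expire"; the intended check is `if (currenttime + time_buffer > creds.times.endtime) {`. Separately, `slapi_ch_smprintf("%s/%*s@%*s", ...)` uses `%*s` (a minimum field width) where a precision is needed — krb5_data buffers are not guaranteed NUL-terminated, so this can read past the realm bytes; use `"%s/%.*s@%.*s"` with the same arguments. Smaller points: the log text `"Could parse principal [%s]"` is missing "not", and `¤ttime` on the `krb5_timeofday` line looks like the mailing-list rendering of `&currenttime` rather than source text.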
@@ -1634,6 +1753,57 @@ goto cleanup; } + /* need to figure out which principal to use + 1) use the one from the ccache + 2) use username + 3) construct one in the form ldap/fqdn at REALM + */ + if (!princ && username && !looks_like_a_dn(username) && + (rc = krb5_parse_name(ctx, username, &princ))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Error: could not convert [%s] into a kerberos " + "principal: %d (%s)\n", username, + rc, error_message(rc)); + goto cleanup; + } + + /* if still no principal, construct one */ + if (!princ && + (rc = krb5_sname_to_principal(ctx, NULL, "ldap", + KRB5_NT_SRV_HST, &princ))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Error: could not construct ldap service " + "principal: %d (%s)\n", rc, error_message(rc)); + goto cleanup; + } + + if ((rc = krb5_unparse_name(ctx, princ, &princ_name))) { + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to get name of principal: " + "%d (%s)\n", rc, error_message(rc)); + goto cleanup; + } + + slapi_log_error(authtracelevel, logname, + "Using principal named [%s]\n", princ_name); + + /* grab the credentials from the ccache, if any - + if the credentials are still valid, we do not have + to authenticate again */ + if (credentials_are_valid(ctx, cc, princ, princ_name, &rc)) { + slapi_log_error(authtracelevel, logname, + "Credentials for principal [%s] are still " + "valid - no auth is necessary.\n", + princ_name); + goto cleanup; + } else if (rc) { /* some error other than "there are no credentials" */ + slapi_log_error(SLAPI_LOG_FATAL, logname, + "Unable to verify cached credentials for " + "principal [%s]: %d (%s)\n", princ_name, + rc, error_message(rc)); + goto cleanup; + } + /* find our default keytab */ if ((rc = krb5_kt_default(ctx, &kt))) { slapi_log_error(SLAPI_LOG_FATAL, logname, 
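Review bot: When `username` is set but `looks_like_a_dn()` rejects it, the code silently falls through to the `ldap/<fqdn>@REALM` service principal, so a bind identity given as a DN changes which Kerberos principal the server authenticates as with no trace in the log. Add a branch such as `else if (username) { slapi_log_error(authtracelevel, logname, "Ignoring username [%s] - looks like a DN\n", username); }` so the choice is visible at trace level. The three-way selection comment above the block is helpful; it should also state that a principal already present in the ccache wins over an explicit username, since that is the order the `!princ &&` guards enforce. The enclosing set_krb5_creds body starts and ends outside the hunk.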
@@ -1653,60 +1823,6 @@ slapi_log_error(authtracelevel, logname, "Using keytab named [%s]\n", ktname); - /* if there was no cache, or no principal in the cache, we look - in the keytab */ - if (!princ) { - /* just use the first principal in the keytab - "first principals, clarice" - */ - if ((rc = krb5_kt_start_seq_get(ctx, kt, &ktcur))) { - slapi_log_error(SLAPI_LOG_FATAL, logname, - "Unable to open keytab [%s] cursor: %d (%s)\n", - ktname, rc, error_message(rc)); - goto cleanup; - } - - memset(&ktent, 0, sizeof(ktent)); - while ((looprc = krb5_kt_next_entry(ctx, kt, &ktent, &ktcur)) == 0) { - if ((looprc = krb5_unparse_name(ctx, ktent.principal, - &princ_name))) { - slapi_log_error(SLAPI_LOG_FATAL, logname, - "Unable to get name from keytab [%s] " - "principal: %d (%s)\n", ktname, looprc, - error_message(looprc)); - break; - } - /* found one - make a copy to free later */ - if ((looprc = krb5_copy_principal(ctx, ktent.principal, - &princ))) { - slapi_log_error(SLAPI_LOG_FATAL, logname, - "Unable to copy keytab [%s] principal [%s]: " - "%d (%s)\n", ktname, princ_name, looprc, - error_message(looprc)); - break; - } - slapi_log_error(authtracelevel, logname, - "Using keytab principal [%s]\n", princ_name); - break; - } - - krb5_free_keytab_entry_contents(ctx, &ktent); - memset(&ktent, 0, sizeof(ktent)); - if ((rc = krb5_kt_end_seq_get(ctx, kt, &ktcur))) { - slapi_log_error(SLAPI_LOG_FATAL, logname, - "Unable to close keytab [%s] cursor: %d (%s)\n", - ktname, rc, error_message(rc)); - goto cleanup; - } - - /* if we had an error in the loop above, just bail out - after closing the keytab cursor and keytab */ - if (looprc) { - rc = looprc; - goto cleanup; - } - } - /* now do the actual kerberos authentication using the keytab, and get the creds */ rc = krb5_get_init_creds_keytab(ctx, &creds, princ, kt, 
@@ -1809,6 +1925,9 @@
 cc_env_name);
 }
 
+ /* use NULL as username */
+ slapi_ch_free_string(&vals->username);
+
 cleanup:
 krb5_free_unparsed_name(ctx, princ_name);
 if (kt) { /* NULL not allowed */
From rmeggins at fedoraproject.org Wed Nov 12 17:42:39 2008
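Review bot: `slapi_ch_free_string(&vals->username);` sits above the `cleanup:` label, so it runs only when the whole ccache/keytab path succeeded; on every `goto cleanup` taken earlier, `vals->username` keeps the caller-supplied value and the SASL callback will presumably offer that name instead of letting GSSAPI pick the identity from the credential cache. If that fallback is intended, say so in place of the current comment: `/* success: let GSSAPI take the identity from the cred cache; on error vals->username is left for the callback */` — if not, move the free below the label. `vals` is dereferenced without a NULL check, which is fine only if ldap_sasl_set_interact_vals always passes its own struct, as the earlier hunk in this commit suggests. The enclosing function starts outside the hunk.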
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Wed, 12 Nov 2008 17:42:39 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver config.h.in,1.25,1.26 Message-ID: <20081112174239.F41F570141@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/ldapserver In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv2757/ldapserver Modified Files: config.h.in Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - kerberos improvements Reviewed by: ssorce (Thanks!) Fix Description: I made several improvements to the kerberos code at Simo's suggestion First look for the principal in the ccache. If not found, use the username if it does not look like a DN. If still not found, construct a principal using the krb5_sname_to_principal() function to construct "ldap/fqdn at REALM". Next, see if the credentials for this principal are still valid. In order to grab the credentials from the ccache, I needed to construct the server principal, which in this case is the TGS service principal (e.g. krbtgt/REALM at REALM). If the credentials are present and not expired, then the code assumes they are ok and does not acquire new credentials. If the credentials are expired or not found, the code will then use the keytab to authenticate. Based on more feedback from Simo, I made some additional changes: * Go ahead and reacquire the creds if they have expired or will expire in 30 seconds - this is not configurable but could be made to be - 30 seconds should be long enough so that the credentials will not expire by the time they are actually used deep in the ldap/sasl/gssapi/krb code, and short enough so that this won't cause unnecessary credential churn * Retry the bind in the case of Ticket expired. 
There is no way that I can see to get the actual error code - fortunately the extended ldap error message has this information Platforms tested: Fedora 8, Fedora 9 Flag Day: no Doc impact: oh yes Index: config.h.in =================================================================== RCS file: /cvs/dirsec/ldapserver/config.h.in,v retrieving revision 1.25 retrieving revision 1.26 diff -u -r1.25 -r1.26 --- config.h.in 29 Oct 2008 19:16:29 -0000 1.25 +++ config.h.in 12 Nov 2008 17:42:37 -0000 1.26 @@ -84,12 +84,24 @@ /* Define to 1 if you have the `getpagesize' function. */ #undef HAVE_GETPAGESIZE +/* define if you have HEIMDAL Kerberos */ +#undef HAVE_HEIMDAL_KERBEROS + +/* Define to 1 if you have the header file. */ +#undef HAVE_HEIM_ERR_H + /* Define to 1 if you have the `inet_ntoa' function. */ #undef HAVE_INET_NTOA /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H +/* define if you have Kerberos V */ +#undef HAVE_KRB5 + +/* Define to 1 if you have the `krb5_cc_new_unique' function. */ +#undef HAVE_KRB5_CC_NEW_UNIQUE + /* Define to 1 if you have the `localtime_r' function. */ #undef HAVE_LOCALTIME_R From nkinder at fedoraproject.org Thu Nov 13 21:56:31 2008 
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 21:56:31 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.29, 1.30 Message-ID: <20081113215631.EE78D70136@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv558/ldap/servers/slapd Modified Files: libglobs.c Log Message: Resolves: 470393 Summary: nsslapd-timelimit setting should accept a value of -1. Index: libglobs.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v retrieving revision 1.29 retrieving revision 1.30 diff -u -r1.29 -r1.30 --- libglobs.c 7 Nov 2008 22:32:57 -0000 1.29 +++ libglobs.c 13 Nov 2008 21:56:29 -0000 1.30 @@ -3018,9 +3018,9 @@ errno = 0; nVal = strtol(value, &endp, 10); - if ( *endp != '\0' || errno == ERANGE || nVal < 0 ) { + if ( *endp != '\0' || errno == ERANGE || nVal < -1 ) { PR_snprintf ( errorbuf, SLAPI_DSE_RETURNTEXT_SIZE, - "%s: invalid value \"%s\", time limit must range from 0 to %ld", + "%s: invalid value \"%s\", time limit must range from -1 to %ld", attrname, value, LONG_MAX ); retVal = LDAP_OPERATIONS_ERROR; return retVal; From nkinder at fedoraproject.org Thu Nov 13 23:08:20 2008 
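Review bot: The range check now admits -1, but nothing at the check says what -1 means; presumably "no time limit", per the commit summary, but a reader of the validator cannot tell. Add `/* -1: no time limit (see the consumer of nVal) */` above the `if`, so the special value is documented next to the code that lets it through. The enclosing function starts and ends outside the hunk.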
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:20 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_replica.c, 1.19, 1.20 Message-ID: <20081113230820.8416F7013F@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/replication Modified Files: repl5_replica.c Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: repl5_replica.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_replica.c,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- repl5_replica.c 17 Oct 2008 22:12:47 -0000 1.19 +++ repl5_replica.c 13 Nov 2008 23:08:18 -0000 1.20 @@ -911,12 +911,12 @@ if (!r->updatedn_list) r->updatedn_list = replica_updatedn_list_new(NULL); - if (mod_op & LDAP_MOD_DELETE || vs == NULL || + if (SLAPI_IS_MOD_DELETE(mod_op) || vs == NULL || (0 == slapi_valueset_count(vs))) /* null value also causes list deletion */ replica_updatedn_list_delete(r->updatedn_list, vs); - else if (mod_op & LDAP_MOD_REPLACE) + else if (SLAPI_IS_MOD_REPLACE(mod_op)) replica_updatedn_list_replace(r->updatedn_list, vs); - else if (mod_op & LDAP_MOD_ADD) + else if (SLAPI_IS_MOD_ADD(mod_op)) replica_updatedn_list_add(r->updatedn_list, vs); PR_Unlock(r->repl_lock); From nkinder at fedoraproject.org Thu Nov 13 23:08:20 2008 
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:20 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/acl acl.c, 1.12, 1.13 Message-ID: <20081113230820.6378670142@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/acl In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/acl Modified Files: acl.c Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: acl.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/acl/acl.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- acl.c 17 Oct 2008 22:12:46 -0000 1.12 +++ acl.c 13 Nov 2008 23:08:17 -0000 1.13 @@ -1428,14 +1428,14 @@ for ( i = 0; mod->mod_bvalues[i] != NULL; i++ ) { - if ( ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) || - ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE)) { + if (SLAPI_IS_MOD_ADD(mod->mod_op) || + SLAPI_IS_MOD_REPLACE(mod->mod_op)) { rv = acl_access_allowed (pb,e, mod->mod_type, mod->mod_bvalues[i], ACLPB_SLAPI_ACL_WRITE_ADD); /*was SLAPI_ACL_WRITE*/ - } else if ((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + } else if (SLAPI_IS_MOD_DELETE(mod->mod_op)) { rv = acl_access_allowed (pb,e, mod->mod_type, mod->mod_bvalues[i], From nkinder at fedoraproject.org Thu Nov 13 23:08:20 2008 
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:20 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/uiduniq 7bit.c, 1.7, 1.8 uid.c, 1.8, 1.9 Message-ID: <20081113230820.AD70C70141@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/uiduniq In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/uiduniq Modified Files: 7bit.c uid.c Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: 7bit.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/uiduniq/7bit.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- 7bit.c 10 Nov 2006 23:45:31 -0000 1.7 +++ 7bit.c 13 Nov 2008 23:08:18 -0000 1.8 @@ -458,8 +458,8 @@ if ((slapi_attr_type_cmp(mod->mod_type, attr_name, 1) == 0) && /* mod contains target attr */ (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */ (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */ - (((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) || /* mod is add */ - (mod->mod_op & LDAP_MOD_REPLACE))) /* mod is replace */ + (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */ + SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */ { addMod(&checkmods, &checkmodsCapacity, &modcount, mod); } Index: uid.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/uiduniq/uid.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- uid.c 10 Nov 2006 23:45:31 -0000 1.8 +++ uid.c 13 Nov 2008 23:08:18 -0000 1.9 
@@ -727,8 +727,8 @@ if ((slapi_attr_type_cmp(mod->mod_type, attrName, 1) == 0) && /* mod contains target attr */ (mod->mod_op & LDAP_MOD_BVALUES) && /* mod is bval encoded (not string val) */ (mod->mod_bvalues && mod->mod_bvalues[0]) && /* mod actually contains some values */ - (((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) || /* mod is add */ - (mod->mod_op & LDAP_MOD_REPLACE))) /* mod is replace */ + (SLAPI_IS_MOD_ADD(mod->mod_op) || /* mod is add */ + SLAPI_IS_MOD_REPLACE(mod->mod_op))) /* mod is replace */ { addMod(&checkmods, &checkmodsCapacity, &modcount, mod); } From nkinder at fedoraproject.org Thu Nov 13 23:08:21 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:21 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_attrcrypt_config.c, 1.6, 1.7 ldbm_config.c, 1.16, 1.17 ldbm_index_config.c, 1.8, 1.9 ldbm_modrdn.c, 1.9, 1.10 Message-ID: <20081113230821.44DCF70141@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/slapd/back-ldbm Modified Files: ldbm_attrcrypt_config.c ldbm_config.c ldbm_index_config.c ldbm_modrdn.c Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: ldbm_attrcrypt_config.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_attrcrypt_config.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- ldbm_attrcrypt_config.c 10 Nov 2006 23:45:39 -0000 1.6 +++ ldbm_attrcrypt_config.c 13 Nov 2008 23:08:18 -0000 1.7 
@@ -304,7 +304,7 @@ if (strcasecmp(config_attr, "nsEncryptionAlgorithm") == 0) { - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { for (j = 0; mods[i]->mod_bvalues[j] != NULL; j++) { int cipher = ldbm_attrcrypt_parse_cipher(mods[i]->mod_bvalues[j]->bv_val); @@ -315,7 +315,7 @@ } continue; } - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { if ((mods[i]->mod_bvalues == NULL) || (mods[i]->mod_bvalues[0] == NULL)) { /* Not legal */ Index: ldbm_config.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_config.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- ldbm_config.c 17 Oct 2008 16:54:47 -0000 1.16 +++ ldbm_config.c 13 Nov 2008 23:08:18 -0000 1.17 @@ -1727,8 +1727,8 @@ continue; } - if ((mods[i]->mod_op & LDAP_MOD_DELETE) || - ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op) || + SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { rc= LDAP_UNWILLING_TO_PERFORM; PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "%s attributes is not allowed", (mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding"); Index: ldbm_index_config.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_index_config.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- ldbm_index_config.c 15 Jul 2008 16:49:43 -0000 1.8 +++ ldbm_index_config.c 13 Nov 2008 23:08:19 -0000 1.9 
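Review bot: In the ldbm_config.c hunk the condition now uses `SLAPI_IS_MOD_DELETE`/`SLAPI_IS_MOD_ADD`, but the message selector two lines below still does the raw bit test `(mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding"` that this commit is replacing everywhere else; make it `SLAPI_IS_MOD_DELETE(mods[i]->mod_op) ? "Deleting" : "Adding"` so both tests decode the op code the same way. The raw `&` form that remains in the uiduniq hunks, `(mod->mod_op & LDAP_MOD_BVALUES)`, is a genuine flag bit and is correct as is. The enclosing function starts and ends outside the hunk.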
@@ -392,14 +392,14 @@ config_attr = (char *)mods[i]->mod_type; if (strcasecmp(config_attr, "nsIndexType") == 0) { - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { for (j = 0; mods[i]->mod_bvalues[j] != NULL; j++) { charray_add(&addIndexTypesArray, slapi_ch_strdup(mods[i]->mod_bvalues[j]->bv_val)); } continue; } - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { if ((mods[i]->mod_bvalues == NULL) || (mods[i]->mod_bvalues[0] == NULL)) { if (deleteIndexTypesArray) { @@ -416,14 +416,14 @@ } } if (strcasecmp(config_attr, "nsMatchingRule") == 0) { - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { for (j = 0; mods[i]->mod_bvalues[j] != NULL; j++) { charray_add(&addMatchingRulesArray, slapi_ch_strdup(mods[i]->mod_bvalues[j]->bv_val)); } continue; } - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { if ((mods[i]->mod_bvalues == NULL) || (mods[i]->mod_bvalues[0] == NULL)) { if (deleteMatchingRulesArray) { Index: ldbm_modrdn.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- ldbm_modrdn.c 17 Oct 2008 22:12:48 -0000 1.9 +++ ldbm_modrdn.c 13 Nov 2008 23:08:19 -0000 1.10 @@ -977,7 +977,7 @@ for (mod = slapi_mods_get_first_mod(smods_wsi); mod != NULL; mod = slapi_mods_get_next_mod(smods_wsi)) { - if (((mod->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) && + if (SLAPI_IS_MOD_DELETE(mod->mod_op) && (strcasecmp(mod->mod_type, type) == 0) && (mod->mod_bvalues != NULL) && (slapi_attr_value_cmp(attr, *mod->mod_bvalues, bvp) == 0)) { From nkinder at fedoraproject.org Thu Nov 13 23:08:20 2008 
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:20 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd mapping_tree.c, 1.15, 1.16 modify.c, 1.18, 1.19 schema.c, 1.16, 1.17 slapi-plugin.h, 1.34, 1.35 Message-ID: <20081113230821.193497013F@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/slapd Modified Files: mapping_tree.c modify.c schema.c slapi-plugin.h Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: mapping_tree.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/mapping_tree.c,v retrieving revision 1.15 retrieving revision 1.16 diff -u -r1.15 -r1.16 --- mapping_tree.c 8 Oct 2008 17:29:03 -0000 1.15 +++ mapping_tree.c 13 Nov 2008 23:08:18 -0000 1.16 @@ -1063,7 +1063,7 @@ /* if we are deleting this attribute the new parent * node will be mapping_tree_root */ - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { parent_node = mapping_tree_root; } @@ -1153,7 +1153,7 @@ /* state change * for now only allow replace */ - if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) != LDAP_MOD_REPLACE) + if (!SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "must use replace operation to change state\n"); *returncode = LDAP_UNWILLING_TO_PERFORM; @@ -1206,8 +1206,8 @@ mtn_wlock(); - if (((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) - || ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op) + || SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { /* delete old referrals, set new ones */ mtn_free_referral_in_node(node); 
@@ -1215,7 +1215,7 @@ node->mtn_referral = referral; node->mtn_referral_entry = referral2entry(referral, slapi_sdn_get_dn(subtree)); - } else if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) + } else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { /* it is not OK to delete the referrals if they are still * used @@ -1249,8 +1249,8 @@ else if (strcasecmp(mods[i]->mod_type, "nsslapd-distribution-funct" ) == 0) { - if (((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) - || ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op) + || SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { slapi_entry_attr_find(entryAfter, "nsslapd-distribution-funct", &attr); @@ -1264,7 +1264,7 @@ } plugin_fct = slapi_ch_strdup(slapi_value_get_string(val)); } - else if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) + else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { plugin_fct = NULL; } @@ -1273,8 +1273,8 @@ else if (strcasecmp(mods[i]->mod_type, "nsslapd-distribution-plugin" ) == 0) { - if (((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) - || ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op) + || SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { slapi_entry_attr_find(entryAfter, "nsslapd-distribution-plugin", &attr); @@ -1288,7 +1288,7 @@ } plugin_lib = slapi_ch_strdup(slapi_value_get_string(val)); } - else if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) + else if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { plugin_lib = NULL; } Index: modify.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- modify.c 24 Oct 2008 22:36:58 -0000 1.18 +++ modify.c 13 Nov 2008 23:08:18 -0000 1.19 
@@ -637,7 +637,7 @@ while ( tmpmods && *tmpmods ) { if ((*tmpmods)->mod_bvalues != NULL && - (((*tmpmods)->mod_op & ~LDAP_MOD_BVALUES) != LDAP_MOD_DELETE)) + !SLAPI_IS_MOD_DELETE((*tmpmods)->mod_op)) { for (i=0; i < numattr; i++) { Index: schema.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/schema.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- schema.c 15 Jul 2008 16:49:42 -0000 1.16 +++ schema.c 13 Nov 2008 23:08:18 -0000 1.17 @@ -1681,7 +1681,7 @@ /* * Delete an objectclass or attribute */ - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { if (strcasecmp (mods[i]->mod_type, "objectclasses") == 0) { *returncode = schema_delete_objectclasses (entryBefore, mods[i], returntext, SLAPI_DSE_RETURNTEXT_SIZE, schema_ds4x_compat ); @@ -1707,7 +1707,7 @@ /* * Replace an objectclass,attribute, or schema CSN */ - else if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) { + else if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { int replace_allowed = 0; slapdFrontendConfig_t *slapdFrontendConfig; @@ -1777,7 +1777,7 @@ /* * Add an objectclass or attribute */ - else if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { if (strcasecmp (mods[i]->mod_type, "attributetypes") == 0) { /* * Add a new attribute Index: slapi-plugin.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-plugin.h,v retrieving revision 1.34 retrieving revision 1.35 diff -u -r1.34 -r1.35 --- slapi-plugin.h 5 Nov 2008 18:21:06 -0000 1.34 +++ slapi-plugin.h 13 Nov 2008 23:08:18 -0000 1.35 
@@ -1897,6 +1897,10 @@ /* Size of the database, in kilobytes */ #define SLAPI_DBSIZE 199 +/* convenience macros for checking modify operation types */ +#define SLAPI_IS_MOD_ADD(x) (((x) & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) +#define SLAPI_IS_MOD_DELETE(x) (((x) & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) +#define SLAPI_IS_MOD_REPLACE(x) (((x) & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) #ifdef __cplusplus } From nkinder at fedoraproject.org Thu Nov 13 23:08:20 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Thu, 13 Nov 2008 23:08:20 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/chainingdb cb_config.c, 1.7, 1.8 cb_instance.c, 1.11, 1.12 Message-ID: <20081113230820.6EC627012B@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9536/ldap/servers/plugins/chainingdb Modified Files: cb_config.c cb_instance.c Log Message: Resolves: 470918 Summary: Made replica_set_updatedn detect value add modify operations properly. Index: cb_config.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_config.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- cb_config.c 27 Jun 2008 19:28:22 -0000 1.7 +++ cb_config.c 13 Nov 2008 23:08:17 -0000 1.8 
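Review bot: The three new macros are a public plugin-API contract and deserve more than "convenience macros": they mask off only LDAP_MOD_BVALUES and then compare the operation code exactly, so a mod_op carrying any other bit matches none of the three, and that exactness is the reason this commit replaces the `mod_op & LDAP_MOD_REPLACE` bit tests in callers. I would put above the defines: `/* True when the modify operation in x (ignoring LDAP_MOD_BVALUES) is exactly ADD/DELETE/REPLACE. Do not test LDAP_MOD_* op codes as bits; they are small integers, not flags. */` so plugin authors do not reintroduce the pattern.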
@@ -429,17 +429,17 @@ return SLAPI_DSE_CALLBACK_ERROR; } - if ( mods[i]->mod_op & LDAP_MOD_REPLACE) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { if (!done) { cb_unregister_all_supported_control(cb); done=1; } cb_register_supported_control(cb,config_attr_value,0); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { cb_register_supported_control(cb,config_attr_value,0); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { cb_unregister_supported_control(cb,config_attr_value,0); } } @@ -450,7 +450,7 @@ /* assume single-valued */ if (mods[i]->mod_op & LDAP_MOD_DELETE) cb_set_debug(0); - else if ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) + else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) cb_set_debug(1); } else if ( !strcasecmp ( attr_name, CB_CONFIG_GLOBAL_CHAINING_COMPONENTS )) { @@ -461,7 +461,7 @@ for (j = 0; mods[i]->mod_bvalues && mods[i]->mod_bvalues[j]; j++) { config_attr_value = (char *) mods[i]->mod_bvalues[j]->bv_val; - if ( mods[i]->mod_op & LDAP_MOD_REPLACE) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { if (!done) { charray_free(cb->config.chaining_components); cb->config.chaining_components=NULL; @@ -471,11 +471,11 @@ charray_add(&cb->config.chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value))); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { charray_add(&cb->config.chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value))); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { charray_remove(cb->config.chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value)), 0 /* freeit */); 
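Review bot: In the -450 hunk `if (mods[i]->mod_op & LDAP_MOD_DELETE) cb_set_debug(0); else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) cb_set_debug(1);` keeps a raw bit test on the delete side while only the add side was converted, and a replace of this attribute now falls through both branches and leaves the debug flag untouched even though the comment says the attribute is treated as single-valued. Use `SLAPI_IS_MOD_DELETE(mods[i]->mod_op)` for the first test and handle replace alongside add, `else if (SLAPI_IS_MOD_ADD(mods[i]->mod_op) || SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) cb_set_debug(1);`, treating a replace with no values as a delete if that case can reach here. The enclosing function starts outside the hunk.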
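Review bot: In the -471 hunk `charray_remove(cb->config.chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value)), 0 /* freeit */);` passes a freshly strdup'd, normalised DN as the search key and never frees it; unless charray_remove takes ownership of its key (the freeit flag appears to govern the removed array element, not the key), every delete of a chaining component leaks that copy, and the same pattern recurs in the chainable-components hunk below and in cb_instance.c. Hold the key in a local and release it: `char *ndn = slapi_dn_normalize(slapi_ch_strdup(config_attr_value)); charray_remove(cb->config.chaining_components, ndn, 0); slapi_ch_free((void **)&ndn);`. The enclosing function starts outside the hunk.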
@@ -496,7 +496,7 @@ for (j = 0; mods[i]->mod_bvalues && mods[i]->mod_bvalues[j]; j++) { config_attr_value = (char *) mods[i]->mod_bvalues[j]->bv_val; - if ( mods[i]->mod_op & LDAP_MOD_REPLACE) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { if (!done) { charray_free(cb->config.chainable_components); cb->config.chainable_components=NULL; @@ -506,12 +506,12 @@ slapi_dn_normalize(slapi_ch_strdup(config_attr_value) )); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { charray_add(&cb->config.chainable_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value) )); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { charray_remove(cb->config.chainable_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value) ), Index: cb_instance.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/chainingdb/cb_instance.c,v retrieving revision 1.11 retrieving revision 1.12 diff -u -r1.11 -r1.12 --- cb_instance.c 5 Nov 2008 18:21:05 -0000 1.11 +++ cb_instance.c 13 Nov 2008 23:08:17 -0000 1.12 @@ -323,8 +323,8 @@ if ( !strcasecmp ( attr_name, CB_CONFIG_BINDUSER )) { /* Make sure value is not forbidden */ - if ((mods[i]->mod_op & LDAP_MOD_REPLACE) || - ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op) || + SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { rc = cb_instance_config_set((void *) inst, attr_name, cb_the_instance_config, mods[i]->mod_bvalues[0], returntext, 
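Review bot: In the cb_instance.c -323 hunk `cb_instance_config_set((void *) inst, attr_name, cb_the_instance_config, mods[i]->mod_bvalues[0], ...)` indexes mod_bvalues for any add or replace without checking that it is non-NULL; a replace with an empty value list is legal LDAP (it removes the attribute) and would dereference NULL here unless an earlier part of the callback, outside the hunk, already filters such mods. Guard the call, `if ((SLAPI_IS_MOD_REPLACE(mods[i]->mod_op) || SLAPI_IS_MOD_ADD(mods[i]->mod_op)) && mods[i]->mod_bvalues && mods[i]->mod_bvalues[0]) {`, and route the empty replace to the delete handling so the bind user cannot be silently left in an undefined state. The enclosing function starts and ends outside the hunk.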
@@ -333,8 +333,8 @@ } } - if ((mods[i]->mod_op & LDAP_MOD_DELETE) || - ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op) || + SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { rc= LDAP_UNWILLING_TO_PERFORM; PR_snprintf(returntext, SLAPI_DSE_RETURNTEXT_SIZE, "%s attributes is not allowed", (mods[i]->mod_op & LDAP_MOD_DELETE) ? "Deleting" : "Adding"); @@ -383,7 +383,7 @@ PR_RWLock_Wlock(inst->rwl_config_lock); for (j = 0; mods[i]->mod_bvalues && mods[i]->mod_bvalues[j]; j++) { config_attr_value = (char *) mods[i]->mod_bvalues[j]->bv_val; - if ( mods[i]->mod_op & LDAP_MOD_REPLACE) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { if (!done) { charray_free(inst->illegal_attributes); inst->illegal_attributes=NULL; @@ -392,11 +392,11 @@ charray_add(&inst->illegal_attributes, slapi_ch_strdup(config_attr_value)); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { charray_add(&inst->illegal_attributes, slapi_ch_strdup(config_attr_value)); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { charray_remove(inst->illegal_attributes, slapi_ch_strdup(config_attr_value), 0 /* freeit */); @@ -417,7 +417,7 @@ PR_RWLock_Wlock(inst->rwl_config_lock); for (j = 0; mods[i]->mod_bvalues && mods[i]->mod_bvalues[j]; j++) { config_attr_value = (char *) mods[i]->mod_bvalues[j]->bv_val; - if ( mods[i]->mod_op & LDAP_MOD_REPLACE) { + if (SLAPI_IS_MOD_REPLACE(mods[i]->mod_op)) { if (!done) { charray_free(inst->chaining_components); inst->chaining_components=NULL; 
@@ -427,11 +427,11 @@ charray_add(&inst->chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value))); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) { + if (SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { charray_add(&inst->chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value))); } else - if ( (mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op)) { charray_remove(inst->chaining_components, slapi_dn_normalize(slapi_ch_strdup(config_attr_value)), 0 /* freeit */); @@ -447,8 +447,8 @@ - if ((mods[i]->mod_op & LDAP_MOD_DELETE) || - ((mods[i]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)) { + if (SLAPI_IS_MOD_DELETE(mods[i]->mod_op) || + SLAPI_IS_MOD_ADD(mods[i]->mod_op)) { /* Special processing for binddn & password */ /* because they are optional */ From nkinder at fedoraproject.org Fri Nov 14 02:06:37 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Fri, 14 Nov 2008 02:06:37 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication cl5_api.c, 1.23, 1.24 Message-ID: <20081114020637.3129B70140@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25071/ldap/servers/plugins/replication Modified Files: cl5_api.c Log Message: Resolves: 450046 Summary: Clean-up leftover changelog semaphore at startup. Index: cl5_api.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/cl5_api.c,v retrieving revision 1.23 retrieving revision 1.24 diff -u -r1.23 -r1.24 --- cl5_api.c 15 Oct 2008 06:29:58 -0000 1.23 +++ cl5_api.c 14 Nov 2008 02:06:34 -0000 1.24 
@@ -6415,17 +6415,35 @@ (*dbFile)->semaName = slapi_ch_smprintf("%s/%s.sema", semadir, replName); slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name_cl, "_cl5NewDBFile: semaphore %s\n", (*dbFile)->semaName); - (*dbFile)->sema = PR_OpenSemaphore((*dbFile)->semaName, PR_SEM_CREATE, 0666, s_cl5Desc.dbConfig.maxConcurrentWrites ); + (*dbFile)->sema = PR_OpenSemaphore((*dbFile)->semaName, + PR_SEM_CREATE | PR_SEM_EXCL, 0666, + s_cl5Desc.dbConfig.maxConcurrentWrites ); slapi_log_error (SLAPI_LOG_REPL, repl_plugin_name_cl, "_cl5NewDBFile: maxConcurrentWrites=%d\n", s_cl5Desc.dbConfig.maxConcurrentWrites ); } if ((*dbFile)->sema == NULL ) { - slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, - "_cl5NewDBFile: failed to create semaphore %s; NSPR error - %d\n", - (*dbFile)->semaName ? (*dbFile)->semaName : "(nil)", PR_GetError ()); - rc = CL5_SYSTEM_ERROR; - goto done; + /* If the semaphore was left around due + * to an unclean exit last time, remove + * and re-create it. + */ + if (PR_GetError() == PR_FILE_EXISTS_ERROR) { + PR_DeleteSemaphore((*dbFile)->semaName); + (*dbFile)->sema = PR_OpenSemaphore((*dbFile)->semaName, + PR_SEM_CREATE | PR_SEM_EXCL, 0666, + s_cl5Desc.dbConfig.maxConcurrentWrites ); + } + + /* If we still failed to create the semaphore, + * we should just error out. */ + if ((*dbFile)->sema == NULL ) + { + slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl, + "_cl5NewDBFile: failed to create semaphore %s; NSPR error - %d\n", + (*dbFile)->semaName ? (*dbFile)->semaName : "(nil)", PR_GetError()); + rc = CL5_SYSTEM_ERROR; + goto done; + } } /* compute number of entries in the file */ From nhosoi at fedoraproject.org Mon Nov 17 23:12:00 2008 
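Review bot: The retry path unlinks whatever semaphore exists under that name with no evidence that it is stale, so if a second running instance or a copied changelog shares semadir and replName, a live semaphore is deleted from under it, and nothing is logged to say the removal happened. The pre-existing 0666 mode also means any local account can have created or be holding that name; in that case PR_DeleteSemaphore may fail, the second PR_OpenSemaphore fails with the same PR_FILE_EXISTS_ERROR, and the operator sees only a generic "failed to create semaphore" message. I would log the removal at the point it is attempted, check PR_DeleteSemaphore's return value, and skip the second open when the delete failed so the reported NSPR error is the one that matters; see below. _cl5NewDBFile starts and ends outside the hunk.
```c
if (PR_GetError() == PR_FILE_EXISTS_ERROR) {
    slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
        "_cl5NewDBFile: semaphore %s already exists; assuming it was left by an unclean shutdown and removing it\n",
        (*dbFile)->semaName);
    if (PR_DeleteSemaphore((*dbFile)->semaName) != PR_SUCCESS) {
        slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name_cl,
            "_cl5NewDBFile: failed to remove semaphore %s; NSPR error - %d\n",
            (*dbFile)->semaName, PR_GetError());
    } else {
        (*dbFile)->sema = PR_OpenSemaphore((*dbFile)->semaName,
            PR_SEM_CREATE | PR_SEM_EXCL, 0666,
            s_cl5Desc.dbConfig.maxConcurrentWrites);
    }
}
/* … unchanged: final NULL check, fatal log and goto done … */
```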
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Mon, 17 Nov 2008 23:12:00 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/tools/ldclt ldapfct.c, 1.8, 1.9 ldclt.c, 1.6, 1.7 ldclt.h, 1.5, 1.6 ldcltU.c, 1.4, 1.5 threadMain.c, 1.3, 1.4 Message-ID: <20081117231200.92ED07013C@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23022 Modified Files: ldapfct.c ldclt.c ldclt.h ldcltU.c threadMain.c Log Message: Resolves: #471138 Summary: LDCLT: add abandon to ldclt Index: ldapfct.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt/ldapfct.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- ldapfct.c 8 Oct 2008 17:29:04 -0000 1.8 +++ ldapfct.c 17 Nov 2008 23:11:57 -0000 1.9 @@ -1650,7 +1650,7 @@ attribute.mod_type = "cn"; attribute.mod_values = strList1 ("toto cn"); if (addAttrib (attrs, nbAttribs++, &attribute) < 0) - return (-1); + return (-1); } if (strcmp (tttctx->buf2, "sn")) { @@ -1658,7 +1658,7 @@ attribute.mod_type = "sn"; attribute.mod_values = strList1 ("toto sn"); if (addAttrib (attrs, nbAttribs++, &attribute) < 0) - return (-1); + return (-1); } } 
@@ -3554,5 +3554,174 @@ return (0); } +/* **************************************************************************** + FUNCTION : doAbandon + PURPOSE : Perform one abandon operation against an async search. + INPUT : tttctx = thread context + OUTPUT : None. + RETURN : -1 if error, 0 else. + DESCRIPTION : + *****************************************************************************/ +int +doAbandon (thread_context *tttctx) +{ + int ret; /* Return value */ + LDAPMessage *res; /* LDAP results */ + char **attrlist; /* Attribs list */ + struct timeval mytimeout; + int msgid; + + /* + * Connection to the server + * The function connectToServer() will take care of the various connection/ + * disconnection, bind/unbind/close etc... requested by the user. + * The cost is one more function call in this application, but the + * resulting source code will be much more easiest to maintain. + */ + if (connectToServer (tttctx) < 0) + return (-1); + if (!(tttctx->binded)) + return (0); + + /* + * Build the filter + */ + if (buildRandomRdnOrFilter (tttctx) < 0) + return (-1); + + attrlist = NULL; + + /* + * We use asynchronous search to abandon... + * + * set (1, 2) to (acyncMin, acyncMax), which combination does not stop write. + */ + mctx.asyncMin = 1; + mctx.asyncMax = 2; + if (tttctx->pendingNb >= mctx.asyncMin) + { + mytimeout.tv_sec = 1; + mytimeout.tv_usec = 0; + ret = ldap_result (tttctx->ldapCtx, + LDAP_RES_ANY, LDAP_MSG_ONE, &mytimeout, &res); + if (ret < 0) + { + if (!((mctx.mode & QUIET) && ignoreError (ret))) + (void) printErrorFromLdap (tttctx, res, ret, "Cannot ldap_result()"); + if (addErrorStat (ret) < 0) + return (-1); + } + else + { + /* ret == 0 --> timeout; op abandoned and no result is returned */ + tttctx->pendingNb--; + + /* + * Don't forget to free the returned message ! 
+ */ + if ((ret = ldap_msgfree (res)) < 0) + { + if (!((mctx.mode & QUIET) && ignoreError (ret))) + { + printf ("ldclt[%d]: T%03d: Cannot ldap_msgfree(), error=%d (%s)\n", + mctx.pid, tttctx->thrdNum, ret, my_ldap_err2string (ret)); + fflush (stdout); + } + if (addErrorStat (ret) < 0) + return (-1); + } + } + } + + /* + * Maybe we may send another request ? + * Well... there is no proper way to retrieve the error number for + * this, so I guess I may use direct access to the ldap context + * to read the field ld_errno. + */ + if (tttctx->pendingNb > mctx.asyncMax) + { + if ((mctx.mode & VERBOSE) && + (tttctx->asyncHit == 1) && + (!(mctx.mode & SUPER_QUIET))) + { + tttctx->asyncHit = 1; + printf ("ldclt[%d]: T%03d: Max pending request hit.\n", + mctx.pid, tttctx->thrdNum); + fflush (stdout); + } + } + else + { + if ((mctx.mode & VERBOSE) && + (tttctx->asyncHit == 1) && + (!(mctx.mode & SUPER_QUIET))) + { + tttctx->asyncHit = 0; + printf ("ldclt[%d]: T%03d: Restart sending.\n", + mctx.pid, tttctx->thrdNum); + fflush (stdout); + } + + msgid = -1; + /* for some reasons, it is an error to pass in a zero'd timeval */ + mytimeout.tv_sec = mytimeout.tv_usec = -1; + ret = ldap_search_ext (tttctx->ldapCtx, tttctx->bufBaseDN, mctx.scope, + tttctx->bufFilter, attrlist, mctx.attrsonly, + NULL, NULL, &mytimeout, -1, &msgid); + if (mctx.mode & VERY_VERBOSE) + printf ("ldclt[%d]: T%03d: ldap_search(%s)=>%d\n", + mctx.pid, tttctx->thrdNum, tttctx->bufFilter, ret); + + if (ret != 0) + { + if (ldap_get_option (tttctx->ldapCtx, LDAP_OPT_ERROR_NUMBER, &ret) < 0) + { + printf ("ldclt[%d]: T%03d: Cannot ldap_get_option(LDAP_OPT_ERROR_NUMBER)\n", + mctx.pid, tttctx->thrdNum); + fflush (stdout); + return (-1); + } + else + { + if (!((mctx.mode & QUIET) && ignoreError (ret))) + { + printf ("ldclt[%d]: T%03d: Cannot ldap_search(), error=%d (%s)\n", + mctx.pid, tttctx->thrdNum, ret, my_ldap_err2string (ret)); + fflush (stdout); + } + if (addErrorStat (ret) < 0) + return (-1); + } + } + else + 
{ + if (msgid >= 0) + { + /* ABANDON the search request immediately */ + (void) ldap_abandon(tttctx->ldapCtx, msgid); + } + + /* + * Memorize the operation + */ + if (incrementNbOpers (tttctx) < 0) + return (-1); + tttctx->pendingNb++; + if (mctx.mode & VERY_VERBOSE) + printf ("ldclt[%d]: T%03d: ldap_abandon(%d)\n", + mctx.pid, tttctx->thrdNum, msgid); + } + } + + if (mctx.mode & VERY_VERBOSE) + printf ("ldclt[%d]: T%03d: pendingNb=%d\n", + mctx.pid, tttctx->thrdNum, tttctx->pendingNb); + + /* + * End of asynchronous operation... and also end of function. + */ + return (0); +} /* End of file */ Index: ldclt.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt/ldclt.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- ldclt.c 19 Sep 2007 18:08:12 -0000 1.6 +++ ldclt.c 17 Nov 2008 23:11:57 -0000 1.7 @@ -2115,6 +2115,8 @@ "randomauthidhigh", #define EP_RANDOMSASLAUTHIDLOW 48 "randomauthidlow", +#define EP_ABANDON 49 + "abandon", NULL }; @@ -2397,6 +2399,9 @@ case EP_WITH_NEWPARENT: /*JLS 15-12-00*/ mctx.mode |= WITH_NEWPARENT; /*JLS 15-12-00*/ break; /*JLS 15-12-00*/ + case EP_ABANDON: + mctx.mod2 |= M2_ABANDON; + break; default: fprintf (stderr, "Error: illegal option -e %s\n", subvalue); return (-1); 
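Review bot: `LDAPMessage *res;` in doAbandon is never initialised, yet it is passed to printErrorFromLdap when ldap_result returns a negative value and handed to ldap_msgfree on the timeout path (ret == 0) where the comment itself says no result is returned; declare it `LDAPMessage *res = NULL;` and free only when non-NULL unless ldap_msgfree is known to accept NULL. The verbose branch `if ((mctx.mode & VERBOSE) && (tttctx->asyncHit == 1) && ...) { tttctx->asyncHit = 1;` can only fire once asyncHit is already 1, and nothing in this function ever sets it except that line, so the "Max pending request hit" message is unreachable; the test is presumably meant to be `tttctx->asyncHit == 0`, mirroring the else branch that resets it. `mctx.asyncMin = 1; mctx.asyncMax = 2;` writes the process-wide context from every worker thread on every operation, overriding whatever was configured and racing with the other threads; set these once during option parsing for the abandon mode, or use thread-local constants here.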
@@ -2750,7 +2755,8 @@ fprintf (stderr, "Error: use -f or -e rdn=value for this purpose.\n"); ldcltExit (EXIT_PARAMS); /*JLS 13-11-00*/ } - if ((!((mctx.mode & NEED_FILTER) || (mctx.mod2 & M2_GENLDIF)))/*JLS 04-05-01*/ + if ((!((mctx.mode & NEED_FILTER) || (mctx.mod2 & M2_GENLDIF) || + (mctx.mod2 & M2_NEED_FILTER)))/*JLS 04-05-01*/ && (mctx.filter != NULL)) /*JLS 04-05-01*/ { /*JLS 04-05-01*/ fprintf (stderr, "Error: do not need filter -f\n"); /*JLS 04-05-01*/ Index: ldclt.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt/ldclt.h,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- ldclt.h 19 Sep 2007 18:08:12 -0000 1.5 +++ ldclt.h 17 Nov 2008 23:11:57 -0000 1.6 @@ -277,6 +277,7 @@ #define M2_BINDONLY 0x00000020 /* -e bindonly */ /*JLS 04-05-01*/ #define M2_SASLAUTH 0x00000040 /* -o : SASL authentication */ #define M2_RANDOM_SASLAUTHID 0x00000080 /* -e randomauthid */ +#define M2_ABANDON 0x00000100 /* -e abandon */ /* * Combinatory defines @@ -286,10 +287,11 @@ * - VALID_OPERS : valid operations */ #define NEED_FILTER (ADD_ENTRIES|DELETE_ENTRIES|EXACT_SEARCH|RENAME_ENTRIES|ATTR_REPLACE|SCALAB01) +#define M2_NEED_FILTER (M2_ABANDON) #define NEED_RANGE (INCREMENTAL|RANDOM) #define NEED_RND_INCR (ADD_ENTRIES|DELETE_ENTRIES|RENAME_ENTRIES) #define VALID_OPERS (ADD_ENTRIES|DELETE_ENTRIES|EXACT_SEARCH|RENAME_ENTRIES|ATTR_REPLACE|SCALAB01) -#define M2_VALID_OPERS (M2_GENLDIF|M2_BINDONLY) +#define M2_VALID_OPERS (M2_GENLDIF|M2_BINDONLY|M2_ABANDON) #define NEED_CLASSES (ADD_ENTRIES) #define THE_CLASSES (OC_PERSON|OC_EMAILPERSON|OC_INETORGPRSON) 
@@ -700,6 +702,7 @@ extern int doBindOnly (thread_context *tttctx); /*JLS 04-05-01*/ extern int doDeleteEntry (thread_context *tttctx); extern int doExactSearch (thread_context *tttctx); +extern int doAbandon (thread_context *tttctx); extern int doGenldif (thread_context *tttctx); /*JLS 19-03-01*/ extern int doRename (thread_context *tttctx); extern int freeAttrib (LDAPMod **attrs); Index: ldcltU.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt/ldcltU.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- ldcltU.c 5 Jul 2007 23:53:41 -0000 1.4 +++ ldcltU.c 17 Nov 2008 23:11:57 -0000 1.5 @@ -65,6 +65,7 @@ * -D Bind DN. See -w * -E Max errors allowed. Default 1000. * -e Execution parameters: + * abandon : abandon asyncronous search requests. * add : ldap_add() entries. * append : append entries to the genldif file. * ascii : ascii 7-bits strings. 
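Review bot: The new line in the ldcltU.c file-header comment reads `abandon : abandon asyncronous search requests.`; "asyncronous" should be "asynchronous", and the printed help text added in the next hunk says "async search requests", so the header comment and the printed usage should use the same wording.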
@@ -156,35 +157,36 @@ (void) printf (" -D Bind DN. See -w\n"); (void) printf (" -E Max errors allowed. Default 1000.\n"); (void) printf (" -e Execution parameters:\n"); - (void) printf (" add : ldap_add() entries.\n"); - (void) printf (" append : append entries to the genldif file.\n"); - (void) printf (" ascii : ascii 7-bits strings.\n"); + (void) printf (" abandon : abandon async search requests.\n"); + (void) printf (" add : ldap_add() entries.\n"); + (void) printf (" append : append entries to the genldif file.\n"); + (void) printf (" ascii : ascii 7-bits strings.\n"); (void) printf (" attreplace=name:mask : replace attribute of existing entry.\n"); (void) printf (" attrlist=name:name:name : specify list of attribs to retrieve\n"); - (void) printf (" attrsonly=0|1 : ldap_search() parameter. Set 0 to read values.\n"); - (void) printf (" bindeach : ldap_bind() for each operation.\n"); - (void) printf (" bindonly : only bind/unbind, no other operation is performed.\n"); - (void) printf (" close : will close() the fd, rather than ldap_unbind().\n"); - (void) printf (" cltcertname=name : name of the SSL client certificate\n"); - (void) printf (" commoncounter : all threads share the same counter.\n"); - (void) printf (" counteach : count each operation not only successful ones.\n"); - (void) printf (" delete : ldap_delete() entries.\n"); + (void) printf (" attrsonly=0|1 : ldap_search() parameter. 
Set 0 to read values.\n"); + (void) printf (" bindeach : ldap_bind() for each operation.\n"); + (void) printf (" bindonly : only bind/unbind, no other operation is performed.\n"); + (void) printf (" close : will close() the fd, rather than ldap_unbind().\n"); + (void) printf (" cltcertname=name : name of the SSL client certificate\n"); + (void) printf (" commoncounter : all threads share the same counter.\n"); + (void) printf (" counteach : count each operation not only successful ones.\n"); + (void) printf (" delete : ldap_delete() entries.\n"); (void) printf (" dontsleeponserverdown : will loop very fast if server down.\n"); - (void) printf (" emailPerson : objectclass=emailPerson (-e add only).\n"); - (void) printf (" esearch : exact search.\n"); - (void) printf (" genldif=filename : generates a ldif file\n"); - (void) printf (" imagesdir=path : specify where are the images.\n"); - (void) printf (" incr : incremental values.\n"); - (void) printf (" inetOrgPerson : objectclass=inetOrgPerson (-e add only).\n"); - (void) printf (" keydbfile=file : filename of the key database\n"); - (void) printf (" keydbpin=password : password for accessing the key database\n"); - (void) printf (" noglobalstats : don't print periodical global statistics\n"); - (void) printf (" noloop : does not loop the incremental numbers.\n"); - (void) printf (" object=filename : build object from input file\n"); - (void) printf (" person : objectclass=person (-e add only).\n"); - (void) printf (" random : random filters, etc...\n"); + (void) printf (" emailPerson : objectclass=emailPerson (-e add only).\n"); + (void) printf (" esearch : exact search.\n"); + (void) printf (" genldif=filename : generates a ldif file\n"); + (void) printf (" imagesdir=path : specify where are the images.\n"); + (void) printf (" incr : incremental values.\n"); + (void) printf (" inetOrgPerson : objectclass=inetOrgPerson (-e add only).\n"); + (void) printf (" keydbfile=file : filename of the key database\n"); + 
(void) printf (" keydbpin=password : password for accessing the key database\n"); + (void) printf (" noglobalstats : don't print periodical global statistics\n"); + (void) printf (" noloop : does not loop the incremental numbers.\n"); + (void) printf (" object=filename : build object from input file\n"); + (void) printf (" person : objectclass=person (-e add only).\n"); + (void) printf (" random : random filters, etc...\n"); (void) printf (" randomattrlist=name:name:name : random select attrib in the list\n"); - (void) printf (" randombase : random base DN.\n"); + (void) printf (" randombase : random base DN.\n"); (void) printf (" randombaselow=value : low value for random generator.\n"); (void) printf (" randombasehigh=value : high value for random generator.\n"); (void) printf (" randombinddn : random bind DN.\n"); @@ -198,8 +200,8 @@ (void) printf (" scalab01_maxcnxnb : modem pool size.\n"); (void) printf (" scalab01_wait : sleep() between 2 attempts to connect.\n"); (void) printf (" smoothshutdown : main thread waits till the worker threads exit.\n"); - (void) printf (" string : create random strings rather than random numbers.\n"); - (void) printf (" v2 : ldap v2.\n"); + (void) printf (" string : create random strings rather than random numbers.\n"); + (void) printf (" v2 : ldap v2.\n"); (void) printf (" withnewparent : rename with newparent specified as argument.\n"); (void) printf (" randomauthid : random SASL Authid.\n"); (void) printf (" randomauthidlow=value : low value for random SASL Authid.\n"); Index: threadMain.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/tools/ldclt/threadMain.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- threadMain.c 5 Jul 2007 23:53:41 -0000 1.3 +++ threadMain.c 17 Nov 2008 23:11:57 -0000 1.4 
@@ -954,7 +954,7 @@ * Don't forget the buffers !! * This should save time while redoing random values */ - if ((mctx.mode & NEED_FILTER) || (mctx.mod2 & M2_GENLDIF)) /*JLS 19-03-01*/ + if ((mctx.mode & NEED_FILTER) || (mctx.mod2 & (M2_GENLDIF|M2_NEED_FILTER))) /*JLS 19-03-01*/ { if (mctx.mod2 & M2_RDN_VALUE) /*JLS 23-03-01*/ tttctx->bufFilter = (char *) malloc (MAX_FILTER); /*JLS 23-03-01*/ @@ -1200,6 +1200,15 @@ continue; /*JLS 19-03-01*/ } /*JLS 19-03-01*/ + if (mctx.mod2 & M2_ABANDON) + { + if (doAbandon (tttctx) < 0) + { + go = 0; + continue; + } + } + /* * Check the thread's status */ From nhosoi at fedoraproject.org Wed Nov 19 02:52:45 2008 From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Wed, 19 Nov 2008 02:52:45 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm proto-back-ldbm.h, 1.16, 1.17 dblayer.c, 1.32, 1.33 dbverify.c, 1.3, 1.4 Message-ID: <20081119025246.348BF7013C@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10528 Modified Files: proto-back-ldbm.h dblayer.c dbverify.c Log Message: Resolves: #471998 Summary: dbverify: support integer type index Description: 1) changed dblayer_bt_compare to public (proto-back-ldbm.h, dblayer.c) 2) set dblayer_bt_compare by dbp->set_bt_compare if the attribute has a comparison function set in ai->ai_key_cmp_fn (dbverify.c) 3) cleaned up the function dbverify_ext; set the right page size based upon the idl type (new idl or old idl), also set dup compare function only when the idl type is new. (dbverify.c) Index: proto-back-ldbm.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/proto-back-ldbm.h,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- proto-back-ldbm.h 24 Oct 2008 23:28:22 -0000 1.16 +++ proto-back-ldbm.h 19 Nov 2008 02:52:41 -0000 1.17 
@@ -170,6 +170,8 @@ int dblayer_db_uses_transactions(DB_ENV *db_env); int dblayer_db_uses_mpool(DB_ENV *db_env); int dblayer_db_uses_logging(DB_ENV *db_env); +int dblayer_bt_compare(DB *db, const DBT *dbt1, const DBT *dbt2); + /* * dn2entry.c Index: dblayer.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dblayer.c,v retrieving revision 1.32 retrieving revision 1.33 diff -u -r1.32 -r1.33 --- dblayer.c 17 Oct 2008 17:13:55 -0000 1.32 +++ dblayer.c 19 Nov 2008 02:52:42 -0000 1.33 @@ -243,7 +243,7 @@ see also DBTcmp */ -static int +int dblayer_bt_compare(DB *db, const DBT *dbt1, const DBT *dbt2) { struct berval bv1, bv2; Index: dbverify.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dbverify.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- dbverify.c 8 Oct 2008 17:29:03 -0000 1.3 +++ dbverify.c 19 Nov 2008 02:52:42 -0000 1.4 
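Review bot: The newly exported prototype for `dblayer_bt_compare` carries no comment about its contract, yet the dbverify.c change in this same commit installs it with `dbp->app_private = (void *)ai->ai_key_cmp_fn;`, which suggests the comparator depends on `app_private` holding the attribute's key compare function. While the function was `static` that coupling lived in one file; once public it belongs on the declaration, e.g. `/* DB bt_compare callback; the DB's app_private must hold the attribute's ai_key_cmp_fn (see dbverify.c) */`. The body of dblayer_bt_compare is outside the hunk, so confirm the dependency against it before wording the comment.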
@@ -111,25 +111,67 @@ "Unable to create id2entry db file %d\n", rval); return rval; } + #define VLVPREFIX "vlv#" - if ((0 != strncmp(direntry->name, ID2ENTRY, strlen(ID2ENTRY))) && - (0 != strncmp(direntry->name, VLVPREFIX, strlen(VLVPREFIX)))) + if (0 != strncmp(direntry->name, ID2ENTRY, strlen(ID2ENTRY))) { - rval = dbp->set_flags(dbp, DB_DUP | DB_DUPSORT); - if (0 != rval) + struct attrinfo *ai = NULL; + char *p = NULL; + p = strstr(filep, LDBM_FILENAME_SUFFIX); /* since already checked, + it must have it */ + *p = '\0'; + ainfo_get( inst->inst_be, filep+1, &ai ); + *p = '.'; + if (ai->ai_key_cmp_fn) { + dbp->app_private = (void *)ai->ai_key_cmp_fn; + dbp->set_bt_compare(dbp, dblayer_bt_compare); + } + if (idl_get_idl_new()) + { + rval = dbp->set_pagesize(dbp, + (priv->dblayer_index_page_size == 0) ? + DBLAYER_INDEX_PAGESIZE : priv->dblayer_index_page_size); + } + else { - slapi_log_error(SLAPI_LOG_FATAL, "DB verify", - "Unable to set DUP flags to db %d\n", rval); - return rval; + rval = dbp->set_pagesize(dbp, + (priv->dblayer_page_size == 0) ? 
+ DBLAYER_PAGESIZE : priv->dblayer_page_size); } - - rval = dbp->set_dup_compare(dbp, idl_new_compare_dups); if (0 != rval) { slapi_log_error(SLAPI_LOG_FATAL, "DB verify", - "Unable to set dup_compare to db %d\n", rval); + "Unable to set pagesize flags to db (%d)\n", rval); return rval; } + if (0 == strncmp(direntry->name, VLVPREFIX, strlen(VLVPREFIX))) + { + rval = dbp->set_flags(dbp, DB_RECNUM); + if (0 != rval) + { + slapi_log_error(SLAPI_LOG_FATAL, "DB verify", + "Unable to set RECNUM flag to vlv index (%d)\n", rval); + return rval; + } + } + else if (idl_get_idl_new()) + { + rval = dbp->set_flags(dbp, DB_DUP | DB_DUPSORT); + if (0 != rval) + { + slapi_log_error(SLAPI_LOG_FATAL, "DB verify", + "Unable to set DUP flags to db (%d)\n", rval); + return rval; + } + + rval = dbp->set_dup_compare(dbp, idl_new_compare_dups); + if (0 != rval) + { + slapi_log_error(SLAPI_LOG_FATAL, "DB verify", + "Unable to set dup_compare to db (%d)\n", rval); + return rval; + } + } } #undef VLVPREFIX rval = dbp->verify(dbp, dbdir, NULL, NULL, 0); From nhosoi at fedoraproject.org Thu Nov 20 17:31:01 2008 
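Review bot: `ai` is initialised to NULL and then dereferenced as `ai->ai_key_cmp_fn` straight after `ainfo_get( inst->inst_be, filep+1, &ai );` with no check that the lookup filled it in; if ainfo_get can leave it NULL for an index file whose attribute is unknown, this crashes the verify tool, so guard it: `if (ai && ai->ai_key_cmp_fn) {`. In the same block `*p = '.';` hard-codes the first character of `LDBM_FILENAME_SUFFIX` to restore the name — `*p = *LDBM_FILENAME_SUFFIX;` keeps the two in step — and the unchecked `strstr` result is justified only by the comment `since already checked`, which refers to code outside the hunk. The enclosing function starts before and ends after this hunk.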
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Thu, 20 Nov 2008 17:31:01 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm dblayer.c, 1.33, 1.34 Message-ID: <20081120173101.84536700FA@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26996 Modified Files: dblayer.c Log Message: Resolves: #470084 Summary: Problems migrating from libdb-4.4 to libdb-4.7 Description: Removed the code to remove transaction logs for the db version upgrade. Index: dblayer.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/dblayer.c,v retrieving revision 1.33 retrieving revision 1.34 diff -u -r1.33 -r1.34 --- dblayer.c 19 Nov 2008 02:52:42 -0000 1.33 +++ dblayer.c 20 Nov 2008 17:30:58 -0000 1.34 @@ -1620,15 +1620,6 @@ dblayer_strerror(return_value), 0); return return_value; } - /* remove transaction logs */ - return_value = dblayer_delete_transaction_logs(log_dir); - if (return_value) - { - LDAPDebug(LDAP_DEBUG_ANY, - "dblayer_start: failed to remove old transaction logs (%d)\n", - return_value, 0, 0); - return return_value; - } dbmode = DBLAYER_NORMAL_MODE; if ((return_value = dblayer_make_env(&pEnv, li)) != 0) From nkinder at fedoraproject.org Fri Nov 21 16:38:36 2008 
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Fri, 21 Nov 2008 16:38:36 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm import-threads.c, 1.19, 1.20 Message-ID: <20081121163836.BF4BD70140@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19980/ldap/servers/slapd/back-ldbm Modified Files: import-threads.c Log Message: Resolves: 454348 Summary: Index nscpEntryDN attribute when importing tombstones. Index: import-threads.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/import-threads.c,v retrieving revision 1.19 retrieving revision 1.20 diff -u -r1.19 -r1.20 --- import-threads.c 4 Nov 2008 23:12:39 -0000 1.19 +++ import-threads.c 21 Nov 2008 16:38:34 -0000 1.20 @@ -1233,6 +1233,7 @@ FifoItem *fi = NULL; int is_objectclass_attribute; int is_nsuniqueid_attribute; + int is_nscpentrydn_attribute; void *attrlist_cursor; PR_ASSERT(NULL != info); @@ -1250,14 +1251,16 @@ } /* - * If the entry is a Tombstone, then we only add it to the nsuniqeid index - * and the idlist for (objectclass=tombstone). These two flags are just - * handy for working out what to do in this case. + * If the entry is a Tombstone, then we only add it to the nsuniqeid index, + * the nscpEntryDN index, and the idlist for (objectclass=tombstone). These + * flags are just handy for working out what to do in this case. */ is_objectclass_attribute = (strcasecmp(info->index_info->name, "objectclass") == 0); is_nsuniqueid_attribute = (strcasecmp(info->index_info->name, SLAPI_ATTR_UNIQUEID) == 0); + is_nscpentrydn_attribute = + (strcasecmp(info->index_info->name, SLAPI_ATTR_NSCP_ENTRYDN) == 0); if (1 != idl_get_idl_new()) { /* Is there substring indexing going on here ? */ 
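Review bot: The rewritten comment keeps the misspelling `nsuniqeid` (`then we only add it to the nsuniqeid index,`) while the next hunk of this commit corrects the same word to `nsuniqueid` in the tombstone-branch comment; fix it here as well so both read `nsuniqueid index`. The new `is_nscpentrydn_attribute` flag is computed in the same style as its two siblings, which is consistent.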
@@ -1364,8 +1367,8 @@ } } } else { - /* This is a Tombstone entry... we only add it to the nsuniqeid - * index and the idlist for (objectclass=nstombstone). + /* This is a Tombstone entry... we only add it to the nsuniqueid + * index, the nscpEntryDN index, and the idlist for (objectclass=nstombstone). */ if (job->flags & FLAG_ABORT) { goto error; @@ -1387,6 +1390,29 @@ goto error; } } + if (is_nscpentrydn_attribute) { + attrlist_cursor = NULL; + while ((attr = attrlist_find_ex(ep->ep_entry->e_attrs, + SLAPI_ATTR_NSCP_ENTRYDN, + NULL, + NULL, + &attrlist_cursor)) != NULL) { + + if (job->flags & FLAG_ABORT) { + goto error; + } + if(valueset_isempty(&(attr->a_present_values))) continue; + svals = attr_get_present_values(attr); + ret = index_addordel_values_ext_sv(be, info->index_info->name, + svals, NULL, ep->ep_id, BE_INDEX_ADD | (job->encrypt ? 0 : BE_INDEX_DONT_ENCRYPT), NULL, &idl_disposition, + substring_key_buffer); + + if (0 != ret) { + /* Something went wrong, eg disk filled up */ + goto error; + } + } + } } import_decref_entry(ep); info->last_ID_processed = id; From nkinder at fedoraproject.org Fri Nov 21 17:06:08 2008 
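Review bot: The new `is_nscpentrydn_attribute` block reads as a copy of the nsuniqueid block above it (that block is outside the hunk) with only the attribute type changed: the same `attrlist_find_ex` loop, the same abort check, the same `index_addordel_values_ext_sv` call with `BE_INDEX_ADD | (job->encrypt ? 0 : BE_INDEX_DONT_ENCRYPT)`. Rather than a third copy the next time a tombstone attribute needs indexing, consider a static helper taking the attribute type, called once per gated attribute. The unbraced `if(valueset_isempty(&(attr->a_present_values))) continue;` should also get braces like the other conditions in this loop. The enclosing function starts and ends outside the hunk.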
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Fri, 21 Nov 2008 17:06:08 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd slapi_counter.c, 1.6, 1.7 Message-ID: <20081121170608.9EB227013C@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28719/ldap/servers/slapd Modified Files: slapi_counter.c Log Message: Resolves: 207457 Summary: Changed the way we specify the memory offset in the slapi_counter_set_value() assembly code to make it work properly with gcc3. Index: slapi_counter.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi_counter.c,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- slapi_counter.c 12 Nov 2008 16:58:06 -0000 1.6 +++ slapi_counter.c 21 Nov 2008 17:06:05 -0000 1.7 @@ -306,7 +306,7 @@ " movl 4%0, %%edx;" /* Put newval in ECX:EBX */ " movl %1, %%ebx;" - " movl 4%1, %%ecx;" + " movl 4+%1, %%ecx;" /* If EDX:EAX and counter-> are the same, * replace *ptr with ECX:EBX */ " lock; cmpxchg8b %0;" From rmeggins at fedoraproject.org Mon Nov 24 16:09:25 2008 
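Review bot: The fix changes only the `newval` operand to `4+%1`, while the context line two above still addresses the counter operand as `4%0` (`" movl 4%0, %%edx;"`). Whether %0 needs the same treatment depends on its constraint, which is outside the hunk: `4+` is safe when the operand expands with a displacement (`4+8(%ebp)`), whereas `4%0` would concatenate digits if %0 ever expanded that way (`48(%ebp)`), and conversely `4+` breaks a bare register-indirect `(%ebx)`. If the asymmetry is deliberate, say so next to the changed line, e.g. `/* 4+%1: %1 expands as a displaced memory operand under gcc3 */`, so the next reader does not "fix" it back.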
From: rmeggins at fedoraproject.org (Richard Allen Megginson) Date: Mon, 24 Nov 2008 16:09:25 +0000 (UTC) Subject: [Fedora-directory-commits] directoryconsole/src/com/netscape/admin/dirserv/panel/replication ActiveDirectoryAgreement.java, 1.1.1.1, 1.2 AgreementDestinationPanel.java, 1.1.1.1, 1.2 AgreementPanel.java, 1.1.1.1, 1.2 AgreementWizard.java, 1.1.1.1, 1.2 AgreementWizardInfo.java, 1.1.1.1, 1.2 IReplicationAgreement.java, 1.1.1.1, 1.2 MMRAgreement.java, 1.1.1.1, 1.2 ReplicationAgreement.java, 1.2, 1.3 ReplicationTool.java, 1.1.1.1, 1.2 WAgreementDestinationPanel.java, 1.1.1.1, 1.2 WAgreementSummaryPanel.java, 1.1.1.1, 1.2 WindowsAgreementDestinationPanel.java, 1.2, 1.3 WindowsAgreementWizard.java, 1.1.1.1, 1.2 WindowsAgreementWizardInfo.java, 1.1.1.1, 1.2 replication.properties, 1.1.1.1, 1.2 Message-ID: <20081124160925.A85B170141@cvs1.fedora.phx.redhat.com> Author: rmeggins Update of /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23221/directoryconsole/src/com/netscape/admin/dirserv/panel/replication Modified Files: ActiveDirectoryAgreement.java AgreementDestinationPanel.java AgreementPanel.java AgreementWizard.java AgreementWizardInfo.java IReplicationAgreement.java MMRAgreement.java ReplicationAgreement.java ReplicationTool.java WAgreementDestinationPanel.java WAgreementSummaryPanel.java WindowsAgreementDestinationPanel.java WindowsAgreementWizard.java WindowsAgreementWizardInfo.java replication.properties Log Message: Resolves: bug 469261 Bug Description: Support server-to-server SASL - console replication changes Reviewed by: nkinder (Thanks!) Fix Description: This adds support for starttls, gssapi, and digest to the console for setting up replication agreements. 
1) Instead of a checkbox for use ssl, I added 3 radio buttons - no ssl, regular ldaps, starttls - note: active directory supports starttls 2) To the ssl auth and simple auth radio buttons, I added gssapi and digest. The way the logic works is that gssapi is only allowed when using regular ldap, digest and simple bind are allowed always, ssl auth is only allowed with one of the ssl options. gssapi allows an empty bind dn and password, but digest and simple require a bind dn and password. NOTE: we do not support anything other than simple bind with active directory in the GUI I also changed the wording a little bit, and added tool tips (which will hopefully not be too annoying) I did not add additional checking e.g. the console cannot verify that kerberos is set up properly Platforms tested: RHEL5 Flag Day: no Doc impact: oh yes Index: ActiveDirectoryAgreement.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ActiveDirectoryAgreement.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- ActiveDirectoryAgreement.java 18 Jul 2005 00:56:06 -0000 1.1.1.1 +++ ActiveDirectoryAgreement.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -149,6 +149,7 @@ } else if (attr.getName().equalsIgnoreCase( ReplicationTool.REPLICA_TRANSPORT_ATTR)) { setUseSSL(val); + setUseStartTLS(val); } else if (attr.getName().equalsIgnoreCase( ReplicationTool.MMR_NAME_ATTR)) { cn = val; 
@@ -248,13 +249,18 @@ newAttrs.add(attr); } - if( useSSL ) { - attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, - ReplicationTool.REPLICA_TRANSPORT_SSL ); + if( useSSL || useStartTLS ) { + if (useStartTLS) { + attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_TLS ); + } else { + attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_SSL ); + } newAttrs.add(attr); } - if( useSSL && useSSLAuth ) { + if( (useSSL || useStartTLS) && useSSLAuth ) { attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH ); newAttrs.add(attr); Index: AgreementDestinationPanel.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementDestinationPanel.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- AgreementDestinationPanel.java 18 Jul 2005 00:56:06 -0000 1.1.1.1 +++ AgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.2 
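Review bot: The nested `if (useStartTLS) {...} else {...}` inside `if( useSSL || useStartTLS )` constructs the same `LDAPAttribute` twice with only the value differing; a single selection reads more clearly: `String transport = useStartTLS ? ReplicationTool.REPLICA_TRANSPORT_TLS : ReplicationTool.REPLICA_TRANSPORT_SSL; attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, transport);`. When both flags are true startTLS wins silently; the first hunk of this file sets both from the same transport attribute so that should not occur, but a short comment stating the precedence would help. The enclosing method starts and ends outside the hunk.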
@@ -82,20 +82,55 @@ _myPanel.setLayout(new GridBagLayout()); _myPanel.setBackground(getBackground()); + //connection radio buttons + ButtonGroup connGroup = new ButtonGroup(); + //plain old ldap button + _noEncrypt = makeJRadioButton(_resource.getString( + "replication-destination-noEncrypt","label")); + _noEncrypt.setToolTipText(_resource.getString( + "replication-destination-noEncrypt","ttip")); + connGroup.add(_noEncrypt); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx = 1.0; + _myPanel.add(_noEncrypt, gbc); + //ssl check box - _sslEncrypt = makeJCheckBox(_resource.getString( + _sslEncrypt = makeJRadioButton(_resource.getString( "replication-destination-sslEncrypt","label")); + _sslEncrypt.setToolTipText(_resource.getString( + "replication-destination-sslEncrypt","ttip")); + connGroup.add(_sslEncrypt); ReplicationTool.resetGBC(gbc); - gbc.anchor = gbc.WEST; + gbc.anchor = gbc.WEST; gbc.gridwidth = gbc.REMAINDER; gbc.fill = gbc.NONE; gbc.weightx=1.0; _myPanel.add(_sslEncrypt, gbc); + //tls check box + _tlsEncrypt = makeJRadioButton(_resource.getString( + "replication-destination-startTLS","label")); + _tlsEncrypt.setToolTipText(_resource.getString( + "replication-destination-startTLS","ttip")); + connGroup.add(_tlsEncrypt); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx=1.0; + _myPanel.add(_tlsEncrypt, gbc); + /* add DSEntry to correctly update field coloring and buttons enabling/disabling */ + _ldapDSEntry = new DSEntryBoolean ("on", _noEncrypt); + setComponentTable(_noEncrypt, _ldapDSEntry); _sslDSEntry = new DSEntryBoolean ("off", _sslEncrypt); setComponentTable(_sslEncrypt, _sslDSEntry); + _tlsDSEntry = new DSEntryBoolean ("off", _tlsEncrypt); + setComponentTable(_tlsEncrypt, _tlsDSEntry); //auth using label JLabel auth = makeJLabel(_resource.getString( 
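Review bot: The comments `//ssl check box` and `//tls check box` now sit above `makeJRadioButton` calls — `_sslEncrypt` stops being a check box in this very hunk — so rename them `//ldaps radio button` / `//startTLS radio button` to match the new `//plain old ldap button`. The three radio buttons repeat the same GridBag setup (resetGBC, anchor, gridwidth, fill, weightx, add) verbatim, which a small private helper taking the button group and resource key would collapse; that matches the method's existing style, so it is optional. The enclosing method starts before and ends after the hunk.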
@@ -116,40 +151,80 @@ gbc.insets = new Insets(0,0,0,0); _myPanel.add(authModePanel, gbc); - //ssl auth radio button - ButtonGroup authGroup = new ButtonGroup(); - _sslAuth = makeJRadioButton(_resource.getString( - "replication-destination-sslClientAuth","label")); - authGroup.add(_sslAuth); - ReplicationTool.resetGBC(gbc); - gbc.anchor = gbc.WEST; - gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; - gbc.weightx=1.0; - authModePanel.add(_sslAuth, gbc); - - /* add DSEntry to correctly update field - coloring and buttons enabling/disabling */ - _sslAuthDSEntry = new DSEntryBoolean ("off", _sslAuth); - setComponentTable(_sslAuth, _sslAuthDSEntry); + if(_agreement.getAgreementType() != ReplicationAgreement.AGREEMENT_TYPE_AD) { + //ssl auth radio button + ButtonGroup authGroup = new ButtonGroup(); + _sslAuth = makeJRadioButton(_resource.getString( + "replication-destination-sslClientAuth","label")); + _sslAuth.setToolTipText(_resource.getString( + "replication-destination-sslClientAuth","ttip")); + authGroup.add(_sslAuth); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx=1.0; + authModePanel.add(_sslAuth, gbc); + + /* add DSEntry to correctly update field + coloring and buttons enabling/disabling */ + _sslAuthDSEntry = new DSEntryBoolean ("off", _sslAuth); + setComponentTable(_sslAuth, _sslAuthDSEntry); + + //gssapi auth radio button + _gssapiAuth = makeJRadioButton(_resource.getString( + "replication-destination-gssapiAuth","label")); + _gssapiAuth.setToolTipText(_resource.getString( + "replication-destination-gssapiAuth","ttip")); + authGroup.add(_gssapiAuth); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx = 1.0; + authModePanel.add(_gssapiAuth, gbc); - //simple auth radio button - _simpAuth = makeJRadioButton(_resource.getString( - "replication-destination-simpleAuth","label")); - authGroup.add(_simpAuth); 
- ReplicationTool.resetGBC(gbc); - gbc.insets.top = 0; - gbc.anchor = gbc.WEST; - gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; - gbc.weightx=1.0; - authModePanel.add(_simpAuth, gbc); + /* add DSEntry to correctly update field + coloring and buttons enabling/disabling */ + _gssapiAuthDSEntry = new DSEntryBoolean ("off", _gssapiAuth); + setComponentTable(_gssapiAuth, _gssapiAuthDSEntry); + + //digest auth radio button + _digestAuth = makeJRadioButton(_resource.getString( + "replication-destination-digestAuth","label")); + _digestAuth.setToolTipText(_resource.getString( + "replication-destination-digestAuth","ttip")); + authGroup.add(_digestAuth); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx = 1.0; + authModePanel.add(_digestAuth, gbc); - /* add DSEntry to correctly update field - coloring and buttons enabling/disabling */ - _simpAuthDSEntry = new DSEntryBoolean ("on", _simpAuth); - setComponentTable(_simpAuth, _simpAuthDSEntry); + /* add DSEntry to correctly update field + coloring and buttons enabling/disabling */ + _digestAuthDSEntry = new DSEntryBoolean ("off", _digestAuth); + setComponentTable(_digestAuth, _digestAuthDSEntry); + + //simple auth radio button + _simpAuth = makeJRadioButton(_resource.getString( + "replication-destination-simpleAuth","label")); + authGroup.add(_simpAuth); + ReplicationTool.resetGBC(gbc); + gbc.insets.top = 0; + gbc.anchor = gbc.WEST; + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.NONE; + gbc.weightx=1.0; + authModePanel.add(_simpAuth, gbc); + /* add DSEntry to correctly update field + coloring and buttons enabling/disabling */ + _simpAuthDSEntry = new DSEntryBoolean ("on", _simpAuth); + setComponentTable(_simpAuth, _simpAuthDSEntry); + } + //simp panel JPanel simpPanel = new JPanel(new GridBagLayout()); ReplicationTool.resetGBC(gbc); 
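Review bot: The simple-auth radio is the only one of the four auth choices created without a tooltip — `_simpAuth = makeJRadioButton(...)` is followed directly by `authGroup.add(_simpAuth);`, while `_sslAuth`, `_gssapiAuth` and `_digestAuth` each get `setToolTipText(_resource.getString(..., "ttip"))`; add `_simpAuth.setToolTipText(_resource.getString("replication-destination-simpleAuth","ttip"));` together with the matching `ttip` key in replication.properties, which this commit already edits. Wrapping the whole group in `if(_agreement.getAgreementType() != ReplicationAgreement.AGREEMENT_TYPE_AD)` leaves all four radios null for AD agreements, so every later use must null-check; the other hunks do so, and a one-line comment at the top of the block saying "all auth radios stay null for AD agreements" would make that contract visible. The enclosing method starts before and ends after the hunk.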
@@ -202,7 +277,7 @@ /* add DSEntry to correctly update field coloring and buttons enabling/disabling */ - _pwdDSEntry = new DSEntryTextStrict ("", _pwdText, _pwd); + _pwdDSEntry = new pwdDSEntry ("", _pwdText, _pwd); setComponentTable(_pwdText, _pwdDSEntry); if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD){ @@ -275,9 +350,13 @@ } private void enableFields(){ - _sslEncrypt.setEnabled(false); - _sslAuth.setEnabled(_sslEncrypt.isSelected()); - _simpAuth.setEnabled(_sslEncrypt.isSelected()); + boolean ssl = _sslEncrypt.isSelected() || _tlsEncrypt.isSelected(); + if (_sslAuth != null) { + _sslAuth.setEnabled(ssl); + } + if (_gssapiAuth != null) { + _gssapiAuth.setEnabled(!ssl); + } } 
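Review bot: `enableFields()` disables `_gssapiAuth` when SSL or startTLS is selected but does not move the selection, so a panel where GSSAPI is selected can end up with a disabled-but-selected radio and no usable auth choice; `actionPerformed` handles the interactive case by selecting `_simpAuth`, and this method should do the same: `if (ssl && _gssapiAuth.isSelected() && _simpAuth != null) { _simpAuth.setSelected(true); }` inside the existing `_gssapiAuth != null` branch. The removed version also disabled `_sslEncrypt` unconditionally; dropping that is presumably intended now that the transport is a radio group, but a short comment saying so would spare the next reader the question.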
@@ -298,35 +377,81 @@ } //========= ACTIONLISTENER ================= - public void actionPerformed(ActionEvent e) { - if (e.getSource().equals(_sslAuth)) { - if (_sslAuth.isSelected()) { - //disable - enableSimpleAuth (false); - } - } - if (e.getSource().equals(_simpAuth)) { - if (_simpAuth.isSelected()) { - //enable - enableSimpleAuth (true); - } + public void actionPerformed(ActionEvent e) { + _bindDSEntry.setSkipCheck(false); + _pwdDSEntry.setSkipCheck(false); + if (e.getSource().equals(_sslAuth) && _sslAuth.isSelected()) { + setDirtyFlag(); + //disable + enableSimpleAuth (false); + } + if (e.getSource().equals(_gssapiAuth) && _gssapiAuth.isSelected()) { + setDirtyFlag(); + // enable + enableSimpleAuth (true); + // requires ldap + _noEncrypt.setSelected(true); + /* set to use non-SSL port LDAP */ + _portAttr = ATTR_PORT; + _bindDSEntry.setSkipCheck(true); + _pwdDSEntry.setSkipCheck(true); + } + if (e.getSource().equals(_simpAuth) && _simpAuth.isSelected()) { + setDirtyFlag(); + //enable + enableSimpleAuth (true); + } + if (e.getSource().equals(_digestAuth) && _digestAuth.isSelected()) { + setDirtyFlag(); + //enable + enableSimpleAuth (true); + } + + if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) { + setDirtyFlag(); + //disable + if (_sslAuth != null) { + _sslAuth.setEnabled(false); + } + //enable + if ((_sslAuth != null) && _sslAuth.isSelected() && (_simpAuth != null)) { + // have to select something else + _simpAuth.setSelected(true); + } + enableSimpleAuth(true); + if (_gssapiAuth != null) { + _gssapiAuth.setEnabled(true); + } + if (_digestAuth != null) { + _digestAuth.setEnabled(true); + } + + /* set to use non-SSL port */ + _portAttr = ATTR_PORT; + } + boolean ssl_selected = false; + if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) { + /* set to use SSL port */ + _portAttr = ATTR_SSL_PORT; + ssl_selected = true; } - if (e.getSource().equals(_sslEncrypt)) { - setDirtyFlag(); - if (_sslEncrypt.isSelected()) { - //enable - 
_sslAuth.setEnabled(true); - - _portAttr = ATTR_SSL_PORT; - } else { - //disable - _sslAuth.setEnabled(false); - //enable - _simpAuth.setSelected(true); - enableSimpleAuth (true); - - _portAttr = ATTR_PORT; - } + if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) { + /* set to use non-SSL port for startTLS */ + _portAttr = ATTR_PORT; + ssl_selected = true; + } + if (ssl_selected) { + if (_sslAuth != null) { + _sslAuth.setEnabled(true); + } + if (_gssapiAuth != null) { + _gssapiAuth.setEnabled(false); + if (_gssapiAuth.isSelected()) { + // have to select something else + _simpAuth.setSelected(true); + enableSimpleAuth(true); + } + } } super.actionPerformed (e); } 
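Review bot: `_bindDSEntry.setSkipCheck(false)` / `_pwdDSEntry.setSkipCheck(false)` run on every event and are only set back to true when the event source is `_gssapiAuth`, so any other control wired to this listener firing while GSSAPI stays selected re-enables the bind DN/password checks that GSSAPI is meant to skip; derive the flag from state rather than from the event: `boolean gssapi = (_gssapiAuth != null) && _gssapiAuth.isSelected(); _bindDSEntry.setSkipCheck(gssapi); _pwdDSEntry.setSkipCheck(gssapi);` placed just before `super.actionPerformed (e);`. Separately, the new `_sslEncrypt` and `_tlsEncrypt` branches no longer call `setDirtyFlag()`, which the removed `_sslEncrypt` branch did and every auth-method branch still does, so a transport change on its own may not mark the panel dirty. The method body is wholly inside the hunk; the class continues outside it.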
@@ -351,34 +476,30 @@ public void getUpdateInfo( Object inf ) { AgreementWizardInfo info = (AgreementWizardInfo)inf; - if (_sslEncrypt.isSelected()) - info.setSSL(true); - else - info.setSSL(false); + info.setStartTLS(_tlsEncrypt.isSelected()); + info.setSSL(_sslEncrypt.isSelected()); + info.setSSLAuth( (_sslAuth != null) && _sslAuth.isSelected() ); + info.setGSSAPIAuth( (_gssapiAuth != null) && _gssapiAuth.isSelected() ); + info.setDigestAuth( (_digestAuth != null) && _digestAuth.isSelected() ); - if (!_sslAuth.isSelected()) { - info.setBindDN(_bindText.getText()); - info.setBindPWD(_pwdText.getText()); - info.setSSLAuth( false ); - if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD) - { - if(_newWinUserSyncCB.isSelected()) - { - info.setNewWinUserSync("on"); - }else{ - info.setNewWinUserSync("off"); - } - if(_newWinGroupSyncCB.isSelected()) - { - info.setNewWinGroupSync("on"); - }else{ - info.setNewWinGroupSync("off"); - } - } - } else { + if (info.getSSLAuth()) { info.setBindDN(""); info.setBindPWD(""); - info.setSSLAuth( true ); + } else { + info.setBindDN(_bindText.getText()); + info.setBindPWD(_pwdText.getText()); + } + if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD) { + if(_newWinUserSyncCB.isSelected()) { + info.setNewWinUserSync("on"); + }else{ + info.setNewWinUserSync("off"); + } + if(_newWinGroupSyncCB.isSelected()) { + info.setNewWinGroupSync("on"); + }else{ + info.setNewWinGroupSync("off"); + } } } 
@@ -409,29 +530,35 @@ _origPwd = _agreement.getBindCredentials(); _origBindDN = _agreement.getBindDN(); } - if (_agreement.getUseSSL()) { - _sslDSEntry.fakeInitModel ("on"); - _sslEncrypt.setSelected(true); - _portAttr = ATTR_SSL_PORT; - - if (_agreement.getUseSSLAuth()) { - //SSL client Auth - enableSimpleAuth (false); - _sslAuth.setEnabled(true); - _sslAuthDSEntry.fakeInitModel ("on"); - _simpAuthDSEntry.fakeInitModel ("off"); - - } else { - //Simple Auth with SSL - _sslAuth.setEnabled(true); - _simpAuth.setSelected(true); - _simpAuthDSEntry.fakeInitModel ("on"); - enableSimpleAuth (true); - } - } else { - _portAttr = ATTR_PORT; - setSimpAuth(); + boolean ssl = _agreement.getUseSSL() || _agreement.getUseStartTLS(); + _ldapDSEntry.fakeInitModel(ssl ? "off" : "on"); + _noEncrypt.setSelected(!ssl); + _sslEncrypt.setSelected(_agreement.getUseSSL()); + _sslDSEntry.fakeInitModel(_agreement.getUseSSL() ? "on" : "off"); + _tlsEncrypt.setSelected(_agreement.getUseStartTLS()); + _tlsDSEntry.fakeInitModel(_agreement.getUseStartTLS() ? "on" : "off"); + _portAttr = _agreement.getUseSSL() ? ATTR_SSL_PORT : ATTR_PORT; + + if (_sslAuth != null) { + _sslAuth.setEnabled(ssl); + _sslAuth.setSelected(_agreement.getUseSSLAuth()); + _sslAuthDSEntry.fakeInitModel (_agreement.getUseSSLAuth() ? "on" : "off"); + enableSimpleAuth (!_agreement.getUseSSLAuth()); + } + if (_gssapiAuth != null) { + _gssapiAuth.setEnabled(!ssl); + _gssapiAuth.setSelected(_agreement.getUseGSSAPIAuth()); + _gssapiAuthDSEntry.fakeInitModel (_agreement.getUseGSSAPIAuth() ? "on" : "off"); + } + if (_digestAuth != null) { + _digestAuth.setSelected(_agreement.getUseDigestAuth()); + _digestAuthDSEntry.fakeInitModel (_agreement.getUseDigestAuth() ? "on" : "off"); + } + if (_simpAuth != null) { + _simpAuth.setEnabled(!_agreement.getUseSSLAuth()); + _simpAuthDSEntry.fakeInitModel (_agreement.getUseSSLAuth() ? 
"on" : "off"); } + if(_agreement.getAgreementType() == ReplicationAgreement.AGREEMENT_TYPE_AD){ if(((ActiveDirectoryAgreement)_agreement).getNewWinUserSync().compareTo("on") == 0){ _newWinUserSyncCB.setSelected(true); @@ -450,16 +577,6 @@ } } - /** - * Set simple auth selection - */ - private void setSimpAuth() { - //Simple Auth no SSL - _sslDSEntry.fakeInitModel ("off"); - _sslAuth.setEnabled(false); - _simpAuthDSEntry.fakeInitModel ("on"); - } - private void enableSimpleAuth (boolean enable){ _bind.setEnabled(enable); _bind.repaint(1); @@ -485,6 +602,8 @@ class bindDSEntry extends DSEntryTextStrict { + private boolean skipCheck = false; + bindDSEntry(String model, JComponent view1, JComponent view2) { super (model, view1, view2); } @@ -496,15 +615,50 @@ /* disabled field is always valid */ if (!tf.isEnabled ()) return 0; + + if (skipCheck) { + return 0; + } if (!dn.equals ("") && DSUtil.isValidDN (dn)) return 0; else return 1; } + + public void setSkipCheck(boolean val) { + skipCheck = val; + } } - /*========================================================== + class pwdDSEntry extends DSEntryTextStrict + { + private boolean skipCheck = false; + + pwdDSEntry(String model, JComponent view1, JComponent view2) { + super (model, view1, view2); + } + + public int validate (){ + JTextField tf = (JTextField) getView (0); + String dn = tf.getText (); + + /* disabled field is always valid */ + if (!tf.isEnabled ()) + return 0; + + if (skipCheck) { + return 0; + } + return super.validate(); + } + + public void setSkipCheck(boolean val) { + skipCheck = val; + } + } + + /*========================================================== * variables *==========================================================*/ private ConsoleInfo _serverInfo; 
@@ -517,20 +671,25 @@ private boolean refreshed = false; JTextField _bindText; - private JCheckBox _sslEncrypt, _newWinUserSyncCB, _newWinGroupSyncCB; - private JRadioButton _simpAuth, _sslAuth; + private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt; + private JCheckBox _newWinUserSyncCB, _newWinGroupSyncCB; + private JRadioButton _simpAuth = null, _sslAuth = null, _gssapiAuth = null, _digestAuth = null; JPasswordField _pwdText; private JLabel _bind, _pwd, _newWinUserSync, _newWinGroupSync; private JFrame _frame; private ImageIcon _icon; private bindDSEntry _bindDSEntry; - private DSEntryTextStrict _pwdDSEntry; + private pwdDSEntry _pwdDSEntry; private DSEntryBoolean _newUserDSEntry; private DSEntryBoolean _newGroupDSEntry; + private DSEntryBoolean _ldapDSEntry; private DSEntryBoolean _sslDSEntry; - private DSEntryBoolean _sslAuthDSEntry; - private DSEntryBoolean _simpAuthDSEntry; + private DSEntryBoolean _tlsDSEntry; + private DSEntryBoolean _sslAuthDSEntry = null; + private DSEntryBoolean _simpAuthDSEntry = null; + private DSEntryBoolean _gssapiAuthDSEntry = null; + private DSEntryBoolean _digestAuthDSEntry = null; private String _origBindDN; private String _origPwd; Index: AgreementPanel.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementPanel.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- AgreementPanel.java 18 Jul 2005 00:56:06 -0000 1.1.1.1 +++ AgreementPanel.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -131,6 +131,7 @@ // Determine whether SSL is used and what type. info.setSSL(_adAgreement.getUseSSL()); + info.setStartTLS(_adAgreement.getUseStartTLS()); info.setSSLAuth(_adAgreement.getUseSSLAuth()); // Set the description. 
@@ -254,8 +255,11 @@ _agreement.setReplicatedSubtree(info.getSubtree()); _agreement.setUpdateSchedule(info.getDate()); _agreement.setUseSSL(info.getSSL()); + _agreement.setUseStartTLS(info.getStartTLS()); _agreement.setUseSSLAuth( info.getSSLAuth()); - + _agreement.setUseGSSAPIAuth( info.getGSSAPIAuth()); + _agreement.setUseDigestAuth( info.getDigestAuth()); + if (info.getBindDN().equals("")) { _agreement.setBindDN(null); } else { Index: AgreementWizard.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementWizard.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- AgreementWizard.java 18 Jul 2005 00:56:07 -0000 1.1.1.1 +++ AgreementWizard.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -20,6 +20,7 @@ package com.netscape.admin.dirserv.panel.replication; import java.awt.*; + import com.netscape.admin.dirserv.wizard.*; import javax.swing.*; import com.netscape.management.client.util.*; @@ -37,7 +38,7 @@ public class AgreementWizard extends WizardWidget { public AgreementWizard(JFrame parent, AgreementWizardInfo info) { - super(parent, _resource.getString("replication-agreementWizard","label")); + super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,550)); getAccessibleContext().setAccessibleDescription(_resource.getString("replication-agreementWizard", "description")); //parent.setIconImage(ReplicationTool.getImage(_resource.getString("replication-agreementWizard","frameIcon")).getImage()); 
@@ -62,6 +63,7 @@ } info.setSubtree(info.getCopyAgreement().getReplicatedSubtree()); info.setSSL(info.getCopyAgreement().getUseSSL()); + info.setStartTLS(info.getCopyAgreement().getUseStartTLS()); if (info.getCopyAgreement().getBindDN()!= null) { info.setBindDN(info.getCopyAgreement().getBindDN()); } else { Index: AgreementWizardInfo.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/AgreementWizardInfo.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- AgreementWizardInfo.java 18 Jul 2005 00:56:07 -0000 1.1.1.1 +++ AgreementWizardInfo.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -213,6 +213,18 @@ return false; } + //ssl + void setStartTLS(boolean type) { + _content.put(AGREEMENT_EXTENSION+"startTLS", new Boolean(type)); + } + + boolean getStartTLS() { + if (_content.get(AGREEMENT_EXTENSION+"startTLS")!= null) + return ((Boolean)_content.get(AGREEMENT_EXTENSION+"startTLS")).booleanValue(); + else + return false; + } + //Auth type void setSSLAuth(boolean type) { _content.put(AGREEMENT_EXTENSION+"sslauth", new Boolean(type)); @@ -225,6 +237,30 @@ return false; } + //Auth type + void setGSSAPIAuth(boolean type) { + _content.put(AGREEMENT_EXTENSION+"gssapi", new Boolean(type)); + } + + boolean getGSSAPIAuth() { + if (_content.get(AGREEMENT_EXTENSION+"gssapi")!= null) + return ((Boolean)_content.get(AGREEMENT_EXTENSION+"gssapi")).booleanValue(); + else + return false; + } + + //Auth type + void setDigestAuth(boolean type) { + _content.put(AGREEMENT_EXTENSION+"digest", new Boolean(type)); + } + + boolean getDigestAuth() { + if (_content.get(AGREEMENT_EXTENSION+"digest")!= null) + return ((Boolean)_content.get(AGREEMENT_EXTENSION+"digest")).booleanValue(); + else + return false; + } + //bindDN void setBindDN(String dn) { if (dn != null) { 
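Review bot: When the wizard is seeded from a copied agreement this hunk now carries over `getUseStartTLS()` next to `getUseSSL()`, but the GSSAPI and digest flags introduced by this commit are not copied here; unless the lines just outside the hunk do it, a copied GSSAPI agreement would come up as simple bind: `info.setGSSAPIAuth(info.getCopyAgreement().getUseGSSAPIAuth()); info.setDigestAuth(info.getCopyAgreement().getUseDigestAuth());`. The enclosing method starts and ends outside the hunk.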
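Review bot: The `//ssl` comment above `setStartTLS` is a copy of the one above the SSL accessors and should read `//startTLS`; likewise `//Auth type` is repeated verbatim above the GSSAPI and digest accessors in the next hunk, where `//gssapi auth` / `//digest auth` would tell them apart. All three new getters repeat the `_content.get(key) != null ? ((Boolean)...).booleanValue() : false` lookup; a private `boolean getFlag(String key)` helper would leave one copy to maintain. These hunks are inside the class body, whose start and end are outside the view.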
@@ -390,12 +426,20 @@ buf.append(" "); buf.append(_resource.getString("replication-destination-sslEncrypt","label")+"\n"); } + if (getStartTLS()) { + buf.append(" "); + buf.append(_resource.getString("replication-destination-startTLS","label")+"\n"); + } //bind info buf.append(" "); buf.append(_resource.getString("replication-destination-authUsing","label")+" "); if (getSSL() && getSSLAuth()) { buf.append(_resource.getString("replication-destination-sslClientAuth","label")+"\n"); + } else if (getGSSAPIAuth()) { + buf.append(_resource.getString("replication-destination-gssapiAuth","label")+"\n"); + } else if (getDigestAuth()) { + buf.append(_resource.getString("replication-destination-digestAuth","label")+"\n"); } else { buf.append(_resource.getString("replication-destination-simpleAuth","label")+"\n"); } Index: IReplicationAgreement.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/IReplicationAgreement.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- IReplicationAgreement.java 18 Jul 2005 00:56:07 -0000 1.1.1.1 +++ IReplicationAgreement.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -157,6 +157,21 @@ public String[] getUpdateScheduleStrings(); /** + * Set the useStartTLS flag + */ + public void setUseStartTLS(String val); + + /** + * Set the useSSL flag + */ + public void setUseStartTLS(boolean val); + + /** + * Get the useSSL flag + */ + public boolean getUseStartTLS(); + + /** * Set the useSSL flag */ public void setUseSSL(String val); 
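Review bot: The Javadoc on the new `setUseStartTLS(boolean)` and `getUseStartTLS()` declarations still reads `Set the useSSL flag` / `Get the useSSL flag`, copied from the useSSL accessors just below, so the interface now documents two methods as controlling SSL. They should read `Set the useStartTLS flag` and `Get the useStartTLS flag`; the implementation in ReplicationAgreement.java repeats the same copied text. It would also help to state on these declarations that useSSL and useStartTLS are mutually exclusive transports, since the implementation clears useSSL when the TLS transport value is parsed.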
@@ -172,6 +187,51 @@ public boolean getUseSSL(); /** + * Set the sslAuth flag + */ + public void setUseSSLAuth(String val); + + /** + * Set the sslAuth flag + */ + public void setUseSSLAuth(boolean val); + + /** + * Get the sslAuth flag + */ + public boolean getUseSSLAuth(); + + /** + * Set the GSSAPIAuth flag + */ + public void setUseGSSAPIAuth(String val); + + /** + * Set the GSSAPIAuth flag + */ + public void setUseGSSAPIAuth(boolean val); + + /** + * Get the GSSAPIAuth flag + */ + public boolean getUseGSSAPIAuth(); + + /** + * Set the DigestAuth flag + */ + public void setUseDigestAuth(String val); + + /** + * Set the DigestAuth flag + */ + public void setUseDigestAuth(boolean val); + + /** + * Get the DigestAuth flag + */ + public boolean getUseDigestAuth(); + + /** * Get the CN (common name) of this entry */ public String getEntryCN(); Index: MMRAgreement.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/MMRAgreement.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- MMRAgreement.java 18 Jul 2005 00:56:07 -0000 1.1.1.1 +++ MMRAgreement.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -20,6 +20,7 @@ package com.netscape.admin.dirserv.panel.replication; import netscape.ldap.*; + import com.netscape.management.client.util.Debug; import com.netscape.management.client.util.ResourceSet; import com.netscape.management.client.console.ConsoleInfo; 
@@ -156,12 +157,15 @@ } else if (attr.getName().equalsIgnoreCase( ReplicationTool.REPLICA_TRANSPORT_ATTR)) { setUseSSL(val); + setUseStartTLS(val); } else if (attr.getName().equalsIgnoreCase( ReplicationTool.MMR_NAME_ATTR)) { cn = val; } else if (attr.getName().equalsIgnoreCase( ReplicationTool.REPLICA_BINDMETHOD_ATTR)) { setUseSSLAuth(val); + setUseGSSAPIAuth(val); + setUseDigestAuth(val); } else if (attr.getName().equalsIgnoreCase( ReplicationTool.REPLICA_REFRESH_ATTR)) { setORCValue(val); 
@@ -224,22 +228,30 @@ newAttrs.add(attr); } - if( useSSL ) { - attr = new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, - ReplicationTool.REPLICA_TRANSPORT_SSL ); - newAttrs.add(attr); - - } - if( useSSL && useSSLAuth ) { - attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, - ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH ); - newAttrs.add(attr); + if ( useStartTLS ) { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_TLS )); + } else if ( useSSL ) { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_SSL )); + } else { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_LDAP )); + } + + if ( useSSLAuth ) { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH )); + } else if ( useGSSAPIAuth ) { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI )); + } else if ( useDigestAuth ) { + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5 )); } else { - attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, - ReplicationTool.REPLICA_BINDMETHOD_SIMPLE ); - newAttrs.add(attr); + newAttrs.add(new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SIMPLE )); } - // XXXggood filtered and selective attribute attributes would // get written 
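Review bot: `REPLICA_BINDMETHOD_SSLCLIENTAUTH` is now written whenever `useSSLAuth` is set, even when the transport resolved to `REPLICA_TRANSPORT_LDAP`; the removed code only emitted it under `useSSL && useSSLAuth`. Certificate authentication cannot happen on a plain LDAP connection, so an agreement built this way would fail to bind instead of falling back to SIMPLE as before. Suggest `if ( useSSLAuth && (useSSL || useStartTLS) ) {` for the first branch; the wizard enforces the combination today, but MMRAgreement is also populated from server entries, where nothing does. The enclosing method starts before this hunk.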
@@ -327,14 +339,30 @@ } Debug.println("MMRAgreement.writeToServer: useSSLAuth="+ useSSLAuth ); - if( useSSLAuth ) { - attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, - ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH ); - } else { - attr = new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, - ReplicationTool.REPLICA_BINDMETHOD_SIMPLE ); - } - mods.add(LDAPModification.REPLACE, attr); + if ( useStartTLS ) { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_TLS )); + } else if ( useSSL ) { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_SSL )); + } else { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_TRANSPORT_ATTR, + ReplicationTool.REPLICA_TRANSPORT_LDAP )); + } + + if ( useSSLAuth ) { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SSLCLIENTAUTH )); + } else if ( useGSSAPIAuth ) { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI )); + } else if ( useDigestAuth ) { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5 )); + } else { + mods.add(LDAPModification.REPLACE, new LDAPAttribute(ReplicationTool.REPLICA_BINDMETHOD_ATTR, + ReplicationTool.REPLICA_BINDMETHOD_SIMPLE )); + } String[] sched = getUpdateScheduleStrings(); attr = new LDAPAttribute(ReplicationTool.REPLICA_SCHEDULE_ATTR); Index: ReplicationAgreement.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ReplicationAgreement.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- 
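Review bot: writeToServer() drops the same transport/bind-method dependency: `SSLCLIENTAUTH` is replaced into the entry whenever `useSSLAuth` is true, without requiring `useSSL || useStartTLS`, so a modify can leave an agreement with `nsDS5ReplicaTransportInfo: LDAP` and a certificate bind method. Guarding with `if ( useSSLAuth && (useSSL || useStartTLS) ) {` preserves the old behaviour. The `Debug.println(... "useSSLAuth=" + useSSLAuth)` just above now describes only one of four bind-method flags; logging `useGSSAPIAuth` and `useDigestAuth` with it would make the trace match what is written. The method begins and ends outside this hunk.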
ReplicationAgreement.java 2 Jul 2007 19:44:09 -0000 1.2 +++ ReplicationAgreement.java 24 Nov 2008 16:09:23 -0000 1.3 @@ -337,6 +337,34 @@ return useSSL; } + /** + * Set the useStartTLS flag + */ + public void setUseStartTLS(String val) { + Debug.println(8,"ReplicationAgreement.useStartTLS() val = " + val); + if ((val != null) && val.equals(ReplicationTool.REPLICA_TRANSPORT_TLS)) { + useStartTLS = true; + useSSL = false; + } else { + useStartTLS = false; + } + Debug.println(8,"ReplicationAgreement.useStartTLS() = " + useStartTLS ); + } + + /** + * Set the useSSL flag + */ + public void setUseStartTLS(boolean val) { + useStartTLS = val; + } + + /** + * Get the useSSL flag + */ + public boolean getUseStartTLS() { + return useStartTLS; + } + /** * Set the setUseSSLAuth flag */ @@ -364,6 +392,59 @@ return useSSLAuth; } + /** + * Set the setUseGSSAPIAuth flag + */ + public void setUseGSSAPIAuth(String val) { + if (val.equalsIgnoreCase("true")) { + useGSSAPIAuth = true; + } else if (val.equals(ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI)) { + useGSSAPIAuth = true; + } else { + useGSSAPIAuth = false; + } + } + + /** + * Set the setUseGSSAPIAuth flag + */ + public void setUseGSSAPIAuth(boolean val) { + useGSSAPIAuth = val; + } + + /** + * Get the setUseGSSAPIAuth flag + */ + public boolean getUseGSSAPIAuth() { + return useGSSAPIAuth; + } + + /** + * Set the setUseDigestAuth flag + */ + public void setUseDigestAuth(String val) { + if (val.equalsIgnoreCase("true")) { + useDigestAuth = true; + } else if (val.equals(ReplicationTool.REPLICA_BINDMETHOD_SASL_DIGEST_MD5)) { + useDigestAuth = true; + } else { + useDigestAuth = false; + } + } + + /** + * Set the setUseDigestAuth flag + */ + public void setUseDigestAuth(boolean val) { + useDigestAuth = val; + } + + /** + * Get the setUseDigestAuth flag + */ + public boolean getUseDigestAuth() { + return useDigestAuth; + } /** * Set the type of agreement. 
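Review bot: `setUseGSSAPIAuth(String)` and `setUseDigestAuth(String)` dereference `val` (`val.equalsIgnoreCase("true")`) without a null check, whereas `setUseStartTLS(String)` in the same file guards `val != null`; the entry-loading code passes `DSUtil.getAttrValue(entry, REPLICA_BINDMETHOD_ATTR)` straight through, so an agreement entry lacking `nsDS5ReplicaBindMethod` would presumably throw NullPointerException while loading. Null-safe comparisons fix this without changing the accepted values: `if ("true".equalsIgnoreCase(val) || ReplicationTool.REPLICA_BINDMETHOD_SASL_GSSAPI.equals(val)) {` and the equivalent with `REPLICA_BINDMETHOD_SASL_DIGEST_MD5`. Note also that the literal `"true"` is accepted by both setters, so that value would turn on GSSAPI and DIGEST-MD5 at once; if it is not a real attribute value, dropping that clause removes the ambiguity.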
@@ -1265,10 +1346,16 @@ ReplicationTool.REPLICA_CRED_ATTR); setUseSSL(DSUtil.getAttrValue(entry, - ReplicationTool.REPLICA_TRANSPORT_ATTR)); + ReplicationTool.REPLICA_TRANSPORT_ATTR)); + setUseStartTLS(DSUtil.getAttrValue(entry, + ReplicationTool.REPLICA_TRANSPORT_ATTR)); setUseSSLAuth(DSUtil.getAttrValue(entry, ReplicationTool.REPLICA_BINDMETHOD_ATTR)); + setUseGSSAPIAuth(DSUtil.getAttrValue(entry, + ReplicationTool.REPLICA_BINDMETHOD_ATTR)); + setUseDigestAuth(DSUtil.getAttrValue(entry, + ReplicationTool.REPLICA_BINDMETHOD_ATTR)); String[] schedule = DSUtil.getAttrValues(entry, ReplicationTool.REPLICA_SCHEDULE_ATTR); @@ -1713,7 +1800,12 @@ ret += "\n"; ret += "Host: " + getRemoteHost() + "\n"; ret += "Port: " + getRemotePort() + "\n"; - ret += "Subtree: " + replicatedSubtree; + ret += "Subtree: " + replicatedSubtree + "\n"; + ret += "SSL: " + useSSL + "\n"; + ret += "TLS: " + useStartTLS + "\n"; + ret += "SSL Client Auth: " + useSSLAuth + "\n"; + ret += "SASL/GSSAPI Auth: " + useGSSAPIAuth + "\n"; + ret += "SASL/Digest-MD5 Auth: " + useDigestAuth + "\n"; return ret; } 
@@ -1837,8 +1929,11 @@ protected String bindCredentials; // The credentials (password) used when connectin to the consumer. protected Vector updateSchedule; // Schedule(s) for updates //protected ReplicationAgreementEditor editor; // Reference to repl agrmt editor window. If null, no window is open - protected boolean useSSL; // true if SSL should be used when connecting to replote server - protected boolean useSSLAuth; // true if useSSL and strong auth by SSL required + protected boolean useSSL; // true if SSL should be used when connecting to remote server + protected boolean useStartTLS; // true if startTLS should be used when connecting to remote server + protected boolean useSSLAuth; // true if useSSL and strong auth by SSL required + protected boolean useGSSAPIAuth; // true if using SASL/GSSAPI for auth + protected boolean useDigestAuth; // true if using SASL/Digest-MD5 for auth protected int agreementType; // mmr or legacyr //protected Vector namingContexts; // Naming contexts supported by the server protected String orcValue; // non-null if replica is being reinitialized Index: ReplicationTool.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/ReplicationTool.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- ReplicationTool.java 18 Jul 2005 00:56:09 -0000 1.1.1.1 +++ ReplicationTool.java 24 Nov 2008 16:09:23 -0000 1.2 
@@ -105,13 +105,15 @@ final static String REPLICA_PORT_ATTR = "nsDS5ReplicaPort"; final static String REPLICA_TRANSPORT_ATTR = "nsDS5ReplicaTransportInfo"; final static String REPLICA_TRANSPORT_SSL = "SSL"; - final static String REPLICA_TRANSPORT_STARTTLS = "startTLS"; + final static String REPLICA_TRANSPORT_TLS = "TLS"; final static String REPLICA_TRANSPORT_LDAP= "LDAP"; final static String REPLICA_CRED_ATTR = "nsDS5ReplicaCredentials"; final static String REPLICA_BINDMETHOD_ATTR = "nsDS5ReplicaBindMethod"; final static String REPLICA_REPLATTRS_ATTR = "nsDS5ReplicatedAttributeList"; final static String REPLICA_BINDMETHOD_SIMPLE = "SIMPLE"; final static String REPLICA_BINDMETHOD_SSLCLIENTAUTH = "SSLCLIENTAUTH"; + final static String REPLICA_BINDMETHOD_SASL_GSSAPI = "SASL/GSSAPI"; + final static String REPLICA_BINDMETHOD_SASL_DIGEST_MD5 = "SASL/DIGEST-MD5"; final static String REPLICA_SCHEDULE_ATTR = "nsDS5ReplicaUpdateSchedule"; final static String REPLICA_REFRESH_ATTR = "nsds5BeginReplicaRefresh"; final static String MMR_NAME_ATTR = "cn"; Index: WAgreementDestinationPanel.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WAgreementDestinationPanel.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- WAgreementDestinationPanel.java 18 Jul 2005 00:56:10 -0000 1.1.1.1 +++ WAgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.2 
@@ -147,77 +147,143 @@ gbc.weightx = 1.0; add(authPanel, gbc); - //ssl check box - _sslEncrypt = new JCheckBox(_resource.getString( + //connection radio buttons + ButtonGroup connGroup = new ButtonGroup(); + //plain old ldap button + _noEncrypt = new JRadioButton(_resource.getString( + "replication-destination-noEncrypt","label")); + _noEncrypt.setToolTipText(_resource.getString( + "replication-destination-noEncrypt","ttip")); + _noEncrypt.setSelected(true); // default is on + _noEncrypt.addActionListener(this); + connGroup.add(_noEncrypt); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.insets = new Insets(0, space, 0, different); + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.HORIZONTAL; + gbc.weightx = 1.0; + authPanel.add(_noEncrypt, gbc); + + //ssl button + _sslEncrypt = new JRadioButton(_resource.getString( "replication-destination-sslEncrypt","label")); + _sslEncrypt.setToolTipText(_resource.getString( + "replication-destination-sslEncrypt","ttip")); _sslEncrypt.addActionListener(this); + connGroup.add(_sslEncrypt); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0, space, different, different); + gbc.insets = new Insets(0, space, 0, different); gbc.gridwidth = gbc.REMAINDER; gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; authPanel.add(_sslEncrypt, gbc); + //tls button + _tlsEncrypt = new JRadioButton(_resource.getString( + "replication-destination-startTLS","label")); + _tlsEncrypt.setToolTipText(_resource.getString( + "replication-destination-startTLS","ttip")); + _tlsEncrypt.addActionListener(this); + connGroup.add(_tlsEncrypt); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.insets = new Insets(0, space, space, different); + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.HORIZONTAL; + gbc.weightx = 1.0; + authPanel.add(_tlsEncrypt, gbc); + //auth using label JLabel auth = new JLabel(_resource.getString( "replication-destination-authUsing","label")); - JPanel authModePanel = new JPanel(new 
GridBagLayout()); - gbc.insets = new Insets(0,0,0,0); - authPanel.add(authModePanel, gbc); - auth.setLabelFor(authModePanel); - ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,space,different); + gbc.insets = new Insets(0,space,0,different); gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; + gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - authModePanel.add(auth, gbc); + authPanel.add(auth, gbc); //ssl auth radio button ButtonGroup authGroup = new ButtonGroup(); _sslAuth = new JRadioButton(_resource.getString( "replication-destination-sslClientAuth","label")); + _sslAuth.setToolTipText(_resource.getString( + "replication-destination-sslClientAuth","ttip")); _sslAuth.addActionListener(this); authGroup.add(_sslAuth); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,0,different); + gbc.insets = new Insets(0,space,0,different); gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; + gbc.fill = gbc.HORIZONTAL; + gbc.weightx = 1.0; + authPanel.add(_sslAuth, gbc); + + //gssapi auth radio button + _gssapiAuth = new JRadioButton(_resource.getString( + "replication-destination-gssapiAuth","label")); + _gssapiAuth.setToolTipText(_resource.getString( + "replication-destination-gssapiAuth","ttip")); + _gssapiAuth.addActionListener(this); + authGroup.add(_gssapiAuth); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.insets = new Insets(0,space,0,different); + gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.HORIZONTAL; + gbc.weightx = 1.0; + authPanel.add(_gssapiAuth, gbc); + + //digest auth radio button + _digestAuth = new JRadioButton(_resource.getString( + "replication-destination-digestAuth","label")); + _digestAuth.setToolTipText(_resource.getString( + "replication-destination-digestAuth","ttip")); + _digestAuth.addActionListener(this); + authGroup.add(_digestAuth); + ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.WEST; + gbc.insets = new Insets(0,space,0,different); + 
gbc.gridwidth = gbc.REMAINDER; + gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - authModePanel.add(_sslAuth, gbc); + authPanel.add(_digestAuth, gbc); //simple auth radio button _simpAuth = new JRadioButton(_resource.getString( "replication-destination-simpleAuth","label")); + _simpAuth.setToolTipText(_resource.getString( + "replication-destination-simpleAuth","ttip")); _simpAuth.addActionListener(this); authGroup.add(_simpAuth); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,0,different); + gbc.insets = new Insets(0,space,0,different); gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; + gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - authModePanel.add(_simpAuth, gbc); + authPanel.add(_simpAuth, gbc); //simp panel JPanel simpPanel = new JPanel(); simpPanel.setLayout(new GridBagLayout()); simpPanel.setBackground(getBackground()); ReplicationTool.resetGBC(gbc); + gbc.anchor = gbc.NORTH; gbc.gridwidth = gbc.REMAINDER; gbc.weightx=1.0; gbc.insets = new Insets(0,0,0,0); - authModePanel.add(simpPanel, gbc); + authPanel.add(simpPanel, gbc); //bind as _bind = new JLabel(_resource.getString( "replication-destination-bindAs","label")); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.EAST; - gbc.insets = new Insets(0,70,space,different); + gbc.insets = new Insets(0,space+10,space,different); gbc.fill = gbc.NONE; simpPanel.add(_bind, gbc); @@ -237,7 +303,7 @@ "replication-destination-bindPwd","label")); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.EAST; - gbc.insets = new Insets(0,70,space,different); + gbc.insets = new Insets(0,space+10,space,different); gbc.fill = gbc.NONE; simpPanel.add(_pwd, gbc); 
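Review bot: `_noEncrypt` is selected programmatically as the default (`_noEncrypt.setSelected(true)`) while `_sslAuth` is created enabled, and `JRadioButton.setSelected` does not fire the ActionListener that disables `_sslAuth` for plain LDAP, so on a fresh panel the SSL client-auth option is selectable with an unencrypted transport until the user toggles a transport button (unless copyData() runs after construction, which is not visible here). Adding `_sslAuth.setEnabled(false);` right after its construction, or invoking the transport handler once at the end of layout, would make the initial state obey the listener's rules. The repeated `resetGBC/anchor/insets/gridwidth/fill/weightx` sequence for each of the seven buttons could also become a small helper, which would make the few differing `insets` values stand out. The enclosing method starts before this hunk.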
@@ -336,42 +402,69 @@ _toBox.setSelectedIndex(_toModel.getSize()-1); //no need to get new context } - if (e.getSource().equals(_sslAuth)) { - if (_sslAuth.isSelected()) { - //disable - enableSimpleAuth (false); - } - } - if (e.getSource().equals(_simpAuth)) { - if (_simpAuth.isSelected()) { - //enable - enableSimpleAuth (true); - } - } - if (e.getSource().equals(_sslEncrypt)) { - if (_sslEncrypt.isSelected()) { - //enable - _sslAuth.setEnabled(true); + if (e.getSource().equals(_sslAuth) && _sslAuth.isSelected()) { + //disable + enableSimpleAuth (false); + } + if (e.getSource().equals(_gssapiAuth) && _gssapiAuth.isSelected()) { + // enable + enableSimpleAuth (true); + // requires ldap + _noEncrypt.setSelected(true); + /* set to use non-SSL port LDAP */ + _portAttr = ATTR_PORT; + } + if (e.getSource().equals(_simpAuth) && _simpAuth.isSelected()) { + //enable + enableSimpleAuth (true); + } + if (e.getSource().equals(_digestAuth) && _digestAuth.isSelected()) { + //enable + enableSimpleAuth (true); + } + + if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) { + /* set to use non-SSL port LDAP */ + _portAttr = ATTR_PORT; + //disable + _sslAuth.setEnabled(false); + //enable + if (_sslAuth.isSelected()) { + // have to select something else + _simpAuth.setSelected(true); + } + enableSimpleAuth(true); + _gssapiAuth.setEnabled(true); + _digestAuth.setEnabled(true); - /* set to use SSL port */ - _portAttr = ATTR_SECURE_PORT; - - } else { - //disable - _sslAuth.setEnabled(false); - //enable - _simpAuth.setSelected(true); - enableSimpleAuth(true); - - /* set to use non-SSL port */ - _portAttr = ATTR_PORT; - } + /* set to use non-SSL port */ + _portAttr = ATTR_PORT; /* set appropriate to and from servers */ populateInstanceModel(_consoleInfo); _toText.setText(_server.getKey()); } + boolean ssl_selected = false; + if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) { + /* set to use SSL port */ + _portAttr = ATTR_SECURE_PORT; + ssl_selected = true; + } 
+ if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) { + /* set to use non-SSL port for startTLS */ + _portAttr = ATTR_PORT; + ssl_selected = true; + } + if (ssl_selected) { + _sslAuth.setEnabled(true); + _gssapiAuth.setEnabled(false); + if (_gssapiAuth.isSelected()) { + // have to select something else + _simpAuth.setSelected(true); + enableSimpleAuth(true); + } + } checkNextButton(); } @@ -426,6 +519,9 @@ return false; } } + // else if digest or gssapi auth is selected, there really isn't much + // we can do to validate the fields - password is not required, and + // the format can be different //check box //check consumer 
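Review bot: In the `_gssapiAuth` branch, `_noEncrypt.setSelected(true)` switches the radio button without raising an ActionEvent, so the `_noEncrypt` handling below — disabling `_sslAuth`, `populateInstanceModel(_consoleInfo)` and `_toText.setText(_server.getKey())` — does not run; only `_portAttr` is reset by hand, leaving the consumer list populated for the previously selected port. Routing through the listener (`_noEncrypt.doClick();` instead of `setSelected(true)`), or moving the plain-LDAP handling into a helper called from both places, keeps the two paths in step. The same applies to `_simpAuth.setSelected(true)` in the `ssl_selected` block, which bypasses the `_simpAuth` branch. actionPerformed() starts before this hunk.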
@@ -464,36 +560,62 @@ } public void getUpdateInfo(WizardInfo info) { - Debug.println("WAgreementDestinationPanel: getUpdateInfo()"); - Hashtable serverItem = (Hashtable) _toBox.getSelectedItem(); - ServerInstance toServer = - (ServerInstance) serverItem.get( - CustomComboBoxModel.SELECTION_DATA); - _wizardInfo.setFromServer(_server); - _wizardInfo.setToServer(toServer); - if (_sslEncrypt.isSelected()) { - _wizardInfo.setSSL(true); - _wizardInfo.setSSLAuth(_sslAuth.isSelected()); - - } else { - _wizardInfo.setSSL(false); - _wizardInfo.setSSLAuth(false); - } - - // Set bindDN and password iff not using client auth. - if (_sslEncrypt.isSelected() && _sslAuth.isSelected()) { - _wizardInfo.setSSLAuth(true); - _wizardInfo.setBindDN(""); - _wizardInfo.setBindPWD(""); - } else { - _wizardInfo.setSSLAuth(false); - _wizardInfo.setBindDN(_bindText.getText()); - _wizardInfo.setBindPWD(_pwdText.getText()); - } - if (_replicaPanel != null) { - _wizardInfo.setReplicaEntry(_replicaPanel.getReplicaEntry()); - _wizardInfo.setSubtree(_replicaPanel.getSuffix()); - } + Debug.println("WAgreementDestinationPanel: getUpdateInfo()"); + Hashtable serverItem = (Hashtable) _toBox.getSelectedItem(); + ServerInstance toServer = + (ServerInstance) serverItem.get( + CustomComboBoxModel.SELECTION_DATA); + _wizardInfo.setFromServer(_server); + _wizardInfo.setToServer(toServer); + + boolean ssl = false; + if (_tlsEncrypt.isSelected()) { + _wizardInfo.setSSL(false); + _wizardInfo.setStartTLS(true); + ssl = true; + } else if (_sslEncrypt.isSelected()) { + _wizardInfo.setSSL(true); + _wizardInfo.setStartTLS(false); + ssl = true; + } else { + _wizardInfo.setSSL(false); + _wizardInfo.setStartTLS(false); + } + + if (ssl) { + boolean need_dn_pw = false; + if (_sslAuth.isSelected()) { + _wizardInfo.setSSLAuth(true); + _wizardInfo.setDigestAuth(false); + } else { + _wizardInfo.setSSLAuth(false); + _wizardInfo.setDigestAuth(_digestAuth.isSelected()); + need_dn_pw = true; + } + if (need_dn_pw) { + 
_wizardInfo.setBindDN(_bindText.getText()); + _wizardInfo.setBindPWD(_pwdText.getText()); + } else { + _wizardInfo.setBindDN(""); + _wizardInfo.setBindPWD(""); + } + _wizardInfo.setGSSAPIAuth(false); + } else { + if (_gssapiAuth.isSelected()) { + _wizardInfo.setGSSAPIAuth(true); + _wizardInfo.setDigestAuth(false); + } else { + _wizardInfo.setGSSAPIAuth(false); + _wizardInfo.setDigestAuth(_digestAuth.isSelected()); + } + _wizardInfo.setBindDN(_bindText.getText()); + _wizardInfo.setBindPWD(_pwdText.getText()); + _wizardInfo.setSSLAuth(false); + } + if (_replicaPanel != null) { + _wizardInfo.setReplicaEntry(_replicaPanel.getReplicaEntry()); + _wizardInfo.setSubtree(_replicaPanel.getSuffix()); + } } public String getErrorMessage() { @@ -511,7 +633,6 @@ GridBagConstraints gbc = new GridBagConstraints(); int space = UIFactory.getComponentSpace(); int different = UIFactory.getDifferentSpace(); - int large = 40; _fromPanel.removeAll(); ReplicationTool.resetGBC(gbc); 
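Review bot: In the non-TLS branch of getUpdateInfo() the bind DN and password are copied from `_bindText`/`_pwdText` even when `_gssapiAuth` is selected, whereas the SSL client-auth path deliberately stores `""` for both. checkNextButton() does not require these fields for GSSAPI, so whatever is left in them — possibly a password typed before switching methods — ends up in the agreement's bind credentials; if GSSAPI binds with the keytab rather than these values, clear them as the client-auth path does: `if (_gssapiAuth.isSelected()) { _wizardInfo.setBindDN(""); _wizardInfo.setBindPWD(""); }`. `need_dn_pw` is always `!_sslAuth.isSelected()` and could be folded into the condition that sets it.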
@@ -580,29 +701,42 @@ private void copyData() { _pwdText.setText(_wizardInfo.getBindPWD()); _bindText.setText(_wizardInfo.getBindDN()); - if (_wizardInfo.getSSL()) { - _sslEncrypt.setSelected(true); - // if (_copy.getBindCredentials().equals("")) { - if(_wizardInfo.getSSLAuth()) { + boolean ssl = false; + if (_wizardInfo.getStartTLS()) { + _tlsEncrypt.setSelected(true); + ssl = true; + } else if (_wizardInfo.getSSL()) { + _sslEncrypt.setSelected(true); + ssl = true; + } else { + _noEncrypt.setSelected(true); + } + if (ssl) { + if (_wizardInfo.getSSLAuth()) { //SSL client Auth enableSimpleAuth (false); _sslAuth.setEnabled(true); _sslAuth.setSelected(true); - } else { - //Simple Auth with SSL + //id/pwd auth with ssl _sslAuth.setEnabled(false); - _simpAuth.setSelected(true); + _simpAuth.setSelected(!_wizardInfo.getDigestAuth()); + _digestAuth.setSelected(_wizardInfo.getDigestAuth()); enableSimpleAuth (true); } + _gssapiAuth.setEnabled(false); } else { - setSimpAuth(); + if (_wizardInfo.getGSSAPIAuth()) { + _gssapiAuth.setEnabled(true); + _gssapiAuth.setSelected(true); + enableSimpleAuth (false); + } else { + _simpAuth.setSelected(!_wizardInfo.getDigestAuth()); + _digestAuth.setSelected(_wizardInfo.getDigestAuth()); + enableSimpleAuth (true); + } + _sslAuth.setEnabled(false); } - -// if (_sslAuth.isSelected ()) -// _portAttr = ATTR_SECURE_PORT; -// else -// _portAttr = ATTR_PORT; } /** @@ -611,6 +745,7 @@ private void setSimpAuth() { //Simple Auth no SSL _sslEncrypt.setSelected(false); + _tlsEncrypt.setSelected(false); _sslAuth.setEnabled(false); _simpAuth.setSelected(true); @@ -954,7 +1089,7 @@ if ((serverItem == null) || serverItem.get(CustomComboBoxModel.SELECTION_TITLE).equals(CONSUMER_LIST_NOT_AVAILABLE)) { state = false; - } else if (_simpAuth.isSelected()) { + } else if (_simpAuth.isSelected() || _digestAuth.isSelected()) { if (_bindText.getText().trim().equals("") || !DSUtil.isValidDN(_bindText.getText()) || _pwdText.getText().trim().equals("")) { 
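Review bot: copyData() calls `enableSimpleAuth (false)` when `_wizardInfo.getGSSAPIAuth()` is set, but the `_gssapiAuth` branch of actionPerformed() calls `enableSimpleAuth (true)` (commented `// enable`), so whether the bind-DN/password fields are editable for GSSAPI depends on whether the user clicked the button or the panel was restored from wizard data. Pick one policy and apply it in both places; since checkNextButton() does not validate these fields for GSSAPI, `enableSimpleAuth (false)` looks like the intended one. copyData() starts before this hunk.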
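Review bot: checkNextButton() now applies the simple-bind validation to DIGEST-MD5 (`_simpAuth.isSelected() || _digestAuth.isSelected()`), rejecting an empty password and anything `DSUtil.isValidDN` does not accept, while the comment added to the validation routine earlier in this commit says that for digest or gssapi `password is not required, and the format can be different`. The two cannot both be right; if DIGEST-MD5 identities may be non-DN strings the DN check should be skipped for `_digestAuth`, and if they must be DNs the comment should be corrected. A one-line comment on this condition stating which holds would stop the next reader from reopening the question. checkNextButton() starts and ends outside this hunk.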
@@ -981,8 +1116,8 @@ private JTextField _bindText; private JButton _toButton; private JComboBox _fromBox, _toBox; - private JCheckBox _sslEncrypt; - private JRadioButton _simpAuth, _sslAuth; + private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt; + private JRadioButton _simpAuth, _sslAuth, _gssapiAuth, _digestAuth; private JPasswordField _pwdText; private JLabel _bind, _pwd; private CustomComboBoxModel _fromModel, _toModel; Index: WAgreementSummaryPanel.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WAgreementSummaryPanel.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- WAgreementSummaryPanel.java 18 Jul 2005 00:56:11 -0000 1.1.1.1 +++ WAgreementSummaryPanel.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -133,12 +133,13 @@ agreement.setReplicatedSubtree(_wizardInfo.getSubtree()); agreement.setConsumerHost(_wizardInfo.getToServer().getHost()); agreement.setConsumerPort(_wizardInfo.getToServer().getPort()); - if (_wizardInfo.getSSL()){ - agreement.setUseSSL(true); - if(_wizardInfo.getSSLAuth()){ - agreement.setUseSSLAuth(true); - } - } + + agreement.setUseSSL(_wizardInfo.getSSL()); + agreement.setUseStartTLS(_wizardInfo.getStartTLS()); + + agreement.setUseSSLAuth(_wizardInfo.getSSLAuth()); + agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth()); + agreement.setUseDigestAuth(_wizardInfo.getDigestAuth()); if (!_wizardInfo.getBindDN().equals("")) { agreement.setBindDN(_wizardInfo.getBindDN()); 
@@ -163,8 +164,15 @@ agreement.setWindowsDomain(_wizardInfo.getWindowsDomain()); agreement.setConsumerHost(_wizardInfo.getToServer().getHost()); agreement.setConsumerPort(_wizardInfo.getToServer().getPort()); - agreement.setUseSSL( _wizardInfo.getSSL() ); - agreement.setUpdateSchedule(_wizardInfo.getDate()); + agreement.setUpdateSchedule(_wizardInfo.getDate()); + + agreement.setUseSSL(_wizardInfo.getSSL()); + agreement.setUseStartTLS(_wizardInfo.getStartTLS()); + + agreement.setUseSSLAuth(_wizardInfo.getSSLAuth()); + agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth()); + agreement.setUseDigestAuth(_wizardInfo.getDigestAuth()); + if (!_wizardInfo.getBindDN().equals("")) { agreement.setBindDN(_wizardInfo.getBindDN()); agreement.setBindCredentials(_wizardInfo.getBindPWD()); @@ -190,8 +198,14 @@ agreement.setReplicatedSubtree(_wizardInfo.getSubtree()); agreement.setConsumerHost(_wizardInfo.getToServer().getHost()); agreement.setConsumerPort(_wizardInfo.getToServer().getPort()); - if (_wizardInfo.getSSL()) - agreement.setUseSSL(true); + + agreement.setUseSSL(_wizardInfo.getSSL()); + agreement.setUseStartTLS(_wizardInfo.getStartTLS()); + + agreement.setUseSSLAuth(_wizardInfo.getSSLAuth()); + agreement.setUseGSSAPIAuth(_wizardInfo.getGSSAPIAuth()); + agreement.setUseDigestAuth(_wizardInfo.getDigestAuth()); + if (!_wizardInfo.getBindDN().equals("")) { agreement.setBindDN(_wizardInfo.getBindDN()); agreement.setBindCredentials(_wizardInfo.getBindPWD()); Index: WindowsAgreementDestinationPanel.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementDestinationPanel.java,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- WindowsAgreementDestinationPanel.java 16 Oct 2007 16:41:44 -0000 1.2 +++ WindowsAgreementDestinationPanel.java 24 Nov 2008 16:09:23 -0000 1.3 
@@ -29,7 +29,6 @@ import com.netscape.admin.dirserv.panel.*; import com.netscape.management.client.*; import com.netscape.management.client.console.*; -import com.netscape.management.client.util.JButtonFactory; import com.netscape.management.client.util.*; import netscape.ldap.*; import netscape.ldap.util.DN; 
@@ -361,65 +360,54 @@ gbc.weightx = 1.0; add(authPanel, gbc); - //ssl check box - _sslEncrypt = new JCheckBox(_resource.getString( - "replication-destination-sslEncrypt","label")); - - _sslEncrypt.setSelected(true); - _sslEncrypt.setEnabled(true); - - _sslEncrypt.addActionListener(this); + //connection radio buttons + ButtonGroup connGroup = new ButtonGroup(); + //plain old ldap button + _noEncrypt = new JRadioButton(_resource.getString( + "replication-destination-noEncrypt","label")); + _noEncrypt.setToolTipText(_resource.getString( + "replication-destination-noEncrypt","ttip")); + _noEncrypt.setSelected(true); // default is on + _noEncrypt.addActionListener(this); + connGroup.add(_noEncrypt); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0, space, different, different); + gbc.insets = new Insets(0, space, 0, different); gbc.gridwidth = gbc.REMAINDER; gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - authPanel.add(_sslEncrypt, gbc); - - //auth using label - JLabel auth = new JLabel(_resource.getString( - "replication-destination-authUsing","label")); - JPanel authModePanel = new JPanel(new GridBagLayout()); - gbc.insets = new Insets(0,0,0,0); - authPanel.add(authModePanel, gbc); - auth.setLabelFor(authModePanel); - - ReplicationTool.resetGBC(gbc); - gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,space,different); - gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; - gbc.weightx = 1.0; - //authModePanel.add(auth, gbc); - - /*ssl auth radio button - ButtonGroup authGroup = new ButtonGroup(); - _sslAuth = new JRadioButton(_resource.getString( - "replication-destination-sslClientAuth","label")); - _sslAuth.addActionListener(this); - authGroup.add(_sslAuth); + authPanel.add(_noEncrypt, gbc); + + //ssl button + _sslEncrypt = new JRadioButton(_resource.getString( + "replication-destination-sslEncrypt","label")); + _sslEncrypt.setToolTipText(_resource.getString( + "replication-destination-sslEncrypt","ttip")); + 
_sslEncrypt.addActionListener(this); + connGroup.add(_sslEncrypt); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,0,different); + gbc.insets = new Insets(0, space, 0, different); gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; + gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - //authModePanel.add(_sslAuth, gbc); - - //simple auth radio button - _simpAuth = new JRadioButton(_resource.getString( - "replication-destination-simpleAuth","label")); - _simpAuth.addActionListener(this); - authGroup.add(_simpAuth); + authPanel.add(_sslEncrypt, gbc); + + //tls button + _tlsEncrypt = new JRadioButton(_resource.getString( + "replication-destination-startTLS","label")); + _tlsEncrypt.setToolTipText(_resource.getString( + "replication-destination-startTLS","ttip")); + _tlsEncrypt.addActionListener(this); + connGroup.add(_tlsEncrypt); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.WEST; - gbc.insets = new Insets(0,large,0,different); + gbc.insets = new Insets(0, space, space, different); gbc.gridwidth = gbc.REMAINDER; - gbc.fill = gbc.NONE; + gbc.fill = gbc.HORIZONTAL; gbc.weightx = 1.0; - //authModePanel.add(_simpAuth, gbc);*/ - + authPanel.add(_tlsEncrypt, gbc); + //simp panel JPanel simpPanel = new JPanel(); simpPanel.setLayout(new GridBagLayout()); @@ -428,14 +416,14 @@ gbc.gridwidth = gbc.REMAINDER; gbc.weightx=1.0; gbc.insets = new Insets(0,0,0,0); - authModePanel.add(simpPanel, gbc); + authPanel.add(simpPanel, gbc); //bind as _bind = new JLabel(_resource.getString( "replication-destination-bindAs","label")); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.EAST; - gbc.insets = new Insets(0,70,space,different); + gbc.insets = new Insets(0,space+10,space,different); gbc.fill = gbc.NONE; simpPanel.add(_bind, gbc); 
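Review bot: `_noEncrypt.setSelected(true); // default is on` makes plain LDAP the panel's default transport, and with the simple-bind fields below it the bind DN and password are then sent unencrypted unless the user actively changes the radio. If plain LDAP has to stay the default for compatibility with existing consumers, a comment saying why (not just that it is the default) belongs on that line; otherwise selecting `_tlsEncrypt` by default is the safer starting point, since the port logic in `actionPerformed` already handles it. The enclosing method starts before the hunk.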
@@ -455,7 +443,7 @@ "replication-destination-bindPwd","label")); ReplicationTool.resetGBC(gbc); gbc.anchor = gbc.EAST; - gbc.insets = new Insets(0,70,space,different); + gbc.insets = new Insets(0,space+10,space,different); gbc.fill = gbc.NONE; simpPanel.add(_pwd, gbc); @@ -559,23 +547,15 @@ } - if (e.getSource().equals(_sslEncrypt)) { - if (_sslEncrypt.isSelected()) { - enableSimpleAuth(false); - /* set to use SSL port */ - _domainControllerPort.setText(ATTR_SECURE_PORT); - - } else { - enableSimpleAuth(true); - - /* set to use non-SSL port */ - _domainControllerPort.setText(ATTR_PORT); - } - - /* set appropriate to and from servers */ - //populateInstanceModel(_consoleInfo); - - //_toText.setText(_server.getKey()); + if (e.getSource().equals(_tlsEncrypt) && _tlsEncrypt.isSelected()) { + /* use regular LDAP port for startTLS */ + _domainControllerPort.setText(ATTR_PORT); + } else if (e.getSource().equals(_sslEncrypt) && _sslEncrypt.isSelected()) { + /* set to use SSL port */ + _domainControllerPort.setText(ATTR_SECURE_PORT); + } else if (e.getSource().equals(_noEncrypt) && _noEncrypt.isSelected()) { + /* use regular LDAP port */ + _domainControllerPort.setText(ATTR_PORT); } if (e.getSource()==_syncNewWinUsers) @@ -721,21 +701,15 @@ toServer.setHost(_domainController.getText()); toServer.setPort(Integer.parseInt(_domainControllerPort.getText())); //xxx - - _wizardInfo.setFromServer(_server); _wizardInfo.setToServer(toServer); - if (_sslEncrypt.isSelected()) { - _wizardInfo.setSSL(true); - _wizardInfo.setSSLAuth(false); - - } else { - _wizardInfo.setSSL(false); - _wizardInfo.setSSLAuth(false); - } - + _wizardInfo.setStartTLS(_tlsEncrypt.isSelected()); + _wizardInfo.setSSL(_sslEncrypt.isSelected()); + /* none of these other auth methods are currently supported */ _wizardInfo.setSSLAuth(false); + _wizardInfo.setGSSAPIAuth(false); + _wizardInfo.setDigestAuth(false); _wizardInfo.setBindDN(_bindText.getText()); _wizardInfo.setBindPWD(_pwdText.getText()); 
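Review bot: In the `@@ -721,21 +701,15 @@` hunk the transport flags are now copied straight from the radio buttons, but the old coupling in the `@@ -559,23 +547,15 @@` hunk (SSL selected ⇒ `enableSimpleAuth(false)`) disappears without a replacement, so simple bind is now offered on every transport; the comment `/* none of these other auth methods are currently supported */` explains the hard-coded falses but not that change, and a one-line comment stating that simple bind is intentionally allowed over all three transports would help the next reader. In the new `actionPerformed` chain the port field is overwritten with `ATTR_PORT` on every toggle of `_tlsEncrypt`/`_noEncrypt`, discarding a port the user already typed; only replace it when it still holds the other default, e.g. `if (ATTR_SECURE_PORT.equals(_domainControllerPort.getText())) _domainControllerPort.setText(ATTR_PORT);`. Both enclosing methods start and end outside the hunks.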
@@ -816,25 +790,10 @@ private void copyData() { _pwdText.setText(_wizardInfo.getBindPWD()); _bindText.setText(_wizardInfo.getBindDN()); - if (_wizardInfo.getSSL()) { - _sslEncrypt.setSelected(true); - // if (_copy.getBindCredentials().equals("")) { - if(_wizardInfo.getSSLAuth()) { - //SSL client Auth - enableSimpleAuth(false); - - } else { - //Simple Auth with SSL - enableSimpleAuth(true); - } - } else { - setSimpAuth(); - } - - // if (_sslAuth.isSelected ()) - // _portAttr = ATTR_SECURE_PORT; - // else - // _portAttr = ATTR_PORT; + _tlsEncrypt.setSelected(_wizardInfo.getStartTLS()); + _sslEncrypt.setSelected(_wizardInfo.getSSL()); + enableSimpleAuth(true); + /* none of the other auth methods are currently supported */ } /** @@ -843,6 +802,7 @@ private void setSimpAuth() { //Simple Auth no SSL _sslEncrypt.setSelected(false); + _tlsEncrypt.setSelected(false); enableSimpleAuth(true); } @@ -1242,8 +1202,8 @@ //private JButton _fetchDcButton; private JComboBox _fromBox, _toBox; - private JCheckBox _sslEncrypt; - private JRadioButton _simpAuth, _sslAuth; + private JRadioButton _noEncrypt, _sslEncrypt, _tlsEncrypt; + private JRadioButton _simpAuth = null, _sslAuth = null, _gssapiAuth = null, _digestAuth = null; private JPasswordField _pwdText; private JLabel _bind, _pwd; private CustomComboBoxModel _fromModel; Index: WindowsAgreementWizard.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementWizard.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- WindowsAgreementWizard.java 18 Jul 2005 00:56:12 -0000 1.1.1.1 +++ WindowsAgreementWizard.java 24 Nov 2008 16:09:23 -0000 1.2 
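Review bot: `copyData` and `setSimpAuth` never select `_noEncrypt`; they only call `setSelected(false)` on `_sslEncrypt`/`_tlsEncrypt`, and in a Swing `ButtonGroup` deselecting the currently selected button is a no-op, so an agreement with neither SSL nor StartTLS keeps whichever radio was selected before. Select the plain-LDAP button explicitly, e.g. in `copyData` `_noEncrypt.setSelected(!_wizardInfo.getStartTLS() && !_wizardInfo.getSSL());` and in `setSimpAuth` `_noEncrypt.setSelected(true);` instead of the two false assignments. The field hunk at `@@ -1242,8 +1202,8 @@` leaves `_simpAuth`, `_sslAuth`, `_gssapiAuth` and `_digestAuth` permanently null; if they are kept for a later change, a comment saying so avoids someone dereferencing them.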
@@ -37,7 +37,7 @@ public class WindowsAgreementWizard extends WizardWidget { public WindowsAgreementWizard(JFrame parent, AgreementWizardInfo info) { - super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,560)); + super(parent, _resource.getString("replication-agreementWizard","label"), new Dimension(460,580)); @@ -61,6 +61,7 @@ } info.setSubtree(info.getCopyAgreement().getReplicatedSubtree()); info.setSSL(info.getCopyAgreement().getUseSSL()); + info.setStartTLS(info.getCopyAgreement().getUseStartTLS()); if (info.getCopyAgreement().getBindDN()!= null) { info.setBindDN(info.getCopyAgreement().getBindDN()); } else { Index: WindowsAgreementWizardInfo.java =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/WindowsAgreementWizardInfo.java,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- WindowsAgreementWizardInfo.java 18 Jul 2005 00:56:12 -0000 1.1.1.1 +++ WindowsAgreementWizardInfo.java 24 Nov 2008 16:09:23 -0000 1.2 @@ -192,6 +192,18 @@ return (ServerInstance)_content.get(AGREEMENT_EXTENSION+"to"); } + //tls + void setStartTLS(boolean type) { + _content.put(AGREEMENT_EXTENSION+"startTLS", new Boolean(type)); + } + + boolean getStartTLS() { + if (_content.get(AGREEMENT_EXTENSION+"startTLS")!= null) + return ((Boolean)_content.get(AGREEMENT_EXTENSION+"startTLS")).booleanValue(); + else + return false; + } + //ssl void setSSL(boolean type) { _content.put(AGREEMENT_EXTENSION+"ssl", new Boolean(type)); @@ -377,6 +389,10 @@ } //connection + if (getStartTLS()) { + buf.append(" "); + buf.append(_resource.getString("replication-destination-startTLS","label")+"\n"); + } if (getSSL()) { buf.append(" "); buf.append(_resource.getString("replication-destination-sslEncrypt","label")+"\n"); 
@@ -385,7 +401,7 @@ //bind info buf.append(" "); buf.append(_resource.getString("replication-destination-authUsing","label")+" "); - if (getSSL() && getSSLAuth()) { + if ((getStartTLS() || getSSL()) && getSSLAuth()) { buf.append(_resource.getString("replication-destination-sslClientAuth","label")+"\n"); } else { buf.append(_resource.getString("replication-destination-simpleAuth","label")+"\n"); Index: replication.properties =================================================================== RCS file: /cvs/dirsec/directoryconsole/src/com/netscape/admin/dirserv/panel/replication/replication.properties,v retrieving revision 1.1.1.1 retrieving revision 1.2 diff -u -r1.1.1.1 -r1.2 --- replication.properties 18 Jul 2005 00:56:13 -0000 1.1.1.1 +++ replication.properties 24 Nov 2008 16:09:23 -0000 1.2 
@@ -162,11 +162,21 @@ replication-destination-otherButton-mnemonic=O replication-destination-browseButton-label=Browse... replication-destination-browseButton=mnemonic=B -replication-destination-sslEncrypt-label=Using encrypted SSL connection -replication-destination-sslEncrypt-ttip=SSL communications between supplier and consumer server -replication-destination-authUsing-label=Authenticate using: -replication-destination-simpleAuth-label=Simple authentication -replication-destination-sslClientAuth-label=SSL client authentication +replication-destination-noEncrypt-label=Use LDAP (no encryption) +replication-destination-noEncrypt-ttip=Use plain LDAP with no encryption +replication-destination-sslEncrypt-label=Use TLS/SSL (TLS/SSL encryption with LDAPS) +replication-destination-sslEncrypt-ttip=Use TLSv1/SSLv3 encryption using the LDAPS port (636) +replication-destination-startTLS-label=Use StartTLS (TLS/SSL encryption with LDAP) +replication-destination-startTLS-ttip=Start a TLSv1/SSLv3 encryption session on the LDAP connection +replication-destination-authUsing-label=Authentication mechanism: +replication-destination-simpleAuth-label=Simple (Bind DN/Password) +replication-destination-simpleAuth-ttip=Authenticate using a DN and a password (Simple auth) +replication-destination-sslClientAuth-label=Server TLS/SSL Certificate (requires TLS/SSL server set up) +replication-destination-sslClientAuth-ttip=Use the server's certificate to do TLS/SSL client cert auth (requires that the server has been set up to be an SSL server) +replication-destination-gssapiAuth-label=SASL/GSSAPI (requires server Kerberos keytab) +replication-destination-gssapiAuth-ttip=Authenticate using SASL/GSSAPI and the server's Kerberos keytab (supplier and consumer must both support SASL/GSSAPI/Kerberos) +replication-destination-digestAuth-label=SASL/DIGEST-MD5 (SASL user id and password) +replication-destination-digestAuth-ttip=Authenticate using SASL/DIGEST-MD5 - requires consumer support for digest 
password and identity mapping replication-destination-bindAs-label=Bind as: replication-destination-bindPwd-label=Password: replication-destination-new-user-sync-label=New Windows User Sync From nkinder at fedoraproject.org Mon Nov 24 17:16:58 2008 From: nkinder at fedoraproject.org (Nathan Kinder) Date: Mon, 24 Nov 2008 17:16:58 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd pw.c, 1.18, 1.19 result.c, 1.16, 1.17 Message-ID: <20081124171658.A1D9970105@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv31927/ldap/servers/slapd Modified Files: pw.c result.c Log Message: Resolves: 216522 Summary: Make password modify extop use fine-grained password policies correctly. Index: pw.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/pw.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- pw.c 27 Aug 2008 21:05:49 -0000 1.18 +++ pw.c 24 Nov 2008 17:16:55 -0000 1.19 @@ -1414,9 +1414,7 @@ slapi_pblock_get( pb, SLAPI_OPERATION, &op); slapi_pblock_get( pb, SLAPI_OPERATION_TYPE, &optype ); - if (slapdFrontendConfig->pwpolicy_local == 1) { - if ( !operation_is_flag_set( op, OP_FLAG_INTERNAL ) && dn ) { - + if (dn && (slapdFrontendConfig->pwpolicy_local == 1)) { /* If we're doing an add, COS does not apply yet so we check parents for the pwdpolicysubentry. We look only for virtual attributes, because real ones are for single-target policy. */ 
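Review bot: The new condition `if (dn && (slapdFrontendConfig->pwpolicy_local == 1))` drops the `!operation_is_flag_set( op, OP_FLAG_INTERNAL )` test, so fine-grained policy lookup now also runs for internal operations — that is the point of the fix for the password-modify extop, but it changes behaviour for every other internal caller of this function and deserves a comment on that line, e.g. `/* local policies apply to internal ops too (password modify extop runs as one) */`. With that test gone, `op` fetched by the `slapi_pblock_get( pb, SLAPI_OPERATION, &op)` context line may have lost its only reader in this block; if nothing later in the function uses it, drop the fetch so the compiler does not warn about an unused variable. The enclosing function starts and ends outside the hunk.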
@@ -1462,196 +1460,195 @@ } if (values != NULL) { - Slapi_Value *v = NULL; - const struct berval *bvp = NULL; + Slapi_Value *v = NULL; + const struct berval *bvp = NULL; - if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) && - ( bvp = slapi_value_get_berval( v )) != NULL ) { - if ( bvp != NULL ) { - /* we got the pwdpolicysubentry value */ - pw_entry = get_entry ( pb, bvp->bv_val); - } - } + if ( ((rc = slapi_valueset_first_value( values, &v )) != -1) && + ( bvp = slapi_value_get_berval( v )) != NULL ) { + if ( bvp != NULL ) { + /* we got the pwdpolicysubentry value */ + pw_entry = get_entry ( pb, bvp->bv_val); + } + } - slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); + slapi_vattr_values_free(&values, &actual_type_name, attr_free_flags); - slapi_entry_free( e ); + slapi_entry_free( e ); - if ( pw_entry == NULL ) { - LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s" - "--local policy entry not found\n", escape_string(dn, ebuf),0,0); - goto done; - } + if ( pw_entry == NULL ) { + LDAPDebug(LDAP_DEBUG_ANY, "loading global password policy for %s" + "--local policy entry not found\n", escape_string(dn, ebuf),0,0); + goto done; + } - for (slapi_entry_first_attr(pw_entry, &attr); attr; - slapi_entry_next_attr(pw_entry, attr, &attr)) - { - slapi_attr_get_type(attr, &attr_name); - if (!strcasecmp(attr_name, "passwordminage")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minage = slapi_value_get_long(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmaxage")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_maxage = slapi_value_get_long(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordwarning")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_warning = slapi_value_get_long(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordhistory")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_history = - 
pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordinhistory")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_inhistory = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordlockout")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_lockout = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordmaxfailure")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordunlock")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_unlock = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordlockoutduration")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_lockduration = slapi_value_get_long(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordresetfailurecount")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordchange")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_change = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordmustchange")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_must_change = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordchecksyntax")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_syntax = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordminlength")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minlength = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmindigits")) { - if 
((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_mindigits = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordminalphas")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minalphas = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordminuppers")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minuppers = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordminlowers")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minlowers = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordminspecials")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_minspecials = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmin8bit")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_min8bit = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmaxrepeats")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_maxrepeats = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmincategories")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_mincategories = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordmintokenlength")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_mintokenlength = slapi_value_get_int(*sval); - } - } - else - if (!strcasecmp(attr_name, "passwordexp")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_exp = - pw_boolean_str2value(slapi_value_get_string(*sval)); - } - } - else - if (!strcasecmp(attr_name, "passwordgracelimit")) { - if ((sval = attr_get_present_values(attr))) { - pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval); - } + for (slapi_entry_first_attr(pw_entry, &attr); attr; + slapi_entry_next_attr(pw_entry, attr, &attr)) + { + slapi_attr_get_type(attr, 
&attr_name); + if (!strcasecmp(attr_name, "passwordminage")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minage = slapi_value_get_long(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordmaxage")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_maxage = slapi_value_get_long(*sval); } + } + else + if (!strcasecmp(attr_name, "passwordwarning")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_warning = slapi_value_get_long(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordhistory")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_history = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordinhistory")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_inhistory = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordlockout")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_lockout = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordmaxfailure")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_maxfailure = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordunlock")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_unlock = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordlockoutduration")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_lockduration = slapi_value_get_long(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordresetfailurecount")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_resetfailurecount = slapi_value_get_long(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordchange")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_change = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } 
+ else + if (!strcasecmp(attr_name, "passwordmustchange")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_must_change = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordchecksyntax")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_syntax = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordminlength")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minlength = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordmindigits")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_mindigits = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordminalphas")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minalphas = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordminuppers")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minuppers = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordminlowers")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minlowers = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordminspecials")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_minspecials = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordmin8bit")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_min8bit = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordmaxrepeats")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_maxrepeats = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordmincategories")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_mincategories = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, 
"passwordmintokenlength")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_mintokenlength = slapi_value_get_int(*sval); + } + } + else + if (!strcasecmp(attr_name, "passwordexp")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_exp = + pw_boolean_str2value(slapi_value_get_string(*sval)); + } + } + else + if (!strcasecmp(attr_name, "passwordgracelimit")) { + if ((sval = attr_get_present_values(attr))) { + pwdpolicy->pw_gracelimit = slapi_value_get_int(*sval); + } + } - } /* end of for() loop */ - if (pw_entry) { - slapi_entry_free(pw_entry); - } - return pwdpolicy; - } else if ( e ) { - slapi_entry_free( e ); + } /* end of for() loop */ + if (pw_entry) { + slapi_entry_free(pw_entry); } + return pwdpolicy; + } else if ( e ) { + slapi_entry_free( e ); } } Index: result.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/result.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 --- result.c 29 Oct 2008 19:16:29 -0000 1.16 +++ result.c 24 Nov 2008 17:16:55 -0000 1.17 @@ -293,17 +293,12 @@ char *dn; passwdPolicy *pwpolicy = NULL; - - slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ); - pwpolicy = new_passwdPolicy(pb, dn); - slapi_pblock_get (pb, SLAPI_OPERATION, &operation); if ( ber != NULL ) { flush_ber_element = 0; } - if(err != LDAP_SUCCESS){ /* count the error for snmp */ /* first check for security errors */ @@ -370,10 +365,12 @@ /* invalid password. Update the password retry here */ /* put this here for now. It could be a send_result pre-op plugin. */ - if ( err == LDAP_INVALID_CREDENTIALS && - pwpolicy->pw_lockout == 1 ) { - - update_pw_retry ( pb ); + if (err == LDAP_INVALID_CREDENTIALS) { + slapi_pblock_get( pb, SLAPI_TARGET_DN, &dn ); + pwpolicy = new_passwdPolicy(pb, dn); + if (pwpolicy && (pwpolicy->pw_lockout == 1)) { + update_pw_retry ( pb ); + } } if ( ber == NULL ) { From nhosoi at fedoraproject.org Mon Nov 24 20:26:35 2008 
From: nhosoi at fedoraproject.org (Noriko Hosoi) Date: Mon, 24 Nov 2008 20:26:35 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm sort.c, 1.12, 1.13 Message-ID: <20081124202635.C127070105@cvs1.fedora.phx.redhat.com> Author: nhosoi Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24704 Modified Files: sort.c Log Message: Resolves: #472457 Summary: Specially crafted Server Side Sort crashes directory server or makes it unresponsive Description: The cause of the problem was a buffer overflow. The length of the 2 sort specs "-sn;2.16.840.1.113730.3.3.2.18.1.6 -givenName;2.16.840.1.113730.3. 3.2.18.1.6 " is just about the prepared buffer size, which is unfortunate since there is no space for the candidate size, e.g., "(1944)" being added later. By adding the "(1944)" to the static buffer, it caused buffer overflow and crashed your server. The code to check the length of the candidate size before calculating the buffer size is added. Index: sort.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/sort.c,v retrieving revision 1.12 retrieving revision 1.13 diff -u -r1.12 -r1.13 --- sort.c 15 Oct 2008 06:30:10 -0000 1.12 +++ sort.c 24 Nov 2008 20:26:32 -0000 1.13 
@@ -113,22 +113,32 @@ int size = SORT_LOG_BSZ + SORT_LOG_PAD; char *prefix = "SORT "; int prefix_size = strlen(prefix); + char candidate_buffer[32]; /* store u_long value; max 20 digits */ + int candidate_size = 0; buffer = stack_buffer; size -= PR_snprintf(buffer,sizeof(stack_buffer),"%s",prefix); + if (candidates) { + if (ALLIDS(candidates)) { + PR_snprintf(candidate_buffer, sizeof(candidate_buffer), "(*)"); + candidate_size = strlen(candidate_buffer); + } else { + PR_snprintf(candidate_buffer, sizeof(candidate_buffer), + "(%lu)", (u_long)candidates->b_nids); + candidate_size = strlen(candidate_buffer); + } + } + size -= (candidate_size + 1); /* 1 for '\0' */ ret = print_out_sort_spec(buffer+prefix_size,s,&size); if (0 != ret) { /* It wouldn't fit in the buffer */ - buffer = slapi_ch_malloc(prefix_size + size + SORT_LOG_PAD); + buffer = + slapi_ch_malloc(prefix_size + size + candidate_size + SORT_LOG_PAD); sprintf(buffer,"%s",prefix); ret = print_out_sort_spec(buffer+prefix_size,s,&size); } - if (candidates) { - if (ALLIDS(candidates)) { - sprintf(buffer+size+prefix_size,"(*)"); - } else { - sprintf(buffer+size+prefix_size,"(%lu)",(u_long)candidates->b_nids); - } + if (0 == ret && candidates) { + sprintf(buffer+size+prefix_size, "%s", candidate_buffer); } /* Now output it */ ldbm_log_access_message(pb,buffer); From nkinder at fedoraproject.org Tue Nov 25 16:15:11 2008 
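Review bot: The final `sprintf(buffer+size+prefix_size, "%s", candidate_buffer);` is the one write in the hunk whose bound is still implicit — it relies on `size` having been reduced by `candidate_size + 1` above and on `print_out_sort_spec` honouring that; since this fix is about exactly that trailing `(N)` overflowing, make the bound explicit with `PR_snprintf(buffer+size+prefix_size, candidate_size + 1, "%s", candidate_buffer);`. The new `0 == ret` guard also means that if the second `print_out_sort_spec` call still fails after the heap allocation, the candidate count is silently dropped from the access-log line; if that case is meant to be unreachable, say so in a comment, otherwise log it. Whether the heap `buffer` is released after `ldbm_log_access_message` is outside the hunk.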
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Tue, 25 Nov 2008 16:15:11 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/collation collate.c, 1.8, 1.9 Message-ID: <20081125161511.B84FE70141@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/collation In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv12327/ldap/servers/plugins/collation Modified Files: collate.c Log Message: Resolves: 430321 Summary: Fixed memory leak in collator plug-in. Index: collate.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/collation/collate.c,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- collate.c 10 Nov 2006 23:44:56 -0000 1.8 +++ collate.c 25 Nov 2008 16:15:09 -0000 1.9 @@ -230,7 +230,6 @@ UCollator* collator; UConverter* converter; struct berval** ix_keys; - int is_default_collator; } collation_indexer_t; /* @@ -386,8 +385,8 @@ ucnv_close(etc->converter); etc->converter = NULL; } - if (!etc->is_default_collator) { - /* Don't delete the default collation - it seems to cause problems */ + + if (etc->collator) { ucol_close(etc->collator); etc->collator = NULL; } @@ -469,7 +468,6 @@ oid, profile->decomposition, err); } etc->collator = coll; - etc->is_default_collator = is_default; for (id = collation_id; *id; ++id) { if ((*id)->profile == profile) { break; /* found the 'official' id */ From nkinder at fedoraproject.org Tue Nov 25 19:20:29 2008 
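Review bot: With the `is_default_collator` guard gone, `ucol_close(etc->collator)` now runs for the default collator as well, and the deleted `Don't delete the default collation - it seems to cause problems` comment was the only record of why that used to be avoided; a replacement comment on the new `if (etc->collator)` line stating why the close is now safe (presumably each indexer owns the UCollator it opened and never shares it) stops the guard from being reintroduced and documents that this is not a double close. In the `@@ -469,7 +468,6 @@` hunk the local `is_default` appears to lose its only consumer; if nothing else reads it, remove it so the build stays warning-free. The enclosing functions start and end outside the hunks.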
From: nkinder at fedoraproject.org (Nathan Kinder) Date: Tue, 25 Nov 2008 19:20:29 +0000 (UTC) Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.30, 1.31 proto-slap.h, 1.42, 1.43 sasl_io.c, 1.15, 1.16 slap.h, 1.39, 1.40 Message-ID: <20081125192029.9EF4770141@cvs1.fedora.phx.redhat.com> Author: nkinder Update of /cvs/dirsec/ldapserver/ldap/servers/slapd In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13745/ldap/servers/slapd Modified Files: libglobs.c proto-slap.h sasl_io.c slap.h Log Message: Resolves: 387851 Summary: Add configuration parameter to limit maximum allowed incoming SASL IO packet size. Index: libglobs.c =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v retrieving revision 1.30 retrieving revision 1.31 diff -u -r1.30 -r1.31 --- libglobs.c 13 Nov 2008 21:56:29 -0000 1.30 +++ libglobs.c 25 Nov 2008 19:20:26 -0000 1.31 @@ -525,6 +525,9 @@ {CONFIG_MAXBERSIZE_ATTRIBUTE, config_set_maxbersize, NULL, 0, (void**)&global_slapdFrontendConfig.maxbersize, CONFIG_INT, NULL}, + {CONFIG_MAXSASLIOSIZE_ATTRIBUTE, config_set_maxsasliosize, + NULL, 0, + (void**)&global_slapdFrontendConfig.maxsasliosize, CONFIG_INT, NULL}, {CONFIG_VERSIONSTRING_ATTRIBUTE, config_set_versionstring, NULL, 0, (void**)&global_slapdFrontendConfig.versionstring, CONFIG_STRING, NULL}, 
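Review bot: The new table entry registers `maxsasliosize` as `CONFIG_INT`, while the slap.h hunk further down declares the field `size_t maxsasliosize;`; `maxbersize` (a `ber_len_t`) uses the same pairing, so this may be accepted practice here, but if the generic CONFIG_INT reader dereferences the slot as an `int`, a 64-bit big-endian build reads the wrong half of the field. Either declare the field `int` like the neighbouring `slapi_counters`/`allow_unauth_binds` (the setter goes through `atol` anyway) or confirm the reader copes with the width, and record the decision next to the entry, e.g. `/* field is size_t; callers use config_get_maxsasliosize() */`.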
@@ -4488,6 +4491,42 @@ } int +config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply ) +{ + int retVal = LDAP_SUCCESS; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + if ( config_value_is_null( attrname, value, errorbuf, 0 )) { + return LDAP_OPERATIONS_ERROR; + } + + if ( !apply ) { + return retVal; + } + + CFG_LOCK_WRITE(slapdFrontendConfig); + + slapdFrontendConfig->maxsasliosize = atol(value); + + CFG_UNLOCK_WRITE(slapdFrontendConfig); + return retVal; +} + +size_t +config_get_maxsasliosize() +{ + size_t maxsasliosize; + slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig(); + + maxsasliosize = slapdFrontendConfig->maxsasliosize; + if (maxsasliosize == 0) { + maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */ + } + + return maxsasliosize; +} + +int config_set_max_filter_nest_level( const char *attrname, char *value, char *errorbuf, int apply ) { Index: proto-slap.h =================================================================== RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/proto-slap.h,v retrieving revision 1.42 retrieving revision 1.43 diff -u -r1.42 -r1.43 --- proto-slap.h 7 Nov 2008 22:32:57 -0000 1.42 +++ proto-slap.h 25 Nov 2008 19:20:27 -0000 1.43 @@ -320,6 +320,7 @@ int config_set_referral_mode(const char *attrname, char *url, char *errorbuf, int apply); int config_set_conntablesize(const char *attrname, char *url, char *errorbuf, int apply); int config_set_maxbersize(const char *attrname, char *value, char *errorbuf, int apply ); +int config_set_maxsasliosize(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_versionstring(const char *attrname, char *versionstring, char *errorbuf, int apply ); int config_set_enquote_sup_oc(const char *attrname, char *value, char *errorbuf, int apply ); int config_set_basedn( const char *attrname, char *value, char *errorbuf, int apply ); 
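Review bot: `config_set_maxsasliosize` stores `atol(value)` with no range check, and only after the `!apply` early return, so a value such as `-1` or `abc` passes validation and then becomes `SIZE_MAX` (which disables the limit sasl_io.c relies on) or `0` (which silently falls back to the 2 MB default). Parse with `strtol` before the `!apply` return, reject parse errors, negatives and out-of-range values with a message in `errorbuf`, and only then store; the rewritten setter is below. `config_get_maxsasliosize()` also reads the field without `CFG_LOCK_READ` and is declared without `void` (here and in the proto-slap.h hunk); if the other `config_get_*` readers in this file take the read lock, follow them, and use `(void)` either way.
```c
int
config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
{
    int retVal = LDAP_SUCCESS;
    long maxsasliosize;
    char *endp = NULL;
    slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();

    if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
        return LDAP_OPERATIONS_ERROR;
    }

    /* Validate before the apply check so a bad value is rejected, not stored. */
    errno = 0;
    maxsasliosize = strtol(value, &endp, 10);
    if (*endp != '\0' || errno == ERANGE || maxsasliosize < 0) {
        PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
                    "%s: \"%s\" is invalid, must be a non-negative integer",
                    attrname, value);
        return LDAP_OPERATIONS_ERROR;
    }

    if ( !apply ) {
        return retVal;
    }

    CFG_LOCK_WRITE(slapdFrontendConfig);
    slapdFrontendConfig->maxsasliosize = (size_t)maxsasliosize;
    CFG_UNLOCK_WRITE(slapdFrontendConfig);
    return retVal;
}
/* … unchanged: config_get_maxsasliosize … */
```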
@@ -442,6 +443,7 @@
 int config_get_conntablesize(void);
 int config_check_referral_mode(void);
 ber_len_t config_get_maxbersize();
+size_t config_get_maxsasliosize();
 char *config_get_versionstring();
 char *config_get_buildnum(void);
 int config_get_enquote_sup_oc();
Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sasl_io.c 17 Oct 2008 22:12:47 -0000 1.15
+++ sasl_io.c 25 Nov 2008 19:20:27 -0000 1.16
@@ -215,6 +215,15 @@
 LDAPDebug( LDAP_DEBUG_CONNS,
 "read sasl packet length %ld on connection %" PRIu64 "\n",
 packet_length, c->c_connid, 0 );
+
+ if (packet_length > config_get_maxsasliosize()) {
+ LDAPDebug( LDAP_DEBUG_ANY,
+ "SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
+ " Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
+ packet_length, config_get_maxsasliosize(), 0);
+ return -1;
+ }
+
 sasl_io_resize_encrypted_buffer(c->c_sasl_io_private, packet_length);
 /* Cyrus SASL implementation expects to have the length at the first 4 bytes */
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.39
retrieving revision 1.40
diff -u -r1.39 -r1.40
--- slap.h 7 Nov 2008 22:32:57 -0000 1.39
+++ slap.h 25 Nov 2008 19:20:27 -0000 1.40
@@ -1764,6 +1764,7 @@
 #define CONFIG_REFERRAL_MODE_ATTRIBUTE "nsslapd-referralmode"
 #define CONFIG_ATTRIBUTE_NAME_EXCEPTION_ATTRIBUTE "nsslapd-attribute-name-exceptions"
 #define CONFIG_MAXBERSIZE_ATTRIBUTE "nsslapd-maxbersize"
+#define CONFIG_MAXSASLIOSIZE_ATTRIBUTE "nsslapd-maxsasliosize"
 #define CONFIG_MAX_FILTER_NEST_LEVEL_ATTRIBUTE "nsslapd-max-filter-nest-level"
 #define CONFIG_VERSIONSTRING_ATTRIBUTE "nsslapd-versionstring"
 #define CONFIG_ENQUOTE_SUP_OC_ATTRIBUTE "nsslapd-enquote-sup-oc"
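Review bot: The sasl_io.c hunk calls `config_get_maxsasliosize()` twice, so the limit that is logged can differ from the limit that was compared if the attribute is modified between the two calls; read it once into a local and use that for both. The guard itself sits in the right place: `packet_length` is derived from the length prefix received on the connection and the check runs before `sasl_io_resize_encrypted_buffer` turns that untrusted value into an allocation. The new log line prints two `size_t` values with `%ld`; `%lu` (or an explicit cast) keeps format and argument matched. `return -1` is the only outcome for an oversized packet and the enclosing function starts before the hunk, so whether the caller closes the connection or would re-read the same prefix is not visible here and deserves a comment at the return.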
@@ -1981,8 +1982,9 @@
 char *ldapi_gidnumber_type; /* type that contains gid number */
 char *ldapi_search_base_dn; /* base dn to search for mapped entries */
 char *ldapi_auto_dn_suffix; /* suffix to be appended to auto gen DNs */
- int slapi_counters; /* switch to turn slapi_counters on/off */
- int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ int slapi_counters; /* switch to turn slapi_counters on/off */
+ int allow_unauth_binds; /* switch to enable/disable unauthenticated binds */
+ size_t maxsasliosize; /* limit incoming SASL IO packet size */
 #ifndef _WIN32
 struct passwd *localuserinfo; /* userinfo of localuser */
 #endif /* _WIN32 */
From nhosoi at fedoraproject.org Wed Nov 26 00:13:45 2008
From: nhosoi at fedoraproject.org (Noriko Hosoi)
Date: Wed, 26 Nov 2008 00:13:45 +0000 (UTC)
Subject: [Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication cl5_api.c, 1.24, 1.25
Message-ID: <20081126001345.0F5F570141@cvs1.fedora.phx.redhat.com>
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16234
Modified Files:
cl5_api.c
Log Message:
Resolves: #430172 Summary: memory leaks after db "get" deadlocks, e.g. in CL5 trim Description: Even if cursor->c_get returns non SUCCESS(==0), there is an occasion that DBT data holds memory which is allocated in libdb. To release the memory, put slapi_ch_free ((void **)&key.data); slapi_ch_free ((void **)&data.data); just after the while loop, where we come to the point when cursor->c_get fails.
Index: cl5_api.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/cl5_api.c,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- cl5_api.c 14 Nov 2008 02:06:34 -0000 1.24
+++ cl5_api.c 26 Nov 2008 00:13:42 -0000 1.25
@@ -5387,6 +5387,21 @@
 return CL5_SUCCESS;
 }
+ /*
+ * Bug 430172 - memory leaks after db "get" deadlocks, e.g. in CL5 trim
+ * Even when db->c_get() does not return success, memory may have been
+ * allocated in the DBT. This seems to happen when DB_DBT_MALLOC was set,
+ * the data being retrieved is larger than the page size, and we got
+ * DB_LOCK_DEADLOCK. libdb allocates the memory and then finds itself
+ * deadlocked trying to go through the overflow page list. It returns
+ * DB_LOCK_DEADLOCK which we've assumed meant that no memory was allocated
+ * for the DBT.
+ *
+ * The following slapi_ch_free frees the memory only when the value is
+ * non NULL, which is true if the situation described above occurs.
+ */
+ slapi_ch_free ((void **)&key.data);
+ slapi_ch_free ((void **)&data.data);
 /* walked of the end of the file */
 if (rc == DB_NOTFOUND)
@@ -5456,6 +5471,21 @@
 return rc;
 }
+ /*
+ * Bug 430172 - memory leaks after db "get" deadlocks, e.g. in CL5 trim
+ * Even when db->c_get() does not return success, memory may have been
+ * allocated in the DBT. This seems to happen when DB_DBT_MALLOC was set,
+ * the data being retrieved is larger than the page size, and we got
+ * DB_LOCK_DEADLOCK. libdb allocates the memory and then finds itself
+ * deadlocked trying to go through the overflow page list. It returns
+ * DB_LOCK_DEADLOCK which we've assumed meant that no memory was allocated
+ * for the DBT.
+ *
+ * The following slapi_ch_free frees the memory only when the value is
+ * non NULL, which is true if the situation described above occurs.
+ */
+ slapi_ch_free ((void **)&key.data);
+ slapi_ch_free ((void **)&data.data);
 /* walked of the end of the file or entry is out of range */
 if (rc == 0 || rc == DB_NOTFOUND)
From nkinder at fedoraproject.org Wed Nov 26 17:32:24 2008
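Review bot: The two `slapi_ch_free` calls after the loop (this hunk and `@@ -5456,6 +5471,21 @@`) are only correct if `key.data` and `data.data` start out NULL and the DBTs were set up with `DB_DBT_MALLOC`; without that flag libdb returns a pointer into its own buffer and freeing it would corrupt the heap rather than close a leak. Both preconditions live in the enclosing functions, which start before the hunks, so the comment should name them, e.g. `/* key/data use DB_DBT_MALLOC and start NULL; release whatever c_get left behind */`. Freeing with `slapi_ch_free` also assumes libdb allocated through the same allocator the server frees with; if the environment installs its own allocation functions that is what makes this safe, and it is worth one line. The 14-line explanation is pasted verbatim into the second hunk; a static helper that frees both DBTs, or a reference to one shared comment, keeps the two from drifting.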
From: nkinder at fedoraproject.org (Nathan Kinder)
Date: Wed, 26 Nov 2008 17:32:24 +0000 (UTC)
Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd libglobs.c, 1.31, 1.32 sasl_io.c, 1.16, 1.17 slap.h, 1.40, 1.41
Message-ID: <20081126173224.8C77970142@cvs1.fedora.phx.redhat.com>
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9219/ldap/servers/slapd
Modified Files:
libglobs.c sasl_io.c slap.h
Log Message:
Resolves: 387851 Summary: Added validation for nsslapd-maxsasliosize value.
Index: libglobs.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/libglobs.c,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- libglobs.c 25 Nov 2008 19:20:26 -0000 1.31
+++ libglobs.c 26 Nov 2008 17:32:21 -0000 1.32
@@ -856,6 +856,7 @@
 cfg->ioblocktimeout = SLAPD_DEFAULT_IOBLOCK_TIMEOUT;
 cfg->outbound_ldap_io_timeout = SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT;
 cfg->max_filter_nest_level = SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL;
+ cfg->maxsasliosize = SLAPD_DEFAULT_MAX_SASLIO_SIZE;
 #ifdef _WIN32
 cfg->conntablesize = SLAPD_DEFAULT_CONNTABLESIZE;
@@ -4494,21 +4495,41 @@
 config_set_maxsasliosize( const char *attrname, char *value, char *errorbuf, int apply )
 {
 int retVal = LDAP_SUCCESS;
+ long maxsasliosize;
+ char *endptr;
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 if ( config_value_is_null( attrname, value, errorbuf, 0 )) {
 return LDAP_OPERATIONS_ERROR;
 }
- if ( !apply ) {
- return retVal;
+ maxsasliosize = strtol(value, &endptr, 10);
+
+ /* Check for non-numeric garbage in the value */
+ if (*endptr != '\0') {
+ retVal = LDAP_OPERATIONS_ERROR;
 }
- CFG_LOCK_WRITE(slapdFrontendConfig);
+ /* Check for a value overflow */
+ if (((maxsasliosize == LONG_MAX) || (maxsasliosize == LONG_MIN)) && (errno == ERANGE)){
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
+
+ /* A setting of -1 means unlimited. Don't allow other negative values. */
+ if ((maxsasliosize < 0) && (maxsasliosize != -1)) {
+ retVal = LDAP_OPERATIONS_ERROR;
+ }
- slapdFrontendConfig->maxsasliosize = atol(value);
+ if (retVal != LDAP_SUCCESS) {
+ PR_snprintf(errorbuf, SLAPI_DSE_RETURNTEXT_SIZE,
+ "%s: \"%s\" is invalid. Value must range from -1 to %ld",
+ attrname, value, LONG_MAX );
+ } else if (apply) {
+ CFG_LOCK_WRITE(slapdFrontendConfig);
+ slapdFrontendConfig->maxsasliosize = maxsasliosize;
+ CFG_UNLOCK_WRITE(slapdFrontendConfig);
+ }
- CFG_UNLOCK_WRITE(slapdFrontendConfig);
 return retVal;
 }
@@ -4519,9 +4540,6 @@
 slapdFrontendConfig_t *slapdFrontendConfig = getFrontendConfig();
 maxsasliosize = slapdFrontendConfig->maxsasliosize;
- if (maxsasliosize == 0) {
- maxsasliosize = 2 * 1024 * 1024; /* Default: 2Mb */
- }
 return maxsasliosize;
 }
Index: sasl_io.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/sasl_io.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- sasl_io.c 25 Nov 2008 19:20:27 -0000 1.16
+++ sasl_io.c 26 Nov 2008 17:32:21 -0000 1.17
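Review bot: `errno` is never cleared before `strtol`, so the overflow test `((maxsasliosize == LONG_MAX) || (maxsasliosize == LONG_MIN)) && (errno == ERANGE)` can fire on a stale ERANGE left by an earlier library call and reject a legitimately supplied `LONG_MAX`; add `errno = 0;` immediately before `maxsasliosize = strtol(value, &endptr, 10);`. The validated `long` is then stored into the `size_t` field, so the `-1` sentinel becomes SIZE_MAX and every reader has to reverse that cast; a comment on the assignment, `/* -1 (unlimited) is stored as SIZE_MAX; readers compare against (size_t)-1 */`, records the contract the sasl_io.c side depends on. The error text promises a range of "-1 to LONG_MAX" while the field is unsigned and platform-width; that is fine as long as the sentinel comment above is present.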
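Review bot: Dropping the `0 -> 2 MB` fallback from `config_get_maxsasliosize` (`@@ -4519,9 +4540,6 @@`) gives 0 a meaning that nothing documents: the setter's range check accepts 0 because it is not negative, and with a limit of 0 the sasl_io.c check rejects every SASL packet with a non-zero length, which silently disables SASL-protected traffic on the server. Either reject it in the setter, `if (maxsasliosize == 0) { retVal = LDAP_OPERATIONS_ERROR; }`, with the range text adjusted to say 1 or -1, or state in slap.h next to `SLAPD_DEFAULT_MAX_SASLIO_SIZE` that 0 is a deliberate deny-all setting. Since the default now comes from the init path (`@@ -856,6 +856,7 @@`), an explicit 0 in the config entry is no longer healed at read time.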
@@ -195,6 +195,7 @@
 int ret = 0;
 unsigned char buffer[4];
 size_t packet_length = 0;
+ size_t saslio_limit;
 ret = PR_Recv(c->c_prfd,buffer,sizeof(buffer),0,PR_INTERVAL_NO_WAIT);
 if (ret < 0) {
@@ -216,7 +217,10 @@
 LDAPDebug( LDAP_DEBUG_CONNS,
 "read sasl packet length %ld on connection %" PRIu64 "\n",
 packet_length, c->c_connid, 0 );
- if (packet_length > config_get_maxsasliosize()) {
+ /* Check if the packet length is larger than our max allowed. A
+ * setting of -1 means that we allow any size SASL IO packet. */
+ saslio_limit = config_get_maxsasliosize();
+ if(((long)saslio_limit != -1) && (packet_length > saslio_limit)) {
 LDAPDebug( LDAP_DEBUG_ANY,
 "SASL encrypted packet length exceeds maximum allowed limit (length=%ld, limit=%ld)."
 " Change the nsslapd-maxsasliosize attribute in cn=config to increase limit.\n",
Index: slap.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slap.h,v
retrieving revision 1.40
retrieving revision 1.41
diff -u -r1.40 -r1.41
--- slap.h 25 Nov 2008 19:20:27 -0000 1.40
+++ slap.h 26 Nov 2008 17:32:21 -0000 1.41
@@ -279,6 +279,7 @@
 #define SLAPD_DEFAULT_LOOKTHROUGHLIMIT 5000 /* use -1 for no limit */
 #define SLAPD_DEFAULT_GROUPNESTLEVEL 5
 #define SLAPD_DEFAULT_MAX_FILTER_NEST_LEVEL 40 /* use -1 for no limit */
+#define SLAPD_DEFAULT_MAX_SASLIO_SIZE 2097152 /* 2MB in bytes. Use -1 for no limit */
 #define SLAPD_DEFAULT_IOBLOCK_TIMEOUT 1800000 /* half hour in ms */
 #define SLAPD_DEFAULT_OUTBOUND_LDAP_IO_TIMEOUT 300000 /* 5 minutes in ms */
 #define SLAPD_DEFAULT_RESERVE_FDS 64
From nhosoi at fedoraproject.org Wed Nov 26 20:11:55 2008
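Review bot: `(long)saslio_limit != -1` in the second hunk relies on converting a `size_t` that holds SIZE_MAX back to `long`, which is implementation-defined rather than guaranteed; comparing in the unsigned domain removes the dependency: `if ((saslio_limit != (size_t)-1) && (packet_length > saslio_limit)) {`. The unchanged log line below it still prints both `size_t` values with `%ld`; `%lu` matches the arguments. The first hunk (`@@ -195,6 +195,7 @@`) leaves `saslio_limit` uninitialised at its declaration, which is only safe because the assignment here precedes every use; the enclosing function starts outside the hunks, so a reader cannot confirm that from the diff alone.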
From: nhosoi at fedoraproject.org (Noriko Hosoi)
Date: Wed, 26 Nov 2008 20:11:55 +0000 (UTC)
Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm vlv.c, 1.16, 1.17
Message-ID: <20081126201155.9D9B270141@cvs1.fedora.phx.redhat.com>
Author: nhosoi
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv24653
Modified Files:
vlv.c
Log Message:
Resolves: #472999 Summary: vlv: memory leak Description: if the addresses of the passed key and the returned key don't match, the space for the returned key is allocated in libdb. Thus, we have to release the returned key.
Index: vlv.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/vlv.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- vlv.c 15 Oct 2008 06:30:10 -0000 1.16
+++ vlv.c 26 Nov 2008 20:11:53 -0000 1.17
@@ -990,6 +990,10 @@
 }
 LDAPDebug( LDAP_DEBUG_TRACE, "<= vlv_build_candidate_list_byvalue: Not Found. Index=%lu\n",si,0,0);
 }
+ if (key.data != typedown_value[0]->bv_val) { /* in case new key is set
+ in dbc->c_get(DB_SET_RANGE) */
+ slapi_ch_free(&(key.data));
+ }
 ber_bvecfree((struct berval**)typedown_value);
 return si;
 }
From nkinder at fedoraproject.org Wed Nov 26 22:42:15 2008
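Review bot: The pointer comparison `key.data != typedown_value[0]->bv_val` is used as the ownership test, which is only valid if the key DBT was set up with `DB_DBT_MALLOC` so that a key returned by `dbc->c_get(... DB_SET_RANGE)` is freshly allocated for the caller; with no DBT flag libdb returns a pointer into its own buffer and `slapi_ch_free` on it would be a heap corruption rather than a leak fix. The DBT setup and the c_get call are outside the hunk, so the comment should state the precondition rather than describe the symptom: `/* key.flags has DB_DBT_MALLOC: a key returned by DB_SET_RANGE is ours to free */`. If any return path exists between the c_get and this point, it leaks the same key, and the function starts outside the hunk.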
From: nkinder at fedoraproject.org (Nathan Kinder)
Date: Wed, 26 Nov 2008 22:42:15 +0000 (UTC)
Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd/back-ldbm ldbm_search.c, 1.14, 1.15
Message-ID: <20081126224215.1E11C70142@cvs1.fedora.phx.redhat.com>
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7639/ldap/servers/slapd/back-ldbm
Modified Files:
ldbm_search.c
Log Message:
Resolves: 220532 Summary: Add access to RUV by users other than "cn=Directory Manager".
Index: ldbm_search.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/back-ldbm/ldbm_search.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- ldbm_search.c 8 Aug 2008 15:53:10 -0000 1.14
+++ ldbm_search.c 26 Nov 2008 22:42:12 -0000 1.15
@@ -1203,11 +1203,17 @@
 if((slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_LDAPSUBENTRY)
 && !filter_flag_is_set(filter,SLAPI_FILTER_LDAPSUBENTRY))
 || (slapi_entry_flag_is_set(e->ep_entry,SLAPI_ENTRY_FLAG_TOMBSTONE)
- && (!isroot || !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
+ && ((!isroot && !filter_flag_is_set(filter, SLAPI_FILTER_RUV)) ||
+ !filter_flag_is_set(filter, SLAPI_FILTER_TOMBSTONE))))
 {
 /* If the entry is an LDAP subentry and filter don't filter subentries OR
 * the entry is a TombStone and filter don't filter Tombstone
- * don't return the entry
+ * don't return the entry. We make a special case to allow a non-root user
+ * to search for the RUV entry using a filter of:
+ *
+ * "(&(objectclass=nstombstone)(nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff))"
+ *
+ * For this RUV case, we let the ACL check apply.
 */
 /* ugaston - we don't want to mistake this filter failure with the one below due to ACL,
 * because whereas the former should be read as 'no entry must be returned', the latter
From nkinder at fedoraproject.org Wed Nov 26 22:42:15 2008
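Review bot: The relaxed tombstone gate keys off `SLAPI_FILTER_RUV`, which the filter.c change in this series sets whenever the `nsuniqueid=ffffffff-ffffffff-ffffffff-ffffffff` equality appears anywhere in the filter tree (the flag is propagated through the AND, OR and NOT branches), so for a non-root bind this branch passes every tombstone candidate matching such a filter on to the ACL check, not only the single RUV entry the comment describes. Tombstones carry the attributes of deleted entries, so the protection now rests entirely on the deployed ACIs; either the comment should say that in those words, or the gate should additionally confirm that `e->ep_entry` is the RUV entry itself (for instance by comparing its nsuniqueid value) before waiving the isroot requirement. The enclosing function starts and ends outside the hunk.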
From: nkinder at fedoraproject.org (Nathan Kinder)
Date: Wed, 26 Nov 2008 22:42:15 +0000 (UTC)
Subject: [Fedora-directory-commits] ldapserver/ldap/servers/slapd filter.c, 1.11, 1.12 plugin_internal_op.c, 1.11, 1.12 slapi-private.h, 1.29, 1.30 str2filter.c, 1.6, 1.7
Message-ID: <20081126224215.29FFF7010D@cvs1.fedora.phx.redhat.com>
Author: nkinder
Update of /cvs/dirsec/ldapserver/ldap/servers/slapd
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv7639/ldap/servers/slapd
Modified Files:
filter.c plugin_internal_op.c slapi-private.h str2filter.c
Log Message:
Resolves: 220532 Summary: Add access to RUV by users other than "cn=Directory Manager".
Index: filter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/filter.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- filter.c 15 Oct 2008 06:30:04 -0000 1.11
+++ filter.c 26 Nov 2008 22:42:12 -0000 1.12
@@ -54,14 +54,15 @@
 static int get_filter_list( Connection *conn, BerElement *ber,
 struct slapi_filter **f, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter);
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter);
 static int get_substring_filter();
 static int get_extensible_filter( BerElement *ber, mr_filter_t* );
 static int get_filter_internal( Connection *conn, BerElement *ber,
 struct slapi_filter **filt, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter);
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter);
 static int tombstone_check_filter(Slapi_Filter *f);
+static int ruv_check_filter(Slapi_Filter *f);
 static void filter_optimize(Slapi_Filter *f);
@@ -83,20 +84,23 @@
 {
 int subentry_dont_rewrite = 0; /* Re-write unless we're told not to */
 int has_tombstone_filter = 0; /* Check if nsTombstone appears */
+ int has_ruv_filter = 0; /* Check if searching for RUV */
 int return_value = 0;
 char *logbuf = NULL;
 size_t logbufsize = 0;
 return_value = get_filter_internal(conn, ber, filt, fstr,
 config_get_max_filter_nest_level(), /* maximum depth */
- 0, /* current depth */
- &subentry_dont_rewrite, &has_tombstone_filter);
+ 0, /* current depth */ &subentry_dont_rewrite,
+ &has_tombstone_filter, &has_ruv_filter);
 if (0 == return_value) { /* Don't try to re-write if there was an error */
 if (subentry_dont_rewrite || scope == LDAP_SCOPE_BASE)
 (*filt)->f_flags |= SLAPI_FILTER_LDAPSUBENTRY;
 if (has_tombstone_filter)
 (*filt)->f_flags |= SLAPI_FILTER_TOMBSTONE;
+ if (has_ruv_filter)
+ (*filt)->f_flags |= SLAPI_FILTER_RUV;
 }
 if (LDAPDebugLevelIsSet( LDAP_DEBUG_FILTER ) && *filt != NULL
@@ -175,7 +179,7 @@
 static int
 get_filter_internal( Connection *conn, BerElement *ber,
 struct slapi_filter **filt, char **fstr, int maxdepth, int curdepth,
- int *subentry_dont_rewrite, int *has_tombstone_filter )
+ int *subentry_dont_rewrite, int *has_tombstone_filter, int *has_ruv_filter )
 {
 ber_len_t len;
 int err;
@@ -272,6 +276,18 @@
 *has_tombstone_filter = tombstone_check_filter(f);
 }
 }
+
+ if ( 0 == strcasecmp ( f->f_avtype, "nsuniqueid")) {
+ /*
+ * Check if it's a RUV filter.
+ * We need to do it once per filter, so if flag is already set,
+ * don't bother doing it
+ */
+ if (!(*has_ruv_filter)) {
+ *has_ruv_filter = ruv_check_filter(f);
+ }
+ }
+
 *fstr=filter_escape_filter_value(f, FILTER_EQ_FMT, FILTER_EQ_LEN);
 }
 break;
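Review bot: In the `@@ -272,6 +276,18 @@` hunk `ruv_check_filter(f)` compares `f->f_avvalue.bv_val` with strcasecmp, so this call site depends on the decoded equality value being NUL-terminated; `tombstone_check_filter` just above presumably has the same dependency, so a one-line note here, `/* bv_val is NUL-terminated by the BER decoder -- both check helpers rely on it */`, records it where the next reader will look. The "set once" guard `if (!(*has_ruv_filter))` makes the flag mean "appears somewhere in the filter" rather than "this search selects the RUV entry", which is the semantics the ldbm_search.c consumer acts on; a sentence to that effect next to the `has_ruv_filter` declaration in the first hunk would prevent the two from being read differently. The literal `"nsuniqueid"` is spelled out here and again in str2filter.c; a shared define would keep the two parsers aligned.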
@@ -342,7 +358,8 @@
 case LDAP_FILTER_AND:
 LDAPDebug( LDAP_DEBUG_FILTER, "AND\n", 0, 0, 0 );
 if ( (err = get_filter_list( conn, ber, &f->f_and, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
 == 0 ) {
 filter_compute_hash(f);
 *fstr = slapi_ch_smprintf( "(&%s)", ftmp );
@@ -353,7 +370,8 @@
 case LDAP_FILTER_OR:
 LDAPDebug( LDAP_DEBUG_FILTER, "OR\n", 0, 0, 0 );
 if ( (err = get_filter_list( conn, ber, &f->f_or, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
 == 0 ) {
 filter_compute_hash(f);
 *fstr = slapi_ch_smprintf( "(|%s)", ftmp );
@@ -365,7 +383,8 @@
 LDAPDebug( LDAP_DEBUG_FILTER, "NOT\n", 0, 0, 0 );
 (void) ber_skip_tag( ber, &len );
 if ( (err = get_filter_internal( conn, ber, &f->f_not, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter ))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter ))
 == 0 ) {
 filter_compute_hash(f);
 *fstr = slapi_ch_smprintf( "(!%s)", ftmp );
@@ -394,7 +413,7 @@
 get_filter_list( Connection *conn, BerElement *ber,
 struct slapi_filter **f, char **fstr, int maxdepth, int curdepth,
 int *subentry_dont_rewrite,
- int *has_tombstone_filter)
+ int *has_tombstone_filter, int* has_ruv_filter)
 {
 struct slapi_filter **new;
 int err;
@@ -411,7 +430,8 @@
 tag = ber_next_element( ber, &len, last ) ) {
 char *ftmp;
 if ( (err = get_filter_internal( conn, ber, new, &ftmp, maxdepth,
- curdepth, subentry_dont_rewrite, has_tombstone_filter))
+ curdepth, subentry_dont_rewrite,
+ has_tombstone_filter, has_ruv_filter))
 != 0 ) {
 if ( *fstr != NULL ) {
 slapi_ch_free((void**)fstr );
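Review bot: The `LDAP_FILTER_NOT` hunk (`@@ -365,7 +383,8 @@`) passes `has_ruv_filter` into the negated sub-filter, so a filter that excludes the RUV entry sets the same flag as one that selects it, and the ldbm_search.c gate that consumes the flag cannot tell them apart. If the flag is meant to mean "this search targets the RUV entry", the NOT branch should hand the recursion a throwaway instead, e.g. `int ignored_ruv = 0;` before the call and `&ignored_ruv` in place of `has_ruv_filter`, leaving the tombstone propagation as it was. The AND/OR hunks mirror the existing tombstone handling and read fine; `int* has_ruv_filter` in the `get_filter_list` definition differs from the `int *` spacing used everywhere else in these hunks.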
@@ -1450,6 +1470,17 @@
 return 0; /* Not nsTombstone filter */
 }
+
+static int
+ruv_check_filter(Slapi_Filter *f)
+{
+ if ( 0 == strcasecmp ( f->f_avvalue.bv_val, "ffffffff-ffffffff-ffffffff-ffffffff")) {
+ return 1; /* Contains a RUV filter */
+ }
+ return 0; /* Not a RUV filter */
+}
+
+
 /* filter_optimize
 * ---------------
 * takes a filter and optimizes it for fast evaluation
Index: plugin_internal_op.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/plugin_internal_op.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- plugin_internal_op.c 17 Oct 2008 22:12:47 -0000 1.11
+++ plugin_internal_op.c 26 Nov 2008 22:42:12 -0000 1.12
@@ -720,7 +720,11 @@
 op->o_search_referral_handler = internal_ref_entry_callback;
 filter = slapi_str2filter(ifstr ? (fstr = slapi_ch_strdup(ifstr)) : NULL);
- if(scope == LDAP_SCOPE_BASE) filter->f_flags |= (SLAPI_FILTER_LDAPSUBENTRY | SLAPI_FILTER_TOMBSTONE);
+ if(scope == LDAP_SCOPE_BASE) {
+ filter->f_flags |= (SLAPI_FILTER_LDAPSUBENTRY |
+ SLAPI_FILTER_TOMBSTONE | SLAPI_FILTER_RUV);
+ }
+
 if (NULL == filter) {
 send_ldap_result(pb, LDAP_FILTER_ERROR, NULL, NULL, 0, NULL);
Index: slapi-private.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/slapi-private.h,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- slapi-private.h 5 Nov 2008 18:21:06 -0000 1.29
+++ slapi-private.h 26 Nov 2008 22:42:12 -0000 1.30
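Review bot: The RUV identifier `"ffffffff-ffffffff-ffffffff-ffffffff"` is now spelled out as a literal in `ruv_check_filter`, again in str2filter.c (`@@ -331,6 +332,13 @@`) and a third time in the ldbm_search.c comment; one define next to `SLAPI_ATTR_VALUE_TOMBSTONE` (which str2filter.c already uses for the tombstone case) would keep the three in step, and a docblock on this function should state that it is only meaningful for an equality filter whose type is nsuniqueid, since the function itself does not check `f->f_choice` or `f->f_avtype`. `f->f_avvalue.bv_val` is dereferenced without a NULL test; if the BER decoder can yield a NULL value for an empty assertion, `if (NULL == f->f_avvalue.bv_val) { return 0; }` as the first statement is cheap insurance.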
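Review bot: In the plugin_internal_op.c hunk `filter->f_flags |= ...` inside the `LDAP_SCOPE_BASE` branch still executes before the `if (NULL == filter)` test that follows it, so a base-scope internal search with an unparsable filter string dereferences NULL instead of reaching `send_ldap_result(pb, LDAP_FILTER_ERROR, ...)`; the commit reformats this line but keeps the pre-existing order. Either move the NULL check ahead of the scope branch, or fold it in: `if (filter && (scope == LDAP_SCOPE_BASE)) {`. Setting `SLAPI_FILTER_RUV` unconditionally for every base-scope internal search also widens what the ldbm_search.c gate lets through for internal callers; a comment stating that internal operations are trusted here would explain why that is acceptable. The enclosing function starts outside the hunk.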
@@ -68,6 +68,7 @@
 /* filter */
 #define SLAPI_FILTER_LDAPSUBENTRY 1
 #define SLAPI_FILTER_TOMBSTONE 2
+#define SLAPI_FILTER_RUV 4
 #define SLAPI_ENTRY_LDAPSUBENTRY 2
 /*
Index: str2filter.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/slapd/str2filter.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- str2filter.c 10 Nov 2006 23:45:40 -0000 1.6
+++ str2filter.c 26 Nov 2008 22:42:12 -0000 1.7
@@ -162,6 +162,7 @@
 str = next;
 f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_LDAPSUBENTRY);
 f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_TOMBSTONE);
+ f->f_flags |= ((*fp)->f_flags & SLAPI_FILTER_RUV);
 fp = &(*fp)->f_next;
 }
 *fp = NULL;
@@ -331,6 +332,13 @@
 if (0 == strcasecmp (unqstr,SLAPI_ATTR_VALUE_TOMBSTONE))
 f->f_flags |= SLAPI_FILTER_TOMBSTONE;
 }
+
+ if((f->f_choice == LDAP_FILTER_EQUALITY) &&
+ (0 == strncasecmp (str,"nsuniqueid",strlen("nsuniqueid")))) {
+ if (0 == strcasecmp (unqstr, "ffffffff-ffffffff-ffffffff-ffffffff"))
+ f->f_flags |= SLAPI_FILTER_RUV;
+ }
+
 }
 if ( !unescape_filter ) {
 f->f_avtype = slapi_ch_strdup( str );
 f->f_avvalue.bv_val = slapi_ch_strdup ( value );
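Review bot: `strncasecmp (str,"nsuniqueid",strlen("nsuniqueid"))` in the `@@ -331,6 +332,13 @@` hunk is a prefix test, so any attribute type that merely begins with nsuniqueid satisfies it, whereas the BER-side counterpart in filter.c uses an exact `strcasecmp(f->f_avtype, "nsuniqueid")`; the two parsers should agree, and since `str` is what is stored as `f_avtype` in the `!unescape_filter` branch below, `strcasecmp (str, "nsuniqueid")` gives the exact match. The tombstone test just above the hunk is pre-existing and its outer condition is not visible; if it uses the same prefix idiom, both are worth tightening together. The inner `if` assigns the flag without braces while the surrounding new code braces everything; braces on `f->f_flags |= SLAPI_FILTER_RUV;` keep the style uniform. The enclosing function starts outside the hunk.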