[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_agmtlist.c, 1.11, 1.12
Richard Allen Megginson
rmeggins at fedoraproject.org
Tue Jan 27 22:37:20 UTC 2009
Author: rmeggins
Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/replication
Modified Files:
repl5_agmtlist.c
Log Message:
Resolves: bug 479253
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message. Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no
Index: repl5_agmtlist.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmtlist.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- repl5_agmtlist.c 10 Nov 2006 23:45:17 -0000 1.11
+++ repl5_agmtlist.c 27 Jan 2009 22:37:18 -0000 1.12
@@ -48,6 +48,7 @@
*/
#include "repl5.h"
+#include <plstr.h>
#define AGMT_CONFIG_BASE "cn=mapping tree, cn=config"
#define CONFIG_FILTER "(objectclass=nsds5replicationagreement)"
@@ -373,8 +374,22 @@
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5TransportInfo))
{
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
+ /* if some value was set, and the value was not set to LDAP (i.e. was set to use security),
+ and we're already using gssapi, deny the change */
+ if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") && (BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt)))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: "
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
/* New Transport info */
- if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
+ else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update transport info for agreement %s\n",
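Review bot: The `tmpstr` returned by `slapi_entry_attr_get_charptr` at the top of the transport-info branch is never released in this hunk, and the lines between this hunk and the next are unchanged, so unlike the bind-method branch (which gets a matching `slapi_ch_free_string(&tmpstr);` in the last hunk) this branch appears to leak one string on every modify of the transport attribute. Add `slapi_ch_free_string(&tmpstr);` at the end of this branch, mirroring the bind-method branch. Separately, the new `slapi_log_error` call passes `"%s"` with an errortext that carries no trailing newline, while the neighbouring log calls end their format with `\n`; use `"%s\n"` here and in the equivalent call in the bind-method hunk. The enclosing agmtlist_modify_callback starts and ends outside this hunk.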
@@ -386,8 +401,19 @@
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicaBindMethod))
{
- /* New replica bind method */
- if (agmt_set_bind_method_from_entry(agmt, e) != 0)
+ /* do not allow GSSAPI if using TLS/SSL */
+ char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod);
+ if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") && agmt_get_transport_flags(agmt))
+ {
+ /* Report the error to the client */
+ PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI", type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
+ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: "
+ "%s", errortext);
+
+ *returncode = LDAP_UNWILLING_TO_PERFORM;
+ rc = SLAPI_DSE_CALLBACK_ERROR;
+ }
+ else if (agmt_set_bind_method_from_entry(agmt, e) != 0)
{
slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: "
"failed to update bind method for agreement %s\n",
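Review bot: The ownership of `tmpstr` is not stated where it is acquired, and its release only appears about twenty lines later (the `slapi_ch_free_string(&tmpstr);` added in the last hunk), past the whole error-reporting `else if` chain, so a reader of this block cannot tell from here that the string must be freed. Add a comment on the declaration, e.g. `/* allocated copy; released with slapi_ch_free_string at the end of this branch */`. The condition also relies on `agmt_get_transport_flags(agmt)` being non-zero exactly when the agreement uses SSL/TLS, which the hunk does not show; if those flags can carry other bits, the check should test the secure-transport bit explicitly rather than the whole value. agmtlist_modify_callback starts and ends outside this hunk.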
@@ -395,6 +421,7 @@
*returncode = LDAP_OPERATIONS_ERROR;
rc = SLAPI_DSE_CALLBACK_ERROR;
}
+ slapi_ch_free_string(&tmpstr);
}
else if (slapi_attr_types_equivalent(mods[i]->mod_type,
type_nsds5ReplicatedAttributeList))