[Fedora-directory-commits] ldapserver/ldap/servers/plugins/replication repl5_agmtlist.c, 1.11, 1.12

Richard Allen Megginson rmeggins at fedoraproject.org
Tue Jan 27 22:37:20 UTC 2009


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/replication
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv19724/ldapserver/ldap/servers/plugins/replication

Modified Files:
	repl5_agmtlist.c 
Log Message:
Resolves: bug 479253
Bug Description: Configuring Server to Server GSSAPI over SSL - Need better Error Message
Reviewed by: nkinder (Thanks!)
Fix Description: If the user attempts to set the bind mech to GSSAPI, and a secure transport is being used, the server will return LDAP_UNWILLING_TO_PERFORM and provide a useful error message.  Same if GSSAPI is being used and the user attempts to use a secure transport.
Platforms tested: RHEL5
Flag Day: no
Doc impact: no



Index: repl5_agmtlist.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/replication/repl5_agmtlist.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- repl5_agmtlist.c	10 Nov 2006 23:45:17 -0000	1.11
+++ repl5_agmtlist.c	27 Jan 2009 22:37:18 -0000	1.12
@@ -48,6 +48,7 @@
 */
 
 #include "repl5.h"
+#include <plstr.h>
 
 #define AGMT_CONFIG_BASE "cn=mapping tree, cn=config"
 #define CONFIG_FILTER "(objectclass=nsds5replicationagreement)"
@@ -373,8 +374,22 @@
 		else if (slapi_attr_types_equivalent(mods[i]->mod_type,
 					type_nsds5TransportInfo))
 		{
+			/* do not allow GSSAPI if using TLS/SSL */
+			char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5TransportInfo);
+			/* if some value was set, and the value was not set to LDAP (i.e. was set to use security),
+			   and we're already using gssapi, deny the change */
+			if (tmpstr && PL_strcasecmp(tmpstr, "LDAP") && (BINDMETHOD_SASL_GSSAPI == agmt_get_bindmethod(agmt)))
+			{
+				/* Report the error to the client */
+				PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to a value other than SASL/GSSAPI before changing %s to use security", type_nsds5ReplicaBindMethod, type_nsds5TransportInfo);
+				slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: " 
+								"%s", errortext);
+
+				*returncode = LDAP_UNWILLING_TO_PERFORM;
+				rc = SLAPI_DSE_CALLBACK_ERROR;
+			}
 			/* New Transport info */
-			if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
+			else if (agmt_set_transportinfo_from_entry(agmt, e) != 0)
             {
                 slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " 
                                 "failed to update transport info for agreement %s\n",
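Review bot: `tmpstr` is leaked in this branch: `slapi_entry_attr_get_charptr()` returns a copy that the bind-method branch releases with `slapi_ch_free_string(&tmpstr);` at the end of its block, but nothing frees the copy obtained here, on either the reject path or the `agmt_set_transportinfo_from_entry` path. The same one-line `slapi_ch_free_string(&tmpstr);` should close this branch too, after the whole if/else-if chain; that chain continues past the end of this hunk, so the free belongs just before the branch's closing brace. Separately, the guard compares the new transport value from `e` against the bind method currently stored in the agreement, while the bind-method branch does the mirror image, so a single modify that switches the bind method away from SASL/GSSAPI and the transport to SSL/TLS at the same time would seem to pass or fail depending on which mod the loop processes first — worth confirming; reading both values from `e` would make the check order-independent.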
@@ -386,8 +401,19 @@
 		else if (slapi_attr_types_equivalent(mods[i]->mod_type,
 					type_nsds5ReplicaBindMethod))
 		{
-			/* New replica bind method */
-			if (agmt_set_bind_method_from_entry(agmt, e) != 0)
+			/* do not allow GSSAPI if using TLS/SSL */
+			char *tmpstr = slapi_entry_attr_get_charptr(e, type_nsds5ReplicaBindMethod);
+			if (tmpstr && !PL_strcasecmp(tmpstr, "SASL/GSSAPI") && agmt_get_transport_flags(agmt))
+			{
+				/* Report the error to the client */
+				PR_snprintf (errortext, SLAPI_DSE_RETURNTEXT_SIZE, "Cannot use SASL/GSSAPI if using SSL or TLS - please change %s to LDAP before changing %s to use SASL/GSSAPI", type_nsds5TransportInfo, type_nsds5ReplicaBindMethod);
+				slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "agmtlist_modify_callback: " 
+								"%s", errortext);
+
+				*returncode = LDAP_UNWILLING_TO_PERFORM;
+				rc = SLAPI_DSE_CALLBACK_ERROR;
+			}
+			else if (agmt_set_bind_method_from_entry(agmt, e) != 0)
             {
                 slapi_log_error(SLAPI_LOG_REPL, repl_plugin_name, "agmtlist_modify_callback: " 
                                 "failed to update bind method for agreement %s\n",
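Review bot: The two new guards use different notions of "secure transport": the transport branch treats any value other than `"LDAP"` as secure, whereas this branch treats any non-zero `agmt_get_transport_flags(agmt)` as SSL/TLS, and the code does not show that the two agree for every accepted transport value. If they can diverge, a transport setting could be rejected by one branch and accepted by the other. At minimum the assumption should be written down next to the test, e.g. `/* any non-zero transport flag means SSL or TLS; keep in step with the "not LDAP" test in the transport branch */`, and ideally both branches would derive "secure" from the same helper. This branch is also the only one that matches the bind method by string literal (`"SASL/GSSAPI"`) rather than the `BINDMETHOD_SASL_GSSAPI` constant the transport branch uses; if a string-to-bindmethod helper exists it would keep the spelling in one place.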
@@ -395,6 +421,7 @@
                 *returncode = LDAP_OPERATIONS_ERROR;
                 rc = SLAPI_DSE_CALLBACK_ERROR;
             }
+			slapi_ch_free_string(&tmpstr);
 		}
 		else if (slapi_attr_types_equivalent(mods[i]->mod_type,
 					type_nsds5ReplicatedAttributeList))



