Commit 1da15c6f authored by Pierangelo Masarati's avatar Pierangelo Masarati

import fixes to ITS#4488,4497 and related documentation

parent d0399ec9
......@@ -16,6 +16,8 @@ OpenLDAP 2.3.22 Engineering
Fixed slapd thread pool init issue (ITS#4513)
Added slapd syncrepl mandatory searchbase check
Fixed slapadd cn=config issue (ITS#4194)
Fixed slapd-ldap proxyAuthz of bound identity/override (ITS#4497)
Fixed slapd-ldap/meta protocol version propagation (ITS#4488)
Fixed slapd-ldap fd cleanup (ITS#4474)
Fixed slapd-ldif deadlock (ITS#4500)
Fixed slapo-accesslog log purging issue (ITS#4505)
......
......@@ -83,10 +83,10 @@ LDAP server to use. Multiple URIs can be set in in a single
argument, resulting in the underlying library automatically
call the first server of the list that responds, e.g.
\fBuri "ldap://host/ ldap://backup-host"\fP
\fBuri "ldap://host/ ldap://backup-host/"\fP
The URI list is space- or comma-separated.
This statement is mandatory.
.\"This statement is mandatory.
.\".TP
.\".B server <hostport>
.\"Obsolete option; same as `uri ldap://<hostport>/'.
......@@ -121,6 +121,33 @@ and
.BR acl-passwd .
.RE
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
.TP
.B conn-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.TP
.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
for details on the syntax of this field.
.HP
.hy 0
.B idassert-bind
......@@ -273,23 +300,21 @@ and
.RE
.TP
.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
for details on the syntax of this field.
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
the remote server.
If set to 0 (the default), the proxy uses the same protocol version
used by the client, otherwise the requested protocol is used.
The proxy returns \fIunwillingToPerform\fP if an operation that is
incompatible with the requested protocol is attempted.
.TP
.B proxy-whoami {NO|yes}
.B proxy\-whoami {NO|yes}
Turns on proxying of the WhoAmI extended operation. If this option is
given, back-ldap will replace slapd's original WhoAmI routine with its
own. On slapd sessions that were authenticated by back-ldap, the WhoAmI
......@@ -303,21 +328,6 @@ If this option is given, the client's bind credentials are remembered
for rebinds when chasing referrals. Useful when
\fBchase-referrals\fP is set to \fByes\fP, useless otherwise.
.TP
.B chase-referrals {YES|no}
enable/disable automatic referral chasing, which is delegated to the
underlying libldap, with rebinding eventually performed if the
\fBrebind-as-user\fP directive is used. The default is to chase referrals.
.TP
.B tls {[try-]start|[try-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
.TP
.B t-f-support {NO|yes|discover}
enable if the remote server supports absolute filters
......@@ -342,14 +352,13 @@ the protocol does not provide any means to rollback the operation,
so the client will not know if the operation eventually succeeded or not.
.TP
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
after it has been idle for the specified time.
.TP
.B conn-ttl <time>
This directive causes a cached connection to be dropped an recreated
after a given ttl, regardless of being idle or not.
.B tls {[try-]start|[try-]propagate}
execute the StartTLS extended operation when the connection is initialized;
only works if the URI directive protocol scheme is not \fBldaps://\fP.
\fBpropagate\fP issues the StartTLS operation only if the original
connection did.
The \fBtry-\fP prefix instructs the proxy to continue operations
if the StartTLS operation failed; its use is highly deprecated.
.SH BACKWARD COMPATIBILITY
The LDAP backend has been heavily reworked between releases 2.2 and 2.3;
......
......@@ -125,6 +125,17 @@ If this statement is set to \fBstop\fP, the search is terminated as soon
as an error is returned by one target, and the error is immediately
propagated to the client.
.TP
.B protocol\-version {0,2,3}
This directive indicates what protocol version must be used to contact
the remote server.
If set to 0 (the default), the proxy uses the same protocol version
used by the client, otherwise the requested protocol is used.
The proxy returns \fIunwillingToPerform\fP if an operation that is
incompatible with the requested protocol is attempted.
If set before any target specification, it affects all targets, unless
overridden by any per-target directive.
.TP
.B pseudoroot-bind-defer {NO|yes}
This directive, when set to
......@@ -184,15 +195,6 @@ causes \fIl2.foo.com\fP to be contacted whenever \fIl1.foo.com\fP
does not respond.
.RE
.TP
.B subtree-exclude "<DN>"
This directive instructs back-meta to ignore the current target
for operations whose requestDN is subordinate to
.BR DN .
There may be multiple occurrences of the
.B subtree-exclude
directive for each of the targets.
.TP
.B acl-authcDN "<administrative DN for access control purposes>"
DN which is used to query the target server for acl checking,
......@@ -289,6 +291,15 @@ using the pseudorootdn/pseudorootpw directives is inherently unsafe.
.B rewrite* ...
The rewrite options are described in the "REWRITING" section.
.TP
.B subtree-exclude "<DN>"
This directive instructs back-meta to ignore the current target
for operations whose requestDN is subordinate to
.BR DN .
There may be multiple occurrences of the
.B subtree-exclude
directive for each of the targets.
.TP
.B suffixmassage "<virtual naming context>" "<real naming context>"
All the directives starting with "rewrite" refer to the rewrite engine
......
......@@ -306,7 +306,6 @@ ldap_back_freeconn( Operation *op, ldapconn_t *lc, int dolock )
ldap_pvt_thread_mutex_lock( &li->li_conninfo.lai_mutex );
}
assert( lc->lc_refcnt >= 0 );
tmplc = avl_delete( &li->li_conninfo.lai_tree, (caddr_t)lc,
ldap_back_conndnlc_cmp );
assert( LDAP_BACK_CONN_TAINTED( lc ) || tmplc == lc );
......@@ -728,11 +727,13 @@ retry_lock:
}
#ifdef HAVE_TLS
done:;
#endif /* HAVE_TLS */
if ( li->li_idle_timeout && lc ) {
lc->lc_time = op->o_time;
}
done:;
return lc;
}
......@@ -1484,7 +1485,10 @@ ldap_back_proxy_authz_ctrl(
goto done;
}
if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
if ( op->o_tag == LDAP_REQ_BIND ) {
ndn = op->o_req_ndn;
} else if ( !BER_BVISNULL( &op->o_conn->c_ndn ) ) {
ndn = op->o_conn->c_ndn;
} else {
......@@ -1626,6 +1630,11 @@ ldap_back_proxy_authz_ctrl(
assertedID = slap_empty_bv;
}
/* don't idassert the bound DN (ITS#4497) */
if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) {
goto done;
}
if ( op->o_ctrls ) {
for ( i = 0; op->o_ctrls[ i ]; i++ )
/* just count ctrls */ ;
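Review bot: The ITS#4497 guard `if ( dn_match( &assertedID, &lc->lc_bound_ndn ) ) { goto done; }` drops the proxyAuthz control whenever the asserted identity equals the DN the cached connection is bound as, but the one-line comment does not say why that is the right outcome; presumably the remote server already acts under that identity, so the control would be redundant, and the comment should state it: `/* don't idassert the bound DN (ITS#4497): the connection already carries that identity, so the control would be redundant */`. In the earlier hunk, the new `op->o_tag == LDAP_REQ_BIND` branch takes `ndn` from `op->o_req_ndn`, an identity the client has not proven at the time this runs; a short comment there that the proxied bind, not this routine, is what verifies the credentials would keep the idassert-authzFrom match from being read as a trust decision. ldap_back_proxy_authz_ctrl begins and ends outside these hunks.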
......
......@@ -63,6 +63,7 @@ enum {
LDAP_BACK_CFG_IDLE_TIMEOUT,
LDAP_BACK_CFG_CONN_TTL,
LDAP_BACK_CFG_NETWORK_TIMEOUT,
LDAP_BACK_CFG_VERSION,
LDAP_BACK_CFG_REWRITE,
LDAP_BACK_CFG_LAST
......@@ -241,6 +242,14 @@ static ConfigTable ldapcfg[] = {
"SYNTAX OMsDirectoryString "
"SINGLE-VALUE )",
NULL, NULL },
{ "protocol-version", "version", 2, 0, 0,
ARG_MAGIC|ARG_INT|LDAP_BACK_CFG_VERSION,
ldap_back_cf_gen, "( OLcfgDbAt:3.18 "
"NAME 'olcDbProtocolVersion' "
"DESC 'protocol version' "
"SYNTAX OMsInteger "
"SINGLE-VALUE )",
NULL, NULL },
{ "suffixmassage", "[virtual]> <real", 2, 3, 0,
ARG_STRING|ARG_MAGIC|LDAP_BACK_CFG_REWRITE,
ldap_back_cf_gen, NULL, NULL, NULL },
......@@ -605,6 +614,14 @@ ldap_back_cf_gen( ConfigArgs *c )
value_add_one( &c->rvalue_vals, &bv );
} break;
case LDAP_BACK_CFG_VERSION:
if ( li->li_version == 0 ) {
return 1;
}
c->value_int = li->li_version;
break;
default:
/* FIXME: we need to handle all... */
assert( 0 );
......@@ -694,6 +711,10 @@ ldap_back_cf_gen( ConfigArgs *c )
li->li_network_timeout = 0;
break;
case LDAP_BACK_CFG_VERSION:
li->li_version = 0;
break;
default:
/* FIXME: we need to handle all... */
assert( 0 );
......@@ -1244,6 +1265,19 @@ done_url:;
li->li_network_timeout = (time_t)t;
} break;
case LDAP_BACK_CFG_VERSION:
switch ( c->value_int ) {
case 0:
case LDAP_VERSION2:
case LDAP_VERSION3:
li->li_version = c->value_int;
break;
default:
return 1;
}
break;
case LDAP_BACK_CFG_REWRITE:
snprintf( c->msg, sizeof( c->msg ),
"rewrite/remap capabilities have been moved "
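Review bot: The `default: return 1;` in the new `LDAP_BACK_CFG_VERSION` set case rejects an out-of-range value without filling `c->msg`, whereas the adjacent `LDAP_BACK_CFG_REWRITE` case reports through `snprintf( c->msg, sizeof( c->msg ), ... )`, so an administrator who writes `protocol-version 4` gets a bare failure with no reason. I would add `snprintf( c->msg, sizeof( c->msg ), "unsupported protocol version %d", c->value_int );` before that return. The ConfigTable entry's `DESC 'protocol version'` could also mention that 0 means the client's version is propagated, which is what the read case (`if ( li->li_version == 0 ) return 1;`) treats as the default. ldap_back_cf_gen starts and ends outside these hunks.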
......
......@@ -51,9 +51,25 @@ ldap_back_modrdn(
}
if ( op->orr_newSup ) {
int version = LDAP_VERSION3;
/* needs LDAPv3 */
switch ( li->li_version ) {
case LDAP_VERSION3:
break;
case 0:
if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
break;
}
/* fall thru */
default:
/* op->o_protocol cannot be anything but LDAPv3,
* otherwise wouldn't be here */
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
send_ldap_result( op, rs );
goto cleanup;
}
ldap_set_option( lc->lc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
newSup = op->orr_newSup->bv_val;
}
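Review bot: The comment `op->o_protocol cannot be anything but LDAPv3, otherwise wouldn't be here` in the `default:` arm contradicts the `case 0:` arm just above it, which falls through into `default:` exactly when `op->o_protocol` is neither 0 nor LDAP_VERSION3. The arm is reached either because `li_version` pins the target to LDAPv2 or because the client did not speak v3, so I would reword it to `/* newSuperior needs LDAPv3: refuse when protocol-version pins v2 or the client did not speak v3 */`. The same switch and comment are duplicated in the meta_back_modrdn hunk later in this commit and should be fixed there too. The `cleanup` label and the rest of ldap_back_modrdn are outside the hunk.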
......
......@@ -1050,6 +1050,32 @@ meta_back_db_config(
mi->mi_targets[ i ].mt_nretries = nretries;
}
} else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
int *version = mi->mi_ntargets ?
&mi->mi_targets[ mi->mi_ntargets - 1 ].mt_version
: &mi->mi_version;
if ( argc != 2 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: need value in \"protocol-version <version>\"\n",
fname, lineno, 0 );
return 1;
}
if ( lutil_atoi( version, argv[ 1 ] ) != 0 ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unable to parse version \"%s\" in \"protocol-version <version>\"\n",
fname, lineno, argv[ 1 ] );
return 1;
}
if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) ) {
Debug( LDAP_DEBUG_ANY,
"%s: line %d: unsupported version \"%s\" in \"protocol-version <version>\"\n",
fname, lineno, argv[ 1 ] );
return 1;
}
/* anything else */
} else {
return SLAP_CONF_UNKNOWN;
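Review bot: `lutil_atoi( version, argv[ 1 ] )` writes straight into `mt_version` (or `mi_version`) before the range check `if ( *version != 0 && ( *version < LDAP_VERSION_MIN || *version > LDAP_VERSION_MAX ) )` runs, so a rejected value is left stored in the target even though the directive fails; a config error presumably aborts startup today, but the ordering becomes a real problem if this parser is ever reused for runtime reconfiguration. Parsing into a local and assigning only after validation keeps the stored value always valid. The manual page says a value set before any target applies to all targets unless overridden; whether `mi_version` is copied into each new target's `mt_version` is not visible here and worth confirming. meta_back_db_config continues outside the hunk.
```c
} else if ( strcasecmp( argv[ 0 ], "protocol-version" ) == 0 ) {
	/* … unchanged: int *version = per-target or global slot … */
	int v;
	/* … unchanged: argc != 2 check … */
	if ( lutil_atoi( &v, argv[ 1 ] ) != 0 ) {
		/* … unchanged: Debug + return 1 … */
	}
	if ( v != 0 && ( v < LDAP_VERSION_MIN || v > LDAP_VERSION_MAX ) ) {
		/* … unchanged: Debug + return 1 … */
	}
	*version = v;
```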
......
......@@ -260,7 +260,7 @@ meta_back_init_one_conn(
{
metainfo_t *mi = ( metainfo_t * )op->o_bd->be_private;
metasingleconn_t *msc = &mc->mc_conns[ candidate ];
int vers;
int version;
dncookie dc;
int isauthz = ( candidate == mc->mc_authz_target );
......@@ -285,8 +285,16 @@ meta_back_init_one_conn(
* Set LDAP version. This will always succeed: If the client
* bound with a particular version, then so can we.
*/
vers = op->o_conn->c_protocol;
ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &vers );
if ( mt->mt_version != 0 ) {
version = mt->mt_version;
} else if ( op->o_conn->c_protocol != 0 ) {
version = op->o_conn->c_protocol;
} else {
version = LDAP_VERSION3;
}
ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &version );
/* automatically chase referrals ("chase-referrals [{yes|no}]" statement) */
ldap_set_option( msc->msc_ld, LDAP_OPT_REFERRALS,
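Review bot: The comment kept above the new block, `Set LDAP version. This will always succeed: If the client bound with a particular version, then so can we.`, no longer describes the code: the version is now taken first from the administrator's `mt->mt_version`, then from `op->o_conn->c_protocol`, and otherwise defaults to LDAP_VERSION3, so "the client bound with it" is only one of three sources, and the result of `ldap_set_option( msc->msc_ld, LDAP_OPT_PROTOCOL_VERSION, &version )` is still unchecked. I would replace it with `/* Protocol version: per-target protocol-version wins, then the client's, else LDAPv3; configured values are range-checked at config time */`. `mt` is not declared within this hunk, so I assume it is the target record for `candidate`; confirm it is assigned on every path before this point. meta_back_init_one_conn continues outside the hunk.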
......
......@@ -55,7 +55,6 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
dc.rs = rs;
if ( op->orr_newSup ) {
int version = LDAP_VERSION3;
/*
* NOTE: the newParent, if defined, must be on the
......@@ -76,11 +75,25 @@ meta_back_modrdn( Operation *op, SlapReply *rs )
* feature from back-ldap
*/
/* newSuperior needs LDAPv3; if we got here, we can safely
* enforce it */
ldap_set_option( mc->mc_conns[ candidate ].msc_ld,
LDAP_OPT_PROTOCOL_VERSION, &version );
/* needs LDAPv3 */
switch ( mi->mi_targets[ candidate ].mt_version ) {
case LDAP_VERSION3:
break;
case 0:
if ( op->o_protocol == 0 || op->o_protocol == LDAP_VERSION3 ) {
break;
}
/* fall thru */
default:
/* op->o_protocol cannot be anything but LDAPv3,
* otherwise wouldn't be here */
rs->sr_err = LDAP_UNWILLING_TO_PERFORM;
maperr = 0;
goto cleanup;
}
/*
* Rewrite the new superior, if defined and required
*/
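Review bot: The rejection switch keys on `op->o_protocol`, while the version actually pushed onto the connection in meta_back_init_one_conn earlier in this commit is derived from `op->o_conn->c_protocol`; if those two can ever disagree, the `case 0:` arm could accept a newSuperior on a connection that was opened as LDAPv2. Because the explicit `ldap_set_option( ..., LDAP_OPT_PROTOCOL_VERSION, &version )` that used to force v3 here is removed, correctness now rests on init_one_conn having already chosen v3 whenever this switch breaks out, and that dependency deserves a comment such as `/* connection version was fixed in meta_back_init_one_conn; only validate it here */`. The `cleanup` label and the `maperr` handling are outside the hunk.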
......