Commit 8434d901 authored by Kurt Zeilenga's avatar Kurt Zeilenga

Sync with HEAD

parent 0b16e820
......@@ -368,7 +368,10 @@ main()
version = db_version( &major, &minor, &patch );
if( major != DB_VERSION_MAJOR || minor < DB_VERSION_MINOR ) {
if( major != DB_VERSION_MAJOR ||
minor != DB_VERSION_MINOR ||
patch != DB_VERSION_PATCH )
{
printf("Berkeley DB version mismatch\n"
"\theader: %s\n\tlibrary: %s\n",
DB_VERSION_STRING, version);
......
......@@ -48,6 +48,10 @@
#include <ac/errno.h>
#include <sys/stat.h>
#if defined(TEST_ABANDON) || defined(TEST_CANCEL)
#include <ac/signal.h>
#endif
#ifdef HAVE_FCNTL_H
#include <fcntl.h>
#endif
......@@ -550,6 +554,15 @@ private_conn_setup( LDAP *ld )
}
}
#if defined(TEST_ABANDON) || defined(TEST_CANCEL)
static int gotintr;
RETSIGTYPE
do_sig( int sig )
{
gotintr = 1;
}
#endif
int
main( int argc, char **argv )
......@@ -609,6 +622,10 @@ main( int argc, char **argv )
attrs = &argv[optind];
}
#if defined(TEST_ABANDON) || defined(TEST_CANCEL)
SIGNAL( SIGINT, do_sig );
#endif
if ( infile != NULL ) {
if ( infile[0] == '-' && infile[1] == '\0' ) {
fp = stdin;
......@@ -1105,6 +1122,20 @@ static int dosearch(
ldap_msgfree( res );
}
#if defined(TEST_ABANDON) || defined(TEST_CANCEL)
if ( gotintr ) {
#ifdef TEST_CANCEL
rc = ldap_cancel_s( ld, msgid, NULL, NULL );
fprintf( stderr, "got interrupt, cancel got %d\n", rc );
return -1;
#endif
#ifdef TEST_ABANDON
rc = ldap_abandon( ld, msgid );
fprintf( stderr, "got interrupt, abandon got %d\n", rc );
return -1;
#endif
}
#endif
if ( rc == -1 ) {
ldap_perror( ld, "ldap_result" );
......
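Review bot: `gotintr` in the `do_sig` hunk (@@ -550) is a plain `static int` written from the SIGINT handler and polled in dosearch (@@ -1105); C only guarantees that a handler-shared flag of type `volatile sig_atomic_t` is seen by the interrupted code, so as written the compiler may keep the value cached across the ldap_result loop and the interrupt is never noticed — change it to `static volatile sig_atomic_t gotintr;`. In the dosearch hunk, if both TEST_ABANDON and TEST_CANCEL are defined the `#ifdef TEST_ABANDON` block is dead code behind the cancel's `return -1`; an `#elif defined(TEST_ABANDON)` would make that explicit. Returning -1 straight after ldap_cancel_s/ldap_abandon also leaves any pending result for msgid unread, which is presumably acceptable for a test build but deserves a one-line comment. dosearch continues outside the hunk.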
......@@ -242,16 +242,14 @@ OL_ARG_ENABLE(sql,[ --enable-sql enable sql backend no|yes|mod],
dnl ----------------------------------------------------------------
dnl SLAPD Overlay Options
Overlays="chain denyop dyngroup glue lastmod ppolicy proxycache rwm \
refint syncprov unique"
Overlays="denyop dyngroup glue lastmod ppolicy proxycache rwm \
refint syncprov translucent unique"
AC_ARG_WITH(xxslapoverlays,[
SLAPD Overlay Options:])
OL_ARG_ENABLE(overlays,[ --enable-overlays enable all available overlays no|yes|mod],
no, [no yes mod])dnl
OL_ARG_ENABLE(chain,[ --enable-chain LDAP Chain Response no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(denyop,[ --enable-denyop Deny Operation overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(dyngroup,[ --enable-dyngroup Dynamic Group overlay no|yes|mod],
......@@ -268,8 +266,10 @@ OL_ARG_ENABLE(refint,[ --enable-refint Referential Integrity overlay no|yes
no, [no yes mod])
OL_ARG_ENABLE(rwm,[ --enable-rwm Rewrite/Remap overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(syncprov,[ --enable-syncprov Syncrepl Provider overlay no|yes|mod],
OL_ARG_ENABLE(syncprov,[ --enable-syncprov Syncrepl Provider overlay no|yes|mod],
yes, [no yes mod])
OL_ARG_ENABLE(translucent,[ --enable-translucent Translucent Proxy overlay no|yes|mod],
no, [no yes mod])
OL_ARG_ENABLE(unique,[ --enable-unique Attribute Uniqueness overlay no|yes|mod],
no, [no yes mod])
......@@ -446,10 +446,6 @@ else
fi
fi
if test $ol_enable_chain != no -a $ol_enable_ldap = no ; then
AC_MSG_ERROR([--enable-chain requires --enable-ldap])
fi
if test $ol_enable_meta = yes -a $ol_enable_ldap = no ; then
AC_MSG_ERROR([--enable-meta requires --enable-ldap])
fi
......@@ -534,6 +530,7 @@ BUILD_PROXYCACHE=no
BUILD_REFINT=no
BUILD_RWM=no
BUILD_SYNCPROV=no
BUILD_TRANSLUCENT=no
BUILD_UNIQUE=no
SLAPD_DYNAMIC_OVERLAYS=
......@@ -819,13 +816,16 @@ AC_CHECK_HEADERS( \
winsock2.h \
)
dnl ----------------------------------------------------------------
dnl Checks for libraries
AC_CHECK_FUNCS( sigaction sigset )
dnl HP-UX requires -lV3
dnl this is not needed on newer versions of HP-UX
AC_CHECK_LIB(V3, sigset)
if test $ac_cv_func_sigaction = no && test $ac_cv_func_sigaction = no ; then
AC_CHECK_LIB(V3, sigset)
fi
dnl The following is INTENTIONALLY scripted out because shell does not
dnl support variable names with the '@' character, which is what
......@@ -2425,6 +2425,12 @@ AC_DEFINE(LBER_TAG_T,long)
dnl ----------------------------------------------------------------
dnl Checks for library functions.
AC_FUNC_MEMCMP
if test $ac_cv_func_memcmp_clean = no ; then
AC_DEFINE(NEED_MEMCMP_REPLACEMENT,1,
[define if memcmp is not 8-bit clean or is otherwise broken])
fi
dnl AM_FUNC_MKTIME dnl checks for sys/time.h and unistd.h
AC_FUNC_STRFTIME
dnl AM_FUNC_STRTOD
......@@ -2483,9 +2489,7 @@ AC_CHECK_FUNCS( \
setsid \
setuid \
seteuid \
sigaction \
signal \
sigset \
strdup \
strpbrk \
strrchr \
......@@ -2772,17 +2776,6 @@ if test "$ol_link_sql" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_SQL,$MFLAG,[define to support SQL backend])
fi
if test "$ol_enable_chain" != no ; then
BUILD_CHAIN=$ol_enable_chain
if test "$ol_enable_chain" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS chain.la"
else
MFLAG=SLAPD_MOD_STATIC
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_CHAIN,$MFLAG,[define for Dynamic Group overlay])
fi
if test "$ol_enable_denyop" != no ; then
BUILD_DENYOP=$ol_enable_denyop
if test "$ol_enable_denyop" = mod ; then
......@@ -2883,6 +2876,17 @@ if test "$ol_enable_syncprov" != no ; then
AC_DEFINE_UNQUOTED(SLAPD_OVER_SYNCPROV,$MFLAG,[define for Syncrepl Provider overlay])
fi
if test "$ol_enable_translucent" != no ; then
BUILD_TRANSLUCENT=$ol_enable_translucent
if test "$ol_enable_translucent" = mod ; then
MFLAG=SLAPD_MOD_DYNAMIC
SLAPD_DYNAMIC_OVERLAYS="$SLAPD_DYNAMIC_OVERLAYS translucent.la"
else
MFLAG=SLAPD_MOD_STATIC
fi
AC_DEFINE_UNQUOTED(SLAPD_OVER_TRANSLUCENT,$MFLAG,[define for Translucent Proxy overlay])
fi
if test "$ol_enable_unique" != no ; then
BUILD_UNIQUE=$ol_enable_unique
if test "$ol_enable_unique" = mod ; then
......@@ -2960,6 +2964,7 @@ dnl overlays
AC_SUBST(BUILD_REFINT)
AC_SUBST(BUILD_RWM)
AC_SUBST(BUILD_SYNCPROV)
AC_SUBST(BUILD_TRANSLUCENT)
AC_SUBST(BUILD_UNIQUE)
AC_SUBST(BUILD_SLURPD)
......@@ -3076,7 +3081,7 @@ cat > $BACKENDSC << ENDX
ENDX
if test "${STATIC_BACKENDS}"; then
for b in ${STATIC_BACKENDS}; do
for b in config ${STATIC_BACKENDS}; do
bb=`echo "${b}" | sed -e 's/back-//'`
cat >> $BACKENDSC << ENDX
extern BI_init ${bb}_back_initialize;
......@@ -3088,7 +3093,7 @@ ENDX
BackendInfo slap_binfo[[]] = {
ENDX
for b in ${STATIC_BACKENDS}; do
for b in config ${STATIC_BACKENDS}; do
bb=`echo "${b}" | sed -e 's/back-//'`
echo " Add ${bb} ..."
cat >> $BACKENDSC << ENDX
......
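Review bot: the new HP-UX `-lV3` guard in the sigaction/sigset hunk (@@ -819) tests `$ac_cv_func_sigaction` twice and never consults sigset; the intent reads as probing libV3 only when neither function was found, i.e. `if test $ac_cv_func_sigaction = no && test $ac_cv_func_sigset = no ; then`. As written the probe is skipped whenever sigaction exists (harmless) but still runs when sigaction is missing and sigset is present (a redundant link test), so the practical effect is small, but the condition is clearly a typo. The `AC_CHECK_FUNCS( sigaction sigset )` that now precedes it defines both cache variables, so the corrected test is safe to use at that point.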
......@@ -14,6 +14,8 @@ Current contributions:
ldapsasl
LDAP SASL auxprop plugin
Contributed by Symas Corp.
Note: this module is now part of Cyrus SASL
and no longer included here.
slapd-modules
Native modules
......
LDAP auxprop plugin for SASL-enabled servers.
Copyright (C) 2002,2003 by Howard Chu, hyc@symas.com
This software is licensed under the terms of the OpenLDAP license.
The file ldapdb.c was written for Cyrus SASL 2.1.3 and OpenLDAP 2.1.3.
Due to various bugs in the Cyrus source you should use Cyrus SASL 2.1.15
or newer. You need at least Cyrus SASL 2.1.16 to use the auxprop-store
functionality.
The version of ldapdb bundled with OpenLDAP 2.1.22 and older will work
with all OpenLDAP releases 2.1.3 and up. The ldapdb in OpenLDAP 2.1.23
uses a different LDAP request and requires the server to be 2.1.23 or newer.
It can be compiled by copying into the Cyrus SASL source tree, in the
plugins subdirectory. No configuration or build script is provided.
To compile, type "make ldapdb.lo". To link, you'll have to copy the
link rule for one of the other plugins. Below is a sample on my Linux
system:
/bin/sh ../libtool --mode=link gcc -Wall -W -g -O2 -L/usr/local/lib -Wl,-rpath,/usr/local/lib -module -export-dynamic -rpath /usr/lib/sasl2 -o libldapdb.la -version-info 2:4:0 ldapdb.lo -lldap -llber -lssl -lcrypto
Once installed, add the ldapdb config items to the SASL server's
config file in /usr/lib/sasl2. Note that ldapdb_pw is stored there in
cleartext and the ldapdb_id account holds proxy-authorization rights over
every user that may log in, so the file must be readable only by the SASL
server. For example:
ldapdb_uri: ldap://ldap.example.com
ldapdb_id: root
ldapdb_pw: secret
ldapdb_mech: DIGEST-MD5
This config assumes an LDAP server on the same machine as the server
that is using SASL. The LDAP server must be configured to map the SASL
authcId "root" into a DN that has proxy authorization privileges to
every account that is allowed to login to this server. (See the OpenLDAP
Admin Guide section 10 for details.)
Unlike the LDAP-enabled plugins commonly found on the web for other
services, this plugin does not require you to configure DN search
patterns to map usernames to LDAP DNs. This plugin requires SASL name
mapping to be configured on the target slapd. This approach keeps the
LDAP-specific configuration details in one place, the slapd.conf, and
makes the configuration of remote services much simpler.
An additional keyword "ldapdb_rc" may be specified in the config file.
The filename specified here will be put into the server's LDAPRC
environment variable, and libldap-specific config options may be set
in that ldaprc file. The main purpose behind this option is to allow
a client TLS certificate to be configured, so that SASL/EXTERNAL may
be used between the SASL server and the LDAP server. This is the most
optimal way to use this plugin when the servers are on separate machines.
Note: this plugin is not for use with slapd itself. When OpenLDAP is
built with SASL support, slapd uses its own internal auxprop module.
By default, without configuring anything else, slapd will fail to load
the ldapdb module when it's present. This is as it should be. If you
don't like the "auxpropfunc: error -7" message that is sent to syslog
by slapd, you can stop it by creating /usr/lib/sasl2/slapd.conf with:
auxprop_plugin: slapd
which will force the SASL library to ignore all other auxprop modules.
This plugin has been in use for over a year at many sites with good
results. If you have questions or problems, please send feedback via
the openldap-software mailing list.
-- Howard Chu
Update... With OpenLDAP 2.1.13 you can use SASL/EXTERNAL on ldapi://.
This is fast and secure, and needs no username or password to be stored.
The SASL config file is just
ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL
The slapd.conf will need to map these usernames to LDAP DNs:
sasl-regexp uidNumber=(.*)\\+gidNumber=(.*),cn=peercred,cn=external,cn=auth
ldap:///dc=example,dc=com??sub?(&(uidNumber=$1)(gidNumber=$2))
sasl-regexp uid=(.*),cn=external,cn=auth
ldap:///dc=example,dc=com??sub?(uid=$1)
Update... With OpenLDAP 2.1.23 you can use the ldapdb_starttls keyword
to use the StartTLS extended operation on an LDAP session. This item
may be set to either "try" or "demand", e.g.:
ldapdb_uri: ldap://ldap.example.com
ldapdb_starttls: try
When set to "try", any StartTLS failure is ignored and the session continues
without TLS (in cleartext); when set to "demand", any failure aborts the
connection.
/* $OpenLDAP$ */
/* SASL LDAP auxprop implementation
* Copyright (C) 2002,2003 Howard Chu, All rights reserved. <hyc@symas.com>
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted only as authorized by the OpenLDAP
* Public License.
*
* A copy of this license is available in the file LICENSE in the
* top-level directory of the distribution or, alternatively, at
* <http://www.OpenLDAP.org/license.html>.
*/
#include <config.h>
#include <stdio.h>
#include "sasl.h"
#include "saslutil.h"
#include "saslplug.h"
/* Cyrus SASL version packed as 0xMMmmss (major, minor, step), so that
 * 2.1.16 compares as 0x020110; used below to detect auxprop_store support. */
#define SASL_VERSION_FULL ((SASL_VERSION_MAJOR << 16) |\
	(SASL_VERSION_MINOR << 8) |SASL_VERSION_STEP)
#include "plugin_common.h"
#include <ldap.h>
/* Plugin name. Doubles as the option namespace handed to utils->getopt()
 * (config keys are "ldapdb_uri", "ldapdb_id", ...) and as the name in the
 * sasl_auxprop_plug_t descriptor below. */
static char ldapdb[] = "ldapdb";
/* Per-plugin configuration, built once in plug_init from the ldapdb_*
 * options and shared by every lookup/store call. uri is taken straight
 * from utils->getopt(); presumably id/pw/mech are too (plug_init is not
 * fully visible here), i.e. these point at configuration memory that this
 * plugin does not own, copy or zeroize. */
typedef struct ldapctx {
	const char *uri;    /* URI of the LDAP server, passed to ldap_initialize() */
	struct berval id;   /* SASL authcid the plugin binds as (SASL_CB_AUTHNAME) */
	struct berval pw;   /* bind password, held in cleartext (SASL_CB_PASS) */
	struct berval mech; /* SASL mech for ldap_sasl_interactive_bind_s() */
	int use_tls;        /* 0: no StartTLS; 1 ("try"): attempt it, continue in
	                     * cleartext on failure; >1 ("demand"): failure aborts */
} ldapctx;
/*
 * SASL interaction callback handed to ldap_sasl_interactive_bind_s().
 * Walks the prompts libldap asks for and answers the three it knows:
 * the realm (read back from the handle via LDAP_OPT_X_SASL_REALM), the
 * authcid and the password (both from the plugin context). Prompts it
 * does not recognise, and a realm the handle has no value for, are left
 * untouched so libldap keeps whatever default it had.
 *
 * ld    - LDAP handle being bound
 * flags - unused
 * def   - the ldapctx passed as the defaults argument of the bind
 * inter - array of sasl_interact_t terminated by SASL_CB_LIST_END
 * Returns LDAP_SUCCESS unconditionally.
 */
static int ldapdb_interact(LDAP *ld, unsigned flags __attribute__((unused)),
	void *def, void *inter)
{
	ldapctx *ctx = def;
	sasl_interact_t *prompt;

	for (prompt = inter; prompt->id != SASL_CB_LIST_END; prompt++) {
		char *val = NULL;
		size_t len = 0;

		if (prompt->id == SASL_CB_GETREALM) {
			ldap_get_option(ld, LDAP_OPT_X_SASL_REALM, &val);
			if (val) len = strlen(val);
		} else if (prompt->id == SASL_CB_AUTHNAME) {
			val = ctx->id.bv_val;
			len = ctx->id.bv_len;
		} else if (prompt->id == SASL_CB_PASS) {
			val = ctx->pw.bv_val;
			len = ctx->pw.bv_len;
		}

		/* Only answer when we actually have a value; otherwise leave the
		 * prompt's result/len alone. */
		if (val) {
			prompt->result = val;
			prompt->len = len;
		}
	}
	return LDAP_SUCCESS;
}
/* State of one proxied LDAP session, set up by ldapdb_connect() and torn
 * down by its caller (ldap_unbind() on ld, ber_bvfree() on dn). */
typedef struct connparm {
	LDAP *ld;             /* LDAP handle, bound with the plugin's own credentials */
	LDAPControl c;        /* Proxy Authorization control carrying the user's authzId */
	LDAPControl *ctrl[2]; /* { &c, NULL }: server-control list for search/modify */
	struct berval *dn;    /* "dn:<DN>" authzId returned by Who Am I; caller frees */
} connparm;
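/*
 * Open an LDAP session on ctx->uri, bind with the plugin's own
 * credentials, and resolve the SASL user into the DN the directory maps
 * it to.
 *
 * The user is never authenticated here. Every request carries a Proxy
 * Authorization control (RFC 4370): first as "u:<user>", then, once the
 * server's Who Am I answer reveals the DN it mapped that name to, as
 * "dn:<DN>". The caller then searches/modifies that DN under the same
 * control, so the directory's ACLs are evaluated as the user. This only
 * works if the bound identity (ctx->id) has proxy-authz rights on the
 * target server.
 *
 * ctx     - plugin configuration
 * sparams - SASL server params; only the allocator is used
 * user    - name being looked up: ulen bytes, NOT assumed NUL-terminated
 * ulen    - length of user in bytes
 * cp      - on success: cp->ld is bound, cp->ctrl carries the dn-form
 *           proxy control, cp->dn holds "dn:<DN>" and must be
 *           ber_bvfree()d by the caller. On failure cp->dn is NULL and
 *           cp->ld is NULL if no handle was created; otherwise the
 *           caller must still ldap_unbind() it.
 *
 * Returns LDAP_SUCCESS (0) or an LDAP result code. LDAP_INVALID_SYNTAX
 * is returned when the server produced no usable "dn:" authzId, since
 * callers index bv_val+3 as a DN.
 */
static int ldapdb_connect(ldapctx *ctx, sasl_server_params_t *sparams,
	const char *user, unsigned ulen, connparm *cp)
{
	int rc;
	int version = LDAP_VERSION3;
	char *authzid;

	/* Make the handle/dn state well-defined on every failure path so the
	 * caller's "if (cp.ld) ldap_unbind(cp.ld)" cleanup is always safe,
	 * even if ldap_initialize() fails before touching cp->ld. */
	cp->ld = NULL;
	cp->dn = NULL;

	rc = ldap_initialize(&cp->ld, ctx->uri);
	if (rc) {
		return rc;
	}

	/* "u:" + user + NUL. The name is described by ulen, so copy exactly
	 * that many bytes rather than strcpy(): an unterminated name must not
	 * run past the buffer, and a name shorter than ulen must not leave
	 * uninitialized bytes inside the control value. */
	authzid = sparams->utils->malloc(ulen + sizeof("u:"));
	if (!authzid) {
		return LDAP_NO_MEMORY;
	}
	memcpy(authzid, "u:", 2);
	memcpy(authzid + 2, user, ulen);
	authzid[ulen + 2] = '\0';

	cp->c.ldctl_oid = LDAP_CONTROL_PROXY_AUTHZ;
	cp->c.ldctl_value.bv_val = authzid;
	cp->c.ldctl_value.bv_len = ulen + 2;
	cp->c.ldctl_iscritical = 1; /* a server that cannot honour it must refuse */

	ldap_set_option(cp->ld, LDAP_OPT_PROTOCOL_VERSION, &version);

	/* StartTLS: use_tls == 1 ("try") tolerates failure and carries on in
	 * cleartext; use_tls > 1 ("demand") fails the connect instead. */
	if (ctx->use_tls) {
		rc = ldap_start_tls_s(cp->ld, NULL, NULL);
		if (rc != LDAP_SUCCESS && ctx->use_tls > 1) {
			sparams->utils->free(authzid);
			return rc;
		}
	}

	/* Bind as ourselves (ctx->id/pw supplied via ldapdb_interact); the
	 * user's own credentials are never sent to the directory. */
	rc = ldap_sasl_interactive_bind_s(cp->ld, NULL, ctx->mech.bv_val, NULL,
		NULL, LDAP_SASL_QUIET, ldapdb_interact, ctx);
	if (rc != LDAP_SUCCESS) {
		sparams->utils->free(authzid);
		return rc;
	}

	/* Ask the server who "u:<user>" is under the proxy control; the answer
	 * is the "dn:<DN>" authzId the caller uses as a search/modify target. */
	cp->ctrl[0] = &cp->c;
	cp->ctrl[1] = NULL;
	rc = ldap_whoami_s(cp->ld, &cp->dn, cp->ctrl, NULL);
	if (rc == LDAP_SUCCESS) {
		if (!cp->dn || !cp->dn->bv_val || strncmp(cp->dn->bv_val, "dn:", 3)) {
			/* No answer, or an authzId not in dn: form: unusable as a DN. */
			if (cp->dn) ber_bvfree(cp->dn);
			cp->dn = NULL;
			rc = LDAP_INVALID_SYNTAX;
		} else {
			/* Switch the control to the dn: form for the follow-up request. */
			cp->c.ldctl_value = *(cp->dn);
		}
	}
	sparams->utils->free(authzid);
	return rc;
}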
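/*
 * auxprop_lookup entry point: fetch the requested properties for "user"
 * from the directory entry the server maps that user to, and store the
 * first value of each into the SASL property context.
 *
 * Property names map one-to-one onto LDAP attribute names. A name with a
 * leading '*' is an authzid property: the '*' is stripped before the
 * search, and such names are skipped entirely when SASL_AUXPROP_AUTHZID
 * is set. Properties that already have values are skipped unless
 * SASL_AUXPROP_OVERRIDE is set, in which case the old values are erased
 * before the new one is stored. Only the first value of a multi-valued
 * attribute is used.
 *
 * This is a void callback, so failures are silent: the properties are
 * simply left unset and SASL treats the user as unknown.
 *
 * glob_context - ldapctx from plug_init
 * sparams      - SASL server params (allocator, property context)
 * flags        - SASL_AUXPROP_AUTHZID / SASL_AUXPROP_OVERRIDE
 * user         - name being looked up, ulen bytes
 * ulen         - length of user in bytes
 */
static void ldapdb_auxprop_lookup(void *glob_context,
	sasl_server_params_t *sparams,
	unsigned flags,
	const char *user,
	unsigned ulen)
{
	ldapctx *ctx = glob_context;
	connparm cp = { 0 }; /* inspected at "done" on every path; never garbage */
	int rc, i, n, *aindx;
	const struct propval *pr;
	struct berval **bvals;
	LDAPMessage *msg, *res = NULL;
	char **attrs = NULL;

	if (!ctx || !sparams || !user) return;

	pr = sparams->utils->prop_get(sparams->propctx);
	if (!pr) return;

	/* count how many attrs to fetch */
	for (i = 0, n = 0; pr[i].name; i++) {
		if (pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
			continue;
		if (pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
			continue;
		n++;
	}

	/* nothing to do, bail out */
	if (!n) return;

	/* One allocation: the NULL-terminated attribute list, followed by the
	 * index of each attribute back into pr[]. The tail is used as int[];
	 * NOTE(review): this relies on sizeof(int) <= sizeof(char *). */
	attrs = sparams->utils->malloc((n + 1) * sizeof(char *) * 2);
	if (!attrs) return;
	aindx = (int *)(attrs + n + 1);

	/* copy attr list */
	for (i = 0, n = 0; pr[i].name; i++) {
		if (pr[i].name[0] == '*' && (flags & SASL_AUXPROP_AUTHZID))
			continue;
		if (pr[i].values && !(flags & SASL_AUXPROP_OVERRIDE))
			continue;
		attrs[n] = (char *)pr[i].name;
		if (pr[i].name[0] == '*') attrs[n]++; /* attribute name without the marker */
		aindx[n] = i;
		n++;
	}
	attrs[n] = NULL;

	if (ldapdb_connect(ctx, sparams, user, ulen, &cp)) {
		goto done;
	}
	/* A successful connect is expected to yield a "dn:" authzId; guard
	 * rather than dereference NULL if it did not. */
	if (!cp.dn) {
		goto done;
	}

	/* Base-object search on the mapped entry, still under the proxy
	 * control so the directory's ACLs are evaluated as that user. */
	rc = ldap_search_ext_s(cp.ld, cp.dn->bv_val + 3, LDAP_SCOPE_BASE,
		"(objectclass=*)", attrs, 0, cp.ctrl, NULL, NULL, 1, &res);
	ber_bvfree(cp.dn);
	cp.dn = NULL;

	if (rc != LDAP_SUCCESS) goto done;

	for (msg = ldap_first_message(cp.ld, res); msg;
		msg = ldap_next_message(cp.ld, msg)) {
		if (ldap_msgtype(msg) != LDAP_RES_SEARCH_ENTRY) continue;
		for (i = 0; i < n; i++) {
			bvals = ldap_get_values_len(cp.ld, msg, attrs[i]);
			if (!bvals) continue;
			if (!bvals[0]) {
				/* attribute present but with no values: nothing to store */
				ber_bvecfree(bvals);
				continue;
			}
			if (pr[aindx[i]].values)
				sparams->utils->prop_erase(sparams->propctx, pr[aindx[i]].name);
			sparams->utils->prop_set(sparams->propctx, pr[aindx[i]].name,
				bvals[0]->bv_val, bvals[0]->bv_len);
			ber_bvecfree(bvals);
		}
	}

done:
	/* NOTE(review): libldap may hand back a result message through res even
	 * when the search returned a non-success code; freeing it whenever it
	 * was set is safe either way. */
	if (res) ldap_msgfree(res);
	if (attrs) sparams->utils->free(attrs);
	if (cp.ld) ldap_unbind(cp.ld);
}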
#if SASL_VERSION_FULL >= 0x020110
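/*
 * auxprop_store entry point (Cyrus SASL >= 2.1.16): write the properties
 * in prctx back to the user's directory entry as one modify request,
 * replacing each attribute with the property's values.
 *
 * A property with no values yields an LDAP_MOD_REPLACE with an empty value
 * list, which removes that attribute from the entry -- NOTE(review):
 * confirm this is the intended "store" semantics.
 *
 * glob_context - ldapctx from plug_init
 * sparams      - SASL server params (allocator, error reporting)
 * prctx        - properties to store; NULL means "are you enabled?",
 *                answered with SASL_OK and no work done
 * user         - name whose entry is modified, ulen bytes
 * ulen         - length of user in bytes
 *
 * Returns SASL_OK, SASL_BADPARAM, SASL_NOMEM, or SASL_FAIL with the LDAP
 * error text set on the connection.
 */
static int ldapdb_auxprop_store(void *glob_context,
	sasl_server_params_t *sparams,
	struct propctx *prctx,
	const char *user,
	unsigned ulen)
{
	ldapctx *ctx = glob_context;
	connparm cp = { 0 }; /* inspected at the end on every path; never garbage */
	const struct propval *pr;
	int rc, i, n;
	LDAPMod **mods;

	/* just checking if we are enabled */
	if (!prctx) return SASL_OK;

	if (!sparams || !user) return SASL_BADPARAM;
	pr = sparams->utils->prop_get(prctx);
	if (!pr) return SASL_BADPARAM;

	for (n = 0; pr[n].name; n++);
	if (!n) return SASL_BADPARAM;

	/* One allocation: n+1 LDAPMod pointers followed by n LDAPMod structs. */
	mods = sparams->utils->malloc((n + 1) * sizeof(LDAPMod *) + n * sizeof(LDAPMod));
	if (!mods) return SASL_NOMEM;

	rc = ldapdb_connect(ctx, sparams, user, ulen, &cp);
	if (rc == 0 && !cp.dn) {
		/* connect reported success without a "dn:" authzId; there is no
		 * entry to modify, so fail rather than dereference NULL. */
		sparams->utils->free(mods);
		if (cp.ld) ldap_unbind(cp.ld);
		sparams->utils->seterror(sparams->utils->conn, 0,
			"ldapdb: no authzId returned for user");
		return SASL_FAIL;
	}
	if (rc == 0) {
		LDAPMod *slot = (LDAPMod *)(mods + n + 1);
		for (i = 0; i < n; i++) {
			mods[i] = &slot[i];
			mods[i]->mod_op = LDAP_MOD_REPLACE;
			mods[i]->mod_type = (char *)pr[i].name;
			mods[i]->mod_values = (char **)pr[i].values;
		}
		mods[n] = NULL;
		/* Modify under the proxy control, so the directory's ACLs decide
		 * whether this user may change these attributes. */
		rc = ldap_modify_ext_s(cp.ld, cp.dn->bv_val + 3, mods, cp.ctrl, NULL);
		ber_bvfree(cp.dn);
		cp.dn = NULL;
	}
	sparams->utils->free(mods);

	if (rc) {
		sparams->utils->seterror(sparams->utils->conn, 0, ldap_err2string(rc));
		rc = (rc == LDAP_NO_MEMORY) ? SASL_NOMEM : SASL_FAIL;
	}
	if (cp.ld) ldap_unbind(cp.ld);
	return rc;
}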
#endif /* SASL_VERSION_FULL >= 2.1.16 */
/*
 * auxprop_free: release the ldapctx allocated in plug_init, using the
 * SASL allocator. Only the context struct itself is freed; the strings it
 * points at are not owned here -- NOTE(review): they appear to come
 * straight from utils->getopt() in plug_init, i.e. configuration memory,
 * so nothing (the bind password included) is zeroized; confirm.
 */
static void ldapdb_auxprop_free(void *glob_ctx, const sasl_utils_t *utils)
{
	ldapctx *ctx = glob_ctx;

	utils->free(ctx);
}
/* Plugin descriptor handed back from plug_init. The auxprop_store slot is
 * only a real field in Cyrus SASL >= 2.1.16 (SASL_VERSION_FULL 0x020110);
 * with older headers that position is a spare and is left NULL. */
static sasl_auxprop_plug_t ldapdb_auxprop_plugin = {
	0,                     /* Features */
	0,                     /* spare */
	NULL,                  /* glob_context: NULL here, presumably set per instance in plug_init */
	ldapdb_auxprop_free,   /* auxprop_free */
	ldapdb_auxprop_lookup, /* auxprop_lookup */
	ldapdb,                /* name */
#if SASL_VERSION_FULL >=0x020110
	ldapdb_auxprop_store   /* auxprop_store; spare if <2.1.16 */
#else
	NULL
#endif
};
static int ldapdb_auxprop_plug_init(const sasl_utils_t *utils,
int max_version,
int *out_version,
sasl_auxprop_plug_t **plug,
const char *plugname __attribute__((unused)))
{
ldapctx tmp, *p;
const char *s;
unsigned len;
if(!out_version || !plug) return SASL_BADPARAM;
if(max_version < SASL_AUXPROP_PLUG_VERSION) return SASL_BADVERS;
memset(&tmp, 0, sizeof(tmp));
utils->getopt(utils->getopt_context, ldapdb, "ldapdb_uri", &tmp.uri, NULL);
if(!tmp.uri) return SASL_BADPARAM;
utils->getopt(utils-&g