Commit bbf249a3 authored by Quanah Gibson-Mount's avatar Quanah Gibson-Mount

Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

parents ac84c6a6 ec8d6edb
workflow:
rules:
- if: '$CI_COMMIT_REF_NAME == "master" && $CI_PROJECT_NAMESPACE != "openldap"'
when: never
- if: '$CI_COMMIT_REF_NAME == "OPENLDAP_REL_ENG_2_5" && $CI_PROJECT_NAMESPACE != "openldap"'
when: never
- when: always
stages:
- build
......
......@@ -2102,7 +2102,7 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
}
if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
if ( op->o_tag == LDAP_REQ_BIND ) {
if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {
if ( !BER_BVISEMPTY( &ndn )) {
dobind = 0;
goto done;
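Review bot: The rewritten condition `if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {` makes the early `dobind = 0; goto done;` path depend on the caller's sendok flags, but nothing in the hunk says why a Bind that may not report errors should fall through to the identity-assertion path instead. A why-comment on that line would save the next reader a trip through the callers, for example `/* only a client-initiated Bind (SENDERR set) keeps its own identity; internal rebinds fall through to idassert */` — that reading is inferred from the flag name and the ITS 9400 regression test in this commit, so confirm it before adopting the wording. ldap_back_is_proxy_authz starts and ends outside the hunk.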
......
......@@ -1628,7 +1628,10 @@ static int parseValuesReturnFilter (
} else {
send_ldap_result( op, rs );
}
if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter );
if( op->o_vrFilter != NULL) {
vrFilter_free( op, op->o_vrFilter );
op->o_vrFilter = NULL;
}
}
#ifdef LDAP_DEBUG
else {
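Review bot: The new `op->o_vrFilter = NULL;` after `vrFilter_free( op, op->o_vrFilter );` has no comment, so it is one "simplification" away from being folded back into the single-line form it replaces. The reason — a later cleanup of the operation would otherwise see a dangling filter pointer and free it again — is only implied by the change, so spell it out: `/* clear so a later op cleanup cannot free the filter twice */` (the cleanup site is not visible in this hunk, so verify the wording against it). parseValuesReturnFilter continues outside the hunk.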
......
......@@ -178,14 +178,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
}
if ( !BER_BVISNULL( mech ) ) {
assert( mech->bv_val == id->bv_val + 2 );
if ( mech->bv_val != id->bv_val + 2 )
return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
mech->bv_val -= 2;
}
if ( !BER_BVISNULL( realm ) ) {
assert( realm->bv_val >= id->bv_val + 2 );
if ( realm->bv_val < id->bv_val + 2 )
return LDAP_PROTOCOL_ERROR;
AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
realm->bv_val -= 2;
......@@ -447,9 +449,12 @@ is_dn: bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
}
/* Grab the searchbase */
assert( ludp->lud_dn != NULL );
ber_str2bv( ludp->lud_dn, 0, 0, &bv );
rc = dnValidate( NULL, &bv );
if ( ludp->lud_dn != NULL ) {
ber_str2bv( ludp->lud_dn, 0, 0, &bv );
rc = dnValidate( NULL, &bv );
} else {
rc = LDAP_INVALID_SYNTAX;
}
done:
ldap_free_urldesc( ludp );
......@@ -481,6 +486,7 @@ authzPrettyNormal(
assert( val != NULL );
assert( !BER_BVISNULL( val ) );
BER_BVZERO( normalized );
/*
* 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
......@@ -811,7 +817,6 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
/* Grab the searchbase */
assert( ludp->lud_dn != NULL );
if ( ludp->lud_dn ) {
struct berval out = BER_BVNULL;
......@@ -829,6 +834,9 @@ is_dn: bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
}
ludp->lud_dn = out.bv_val;
} else {
rc = LDAP_INVALID_SYNTAX;
goto done;
}
ludp->lud_port = 0;
......@@ -850,7 +858,7 @@ done:
if ( lud_dn ) {
if ( ludp->lud_dn != lud_dn ) {
ber_memfree( ludp->lud_dn );
slap_sl_free( ludp->lud_dn, ctx );
}
ludp->lud_dn = lud_dn;
}
......@@ -897,7 +905,7 @@ authzPretty(
rc = authzPrettyNormal( val, out, ctx, 0 );
Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
out->bv_val, rc );
out->bv_val ? out->bv_val : "(null)" , rc );
return rc;
}
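Review bot: In the slap_parse_user hunk the new guards `if ( mech->bv_val != id->bv_val + 2 )` and `if ( realm->bv_val < id->bv_val + 2 )` depend on mech and realm pointing into id's buffer at a fixed two-byte offset, and nothing in the hunk says where that offset comes from or why the AC_MEMCPY shift on the next line is then safe. A comment stating the invariant would help, along the lines of `/* mech/realm point into id; the 2-byte prefix before them is what the shift below overwrites */` — the prefix itself is not visible here, so confirm before quoting it. It would also be worth a sentence on why these failures are LDAP_PROTOCOL_ERROR while the equivalent assert-to-check conversions in the authzValidate and authzPrettyNormal hunks return LDAP_INVALID_SYNTAX, since a reader will assume one of them is a mistake. slap_parse_user starts and ends outside the hunk.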
......
......@@ -3268,7 +3268,7 @@ serialNumberAndIssuerCheck(
if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;
if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
/* Parse old format */
is->bv_val = ber_bvchr( in, '$' );
if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
......@@ -3299,7 +3299,7 @@ serialNumberAndIssuerCheck(
HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
} have = HAVE_NONE;
int numdquotes = 0;
int numdquotes = 0, gotquote;
struct berval x = *in;
struct berval ni;
x.bv_val++;
......@@ -3341,11 +3341,12 @@ serialNumberAndIssuerCheck(
is->bv_val = x.bv_val;
is->bv_len = 0;
for ( ; is->bv_len < x.bv_len; ) {
for ( gotquote=0; is->bv_len < x.bv_len; ) {
if ( is->bv_val[is->bv_len] != '"' ) {
is->bv_len++;
continue;
}
gotquote = 1;
if ( is->bv_val[is->bv_len+1] == '"' ) {
/* double dquote */
numdquotes++;
......@@ -3354,6 +3355,8 @@ serialNumberAndIssuerCheck(
}
break;
}
if ( !gotquote ) return LDAP_INVALID_SYNTAX;
x.bv_val += is->bv_len + 1;
x.bv_len -= is->bv_len + 1;
......@@ -5141,9 +5144,8 @@ csnValidate(
int rc;
assert( in != NULL );
assert( !BER_BVISNULL( in ) );
if ( BER_BVISEMPTY( in ) ) {
if ( BER_BVISNULL( in ) || BER_BVISEMPTY( in ) ) {
return LDAP_INVALID_SYNTAX;
}
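Review bot: In the csnValidate hunk the new `if ( BER_BVISNULL( in ) || BER_BVISEMPTY( in ) ) {` sits directly below the untouched `assert( in != NULL );` and `assert( !BER_BVISNULL( in ) );`, so in builds with assertions enabled a NULL berval still aborts before the graceful LDAP_INVALID_SYNTAX return is reached; the slap_parse_user and authzValidate hunks in this same commit drop the assert when they add the runtime check, and this hunk should delete those two assert lines for the same reason. Separately, in the serialNumberAndIssuerCheck quote-scanning loop, `is->bv_val[is->bv_len+1]` is read when the dquote is the last byte of x, i.e. one byte past x.bv_len; that is pre-existing and harmless only if the input is NUL-terminated, which the hunk does not show, so a comment or an explicit `is->bv_len + 1 < x.bv_len` bound would make it safe by inspection. csnValidate and serialNumberAndIssuerCheck both extend outside their hunks.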
......
#! /bin/sh
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
echo "running defines.sh"
. $SRCDIR/scripts/defines.sh
ITS=9400
ITSDIR=$DATADIR/regressions/its$ITS
if test $BACKLDAP = "ldapno" ; then
echo "LDAP backend not available, test skipped"
exit 0
fi
mkdir -p $TESTDIR $DBDIR1 $DBDIR2
cp -r $DATADIR/tls $TESTDIR
echo "This test checks that back-ldap does retry binds after the remote LDAP server"
echo "has abruptly disconnected the (idle) LDAP connection."
#
# Start slapd that acts as a remote LDAP server that will be proxied
#
echo "Running slapadd to build database for the remote slapd server..."
. $CONFFILTER $BACKEND < $CONF > $CONF1
$SLAPADD -f $CONF1 -l $LDIFORDERED
RC=$?
if test $RC != 0 ; then
echo "slapadd failed ($RC)!"
exit $RC
fi
echo "Starting remote slapd server on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
SERVERPID=$!
if test $WAIT != 0 ; then
echo SERVERPID $SERVERPID
read foo
fi
#
# Start ldapd that will proxy for the remote server
#
echo "Starting slapd proxy on TCP/IP port $PORT2..."
. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy-idassert.conf > $CONF2
$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
PROXYPID=$!
if test $WAIT != 0 ; then
echo PROXYPID $PROXYPID
read foo
fi
KILLPIDS="$KILLPIDS $PROXYPID"
sleep 1
#
# Successful searches
#
echo "Using ldapsearch with bind that will be passed through to remote server..."
$LDAPSEARCH -S "" -b "$BASEDN" \
-D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
-H $URI2 \
-w "bjensen" \
'objectclass=*' > $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed at proxy ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
echo "Using ldapsearch with idassert-bind..."
$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
'objectclass=*' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed at proxy ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
#
# Now kill the remote slapd that is being proxied for.
# This will invalidate the current TCP connections that proxy has to remote.
#
echo "Killing remote server"
kill $SERVERPID
sleep 1
echo "Re-starting remote slapd server on TCP/IP port $PORT1..."
$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
SERVERPID=$!
if test $WAIT != 0 ; then
echo SERVERPID $SERVERPID
read foo
fi
KILLPIDS="$KILLPIDS $SERVERPID"
sleep 2
echo "-------------------------------------------------" >> $TESTOUT
echo "Searches after remote slapd server has restarted:" >> $TESTOUT
echo "-------------------------------------------------" >> $TESTOUT
#
# Successful search
#
echo "Using ldapsearch with bind that will be passed through to remote server..."
$LDAPSEARCH -S "" -b "$BASEDN" \
-D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
-H $URI2 \
-w "bjensen" \
'objectclass=*' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed at proxy ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
#
# UNSUCCESFUL SEARCH
#
echo "Using ldapsearch with idassert-bind..."
$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret" \
'objectclass=*' >> $TESTOUT 2>&1
RC=$?
if test $RC != 0 ; then
echo "ldapsearch failed at proxy ($RC)!"
test $KILLSERVERS != no && kill -HUP $KILLPIDS
exit $RC
fi
test $KILLSERVERS != no && kill -HUP $KILLPIDS
echo ">>>>> Test succeeded"
test $KILLSERVERS != no && wait
exit 0
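Review bot: The heading `# UNSUCCESFUL SEARCH` above the final idassert-bind search contradicts the block beneath it, which treats a non-zero exit from ldapsearch as a failure and exits, so either the comment is stale or the test meant to assert that the idassert search is rejected after the remote restart; the commit does not say which. If the search is expected to succeed, change the heading to `# Successful search` (and fix the spelling either way); if it is expected to fail, the check should be `if test $RC = 0 ; then` with a message saying the search unexpectedly succeeded. Also `cp -r $DATADIR/tls $TESTDIR` copies the TLS fixtures, but neither the script nor the proxy config added in this commit refers to them, so it looks like a leftover to drop.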
# provider slapd config -- for testing
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2020 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
include @SCHEMADIR@/core.schema
include @SCHEMADIR@/cosine.schema
include @SCHEMADIR@/inetorgperson.schema
include @SCHEMADIR@/openldap.schema
include @SCHEMADIR@/nis.schema
pidfile @TESTDIR@/slapd.m.pid
argsfile @TESTDIR@/slapd.m.args
#######################################################################
# database definitions
#######################################################################
# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"
database @BACKEND@
suffix "dc=local,dc=com"
rootdn "cn=Manager,dc=local,dc=com"
rootpw "secret"
#~null~#directory @TESTDIR@/db.2.a
# Configure proxy
# - normal user binds to "*,dc=example,dc=com" are proxied through to the remote slapd
# - admin bind to local "cn=Manager,dc=local,dc=com" is overwritten by using idassert-bind
database ldap
uri "@URI1@"
suffix "dc=example,dc=com"
idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
idassert-authzFrom "dn.exact:cn=Manager,dc=local,dc=com"
rebind-as-user yes
database monitor
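Review bot: The comment `# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"` carries a stray trailing double quote, and "overwritten" on the line describing the admin bind means "overridden" here (idassert-bind replaces the bound identity, it does not write anything). Both are comment-only fixes in the new fixture.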