Merge remote-tracking branch 'origin/master' into OPENLDAP_REL_ENG_2_5

bbf249a3 · Quanah Gibson-Mount · ac84c6a6 · ec8d6edb · bbf249a3 · bbf249a3
Commit bbf249a3 authored Nov 30, 2020 by Quanah Gibson-Mount
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+workflow:
+  rules:
+    - if: '$CI_COMMIT_REF_NAME == "master" && $CI_PROJECT_NAMESPACE != "openldap"'
+      when: never
+    - if: '$CI_COMMIT_REF_NAME == "OPENLDAP_REL_ENG_2_5" && $CI_PROJECT_NAMESPACE != "openldap"'
+      when: never
+    - when: always
+
 stages:
  - build


--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -2102,7 +2102,7 @@ ldap_back_is_proxy_authz( Operation *op, SlapReply *rs, ldap_back_send_t sendok,
 	}

 	if ( !( li->li_idassert_flags & LDAP_BACK_AUTH_OVERRIDE )) {
-		if ( op->o_tag == LDAP_REQ_BIND ) {
+		if ( op->o_tag == LDAP_REQ_BIND && ( sendok & LDAP_BACK_SENDERR )) {
 			if ( !BER_BVISEMPTY( &ndn )) {
 				dobind = 0;
 				goto done;

--- a/servers/slapd/controls.c
+++ b/servers/slapd/controls.c
@@ -1628,7 +1628,10 @@ static int parseValuesReturnFilter (
 		} else {
 			send_ldap_result( op, rs );
 		}
-		if( op->o_vrFilter != NULL) vrFilter_free( op, op->o_vrFilter ); 
+		if( op->o_vrFilter != NULL) {
+			vrFilter_free( op, op->o_vrFilter );
+			op->o_vrFilter = NULL;
+		}
 	}
 #ifdef LDAP_DEBUG
 	else {

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -178,14 +178,16 @@ int slap_parse_user( struct berval *id, struct berval *user,
 	}

 	if ( !BER_BVISNULL( mech ) ) {
-		assert( mech->bv_val == id->bv_val + 2 );
+		if ( mech->bv_val != id->bv_val + 2 )
+			return LDAP_PROTOCOL_ERROR;

 		AC_MEMCPY( mech->bv_val - 2, mech->bv_val, mech->bv_len + 1 );
 		mech->bv_val -= 2;
 	}

 	if ( !BER_BVISNULL( realm ) ) {
-		assert( realm->bv_val >= id->bv_val + 2 );
+		if ( realm->bv_val < id->bv_val + 2 )
+			return LDAP_PROTOCOL_ERROR;

 		AC_MEMCPY( realm->bv_val - 2, realm->bv_val, realm->bv_len + 1 );
 		realm->bv_val -= 2;
@@ -447,9 +449,12 @@ is_dn:		bv.bv_len = in->bv_len - ( bv.bv_val - in->bv_val );
 	}

 	/* Grab the searchbase */
-	assert( ludp->lud_dn != NULL );
-	ber_str2bv( ludp->lud_dn, 0, 0, &bv );
-	rc = dnValidate( NULL, &bv );
+	if ( ludp->lud_dn != NULL ) {
+		ber_str2bv( ludp->lud_dn, 0, 0, &bv );
+		rc = dnValidate( NULL, &bv );
+	} else {
+		rc = LDAP_INVALID_SYNTAX;
+	}

 done:
 	ldap_free_urldesc( ludp );
@@ -481,6 +486,7 @@ authzPrettyNormal(

 	assert( val != NULL );
 	assert( !BER_BVISNULL( val ) );
+	BER_BVZERO( normalized );

 	/*
 	 * 2) dn[.{exact|children|subtree|onelevel}]:{*|<DN>}
@@ -811,7 +817,6 @@ is_dn:		bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
 	}

 	/* Grab the searchbase */
-	assert( ludp->lud_dn != NULL );
 	if ( ludp->lud_dn ) {
 		struct berval	out = BER_BVNULL;

@@ -829,6 +834,9 @@ is_dn:		bv.bv_len = val->bv_len - ( bv.bv_val - val->bv_val );
 		}

 		ludp->lud_dn = out.bv_val;
+	} else {
+		rc = LDAP_INVALID_SYNTAX;
+		goto done;
 	}

 	ludp->lud_port = 0;
@@ -850,7 +858,7 @@ done:

 	if ( lud_dn ) {
 		if ( ludp->lud_dn != lud_dn ) {
-			ber_memfree( ludp->lud_dn );
+			slap_sl_free( ludp->lud_dn, ctx );
 		}
 		ludp->lud_dn = lud_dn;
 	}
@@ -897,7 +905,7 @@ authzPretty(
 	rc = authzPrettyNormal( val, out, ctx, 0 );

 	Debug( LDAP_DEBUG_TRACE, "<<< authzPretty: <%s> (%d)\n",
-		out->bv_val, rc );
+		out->bv_val ? out->bv_val : "(null)" , rc );

 	return rc;
 }

--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -3268,7 +3268,7 @@ serialNumberAndIssuerCheck(

 	if( in->bv_len < 3 ) return LDAP_INVALID_SYNTAX;

-	if( in->bv_val[0] != '{' && in->bv_val[in->bv_len-1] != '}' ) {
+	if( in->bv_val[0] != '{' || in->bv_val[in->bv_len-1] != '}' ) {
 		/* Parse old format */
 		is->bv_val = ber_bvchr( in, '$' );
 		if( BER_BVISNULL( is ) ) return LDAP_INVALID_SYNTAX;
@@ -3299,7 +3299,7 @@ serialNumberAndIssuerCheck(
 			HAVE_ALL = ( HAVE_ISSUER | HAVE_SN )
 		} have = HAVE_NONE;

-		int numdquotes = 0;
+		int numdquotes = 0, gotquote;
 		struct berval x = *in;
 		struct berval ni;
 		x.bv_val++;
@@ -3341,11 +3341,12 @@ serialNumberAndIssuerCheck(
 				is->bv_val = x.bv_val;
 				is->bv_len = 0;

-				for ( ; is->bv_len < x.bv_len; ) {
+				for ( gotquote=0; is->bv_len < x.bv_len; ) {
 					if ( is->bv_val[is->bv_len] != '"' ) {
 						is->bv_len++;
 						continue;
 					}
+					gotquote = 1;
 					if ( is->bv_val[is->bv_len+1] == '"' ) {
 						/* double dquote */
 						numdquotes++;
@@ -3354,6 +3355,8 @@ serialNumberAndIssuerCheck(
 					}
 					break;
 				}
+				if ( !gotquote ) return LDAP_INVALID_SYNTAX;
+
 				x.bv_val += is->bv_len + 1;
 				x.bv_len -= is->bv_len + 1;

@@ -5141,9 +5144,8 @@ csnValidate(
 	int		rc;

 	assert( in != NULL );
-	assert( !BER_BVISNULL( in ) );

-	if ( BER_BVISEMPTY( in ) ) {
+	if ( BER_BVISNULL( in ) || BER_BVISEMPTY( in ) ) {
 		return LDAP_INVALID_SYNTAX;
 	}


--- a/tests/data/regressions/its9400/its9400
+++ b/tests/data/regressions/its9400/its9400
+#! /bin/sh
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+echo "running defines.sh"
+. $SRCDIR/scripts/defines.sh
+
+ITS=9400
+ITSDIR=$DATADIR/regressions/its$ITS
+
+if test $BACKLDAP = "ldapno" ; then
+	echo "LDAP backend not available, test skipped"
+	exit 0
+fi
+
+mkdir -p $TESTDIR $DBDIR1 $DBDIR2
+cp -r $DATADIR/tls $TESTDIR
+
+echo "This test checks that back-ldap does retry binds after the remote LDAP server"
+echo "has abruptly disconnected the (idle) LDAP connection."
+
+#
+# Start slapd that acts as a remote LDAP server that will be proxied
+#
+echo "Running slapadd to build database for the remote slapd server..."
+. $CONFFILTER $BACKEND < $CONF > $CONF1
+$SLAPADD -f $CONF1 -l $LDIFORDERED
+
+RC=$?
+if test $RC != 0 ; then
+        echo "slapadd failed ($RC)!"
+        exit $RC
+fi
+
+
+echo "Starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL > $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+    echo SERVERPID $SERVERPID
+    read foo
+fi
+
+
+#
+# Start ldapd that will proxy for the remote server
+#
+echo "Starting slapd proxy on TCP/IP port $PORT2..."
+. $CONFFILTER $BACKEND < $ITSDIR/slapd-proxy-idassert.conf > $CONF2
+$SLAPD -f $CONF2 -h $URI2 -d $LVL > $LOG2 2>&1 &
+PROXYPID=$!
+if test $WAIT != 0 ; then
+    echo PROXYPID $PROXYPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $PROXYPID"
+
+sleep 1
+
+
+#
+# Successful searches
+#
+
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+        -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+        -H $URI2 \
+        -w "bjensen"  \
+        'objectclass=*' > $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+#
+# Now kill the remote slapd that is being proxied for.
+# This will invalidate the current TCP connections that proxy has to remote.
+#
+echo "Killing remote server"
+kill $SERVERPID
+sleep 1
+
+echo "Re-starting remote slapd server on TCP/IP port $PORT1..."
+$SLAPD -f $CONF1 -h "$URI1" -d $LVL >> $LOG1 2>&1 &
+SERVERPID=$!
+if test $WAIT != 0 ; then
+    echo SERVERPID $SERVERPID
+    read foo
+fi
+KILLPIDS="$KILLPIDS $SERVERPID"
+
+sleep 2
+
+
+echo "-------------------------------------------------" >> $TESTOUT
+echo "Searches after remote slapd server has restarted:" >> $TESTOUT
+echo "-------------------------------------------------" >> $TESTOUT
+
+#
+# Successful search
+#
+echo "Using ldapsearch with bind that will be passed through to remote server..."
+$LDAPSEARCH -S "" -b "$BASEDN" \
+        -D "cn=Barbara Jensen,ou=Information Technology Division,ou=People,dc=example,dc=com" \
+        -H $URI2 \
+        -w "bjensen"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+#
+# UNSUCCESFUL SEARCH
+#
+echo "Using ldapsearch with idassert-bind..."
+$LDAPSEARCH -S "" -b "$BASEDN" -D "cn=Manager,dc=local,dc=com" -H $URI2 -w "secret"  \
+        'objectclass=*' >> $TESTOUT 2>&1
+RC=$?
+if test $RC != 0 ; then
+        echo "ldapsearch failed at proxy ($RC)!"
+        test $KILLSERVERS != no && kill -HUP $KILLPIDS
+        exit $RC
+fi
+
+
+test $KILLSERVERS != no && kill -HUP $KILLPIDS
+
+echo ">>>>> Test succeeded"
+
+test $KILLSERVERS != no && wait
+
+exit 0
--- a/tests/data/regressions/its9400/slapd-proxy-idassert.conf
+++ b/tests/data/regressions/its9400/slapd-proxy-idassert.conf
+# provider slapd config -- for testing
+# $OpenLDAP$
+## This work is part of OpenLDAP Software <http://www.openldap.org/>.
+##
+## Copyright 1998-2020 The OpenLDAP Foundation.
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted only as authorized by the OpenLDAP
+## Public License.
+##
+## A copy of this license is available in the file LICENSE in the
+## top-level directory of the distribution or, alternatively, at
+## <http://www.OpenLDAP.org/license.html>.
+
+include		@SCHEMADIR@/core.schema
+include		@SCHEMADIR@/cosine.schema
+include		@SCHEMADIR@/inetorgperson.schema
+include		@SCHEMADIR@/openldap.schema
+include		@SCHEMADIR@/nis.schema
+pidfile		@TESTDIR@/slapd.m.pid
+argsfile	@TESTDIR@/slapd.m.args
+
+#######################################################################
+# database definitions
+#######################################################################
+
+# here the proxy is not only acting as a proxy, but it also has a local database dc=local,dc=com"
+database	@BACKEND@
+suffix		"dc=local,dc=com"
+rootdn		"cn=Manager,dc=local,dc=com"
+rootpw		"secret"
+#~null~#directory	@TESTDIR@/db.2.a
+
+# Configure proxy
+# - normal user binds to "*,dc=example,dc=com" are proxied through to the remote slapd
+# - admin bind to local "cn=Manager,dc=local,dc=com" is overwritten by using idassert-bind
+database	ldap
+uri			"@URI1@"
+suffix		"dc=example,dc=com"
+idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="secret"
+idassert-authzFrom "dn.exact:cn=Manager,dc=local,dc=com"
+rebind-as-user	yes
+
+database	monitor