Commit bc835b91 authored by Kurt Zeilenga

+ Updated ldapdelete(1) to stdout bug (ITS#4453)

+       Fixed slapo-ppolicy rebind bug (ITS#4516)
+       Documentation
+               Fixed slapd(8) logging header reference (ITS#4509)
parent e4d4d8e7
......@@ -7,6 +7,7 @@ OpenLDAP 2.3.22 Engineering
Fixed libldap_r tpool cleanup
Fixed liblutil strtoul(3) usage (ITS#4503)
Fixed liblutil time resolution issue (ITS#4514)
Updated ldapdelete(1) to stdout bug (ITS#4453)
Updated ldapsearch(1) BASE output (ITS#4504)
Fixed slapd backglue issue (ITS#4529)
Fixed slapd cn=config (ITS#4512)
......@@ -29,6 +30,7 @@ OpenLDAP 2.3.22 Engineering
Added slapo-accesslog reqOld feature
Fixed slapo-auditlog missing return codes
Fixed slapo-ppolicy BER tags issue (ITS#4528)
Fixed slapo-ppolicy rebind bug (ITS#4516)
Fixed slapo-refint delete prohibit issue (ITS#4442)
Fixed slapo-syncprov MODs cause DELs (ITS#4423)
Fixed slapo-syncprov/syncrepl sessionlog issue (ITS#4534)
......@@ -37,6 +39,8 @@ OpenLDAP 2.3.22 Engineering
Build Environment
Fixed test020-proxycache disabled debug issue (ITS#4491)
Fixed OSF1 compilation problem (ITS#4537)
Documentation
Fixed slapd(8) logging header reference (ITS#4509)
OpenLDAP 2.3.21 Release
Fixed libldap referral chasing issue (ITS#4448)
......
......@@ -263,8 +263,10 @@ static int dodelete(
return rc;
}
if( verbose || code != LDAP_SUCCESS ||
(matcheddn && *matcheddn) || (text && *text) || (refs && *refs) )
if( code != LDAP_SUCCESS ) {
tool_perror( "ldap_delete", code, NULL, matcheddn, text, refs );
} else if ( verbose &&
((matcheddn && *matcheddn) || (text && *text) || (refs && *refs) ))
{
printf( _("Delete Result: %s (%d)\n"),
ldap_err2string( code ), code );
......
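Review bot: The rewritten condition drops the plain `verbose` case: with `-v` and a clean success (no matchedDN, diagnostic text or referrals) the old test printed `Delete Result: Success (0)`, while the new `else if` prints nothing, which reads as an unstated behavior change riding along with the stdout fix. If that is intended, a comment above the `else if` such as `/* on success, -v only reports what the server actually returned (matchedDN, text, referrals) */` would stop the next reader from "fixing" it back; if it is not, the condition wants `verbose || (...)` rather than `verbose && (...)`. Note also that inside that branch `code` can only be LDAP_SUCCESS, so the `ldap_err2string( code ), code` arguments to the printf are constants and the line could say so or print a fixed string. dodelete begins and ends outside this hunk.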
......@@ -85,7 +85,7 @@ If this option is specified, even with a zero argument,
will not fork or disassociate from the invoking terminal. Some general
operation and status messages are printed for any value of \fIdebug\-level\fP.
\fIdebug\-level\fP is taken as a bit string, with each bit corresponding to a
different kind of debugging information. See <ldap.h> for details.
different kind of debugging information. See <ldap_log.h> for details.
Remember that if you turn on packet logging, packets containing bind passwords
will be output, so if you redirect the log to a logfile, that file should
be read-protected.
......
......@@ -55,7 +55,7 @@ typedef struct pp_info {
* used by all instances
*/
typedef struct pw_conn {
int restricted; /* TRUE if connection is restricted */
struct berval dn; /* DN of restricted user */
} pw_conn;
static pw_conn *pwcons;
......@@ -814,7 +814,8 @@ ppolicy_bind_resp( Operation *op, SlapReply *rs )
* that we are disallowed from doing anything
* other than change password.
*/
pwcons[op->o_conn->c_conn_idx].restricted = 1;
ber_dupbv( &pwcons[op->o_conn->c_conn_idx].dn,
&op->o_conn->c_ndn );
ppb->pErr = PP_changeAfterReset;
......@@ -972,7 +973,10 @@ ppolicy_bind( Operation *op, SlapReply *rs )
slap_overinst *on = (slap_overinst *)op->o_bd->bd_info;
/* Reset lockout status on all Bind requests */
pwcons[op->o_conn->c_conn_idx].restricted = 0;
if ( !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
}
/* Root bypasses policy */
if ( !be_isroot_dn( op->o_bd, &op->o_req_ndn )) {
......@@ -1026,11 +1030,14 @@ ppolicy_bind( Operation *op, SlapReply *rs )
return SLAP_CB_CONTINUE;
}
/* Reset the restricted flag for the next session on this connection */
/* Reset the restricted info for the next session on this connection */
static int
ppolicy_connection_destroy( BackendDB *bd, Connection *conn )
{
pwcons[conn->c_conn_idx].restricted = 0;
if ( !BER_BVISEMPTY( &pwcons[conn->c_conn_idx].dn )) {
ch_free( pwcons[conn->c_conn_idx].dn.bv_val );
BER_BVZERO( &pwcons[conn->c_conn_idx].dn );
}
return SLAP_CB_CONTINUE;
}
......@@ -1048,7 +1055,18 @@ ppolicy_restrict(
send_ctrl = 1;
}
if ( op->o_conn && pwcons[op->o_conn->c_conn_idx].restricted ) {
if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn )) {
/* if the current authcDN doesn't match the one we recorded,
* then an intervening Bind has succeeded and the restriction
* no longer applies. (ITS#4516)
*/
if ( !dn_match( &op->o_conn->c_ndn,
&pwcons[op->o_conn->c_conn_idx].dn )) {
ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
return SLAP_CB_CONTINUE;
}
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0);
if ( send_ctrl ) {
......@@ -1354,13 +1372,19 @@ ppolicy_modify( Operation *op, SlapReply *rs )
}
}
if (pwcons[op->o_conn->c_conn_idx].restricted && !mod_pw_only) {
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
pErr = PP_changeAfterReset;
goto return_results;
if (!BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {
if ( dn_match( &op->o_conn->c_ndn,
&pwcons[op->o_conn->c_conn_idx].dn )) {
Debug( LDAP_DEBUG_TRACE,
"connection restricted to password changing only\n", 0, 0, 0 );
rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
rs->sr_text = "Operations are restricted to bind/unbind/abandon/StartTLS/modify password";
pErr = PP_changeAfterReset;
goto return_results;
} else {
ch_free( pwcons[op->o_conn->c_conn_idx].dn.bv_val );
BER_BVZERO( &pwcons[op->o_conn->c_conn_idx].dn );
}
}
/*
......
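Review bot: The new restriction check in ppolicy_modify dereferences `op->o_conn` with no guard, while the ppolicy_restrict hunk in this same commit tests `op->o_conn &&` before the identical `pwcons[op->o_conn->c_conn_idx].dn` lookup, so the two paths disagree on whether an operation without a connection can reach this code. The pre-existing `restricted` test had the same gap, but since the line is rewritten anyway this is the place to make them consistent: `if ( op->o_conn && !BER_BVISEMPTY( &pwcons[op->o_conn->c_conn_idx].dn ) && !mod_pw_only ) {`. Whether an internal modify can actually arrive here with a NULL `o_conn` cannot be confirmed from the hunk; if it provably cannot, a one-line comment saying why the guard is unnecessary would settle it. ppolicy_modify begins and ends outside this hunk.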