From 9ba7bda1f892628b36632906581162ee8c7e6ab4 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 3 Jan 2011 21:02:15 +0000
Subject: [PATCH] ITS#6642

---
 CHANGES | 1 +
 servers/slapd/back-ldap/bind.c | 10 ++++++++-
 servers/slapd/back-meta/back-meta.h | 3 +++
 servers/slapd/back-meta/config.c | 29 ++++++++++++++++++--------
 servers/slapd/back-meta/conn.c | 32 ++++++++++++++++++++++++-----
 5 files changed, 61 insertions(+), 14 deletions(-)

diff --git a/CHANGES b/CHANGES
index 2b867bb816..6c48d6555b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -26,6 +26,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed slapd-bdb error propogation to overlays (ITS#6633)
 	Fixed slapd-ldap debug output of timeout (ITS#6721)
 	Fixed slapd-ldap DNSSRV referral chaining (ITS#6565)
+	Fixed slapd-ldap with SASL/EXTERNAL (ITS#6642)
 	Fixed slapd-ndb to honor rootpw setting (ITS#6661)
 	Fixed slapd-meta anon retry with failed auth method (ITS#6643)
 	Fixed slapd-meta rebind proc (ITS#6665)
diff --git a/servers/slapd/back-ldap/bind.c b/servers/slapd/back-ldap/bind.c
index 1862022ab1..bd2c054ccb 100644
--- a/servers/slapd/back-ldap/bind.c
+++ b/servers/slapd/back-ldap/bind.c
@@ -668,6 +668,7 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 	LDAP *ld = NULL;
 #ifdef HAVE_TLS
 	int is_tls = op->o_conn->c_is_tls;
+	int flags = li->li_flags;
 	time_t lctime = (time_t)(-1);
 	slap_bindconf *sb;
 #endif /* HAVE_TLS */
@@ -727,11 +728,18 @@ ldap_back_prepare_conn( ldapconn_t *lc, Operation *op, SlapReply *rs, ldap_back_
 		ldap_set_option( ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
 	}
 
+	/* if required by the bindconf configuration, force TLS */
+	if ( ( sb == &li->li_acl || sb == &li->li_idassert.si_bc ) &&
+		sb->sb_tls_ctx )
+	{
+		flags |= LDAP_BACK_F_USE_TLS;
+	}
+
 	ldap_pvt_thread_mutex_lock( &li->li_uri_mutex );
 	assert( li->li_uri_mutex_do_not_lock == 0 );
 	li->li_uri_mutex_do_not_lock = 1;
 	rs->sr_err = ldap_back_start_tls( ld, op->o_protocol, &is_tls,
-			li->li_uri, li->li_flags, li->li_nretries, &rs->sr_text );
+			li->li_uri, flags, li->li_nretries, &rs->sr_text );
 	li->li_uri_mutex_do_not_lock = 0;
 	ldap_pvt_thread_mutex_unlock( &li->li_uri_mutex );
 	if ( rs->sr_err != LDAP_SUCCESS ) {
diff --git a/servers/slapd/back-meta/back-meta.h b/servers/slapd/back-meta/back-meta.h
index ee14f97dcd..a1b9476007 100644
--- a/servers/slapd/back-meta/back-meta.h
+++ b/servers/slapd/back-meta/back-meta.h
@@ -274,6 +274,9 @@ typedef struct metatarget_t {
 	struct berval mt_binddn;
 	struct berval mt_bindpw;
 
+	/* we only care about the TLS options here */
+	slap_bindconf mt_tls;
+
 	slap_idassert_t mt_idassert;
 #define mt_idassert_mode mt_idassert.si_mode
 #define mt_idassert_authcID mt_idassert.si_bc.sb_authcId
diff --git a/servers/slapd/back-meta/config.c b/servers/slapd/back-meta/config.c
index fecc0a4e89..e6de08a8eb 100644
--- a/servers/slapd/back-meta/config.c
+++ b/servers/slapd/back-meta/config.c
@@ -620,7 +620,7 @@ meta_back_db_config(
 				fname, lineno, 0 );
 			return 1;
 		}
-
+
 		if ( argc != 2 ) {
 			Debug( LDAP_DEBUG_ANY,
 				"%s: line %d: missing password in \"bindpw <password>\" line\n",
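Review bot: The new forced-TLS block sets only `LDAP_BACK_F_USE_TLS` and not `LDAP_BACK_F_TLS_CRITICAL`, so a bindconf that carries an `sb_tls_ctx` is handled like a `tls try-start` target: if `ldap_back_start_tls` (outside the hunk) follows the same flag semantics as the `tls` directive, a failed StartTLS is tolerated and the acl/idassert bind goes ahead on the cleartext session, which is the opposite of what configuring a TLS context for that identity asks for. Consider `flags |= LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL;`, or a comment stating why a StartTLS failure is meant to be non-fatal here. The same question applies to the `sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx` branch in the conn.c hunk `@@ -421,12 +422,33 @@`, where `do_start_tls = 1` is forced but nothing in the hunk makes a failed StartTLS fatal for that case; that handling is outside the hunk. ldap_back_prepare_conn starts and ends outside the hunk.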
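Review bot: The new `mt_tls` member presumably ends up owning a TLS context once `bindconf_tls_set` has run on it (conn.c hunk), but the commit shows no matching release where a metatarget_t is torn down, so that context would outlive the target on database destroy. If `mt_idassert.si_bc` is released there with `bindconf_free`, `mt_tls` should be released the same way; worth confirming in the target teardown code, which is not in the diff. The comment on the field could also say what populates it, e.g. `/* TLS-related bindconf fields only (sb_tls_*), filled by the "tls" directive's extra arguments in meta_back_db_config */`. The struct definition continues outside the hunk.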
@@ -709,13 +709,6 @@ meta_back_db_config(
 			&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
 			: &mi->mi_flags;
 
-		if ( argc != 2 ) {
-			Debug( LDAP_DEBUG_ANY,
-				"%s: line %d: \"tls <what>\" needs 1 argument.\n",
-				fname, lineno, 0 );
-			return( 1 );
-		}
-
 		/* start */
 		if ( strcasecmp( argv[ 1 ], "start" ) == 0 ) {
 			*flagsp |= ( LDAP_BACK_F_USE_TLS | LDAP_BACK_F_TLS_CRITICAL );
@@ -741,6 +734,26 @@ meta_back_db_config(
 			return( 1 );
 		}
 
+		if ( argc > 2 ) {
+			metatarget_t *mt = NULL;
+			int i;
+
+			if ( mi->mi_ntargets - 1 < 0 ) {
+				Debug( LDAP_DEBUG_ANY,
+					"%s: line %d: need \"uri\" directive first\n",
+					fname, lineno, 0 );
+				return 1;
+			}
+
+			mt = mi->mi_targets[ mi->mi_ntargets - 1 ];
+
+			for ( i = 2; i < argc; i++ ) {
+				if ( bindconf_tls_parse( argv[i], &mt->mt_tls ))
+					return 1;
+			}
+			bindconf_tls_defaults( &mt->mt_tls );
+		}
+
 	} else if ( strcasecmp( argv[ 0 ], "t-f-support" ) == 0 ) {
 		unsigned *flagsp = mi->mi_ntargets ?
 			&mi->mi_targets[ mi->mi_ntargets - 1 ]->mt_flags
diff --git a/servers/slapd/back-meta/conn.c b/servers/slapd/back-meta/conn.c
index 43511baf85..7d7cc92507 100644
--- a/servers/slapd/back-meta/conn.c
+++ b/servers/slapd/back-meta/conn.c
@@ -281,6 +281,7 @@ meta_back_init_one_conn(
 	int do_return = 0;
 #ifdef HAVE_TLS
 	int is_ldaps = 0;
+	int do_start_tls = 0;
 #endif /* HAVE_TLS */
 
 	/* if the server is quarantined, and
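Review bot: Removing the `argc != 2` check in hunk `@@ -709,13 +709,6 @@` leaves no lower bound on the argument count at all, so a bare `tls` line now reaches `strcasecmp( argv[ 1 ], "start" )` with `argv[ 1 ]` either NULL or one past the argument list; the new `argc > 2` block in hunk `@@ -741,6 +734,26 @@` only covers the extra-arguments case. A minimum-argument check should be restored ahead of the `/* start */` comparison so that malformed configuration is reported rather than dereferenced. In the new block, `mi->mi_ntargets - 1 < 0` reads more naturally as `mi->mi_ntargets == 0`, matching the `mi->mi_ntargets ?` form used for `flagsp` just above, and a failed `bindconf_tls_parse` returns without naming the offending option, so if that helper does not log itself a `Debug` line with `argv[i]` would help. meta_back_db_config starts and ends outside the hunk.
```c
		/* "tls <what> [<tls-option>...]": <what> is mandatory */
		if ( argc < 2 ) {
			Debug( LDAP_DEBUG_ANY,
				"%s: line %d: \"tls <what>\" needs at least 1 argument.\n",
				fname, lineno, 0 );
			return( 1 );
		}

		/* … unchanged: start/propagate flag parsing and the argc > 2 block … */
```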
@@ -421,12 +422,33 @@ retry_lock:;
 		META_BACK_TGT_CHASE_REFERRALS( mt ) ? LDAP_OPT_ON : LDAP_OPT_OFF );
 
 #ifdef HAVE_TLS
+	if ( !is_ldaps ) {
+		slap_bindconf *sb = NULL;
+
+		if ( ispriv ) {
+			sb = &mt->mt_idassert.si_bc;
+		} else {
+			sb = &mt->mt_tls;
+		}
+
+		if ( sb->sb_tls_do_init ) {
+			bindconf_tls_set( sb, msc->msc_ld );
+		} else if ( sb->sb_tls_ctx ) {
+			ldap_set_option( msc->msc_ld, LDAP_OPT_X_TLS_CTX, sb->sb_tls_ctx );
+		}
+
+		if ( sb == &mt->mt_idassert.si_bc && sb->sb_tls_ctx ) {
+			do_start_tls = 1;
+
+		} else if ( META_BACK_TGT_USE_TLS( mt )
+			|| ( op->o_conn->c_is_tls && META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
+		{
+			do_start_tls = 1;
+		}
+	}
+
 	/* start TLS ("tls [try-]{start|propagate}" statement) */
-	if ( ( META_BACK_TGT_USE_TLS( mt )
-		|| ( op->o_conn->c_is_tls
-			&& META_BACK_TGT_PROPAGATE_TLS( mt ) ) )
-		&& !is_ldaps )
-	{
+	if ( do_start_tls ) {
 #ifdef SLAP_STARTTLS_ASYNCHRONOUS
 		/*
 		 * use asynchronous StartTLS; in case, chase referral
-- 
GitLab
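Review bot: `bindconf_tls_set( sb, msc->msc_ld )` runs from the per-connection setup path on a per-target `slap_bindconf` that every connection to that target shares; the helper is outside the hunk, but if it builds the context and then clears `sb_tls_do_init` without a lock of its own, two threads setting up connections to the same target at once could both take the `sb_tls_do_init` branch unless `meta_back_init_one_conn` already holds a target-level lock at this point (the `retry_lock` label suggests locking nearby, but what it covers is not visible). Worth confirming, or doing the one-time initialisation where the target is configured and keeping only the `LDAP_OPT_X_TLS_CTX` branch here. As a point of style, `slap_bindconf *sb = NULL;` followed by the if/else says the same as `slap_bindconf *sb = ispriv ? &mt->mt_idassert.si_bc : &mt->mt_tls;`, and the two branches that both set `do_start_tls = 1` could be a single condition with a comment naming the idassert case. meta_back_init_one_conn starts and ends outside the hunk.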